Storm-2949 Cloud Breach: Entra ID to Azure Attack
Summary
Microsoft detailed how Storm-2949 turned a socially engineered Microsoft Entra ID compromise into broad data theft across Microsoft 365 and Azure. The case highlights how identity attacks can escalate quickly through legitimate cloud management features, making stronger MFA controls, monitoring, and cross-platform detections critical for defenders.
Introduction
Microsoft has published a deep dive into Storm-2949, a threat actor that transformed a single compromised identity into a cloud-wide breach spanning Microsoft 365 and Azure. For IT and security teams, this is an important reminder that identity is now the primary attack surface in cloud environments.
Rather than relying on traditional malware, the attacker abused legitimate administrative features, blended into normal cloud activity, and focused on large-scale data exfiltration.
What happened
Microsoft says the campaign unfolded in two major phases:
- Targeted identity compromise through social engineering and abuse of the Self-Service Password Reset (SSPR) process
- Cloud infrastructure compromise across Microsoft 365, Microsoft Entra ID, and Azure resources
Key attack steps
- Attackers reportedly impersonated IT support and convinced users to approve MFA prompts during fraudulent password reset activity.
- After resetting passwords, they removed existing authentication methods and enrolled Microsoft Authenticator on attacker-controlled devices for persistence.
- They used Microsoft Graph API to enumerate users, roles, applications, and service principals.
- In Microsoft 365, they accessed and exfiltrated files from OneDrive and SharePoint, including sensitive IT documentation.
- In Azure, they leveraged compromised identities with privileged RBAC assignments to expand access into production environments.
- Microsoft also observed attempts to access App Service, Key Vault, Storage, SQL, and Virtual Machines, enabling broader data theft and lateral movement.
Why this matters for administrators
This incident shows how quickly a compromised Entra ID account can become a full cloud control-plane problem. If attackers gain access to privileged identities, they can use native tools and APIs to move across SaaS, PaaS, and IaaS resources with fewer obvious indicators of compromise.
For Microsoft 365 and Azure admins, the biggest takeaway is that identity security, privilege management, and cross-environment visibility must be treated as one defense problem—not separate silos.
Recommended next steps
Organizations should review Microsoft’s mitigation guidance and take immediate action in a few areas:
- Harden SSPR and MFA processes to reduce social engineering exposure
- Review privileged role assignments in Entra ID and Azure RBAC
- Audit authentication method changes and suspicious password reset activity
- Monitor Graph API, OneDrive, and SharePoint activity for unusual discovery or bulk downloads
- Protect service principals, Key Vault, storage accounts, and VMs with least privilege and stronger monitoring
- Use behavior-based detection tools such as Microsoft Defender XDR to correlate identity, cloud, and endpoint signals
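The persistence chain in the "Key attack steps" above (self-service reset, removal of the victim's existing methods, enrolment of a new authenticator) is also the sequence the "Audit authentication method changes and suspicious password reset activity" step asks defenders to look for. The script below is an added illustration of that correlation, not code from the Microsoft report or from this site: it walks a constructed, simplified audit log and flags any user whose self-service reset is followed within a time window by both a method deletion and a new method registration. The activity display names (`Reset password (self-service)`, `User deleted security info`, `User registered security info`) are assumed to match the wording in Entra ID audit logs, and the pipe-delimited record format, the two-hour window and the sample entries are all constructed for the example.

```python
"""Correlate self-service password resets with authentication-method changes.

Added example, not Microsoft's detection logic. The log format below is a
constructed simplification of Entra ID audit-log records: timestamp, user,
activity display name and source IP, separated by " | ".
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AuditEvent:
    time: datetime
    user: str
    activity: str
    ip: str


# Activity names assumed to match Entra ID audit-log wording; adjust if your
# tenant's entries differ.
SSPR_RESET = "Reset password (self-service)"
METHOD_DELETED = "User deleted security info"
METHOD_REGISTERED = "User registered security info"

# How soon after a reset the method changes must occur to be correlated.
WINDOW = timedelta(hours=2)

# Constructed sample log: documentation IP ranges and an example domain.
SAMPLE_LOG = [
    # Benign: legitimate self-service reset with no method changes afterwards.
    "2024-05-01T08:15:00 | bob@contoso.example | Reset password (self-service) | 198.51.100.7",
    # Benign: user adds a second method, no reset involved.
    "2024-05-01T08:40:00 | carol@contoso.example | User registered security info | 198.51.100.7",
    # Suspicious chain: reset, then the existing method is removed and a new one
    # enrolled from a different address within minutes.
    "2024-05-01T09:02:11 | alice@contoso.example | Reset password (self-service) | 198.51.100.7",
    "2024-05-01T09:05:40 | alice@contoso.example | User deleted security info | 203.0.113.10",
    "2024-05-01T09:06:05 | alice@contoso.example | User registered security info | 203.0.113.10",
    # Outside the window: method changes five hours after a reset are not correlated.
    "2024-05-01T10:00:00 | dave@contoso.example | Reset password (self-service) | 198.51.100.9",
    "2024-05-01T15:30:00 | dave@contoso.example | User deleted security info | 198.51.100.9",
    "2024-05-01T15:31:00 | dave@contoso.example | User registered security info | 198.51.100.9",
]


def parse_log(lines):
    """Parse pipe-delimited records into AuditEvent objects sorted by time."""
    events = []
    for line in lines:
        ts, user, activity, ip = [field.strip() for field in line.split("|")]
        events.append(AuditEvent(datetime.fromisoformat(ts), user, activity, ip))
    return sorted(events, key=lambda e: e.time)


def find_sspr_persistence_chains(events, window=WINDOW):
    """Return one finding per user whose self-service reset was followed, within
    `window`, by at least one method deletion AND one method registration."""
    by_user = {}
    for event in events:
        by_user.setdefault(event.user, []).append(event)

    findings = []
    for user, user_events in by_user.items():
        for index, reset in enumerate(user_events):
            if reset.activity != SSPR_RESET:
                continue
            # Events are time-sorted, so everything after `index` is later.
            later = [e for e in user_events[index + 1:] if e.time - reset.time <= window]
            deleted = [e for e in later if e.activity == METHOD_DELETED]
            registered = [e for e in later if e.activity == METHOD_REGISTERED]
            if deleted and registered:
                findings.append({
                    "user": user,
                    "reset_at": reset.time.isoformat(),
                    "deleted": len(deleted),
                    "registered": len(registered),
                    # Distinct source IPs across the chain; a change of address
                    # between reset and enrolment is worth a closer look.
                    "source_ips": sorted({e.ip for e in [reset, *deleted, *registered]}),
                })
                break  # one finding per user is enough for triage
    return findings


if __name__ == "__main__":
    for finding in find_sspr_persistence_chains(parse_log(SAMPLE_LOG)):
        print(finding)
```

Run as-is, it reports only `alice@contoso.example`: Bob's reset had no follow-on method changes, Carol never reset her password, and Dave's changes fall outside the two-hour window. Against a real tenant, the same correlation would be built over exported audit-log records keyed on the user principal name; the window and the requirement for both a deletion and a registration are the knobs that trade sensitivity for noise.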
Bottom line
Storm-2949 demonstrates that modern cloud breaches often begin with identity manipulation, not malware. Security teams should use this case as a prompt to strengthen identity protections, validate privileged access paths, and improve detection coverage across Microsoft 365, Entra ID, and Azure.