
Inside Storm-2949’s Cloud Takeover Campaign Targeting Microsoft 365 and Azure

Amber | Attack Report
Summary

Storm-2949 is a threat actor first observed in 2026 that has run a multi-phase, identity-driven intrusion campaign against Microsoft 365 and Azure tenants worldwide; the activity is documented in the Microsoft Security blog post listed under References. Initial access came from social engineering built around Microsoft's Self-Service Password Reset (SSPR) flow, which let the actor take over privileged accounts. From there the campaign reached Microsoft Entra ID, Microsoft 365 and Azure across SaaS, PaaS and IaaS workloads.

The compromised accounts belonged to IT staff and senior leadership. With those identities in hand, the actor used legitimate Azure management features rather than malware to widen access across Microsoft 365 and Azure, and exfiltrated data from OneDrive, SharePoint, Azure Key Vault, Storage accounts, SQL databases and production web applications. The campaign is a clear case of living off the cloud: built-in identity, management and deployment features supplied persistence and data access without a single traditional payload.

Attack Details

The actor targets Microsoft 365 and Azure production environments by abusing legitimate applications and built-in administrative features to steal sensitive data. The intrusion began with a social engineering operation built on Microsoft's Self-Service Password Reset (SSPR) mechanism. The attackers initiated password reset requests for selected employees, including IT administrators and senior executives, then contacted the victims directly while posing as internal IT support. Under the guise of routine account verification, the users were talked into approving the resulting multifactor authentication (MFA) prompts, unknowingly handing control of their accounts to the attackers. Because SSPR verifies the requester through the user's already-registered methods, the victim's approval is what lets the attacker-initiated reset complete; no password had to be stolen beforehand.

Once in, the actor reset the password, removed every previously registered authentication method and enrolled their own Microsoft Authenticator instance on an attacker-controlled device. That locked the legitimate user out while giving the actor persistent control of the account, and the same routine was repeated against several users in the organization to expand the foothold. With identities under control, the actor ran a custom Python tool against the Microsoft Graph API to enumerate users, applications, service principals and privileged roles in Entra ID, with a clear focus on high-value accounts and on further paths to privilege escalation and long-term persistence. Each of these steps (the password reset, the deletion of security info and the registration of new security info) is written to the Entra ID audit log, which is where the sequence can be detected.
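The takeover sequence above leaves a recognizable trail in the Entra ID audit log: a password reset, one or more "User deleted security info" events and then a "User registered security info" event for the same target user within minutes. The following detector is an added example and is not code from the advisory or from Microsoft. It assumes records in the shape returned by the Microsoft Graph /auditLogs/directoryAudits endpoint (only activityDateTime, activityDisplayName, initiatedBy and targetResources are used), and the Contoso sample records are constructed for the demonstration.

```python
"""Detect the SSPR account-takeover sequence in Entra ID audit records.

Pattern: password reset -> existing authentication methods deleted ->
new authentication method registered, all against one target user inside
a short window. Record shape follows Graph /auditLogs/directoryAudits
(assumption: only the fields used below are populated).
"""
from collections import defaultdict
from datetime import datetime, timedelta

RESET_ACTIVITIES = {"Reset password (self-service)", "Reset user password"}
DELETE_ACTIVITY = "User deleted security info"
REGISTER_ACTIVITY = "User registered security info"


def _target_upn(record):
    targets = record.get("targetResources") or []
    return (targets[0].get("userPrincipalName") or "").lower() if targets else ""


def _when(record):
    return datetime.fromisoformat(record["activityDateTime"].replace("Z", "+00:00"))


def detect_sspr_takeover(records, window_minutes=30):
    """Return one alert per target user whose audit trail shows a reset,
    deletion of existing methods and registration of a new method inside
    `window_minutes`. Reset and delete may appear in either order; the
    registration must come last because that is the step that hands the
    attacker a working factor."""
    by_user = defaultdict(list)
    for r in records:
        upn = _target_upn(r)
        if upn:
            by_user[upn].append(r)
    alerts = []
    for upn, events in by_user.items():
        events.sort(key=_when)
        for i, reg in enumerate(events):
            if reg["activityDisplayName"] != REGISTER_ACTIVITY:
                continue
            start = _when(reg) - timedelta(minutes=window_minutes)
            prior = [e for e in events[:i] if _when(e) >= start]
            names = {e["activityDisplayName"] for e in prior}
            if names & RESET_ACTIVITIES and DELETE_ACTIVITY in names:
                alerts.append({
                    "user": upn,
                    "first_seen": prior[0]["activityDateTime"],
                    "registered_at": reg["activityDateTime"],
                    "sequence": [e["activityDisplayName"] for e in prior] + [REGISTER_ACTIVITY],
                })
                break  # one alert per user is enough for triage
    return alerts


def _event(ts, activity, target, actor):
    """Build one constructed audit record in the directoryAudits shape."""
    return {"activityDateTime": ts, "activityDisplayName": activity,
            "initiatedBy": {"user": {"userPrincipalName": actor}},
            "targetResources": [{"userPrincipalName": target}]}


CTO, NEWHIRE, ANALYST = "cto@contoso.example", "newhire@contoso.example", "analyst@contoso.example"
# Constructed sample log: one takeover, one onboarding, one routine change.
SAMPLE_AUDIT_RECORDS = [
    # compromised account: reset, old methods removed, attacker's Authenticator added
    _event("2026-04-02T10:00:12Z", "Reset password (self-service)", CTO, CTO),
    _event("2026-04-02T10:03:40Z", DELETE_ACTIVITY, CTO, CTO),
    _event("2026-04-02T10:04:05Z", DELETE_ACTIVITY, CTO, CTO),
    _event("2026-04-02T10:06:51Z", REGISTER_ACTIVITY, CTO, CTO),
    # onboarding: helpdesk reset followed by first-time registration, nothing deleted
    _event("2026-04-02T12:00:00Z", "Reset user password", NEWHIRE, "helpdesk@contoso.example"),
    _event("2026-04-02T12:10:00Z", REGISTER_ACTIVITY, NEWHIRE, NEWHIRE),
    # routine: a user adds a second method
    _event("2026-04-02T13:30:00Z", REGISTER_ACTIVITY, ANALYST, ANALYST),
]

if __name__ == "__main__":
    for alert in detect_sspr_takeover(SAMPLE_AUDIT_RECORDS):
        print(alert["user"], "->", " > ".join(alert["sequence"]))
```

Only the CTO account trips the rule: the new hire's reset is not followed by a deletion, and the analyst only registers a method. In production, feed the function the output of a scheduled Graph query and treat a hit on any privileged account as an immediate revoke-sessions event.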

With several accounts under control, the actor moved into Microsoft 365, searching OneDrive and SharePoint for IT documentation on VPN setups, remote access workflows and internal infrastructure, most likely to support lateral movement into the victim's wider network. In one case thousands of files were downloaded from a single OneDrive account in one operation. The campaign then shifted to Azure, where the compromised accounts already held privileged custom Azure RBAC roles across multiple subscriptions; the actor went after App Services, Key Vaults, SQL databases, Storage accounts and virtual machines to widen access to the production environment.

Direct access to the primary production web application was initially blocked by gateway protections, so the attackers compromised auxiliary web apps and extracted deployment credentials from their Azure publishing profiles (an App Service publishing profile carries the app's deployment credentials, so whoever can download it can push code to the app). Within minutes the actor altered Key Vault access policies and retrieved numerous secrets, including database credentials and identity tokens, which greatly widened the breach. The actor also modified SQL server firewall rules, enabled public network access on Azure Storage accounts, and harvested SAS tokens and account keys, then used custom Azure SDK-based scripts to exfiltrate large volumes of blob data over several days.

On the infrastructure side, the actor used the VMAccess extension to create local administrator accounts on virtual machines and Azure Run Command to execute scripts that requested managed identity tokens from the Azure Instance Metadata Service (IMDS), which is reachable only from inside the VM and issues tokens for whatever identity the VM has been assigned. After disabling Microsoft Defender protections, the actor installed ScreenConnect on compromised hosts, disguised as legitimate Windows components. From there the actor performed host discovery, credential harvesting, certificate theft and file-share scanning for sensitive data, then tried to cover their tracks by clearing event logs, deleting temporary files and removing command history artifacts. Both VMAccess and Run Command are control-plane operations: they need Azure RBAC rights on the VM rather than guest credentials, and each one leaves an entry in the Azure Activity Log.
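Every control-plane step in the two paragraphs above (publishing-profile export, Key Vault access-policy change, SQL firewall edit, storage key or SAS retrieval, VM extension write, Run Command) is a distinct resource-provider operation in the Azure Activity Log, and what makes the campaign stand out is one interactive identity performing several of them in a short span. The scorer below is an added example, not code from the advisory or from Microsoft. It assumes Activity Log records carry eventTimestamp, operationName, caller, resourceId and status, treats a GUID-shaped caller as a service principal (an assumption), and the Contoso records are constructed for the demonstration.

```python
"""Score Azure Activity Log records for the control-plane abuse chain.

Flags an interactive caller who completes several distinct stages of the
chain within a window. Record shape follows the Activity Log event schema
(assumption: eventTimestamp, operationName, caller, resourceId, status).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# operationName (lower-cased) -> (campaign stage, weight). The names are the
# resource-provider operations Azure writes to the Activity Log.
RISKY_OPERATIONS = {
    "microsoft.web/sites/publishxml/action": ("deploy-creds", 3),
    "microsoft.keyvault/vaults/accesspolicies/write": ("keyvault-policy", 4),
    "microsoft.sql/servers/firewallrules/write": ("sql-firewall", 3),
    "microsoft.storage/storageaccounts/write": ("storage-config", 2),
    "microsoft.storage/storageaccounts/listkeys/action": ("storage-keys", 3),
    "microsoft.storage/storageaccounts/listaccountsas/action": ("storage-keys", 3),
    "microsoft.storage/storageaccounts/listservicesas/action": ("storage-keys", 3),
    "microsoft.compute/virtualmachines/extensions/write": ("vm-extension", 4),
    "microsoft.compute/virtualmachines/runcommand/action": ("vm-runcommand", 4),
}
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def is_user_caller(caller):
    """Service principals appear in `caller` as a GUID; anything else is
    treated as an interactive identity (assumption for this example)."""
    return not GUID_RE.match(caller or "")


def _when(r):
    return datetime.fromisoformat(r["eventTimestamp"].replace("Z", "+00:00"))


def score_activity_log(records, window_hours=6, min_stages=3):
    """One finding per interactive caller who completes at least `min_stages`
    distinct stages inside `window_hours`. Only Succeeded records count, so
    the Started/Succeeded pair the Activity Log writes per operation is not
    double-counted."""
    by_caller = defaultdict(list)
    for r in records:
        op = (r.get("operationName") or "").lower()
        status = (r.get("status") or "").lower()
        if op in RISKY_OPERATIONS and status == "succeeded" and is_user_caller(r.get("caller")):
            by_caller[r["caller"].lower()].append(r)
    findings = []
    for caller, events in by_caller.items():
        events.sort(key=_when)
        for i, first in enumerate(events):
            end = _when(first) + timedelta(hours=window_hours)
            window = [e for e in events[i:] if _when(e) <= end]
            stages = {}
            for e in window:
                stage, weight = RISKY_OPERATIONS[e["operationName"].lower()]
                stages[stage] = weight  # each stage counted once
            if len(stages) >= min_stages:
                findings.append({
                    "caller": caller,
                    "stages": sorted(stages),
                    "score": sum(stages.values()),
                    "resources": sorted({e["resourceId"] for e in window}),
                    "from": first["eventTimestamp"],
                    "to": window[-1]["eventTimestamp"],
                })
                break
    return findings


RG = "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/prod/providers"


def _rec(ts, op, caller, resource, status="Succeeded"):
    """Build one constructed Activity Log record."""
    return {"eventTimestamp": ts, "operationName": op, "caller": caller,
            "resourceId": f"{RG}/{resource}", "status": status}


JDOE, SP, OPS = "jdoe@contoso.example", "3f2a9c1e-7b44-4d0a-9c1f-2b7e5a6d8e90", "ops@contoso.example"
# Constructed sample: one compromised admin walking the whole chain, a
# deployment service principal doing its usual key reads, one routine edit.
SAMPLE_ACTIVITY_RECORDS = [
    _rec("2026-04-02T09:00:00Z", "Microsoft.Web/sites/publishxml/action", JDOE, "Microsoft.Web/sites/aux-api"),
    _rec("2026-04-02T09:04:00Z", "Microsoft.KeyVault/vaults/accessPolicies/write", JDOE, "Microsoft.KeyVault/vaults/kv-prod"),
    _rec("2026-04-02T09:12:00Z", "Microsoft.Sql/servers/firewallRules/write", JDOE, "Microsoft.Sql/servers/sql-prod/firewallRules/AllowAll"),
    _rec("2026-04-02T09:20:00Z", "Microsoft.Storage/storageAccounts/listKeys/action", JDOE, "Microsoft.Storage/storageAccounts/stprodblobs"),
    _rec("2026-04-02T09:31:00Z", "Microsoft.Compute/virtualMachines/extensions/write", JDOE, "Microsoft.Compute/virtualMachines/vm-web01/extensions/enablevmaccess"),
    _rec("2026-04-02T09:40:00Z", "Microsoft.Compute/virtualMachines/runCommand/action", JDOE, "Microsoft.Compute/virtualMachines/vm-web01", "Started"),
    _rec("2026-04-02T09:40:30Z", "Microsoft.Compute/virtualMachines/runCommand/action", JDOE, "Microsoft.Compute/virtualMachines/vm-web01"),
    _rec("2026-04-02T09:05:00Z", "Microsoft.Storage/storageAccounts/listKeys/action", SP, "Microsoft.Storage/storageAccounts/stprodblobs"),
    _rec("2026-04-02T10:05:00Z", "Microsoft.Storage/storageAccounts/listKeys/action", SP, "Microsoft.Storage/storageAccounts/stprodblobs"),
    _rec("2026-04-02T11:00:00Z", "Microsoft.Storage/storageAccounts/write", OPS, "Microsoft.Storage/storageAccounts/stprodblobs"),
]

if __name__ == "__main__":
    for f in score_activity_log(SAMPLE_ACTIVITY_RECORDS):
        print(f["caller"], f["score"], f["stages"], f["from"], "->", f["to"])
```

Only jdoe is reported, with all six stages inside forty minutes. The service principal's key reads are excluded by design because automation legitimately calls listKeys on a schedule; if that exclusion is too generous for an environment, drop is_user_caller and instead baseline each principal's normal operations.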

Recommendations

Enforce phishing-resistant MFA for privileged accounts. Require FIDO2 security keys or certificate-based authentication for all administrators, IT staff and senior leadership, so that an approval-style prompt approved under social engineering cannot complete an SSPR reset. This is the single most effective defense against the campaign's initial access method.

Pre-register MFA for all privileged users. Make sure every account holding a privileged role already has strong methods registered before any reset event, and require a fresh, strong authentication for the "Register security information" user action in Conditional Access, so an attacker who has just reset a password cannot immediately enroll their own Authenticator. Alert on any deletion of security info followed by a new registration on a privileged account.

Apply least privilege in Azure RBAC to bound the blast radius of a compromised account. Audit and reduce the scope of custom Azure RBAC roles across all subscriptions, and ensure no single user account holds Owner or similarly broad rights over Key Vaults, Storage accounts, SQL servers and App Services at the same time; use Privileged Identity Management for just-in-time elevation rather than standing assignments. This limits the actor's ability to escalate and move laterally once one identity falls.

Harden Azure Key Vault. Restrict public network access with private endpoints, enable purge protection, retain Key Vault logs for at least one year, audit RBAC role assignments regularly, and use Azure RBAC instead of vault access policies: with the RBAC permission model a single accessPolicies write can no longer grant an attacker every secret in the vault. Alert on changes to the permission model or access policies.

Secure Azure Storage and SQL configurations. Enforce private endpoints for Storage accounts, disable anonymous blob access, disable shared-key (account key and SAS) authorization where workloads can use Entra ID instead, use Azure Policy to deny public-access configurations, and restrict SQL server firewall rules to known trusted IP ranges with alerting on any rule change. This removes the public-access and key-harvesting path the actor used to pull blob data.
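The three recommendations above on RBAC scope, Key Vault and Storage/SQL hardening can be checked mechanically against exported resource definitions. The checker below is an added example and not part of the advisory or of any Microsoft tooling. It assumes input in the JSON shape that `az resource show` and Azure Resource Graph return (id, type, properties, using the ARM property names), uses the built-in Owner role definition id, and the Contoso resources are constructed for the demonstration.

```python
"""Flag Azure configurations the campaign abused: Key Vaults on access
policies or reachable publicly, Storage accounts with anonymous blob or
public network access and shared-key auth, SQL firewall rules open to the
whole internet, and Owner granted to a user at subscription scope or above.
Input: resources in the shape of `az resource show` (assumption: id, type
and the ARM properties used below).
"""
import re

OWNER_ROLE_ID = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"  # built-in Owner role definition
BROAD_SCOPE_RE = re.compile(
    r"^(/|/subscriptions/[^/]+|/providers/Microsoft\.Management/managementGroups/[^/]+)$", re.I)


def _props(r):
    return r.get("properties") or {}


def _publicly_reachable(p):
    """True unless publicNetworkAccess is Disabled or the network ACL
    default action is Deny."""
    if str(p.get("publicNetworkAccess", "Enabled")).lower() == "disabled":
        return False
    return str((p.get("networkAcls") or {}).get("defaultAction", "Allow")).lower() != "deny"


def check_key_vault(r):
    p, out = _props(r), []
    if not p.get("enableRbacAuthorization"):
        out.append("uses vault access policies; switch to Azure RBAC")
    if _publicly_reachable(p):
        out.append("reachable from public networks; restrict to private endpoints")
    if not p.get("enablePurgeProtection"):
        out.append("purge protection disabled")
    return out


def check_storage(r):
    p, out = _props(r), []
    if p.get("allowBlobPublicAccess"):
        out.append("anonymous blob access allowed")
    if _publicly_reachable(p):
        out.append("reachable from public networks; restrict to private endpoints")
    if p.get("allowSharedKeyAccess", True):
        out.append("account-key/SAS authorization enabled; prefer Entra ID auth")
    return out


def check_sql_server(r):
    p = _props(r)
    public = str(p.get("publicNetworkAccess", "Enabled")).lower() != "disabled"
    return ["public network access enabled"] if public else []


def check_sql_firewall_rule(r):
    p = _props(r)
    if p.get("startIpAddress") == "0.0.0.0" and p.get("endIpAddress") == "255.255.255.255":
        return ["firewall rule allows every public IP address"]
    return []


def check_role_assignment(r):
    p = _props(r)
    role_id = str(p.get("roleDefinitionId", "")).rsplit("/", 1)[-1].lower()
    if role_id == OWNER_ROLE_ID and p.get("principalType") == "User" and BROAD_SCOPE_RE.match(p.get("scope", "")):
        return ["Owner granted to a user at subscription scope or above"]
    return []


CHECKS = {
    "microsoft.keyvault/vaults": check_key_vault,
    "microsoft.storage/storageaccounts": check_storage,
    "microsoft.sql/servers": check_sql_server,
    "microsoft.sql/servers/firewallrules": check_sql_firewall_rule,
    "microsoft.authorization/roleassignments": check_role_assignment,
}


def audit_resources(resources):
    """Return (resourceId, finding) pairs for every resource that fails a check."""
    findings = []
    for r in resources:
        check = CHECKS.get(str(r.get("type", "")).lower())
        for msg in (check(r) if check else []):
            findings.append((r["id"], msg))
    return findings


SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
RG = f"{SUB}/resourceGroups/prod/providers"
# Constructed sample: one exposed and one hardened instance of each service.
SAMPLE_RESOURCES = [
    {"id": f"{RG}/Microsoft.KeyVault/vaults/kv-prod", "type": "Microsoft.KeyVault/vaults",
     "properties": {"enableRbacAuthorization": False, "publicNetworkAccess": "Enabled", "enablePurgeProtection": False}},
    {"id": f"{RG}/Microsoft.KeyVault/vaults/kv-hardened", "type": "Microsoft.KeyVault/vaults",
     "properties": {"enableRbacAuthorization": True, "publicNetworkAccess": "Disabled", "enablePurgeProtection": True}},
    {"id": f"{RG}/Microsoft.Storage/storageAccounts/stprodblobs", "type": "Microsoft.Storage/storageAccounts",
     "properties": {"allowBlobPublicAccess": True, "publicNetworkAccess": "Enabled", "allowSharedKeyAccess": True}},
    {"id": f"{RG}/Microsoft.Storage/storageAccounts/stprodlocked", "type": "Microsoft.Storage/storageAccounts",
     "properties": {"allowBlobPublicAccess": False, "networkAcls": {"defaultAction": "Deny"}, "allowSharedKeyAccess": False}},
    {"id": f"{RG}/Microsoft.Sql/servers/sql-prod/firewallRules/AllowAll", "type": "Microsoft.Sql/servers/firewallRules",
     "properties": {"startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"}},
    {"id": f"{SUB}/providers/Microsoft.Authorization/roleAssignments/aaaaaaaa-0000-0000-0000-000000000002",
     "type": "Microsoft.Authorization/roleAssignments",
     "properties": {"principalType": "User", "scope": SUB,
                    "roleDefinitionId": f"{SUB}/providers/Microsoft.Authorization/roleDefinitions/{OWNER_ROLE_ID}"}},
]

if __name__ == "__main__":
    for rid, msg in audit_resources(SAMPLE_RESOURCES):
        print(f"{rid.rsplit('/', 1)[-1]}: {msg}")
```

The hardened vault and locked-down storage account produce no findings; the exposed vault, the public storage account, the open SQL firewall rule and the subscription-wide Owner assignment produce eight between them. Run the same checks as Azure Policy deny assignments once the existing estate is clean so the configurations cannot drift back.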

Enable tamper protection on endpoints. Keep Microsoft Defender Antivirus tamper protection on across all endpoints and VMs so that a local administrator created through VMAccess or Run Command cannot simply switch off real-time protection and behavior monitoring, as the actor did before installing ScreenConnect. Treat any new local administrator account or remote access tool appearing on a server as an incident, not a change request.

MITRE ATT&CK TTPs

The Storm-2949 campaign employs numerous MITRE ATT&CK tactics and techniques across the attack lifecycle. For Initial Access, Storm-2949 uses Valid Accounts (T1078), specifically Cloud Accounts (T1078.004), and Phishing (T1566), specifically Spearphishing via Service (T1566.003), to compromise Microsoft 365 and Azure accounts. Under Execution, Storm-2949 leverages Command and Scripting Interpreter (T1059), including PowerShell (T1059.001) and Python (T1059.006), to execute malicious code.

For Persistence, Storm-2949 employs Account Manipulation (T1098), specifically Device Registration (T1098.005), by enrolling attacker-controlled MFA devices. Defense Evasion tactics include Impair Defenses (T1562) through Disable or Modify Tools (T1562.001), Indicator Removal (T1070) via Clear Windows Event Logs (T1070.001), and Masquerading (T1036) through Masquerade Task or Service (T1036.004).

For Collection, Storm-2949 uses Data from Cloud Storage (T1530) to gather files from OneDrive, SharePoint and Azure Storage. Discovery tactics include Account Discovery (T1087), specifically Cloud Account (T1087.004), and Cloud Infrastructure Discovery (T1580) to map the victim environment. For Credential Access, Storm-2949 employs Steal Application Access Token (T1528), covering the managed identity tokens taken via IMDS, and Unsecured Credentials (T1552), specifically Credentials In Files (T1552.001), covering publishing profiles and Key Vault secrets.

Lateral Movement uses Remote Services (T1021), specifically Cloud Services (T1021.007), to move across the cloud environment. Command and Control is established through Remote Access Software (T1219), in this case ScreenConnect. Finally, Exfiltration occurs through Exfiltration Over Web Service (T1567), the data leaving through the same Microsoft 365 and Azure APIs the actor used to collect it.

Indicators of Compromise (IoCs)

Three IPv4 addresses have been identified as indicators of compromise for this campaign: 176.123.4.44, 91.208.197.87 and 185.241.208.243. These are source addresses of attacker activity, so the relevant hunt is inbound: search Entra ID sign-in logs, the Azure Activity Log and Microsoft 365 audit logs for these IPs, block them in Conditional Access named locations and perimeter controls, and treat any account that authenticated from them as compromised until proven otherwise.

References

https://www.microsoft.com/en-us/security/blog/2026/05/18/storm-2949-turned-compromised-identity-into-cloud-wide-breach/
