How Storm-2949 turned a compromised identity into a cloud-wide breach

Storm-2949 turned stolen credentials into a cloud-wide breach, moving from identity compromise to large-scale data theft without using malware. This incident shows how threat actors can exploit trusted systems to operate undetected. The post How Storm-2949 turned a compromised identity into a cloud-wide breach appeared first on Microsoft Security Blog .

In this article Attack chain overview Cloud compromise: Microsoft Entra ID and Microsoft 365 Initial access and persistence through targeted social engineering and SSPR abuse Directory discovery and persistence Microsoft 365 discovery and exfiltration Cloud compromise: Microsoft Azure Azure App Service and Key Vault compromise Azure Storage and SQL data exfiltration Azure Virtual Machines compromise ScreenConnect installation and defense evasion Post-compromise activity using ScreenConnect Mitigation and protection guidance Ensure adequate security coverage across attack surfaces Security hardening and best practices General hygiene recommendations Indicators of compromise (IOCs) Microsoft Defender XDR detections Learn more Microsoft Threat Intelligence recently uncovered a methodical, sophisticated, and multi-layered attack, where a threat actor we track as Storm-2949 launched a relentless campaign with a singular focus: to exfiltrate as much sensitive data from a target organization’s high-value assets as possible.

The attack exfiltrated data from Microsoft 365 applications, file-hosting services, and Azure-hosted production environments, where the organization’s production application ecosystem resides. What began as a targeted identity compromise rapidly evolved into a full-spectrum assault on the organization’s cloud infrastructure. The attack spanned various Azure resources, with emphasis on software-as-a-service (SaaS), platform-as-a-service (PaaS), and infrastructure-as-a-service (IaaS) layers. Storm-2949 didn’t rely on traditional malware and other on-premises tactics, techniques, and procedures (TTPs).

Instead, they leveraged legitimate cloud and Azure management features to gain control-plane and data-plane access, which they then used to execute code remotely on VMs, and access sensitive cloud resources such as Key Vaults and storage accounts, among others. These activities allowed them to move laterally across cloud and endpoint environments while blending into expected administrative behavior. As organizations continue to adopt cloud infrastructure at scale, threat actors are increasingly targeting identity and control plane access rather than individual devices.

When cloud identities are compromised, legitimate administrative features can be used to achieve outcomes similar to traditional lateral movement, often with fewer indicators of compromise. Behavior-based detections across endpoints, cloud environments, and identities—such as those provided by Microsoft Defender—can help teams identify and correlate these activities. In this blog, we unpack the full attack chain from initial access to cloud and endpoint takeover. We then offer actionable insights into how organizations can detect, contain, and prevent similar identity-driven threats in their environments.

Attack chain overview The campaign that Storm-2949 deployed can be divided into two phases: targeted identity compromise and cloud infrastructure compromise.