Security News

Cybersecurity news aggregator

HIGH Attacks SC Media

Storm-2949 actor targets Microsoft 365 and Azure environments

The threat actor Storm-2949 targets Microsoft 365 and Azure environments by using social engineering to compromise privileged user credentials, then abuses features like Self-Service Password Reset (SSPR) and MFA enrollment to gain persistent access. The actor subsequently leverages Microsoft Graph API and custom scripts to enumerate resources, exfiltrate data from services like OneDrive and SharePoint, and compromise Azure assets including VMs, Key Vaults, and SQL servers. Microsoft recommends implementing least-privilege access, enforcing MFA, and following cloud security best practices as defensive measures.

Threat Intelligence | Storm-2949 actor targets Microsoft 365 and Azure environments | May 20, 2026 | By SC Staff

A threat actor, tracked as Storm-2949, is actively targeting Microsoft 365 and Azure production environments by abusing legitimate applications and administration features to steal sensitive data. The actor's primary objective is to exfiltrate as much data as possible from high-value assets within victim organizations. This sophisticated attack leverages social engineering and exploits identity and access management features, as reported by Bleeping Computer.

Storm-2949 initiates attacks by targeting users with privileged roles, such as IT personnel or senior leadership, using social engineering tactics to obtain their Microsoft Entra ID credentials. The actor abuses the Self-Service Password Reset (SSPR) flow, tricking victims into approving multi-factor authentication (MFA) prompts by posing as IT support. After resetting the password and removing MFA controls, the attacker enrolls Microsoft Authenticator on their device.

Subsequently, Storm-2949 uses the Microsoft Graph API and custom Python scripts to enumerate users, roles, and applications, and to identify persistence opportunities. The actor then accesses OneDrive and SharePoint to search for sensitive IT operational files and VPN configurations, facilitating lateral movement.

The attack expands to Azure infrastructure, including virtual machines, storage accounts, and key vaults, where privileged Azure role-based access control (RBAC) roles are compromised to extract sensitive assets. The actor deploys tools like FTP, Web Deploy, and the Kudu console to access file systems and execute commands, and targets Azure Key Vaults to steal secrets and connection strings. Azure SQL servers and storage accounts are also compromised, with firewall rules modified and storage keys exfiltrated.

Finally, the actor uses Azure VM management features to create rogue administrator accounts and attempts to disable Microsoft Defender protections. Microsoft recommends adopting the principle of least privilege, enabling MFA, and implementing robust cloud security best practices to defend against these attacks.

Source: Bleeping Computer
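The identity-side sequence described above (self-service password reset, MFA controls removed, a new Authenticator enrolled on the attacker's device) is detectable from tenant audit logs. The following is an added example, not code from SC Media, Bleeping Computer or Microsoft: it correlates those three steps per account inside a time window. The event schema and the operation names are assumptions constructed for the example, not the real Microsoft Entra audit export format, and the log lines are constructed sample data.

```python
"""Correlate SSPR -> MFA-removal -> MFA-enrollment per account.

Assumed, simplified event schema (constructed for this example; it is not
the real Microsoft Entra audit log export). The operation-name constants are
hypothetical and must be mapped to the categories your tenant actually emits.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical operation names (assumption, not real Entra identifiers).
OP_SSPR_RESET = "Reset password (self-service)"
OP_MFA_REMOVED = "User deleted security info"
OP_MFA_ENROLLED = "User registered security info"


@dataclass(frozen=True)
class AuditEvent:
    time: datetime
    user: str
    operation: str
    detail: str = ""


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample log (not real data).
SAMPLE_EVENTS = [
    AuditEvent(_ts("2026-05-18T09:00:00"), "alice@example.com", OP_SSPR_RESET),
    AuditEvent(_ts("2026-05-18T09:05:00"), "alice@example.com", OP_MFA_REMOVED, "Authenticator App"),
    AuditEvent(_ts("2026-05-18T09:07:00"), "alice@example.com", OP_MFA_ENROLLED, "Authenticator App"),
    # A lone reset: ordinary helpdesk traffic, should not fire.
    AuditEvent(_ts("2026-05-18T10:00:00"), "bob@example.com", OP_SSPR_RESET),
    # Enrollment without a preceding reset: normal onboarding, should not fire.
    AuditEvent(_ts("2026-05-18T11:00:00"), "carol@example.com", OP_MFA_ENROLLED, "Authenticator App"),
    # Reset followed by enrollment hours later: outside a 1h window.
    AuditEvent(_ts("2026-05-18T12:00:00"), "dave@example.com", OP_SSPR_RESET),
    AuditEvent(_ts("2026-05-18T15:30:00"), "dave@example.com", OP_MFA_ENROLLED, "Authenticator App"),
]


def find_sspr_takeover_candidates(events, window=timedelta(hours=1)):
    """Return one finding per self-service reset that is followed, within
    `window`, by a security-info change on the same account.

    A reset alone is routine; a reset quickly followed by MFA removal and
    re-enrollment is the sequence the article describes and deserves review.
    """
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev.user].append(ev)

    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.time)
        for i, ev in enumerate(evs):
            if ev.operation != OP_SSPR_RESET:
                continue
            deadline = ev.time + window
            follow_ups = [
                e for e in evs[i + 1:]
                if e.time <= deadline
                and e.operation in (OP_MFA_REMOVED, OP_MFA_ENROLLED)
            ]
            if not follow_ups:
                continue
            removed = any(e.operation == OP_MFA_REMOVED for e in follow_ups)
            enrolled = any(e.operation == OP_MFA_ENROLLED for e in follow_ups)
            findings.append({
                "user": user,
                "reset_at": ev.time,
                "mfa_removed": removed,
                "mfa_enrolled": enrolled,
                # Removal plus re-enrollment matches the full SSPR-abuse chain.
                "severity": "high" if removed and enrolled else "medium",
            })
    return findings


if __name__ == "__main__":
    for finding in find_sspr_takeover_candidates(SAMPLE_EVENTS):
        print(finding)
```

The window is a tuning knob: one hour catches the tight sequence in the sample, while a wider window also surfaces slower variants at the cost of more helpdesk noise. In a real tenant the same correlation would be fed from the audit log export and enriched with the sign-in IP and device of the enrollment event, which this simplified schema omits.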
