HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Threat Actor Storm‑2949 Leverages Stolen Credentials for Cloud‑Wide Data Theft Across Azure Tenants

Storm‑2949 compromised legitimate Azure AD accounts and pivoted across multiple cloud tenants, stealing emails, documents, and configuration data without deploying malware. The technique highlights the need for robust credential protection and zero‑trust controls in third‑party risk programs.

LiveThreat™ Intelligence · 📅 May 19, 2026· 📰 microsoft.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
4 recommended
📰
Source
microsoft.com

Threat Actor Storm‑2949 Leverages Stolen Credentials for Cloud‑Wide Data Theft Across Azure Tenants

What Happened — Storm‑2949 compromised legitimate user credentials and used them to pivot across multiple Azure services, exfiltrating data from dozens of tenant environments without deploying malware. The campaign demonstrates how a single identity breach can evolve into a multi‑tenant cloud breach.

Why It Matters for TPRM

  • Credential‑based attacks bypass many traditional perimeter controls, exposing downstream vendors.
  • Cloud‑wide lateral movement can affect numerous third‑party customers of a single SaaS provider.
  • Absence of malware makes detection harder, increasing the risk of prolonged exposure.

Who Is Affected — Cloud service providers (especially Microsoft Azure), SaaS vendors, and any organization that relies on Azure AD for identity management.

Recommended Actions — Review and tighten privileged access management, enforce MFA for all privileged accounts, implement continuous credential‑anomaly monitoring, and validate that third‑party vendors enforce zero‑trust principles.

Technical Notes — Attack vector: stolen credentials (likely obtained via phishing or credential dumping). No known CVE; the threat leveraged legitimate API calls and Azure RBAC mis‑use. Data types exfiltrated included emails, documents, and configuration files. Source: Microsoft Security Blog

📰 Original Source
https://www.microsoft.com/en-us/security/blog/2026/05/18/storm-2949-turned-compromised-identity-into-cloud-wide-breach/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Could you prove your access controls held up here?

Credential and access failures map directly to SOC 2 access-control criteria. The Verisq AI Trust Operations platform shows where your evidence is thin before an auditor — or an attacker — finds out.

Explore the Verisq AI Trust Operations platform →