Threat Actor Storm‑2949 Exploits Microsoft SSPR to Steal Azure and Microsoft 365 Data
What Happened – A credential‑stealing campaign (tracked as Storm‑2949) leveraged Microsoft’s Self‑Service Password Reset (SSPR) flow to hijack privileged accounts in Microsoft 365 and Azure. The attackers used social‑engineering to obtain MFA approval, reset passwords, and then exfiltrated files from OneDrive, SharePoint, and a range of Azure services.
Why It Matters for TPRM –
- Credential‑based attacks bypass traditional perimeter controls and can compromise multiple SaaS and cloud services.
- Data exfiltration from both productivity and infrastructure layers expands the attack surface of any third‑party relying on Microsoft 365/Azure.
- Abuse of native admin features (SSPR, Azure RBAC) demonstrates the need for strict privileged‑access governance across cloud providers.
Who Is Affected – Cloud‑service users (technology/SaaS), enterprises with Microsoft 365 or Azure subscriptions, and any organization that delegates privileged roles to external or internal staff.
Recommended Actions –
- Review all SSPR configurations and enforce conditional access policies that block password‑reset requests from high‑risk locations.
- Enforce MFA for privileged accounts with hardware‑based tokens and monitor MFA approval events for anomalies.
- Conduct a privileged‑access audit of Azure RBAC roles; remove unnecessary custom roles and enforce least‑privilege.
- Deploy UEBA or SIEM alerts for bulk file downloads from OneDrive/SharePoint and for unusual Graph API activity.
Technical Notes – The actor used phishing‑style social engineering to obtain Entra ID credentials, then abused the SSPR flow to reset passwords and enroll their own authenticator. Post‑compromise, they leveraged Microsoft Graph API and custom Python scripts to enumerate users, roles, and service principals, and harvested data from OneDrive, SharePoint, Azure VMs, Storage Accounts, Key Vaults, App Services, and SQL databases. No specific CVE was cited; the attack hinges on legitimate administrative features. Source: BleepingComputer