HomeIntelligenceBrief
BREACH BRIEF🟠 High Breach

Threat Actor Storm‑2949 Exploits Microsoft SSPR to Steal Azure and Microsoft 365 Data

A credential‑stealing campaign (Storm‑2949) abused Microsoft’s Self‑Service Password Reset to hijack privileged accounts, then exfiltrated files from OneDrive, SharePoint, and Azure services. Organizations using Microsoft 365 or Azure should reassess SSPR policies and privileged‑access controls.

LiveThreat™ Intelligence · 📅 May 20, 2026· 📰 bleepingcomputer.com
🟠
Severity
High
BR
Type
Breach
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
4 recommended
📰
Source
bleepingcomputer.com

Threat Actor Storm‑2949 Exploits Microsoft SSPR to Steal Azure and Microsoft 365 Data

What Happened – A credential‑stealing campaign (tracked as Storm‑2949) leveraged Microsoft’s Self‑Service Password Reset (SSPR) flow to hijack privileged accounts in Microsoft 365 and Azure. The attackers used social‑engineering to obtain MFA approval, reset passwords, and then exfiltrated files from OneDrive, SharePoint, and a range of Azure services.

Why It Matters for TPRM

  • Credential‑based attacks bypass traditional perimeter controls and can compromise multiple SaaS and cloud services.
  • Data exfiltration from both productivity and infrastructure layers expands the attack surface of any third‑party relying on Microsoft 365/Azure.
  • Abuse of native admin features (SSPR, Azure RBAC) demonstrates the need for strict privileged‑access governance across cloud providers.

Who Is Affected – Cloud‑service users (technology/SaaS), enterprises with Microsoft 365 or Azure subscriptions, and any organization that delegates privileged roles to external or internal staff.

Recommended Actions

  • Review all SSPR configurations and enforce conditional access policies that block password‑reset requests from high‑risk locations.
  • Enforce MFA for privileged accounts with hardware‑based tokens and monitor MFA approval events for anomalies.
  • Conduct a privileged‑access audit of Azure RBAC roles; remove unnecessary custom roles and enforce least‑privilege.
  • Deploy UEBA or SIEM alerts for bulk file downloads from OneDrive/SharePoint and for unusual Graph API activity.

Technical Notes – The actor used phishing‑style social engineering to obtain Entra ID credentials, then abused the SSPR flow to reset passwords and enroll their own authenticator. Post‑compromise, they leveraged Microsoft Graph API and custom Python scripts to enumerate users, roles, and service principals, and harvested data from OneDrive, SharePoint, Azure VMs, Storage Accounts, Key Vaults, App Services, and SQL databases. No specific CVE was cited; the attack hinges on legitimate administrative features. Source: BleepingComputer

📰 Original Source
https://www.bleepingcomputer.com/news/security/microsoft-self-service-password-reset-abused-in-azure-data-theft-attacks/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · PrivacyOps · CookiePLUS

Data exposure is where consent and DSAR readiness get tested.

When personal data leaks, regulators ask what consent you held and how fast you can answer a subject request. The Verisq AI Trust Operations platform, with CookiePLUS, keeps that posture audit-ready under GDPR and CCPA.

Explore the Verisq AI Trust Operations platform →