Storm-2949 is a threat actor with little public track record beyond this campaign, in which it turned a single compromised identity into a breach spanning an organization's entire Azure environment. The intrusion moved from one Microsoft 365 account into production infrastructure across Key Vault, Storage, SQL, App Service and virtual machines, relying on nothing but Azure's own management-plane operations and a legitimate remote-access tool rather than any custom malware, and repeating the same identity-to-infrastructure playbook across every account it managed to compromise.
Initial access came through social engineering consistent with abuse of Microsoft's Self-Service Password Reset (SSPR) process, with the actor impersonating internal IT support to trick targeted users, including senior leadership and privileged role holders, into completing fraudulent MFA prompts during a password reset flow. Once a password was reset, the actor enrolled its own device in Microsoft Authenticator and stripped the legitimate user's existing authentication methods to lock in exclusive control of the account, then used the compromised identity's privileged custom RBAC roles to move from Microsoft 365 into the associated Azure subscriptions, running a custom Python script against the Microsoft Graph API to enumerate users and applications by name pattern and role.
From there the actor abused a chain of Azure management-plane operations rather than exploiting any vulnerability: it retrieved App Service publishing profiles to reach FTP, Web Deploy and Kudu credentials, listed storage account keys across multiple accounts to obtain Shared Key access, manipulated Key Vault access policies to pull secrets including database connection strings, and rewrote SQL server firewall rules to connect directly with stolen credentials before deleting the rule changes to cover its tracks. To reach the endpoint layer without ever holding operating-system credentials, the actor used its existing Azure permissions to invoke the VM Run Command feature, pushing a PowerShell script that installed the ScreenConnect remote monitoring tool, renamed to resemble a legitimate Windows component, and separately used the VMAccess extension to attempt adding a local administrator account as a backup path onto the machine. From that foothold it harvested credentials, disabled Defender's real-time protection, and cleared Windows event logs, while its cloud collection culminated in bulk downloads from OneDrive and SharePoint and programmatic enumeration and download of Azure Storage blobs, repeating the same theft pattern across every compromised account.
IOCs (3)
Scan your environment for IOCs →IP ADDRESS 3
176.123.4.4491.208.197.87185.241.208.243Detections (10)
Enable detections →Connect your environment for suggestions and queries personalized to your security telemetry.
- Azure Storage Account Keys Listed Across Multiple Accounts
- Security Event Log Cleared
- Microsoft Graph API Tenant Enumeration Burst
- Bulk SharePoint File Download by Single User
- Entra ID Authentication Methods Deleted Immediately After Password Reset
- Azure App Service Publish Profile Retrieved Then Kudu Console Accessed
- Azure VM Run Command Used to Install a Renamed Remote Access Tool
- Azure Key Vault Mass Secret Retrieval in a Short Window
- Azure SQL Firewall Rule Opened, Used to Connect, Then Deleted