Storm-2949 attack diagram | Image: Microsoft
A sophisticated new threat actor is forcing corporate security leaders to re-evaluate their entire relationship with cloud architecture perimeters.
In a technical report published by Microsoft Threat Intelligence, researchers exposed a methodical, multi-layered campaign orchestrated by an adversary tracked as Storm-2949. Abandoning traditional endpoint-first infection vectors, the group executed an intensive operation focused entirely on cloud control planes.
By exploiting the human element at the identity layer, Storm-2949 successfully hijacked enterprise administrative infrastructure to compromise Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS) boundaries alike.
As the Microsoft Threat Intelligence team details in the warning:
“Storm-2949 didn’t rely on traditional malware and other on-premises tactics, techniques, and procedures (TTPs). Instead, they leveraged legitimate cloud and Azure management features to gain control-plane and data-plane access…”
The campaign began with targeted social engineering aimed squarely at high-value corporate targets, including senior leadership and internal information technology (IT) personnel.
To bypass multi-factor authentication (MFA) controls, Storm-2949 turned the organization’s own account recovery tools into an entry point. Posing as corporate help-desk representatives, the attackers initiated Microsoft’s Self-Service Password Reset (SSPR) mechanism on behalf of target employees, tricking them into approving incoming automated verification prompts.
Once authorized, the threat actor dismantled the victims’ existing security profiles, wiping out phone numbers, email backups, and legitimate Microsoft Authenticator bindings. To cement long-term survival, the group registered their own mobile devices under the hijacked accounts.
Microsoft records the deliberate intent behind this identity takeover:
“The selection of victims, which included IT personnel and senior leadership, indicated deliberate targeting. … [The threat actor] enrolled Microsoft Authenticator on their own device, granting themselves persistent access and preventing the legitimate user from signing in.”
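The identity takeover described above leaves a distinctive trail in the directory audit log: a self-service reset, then removal of the victim's phone and Authenticator bindings, then registration of a new Authenticator device, all within minutes. The following Python script is an added example, not code from Microsoft's report; it runs the check over a small set of constructed audit records whose field names and activity strings are a simplified, hypothetical approximation of Entra ID audit events rather than the real export schema.

```python
"""Flag the SSPR -> method-removal -> new-Authenticator sequence on one account.

Added example. The record shape (time, user, activity, detail) and the
activity strings are a constructed approximation of directory audit events,
not Microsoft's actual schema.
"""
from datetime import datetime, timedelta

# Constructed sample audit records (hypothetical users and timestamps).
SAMPLE_AUDIT = [
    {"time": "2025-01-10T09:00:05Z", "user": "cfo@example.com",
     "activity": "Reset password (self-service)"},
    {"time": "2025-01-10T09:02:40Z", "user": "cfo@example.com",
     "activity": "User deleted security info", "detail": "Phone"},
    {"time": "2025-01-10T09:03:01Z", "user": "cfo@example.com",
     "activity": "User deleted security info", "detail": "Microsoft Authenticator"},
    {"time": "2025-01-10T09:04:12Z", "user": "cfo@example.com",
     "activity": "User registered security info", "detail": "Microsoft Authenticator"},
    # Benign: a reset with no follow-on method changes.
    {"time": "2025-01-10T11:00:00Z", "user": "dev@example.com",
     "activity": "Reset password (self-service)"},
    # Benign: a new device registered with no preceding reset or removals.
    {"time": "2025-01-10T12:00:00Z", "user": "ops@example.com",
     "activity": "User registered security info", "detail": "Microsoft Authenticator"},
]

RESET = "Reset password (self-service)"
REMOVED = "User deleted security info"
REGISTERED = "User registered security info"
DEFAULT_WINDOW = timedelta(minutes=15)


def parse_time(value: str) -> datetime:
    """Parse the UTC 'Z' timestamp format used in the constructed records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_takeover_sequences(records, window=DEFAULT_WINDOW):
    """Return {user: summary} for accounts where, within `window` after a
    self-service reset, at least one strong method was removed AND a new
    method was registered. Either event alone is not flagged."""
    by_user = {}
    for rec in records:
        by_user.setdefault(rec["user"], []).append(rec)

    findings = {}
    for user, events in by_user.items():
        events.sort(key=lambda r: parse_time(r["time"]))
        for idx, reset in enumerate(events):
            if reset["activity"] != RESET:
                continue
            t0 = parse_time(reset["time"])
            later = [e for e in events[idx + 1:]
                     if parse_time(e["time"]) - t0 <= window]
            removed = [e.get("detail") for e in later if e["activity"] == REMOVED]
            registered = [e.get("detail") for e in later if e["activity"] == REGISTERED]
            if removed and registered:
                findings[user] = {"reset_at": reset["time"],
                                  "removed": removed, "registered": registered}
                break  # one finding per account is enough to raise an alert
    return findings


if __name__ == "__main__":
    for user, summary in find_takeover_sequences(SAMPLE_AUDIT).items():
        print(f"ALERT {user}: reset at {summary['reset_at']}, "
              f"removed {summary['removed']}, registered {summary['registered']}")
```

The check deliberately requires both a removal and a registration after the reset: a lone reset or a lone new device is routine help-desk activity, while the full sequence matches the lockout behaviour Microsoft describes. Tune the window to the organization's normal recovery turnaround.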
With initial access secured, the group deployed automated Python scripts leveraging Microsoft Graph API to programmatically enumerate the directory and target privileged custom Azure role-based access control (RBAC) structures. The group initially targeted SaaS data repositories, extracting thousands of critical files from OneDrive and SharePoint with a heavy emphasis on VPN and remote access documentation.
Armed with privileged custom RBAC credentials, Storm-2949 shifted its focus to the target organization’s live production Azure environment. Their primary objective was a high-value production Azure App Service web application containing sensitive corporate assets.
When network firewall gates blocked direct access to the main application, the group pivoted laterally across auxiliary web apps within the same ecosystem. They abused the microsoft.Web/sites/publishxml/action management-plane command to lift basic authentication publishing profiles, gaining access to underlying FTP, Web Deploy, and Kudu administrative consoles.
When these secondary environments failed to yield the target database assets, Storm-2949 recalibrated and launched an assault on the organization's Key Vault infrastructure. Microsoft captures the speed and severity of this escalation phase:
“Over the span of four minutes, the threat actor successfully manipulated Key Vault access configurations and accessed dozens of secrets within the said Key Vault. These secrets included database connection strings, identity credentials, and more…”
Using the database connection strings and identity credentials uncovered inside the Key Vault, the group successfully breached their primary target web application. To lock out administrators while they systematically drained corporate data, the attackers immediately overrode the application’s master password.
In tandem with the App Service compromise, the group utilized their high-level RBAC rights to systematically manipulate the network boundaries of core data stores. They issued microsoft.sql/servers/firewallrules/write commands to punch holes through the Azure SQL firewall, connecting directly to back-end databases to exfiltrate massive blocks of records. To evade downstream logging and erase their forensic footprint, the group deleted the modified firewall rules immediately after connection teardown.
The group applied the same technique to Azure Storage, utilizing microsoft.storage/storageaccounts/write to allow public blob access from actor-owned IP addresses. By abusing listkeys/action commands, they generated static Shared Access Signature (SAS) tokens to programmatically drain files via custom Python scripts over multiple days.
Finally, the threat actor targeted individual Azure Virtual Machines (VMs). They deployed the VMAccess extension to forcibly insert a backdoor local administrator account onto running servers, while using the Run Command function to push PowerShell scripts designed to strip out host-based telemetry. The script disabled Microsoft Defender real-time protection and behavior monitoring before installing a localized remote monitoring and management (RMM) tool, ScreenConnect, to harvest .pfx certificate files and search remote network file shares for cleartext password strings.
The operations of Storm-2949 demonstrate that when cloud identities are compromised, legitimate administrative features function as an unstoppable avenue for lateral movement.
To protect against similar identity-centric campaigns, organizations must heavily harden their access recovery vectors. Security teams should enforce strict conditional access policies, implement phishing-resistant MFA keys to permanently eliminate vulnerable push-notification dependencies, disable unneeded Azure VM management extensions, and deploy robust cross-domain behavioral analytics to catch and correlate anomalous administrative plane modifications before data exfiltration begins.
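The cross-domain analytics recommended above can start with the Azure Activity Log, where every management-plane operation the report names is recorded. The script below is an added example, not from Microsoft's report or any Microsoft tooling: it runs two checks over constructed, simplified activity-log records. The first flags the high-risk operations the report ties to Storm-2949; the second pairs an Azure SQL firewall-rule write with a delete of the same rule by the same caller shortly afterwards, the short-lived-rule pattern the report describes. The publishxml, SQL firewall write, and listkeys operation names come from the article; the firewall delete, VM extension, and Run Command operation names are assumptions about Azure's operation-name format, and the record shape (time, caller, operationName, resourceId) is a minimal approximation of the real schema.

```python
"""Two detections over Azure Activity Log style records.

Added example. Operation names marked 'assumed' follow the Azure
'Microsoft.Provider/resourceType/action' convention but are not quoted in
the article; the record shape is a constructed approximation.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Operations the report associates with Storm-2949, lowercased for
# case-insensitive matching (Azure logs mix cases in operationName).
HIGH_RISK_OPS = {
    "microsoft.web/sites/publishxml/action",               # publishing profile (FTP/Kudu creds)
    "microsoft.storage/storageaccounts/listkeys/action",   # account keys, used to mint SAS tokens
    "microsoft.compute/virtualmachines/extensions/write",  # e.g. VMAccess extension (assumed name)
    "microsoft.compute/virtualmachines/runcommand/action", # Run Command script push (assumed name)
}
FIREWALL_WRITE = "microsoft.sql/servers/firewallrules/write"
FIREWALL_DELETE = "microsoft.sql/servers/firewallrules/delete"  # assumed name
EPHEMERAL_WINDOW = timedelta(minutes=30)

SQL = "/subscriptions/sub-0/resourceGroups/rg-prod/providers/Microsoft.Sql/servers/prod-sql"
# Constructed sample records (hypothetical callers, subscription and resource names).
SAMPLE_ACTIVITY = [
    {"time": "2025-01-10T08:00:00Z", "caller": "admin@example.com",
     "operationName": "Microsoft.Web/sites/write",
     "resourceId": "/subscriptions/sub-0/resourceGroups/rg-prod/providers/Microsoft.Web/sites/main-app"},
    {"time": "2025-01-10T09:00:00Z", "caller": "admin@example.com",
     "operationName": "Microsoft.Sql/servers/firewallRules/write",
     "resourceId": SQL + "/firewallRules/OfficeRange"},          # benign: never deleted
    {"time": "2025-01-10T10:00:00Z", "caller": "cfo@example.com",
     "operationName": "Microsoft.Web/sites/publishxml/Action",
     "resourceId": "/subscriptions/sub-0/resourceGroups/rg-prod/providers/Microsoft.Web/sites/aux-app"},
    {"time": "2025-01-10T10:05:00Z", "caller": "cfo@example.com",
     "operationName": "Microsoft.Sql/servers/firewallRules/write",
     "resourceId": SQL + "/firewallRules/TempRule"},
    {"time": "2025-01-10T10:17:00Z", "caller": "cfo@example.com",
     "operationName": "Microsoft.Sql/servers/firewallRules/delete",
     "resourceId": SQL + "/firewallRules/TempRule"},             # rule lived 12 minutes
    {"time": "2025-01-10T10:20:00Z", "caller": "cfo@example.com",
     "operationName": "Microsoft.Storage/storageAccounts/listKeys/action",
     "resourceId": "/subscriptions/sub-0/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/prodfiles"},
    {"time": "2025-01-10T10:30:00Z", "caller": "cfo@example.com",
     "operationName": "Microsoft.Compute/virtualMachines/extensions/write",
     "resourceId": "/subscriptions/sub-0/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm01/extensions/VMAccess"},
]


def parse_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def flag_high_risk_ops(records):
    """Return the records whose operation is in HIGH_RISK_OPS."""
    return [r for r in records if r["operationName"].lower() in HIGH_RISK_OPS]


def flag_ephemeral_firewall_rules(records, window=EPHEMERAL_WINDOW):
    """Pair each firewall-rule delete with an earlier write of the same rule
    by the same caller inside `window`; returns one finding per pair."""
    writes = defaultdict(list)  # (caller, resourceId) -> [write times]
    findings = []
    for rec in sorted(records, key=lambda r: parse_time(r["time"])):
        op = rec["operationName"].lower()
        key = (rec["caller"], rec["resourceId"].lower())
        if op == FIREWALL_WRITE:
            writes[key].append(parse_time(rec["time"]))
        elif op == FIREWALL_DELETE:
            t_delete = parse_time(rec["time"])
            for t_write in writes.get(key, []):
                if timedelta(0) <= t_delete - t_write <= window:
                    findings.append({"caller": rec["caller"],
                                     "resource": rec["resourceId"],
                                     "lifetime_minutes": (t_delete - t_write).total_seconds() / 60})
                    break
    return findings


if __name__ == "__main__":
    for rec in flag_high_risk_ops(SAMPLE_ACTIVITY):
        print(f"HIGH-RISK {rec['time']} {rec['caller']} {rec['operationName']}")
    for f in flag_ephemeral_firewall_rules(SAMPLE_ACTIVITY):
        print(f"EPHEMERAL RULE {f['caller']} {f['resource']} lived {f['lifetime_minutes']:.0f} min")
```

The ephemeral-rule check matters because deleting the rule removes it from the resource's current state but not from the Activity Log; correlating write and delete on the same rule restores the window in which the database was reachable. In practice the output of both checks would be joined with the identity-layer findings (for example, whether the caller's account recently went through a self-service reset) before paging an analyst.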