
A single helpdesk phone call was all it took.
Microsoft's Threat Intelligence team has published a detailed breakdown of how a threat actor it tracks as Storm-2949 weaponized Microsoft's own Self-Service Password Reset (SSPR) feature — a routine IT tool — to trigger a sweeping breach across a victim organization's entire cloud environment, spanning Microsoft 365, Azure App Services, Key Vaults, SQL databases, and virtual machines.
The attack never used traditional malware. Instead, Storm-2949 impersonated IT support staff and called targeted employees, convincing them to approve what looked like routine multi-factor authentication (MFA) prompts.
The prompt was in fact the verification step of a password reset the attacker had already started against the victim's account. Once the victim tapped "Approve," the attacker completed the reset, removed the legitimate user's registered authentication methods, and enrolled an attacker-controlled device as the new trusted authenticator, leaving the real user locked out of their own account.
Using those hijacked accounts — which held privileged Azure role-based access control (RBAC) permissions — the attackers quietly mapped the organization's tenant using automated Microsoft Graph API queries, then began draining OneDrive and SharePoint, targeting VPN configurations and remote access documentation.
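The takeover chain above leaves a recognisable trail in the Entra ID audit log: the victim's security info is deleted, new security info is registered, and a self-service password reset lands on the same account within minutes. The following detector is an added example written for this article, not Microsoft's published hunting logic. It correlates those three audit activities per target user inside a 15-minute window; the events are constructed samples whose field names follow the Microsoft Graph `auditLogs/directoryAudits` schema, and the user names, IPs and timestamps are invented.

```python
"""Correlate Entra ID audit events into the SSPR account-takeover chain."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events for this example. Field names follow the Microsoft Graph
# auditLogs/directoryAudits schema; users, timestamps and IP addresses are invented.
SAMPLE_EVENTS = [
    # alice: methods wiped, attacker device enrolled, password reset, all within ~3 minutes
    {"activityDateTime": "2025-01-10T14:02:10Z", "activityDisplayName": "User deleted security info",
     "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example", "ipAddress": "198.51.100.7"}},
     "targetResources": [{"userPrincipalName": "alice@contoso.example"}]},
    {"activityDateTime": "2025-01-10T14:03:05Z", "activityDisplayName": "User registered security info",
     "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example", "ipAddress": "198.51.100.7"}},
     "targetResources": [{"userPrincipalName": "alice@contoso.example"}]},
    {"activityDateTime": "2025-01-10T14:04:40Z", "activityDisplayName": "Reset password (self-service)",
     "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example", "ipAddress": "198.51.100.7"}},
     "targetResources": [{"userPrincipalName": "alice@contoso.example"}]},
    # bob: ordinary new-phone enrollment, no deletion and no reset
    {"activityDateTime": "2025-01-10T14:10:00Z", "activityDisplayName": "User registered security info",
     "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example", "ipAddress": "203.0.113.25"}},
     "targetResources": [{"userPrincipalName": "bob@contoso.example"}]},
    # carol: removed an old method in the morning, registered a new one hours later
    {"activityDateTime": "2025-01-10T09:00:00Z", "activityDisplayName": "User deleted security info",
     "initiatedBy": {"user": {"userPrincipalName": "carol@contoso.example", "ipAddress": "203.0.113.40"}},
     "targetResources": [{"userPrincipalName": "carol@contoso.example"}]},
    {"activityDateTime": "2025-01-10T12:00:00Z", "activityDisplayName": "User registered security info",
     "initiatedBy": {"user": {"userPrincipalName": "carol@contoso.example", "ipAddress": "203.0.113.40"}},
     "targetResources": [{"userPrincipalName": "carol@contoso.example"}]},
    # unrelated directory change, ignored by the detector
    {"activityDateTime": "2025-01-10T14:05:00Z", "activityDisplayName": "Update user",
     "initiatedBy": {"app": {"displayName": "Directory Sync"}},
     "targetResources": [{"userPrincipalName": "alice@contoso.example"}]},
]

# Audit activities that make up the chain; every other activity is ignored.
CHAIN_STEPS = {
    "User deleted security info": "delete",
    "User registered security info": "register",
    "Reset password (self-service)": "reset",
}
WINDOW = timedelta(minutes=15)


def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def initiator_ip(event):
    user = (event.get("initiatedBy") or {}).get("user") or {}
    return user.get("ipAddress")


def steps_by_target(events):
    """Group chain-relevant events by the account they were performed on."""
    grouped = defaultdict(list)
    for event in events:
        step = CHAIN_STEPS.get(event.get("activityDisplayName"))
        if step is None:
            continue
        for target in event.get("targetResources") or []:
            upn = target.get("userPrincipalName")
            if upn:
                grouped[upn.lower()].append((parse_ts(event["activityDateTime"]), step, event))
    return grouped


def find_takeover_chains(events, window=WINDOW):
    """One finding per (user, deletion) where a method wipe is followed inside `window`
    by a new registration; a self-service reset in the same window raises severity."""
    findings = []
    for upn, steps in steps_by_target(events).items():
        steps.sort(key=lambda s: s[0])
        for i, (start, step, _) in enumerate(steps):
            if step != "delete":
                continue
            seen, ips = set(), set()
            for ts, later_step, event in steps[i:]:
                if ts - start > window:
                    break
                seen.add(later_step)
                if initiator_ip(event):
                    ips.add(initiator_ip(event))
            if {"delete", "register"} <= seen:
                findings.append({
                    "user": upn,
                    "start": start.isoformat(),
                    "steps": sorted(seen),
                    "severity": "high" if "reset" in seen else "medium",
                    "source_ips": sorted(ips),
                })
    return findings


if __name__ == "__main__":
    for f in find_takeover_chains(SAMPLE_EVENTS):
        print(f"{f['severity'].upper():6} {f['user']} at {f['start']} steps={f['steps']} ips={f['source_ips']}")
```

Only alice is reported: carol's deletion and registration are hours apart, and bob never deleted anything. A "medium" finding (wipe plus re-enrollment, no reset) is still noisy in a tenant where people replace phones, so the reset inside the same window is the signal worth paging on; comparing the source IPs against the user's usual sign-in locations is the obvious next enrichment.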
[Image: Storm-2949 attack diagram (source: Microsoft)]
That was just phase one.
According to Microsoft's Threat Intelligence, on the Azure side, Storm-2949 pivoted to App Service publishing profiles to harvest deployment credentials, then raided an Azure Key Vault in under four minutes, pulling database connection strings, identity credentials, and application secrets. Those secrets unlocked the crown jewel: the organization's primary production web application, whose password they changed to maintain control.
From there, they manipulated SQL firewall rules to extract database contents, abused Azure Storage account keys to exfiltrate blob data over multiple days using a custom Python script, and deployed ScreenConnect — a legitimate remote management tool — on virtual machines after disabling Microsoft Defender's real-time protection. Post-compromise activity included harvesting .pfx certificate files and scanning network shares for password strings.
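A Key Vault being emptied in under four minutes looks very different from an application fetching its connection string on every restart, and that difference is measurable in Key Vault's `AuditEvent` diagnostic logs. The detector below is an added example for this article, not Microsoft's own detection. It keeps a sliding window per caller and source IP and alerts when one caller reads five or more distinct secrets inside five minutes, noting whether a `SecretList` enumeration preceded the burst. The log records are constructed; field names (`operationName`, `callerIpAddress`, `identity.claim`, `properties.id`) follow the Key Vault diagnostic-log schema, while the vault name, identities and IPs are invented.

```python
"""Flag a burst of distinct secret reads from one Azure Key Vault caller."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import urlparse

VAULT = "https://kv-prod-001.vault.azure.net"          # invented vault name
VERSION = "0123456789abcdef0123456789abcdef"            # placeholder secret version


def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def kv_event(time, op, ip, secret=None, upn=None, appid=None):
    """Build a constructed Key Vault AuditEvent record for this example."""
    claim = {k: v for k, v in (("upn", upn), ("appid", appid)) if v}
    record = {"time": time, "operationName": op, "callerIpAddress": ip,
              "identity": {"claim": claim}, "properties": {}}
    if secret:
        record["properties"]["id"] = f"{VAULT}/secrets/{secret}/{VERSION}"
    return record


ATTACKER_IP = "198.51.100.7"
SAMPLE_KV_LOGS = (
    # compromised account lists the vault, then pulls six different secrets in ~3.5 minutes
    [kv_event("2025-01-10T15:00:05Z", "SecretList", ATTACKER_IP, upn="alice@contoso.example")]
    + [kv_event(t, "SecretGet", ATTACKER_IP, secret=s, upn="alice@contoso.example")
       for t, s in [("2025-01-10T15:00:12Z", "SqlConnString"),
                    ("2025-01-10T15:00:40Z", "StorageAccountKey"),
                    ("2025-01-10T15:01:15Z", "WebAppClientSecret"),
                    ("2025-01-10T15:02:03Z", "SpCertPassword"),
                    ("2025-01-10T15:02:50Z", "SmtpPassword"),
                    ("2025-01-10T15:03:30Z", "VpnPresharedKey")]]
    # production web app reading the same secret once a minute: many reads, one secret
    + [kv_event(f"2025-01-10T15:{m:02d}:00Z", "SecretGet", "10.20.0.4", secret="SqlConnString",
                appid="11111111-2222-3333-4444-555555555555") for m in range(10)]
    # an operator reading three secrets in a morning: below threshold
    + [kv_event(t, "SecretGet", "203.0.113.25", secret=s, upn="bob@contoso.example")
       for t, s in [("2025-01-10T09:10:00Z", "SmtpPassword"),
                    ("2025-01-10T09:11:00Z", "WebAppClientSecret"),
                    ("2025-01-10T09:12:00Z", "SpCertPassword")]]
)


def caller_of(record):
    claim = (record.get("identity") or {}).get("claim") or {}
    return claim.get("upn") or claim.get("appid") or "unknown"


def secret_name(secret_id):
    """https://<vault>/secrets/<name>/<version> -> <name>; anything else is returned as-is."""
    parts = urlparse(secret_id).path.strip("/").split("/")
    return parts[1] if len(parts) >= 2 and parts[0] == "secrets" else secret_id


def detect_secret_dump(records, window=timedelta(minutes=5), min_distinct=5):
    """Alert once per (caller, IP) whose SecretGet calls touch >= min_distinct distinct
    secrets inside a sliding window; record whether a SecretList preceded the burst."""
    recent = defaultdict(deque)   # (caller, ip) -> deque of (ts, secret name)
    last_list = {}                # (caller, ip) -> ts of most recent SecretList
    alerts, alerted = [], set()
    for rec in sorted(records, key=lambda r: parse_ts(r["time"])):
        key = (caller_of(rec), rec.get("callerIpAddress"))
        ts, op = parse_ts(rec["time"]), rec.get("operationName")
        if op == "SecretList":
            last_list[key] = ts
            continue
        if op != "SecretGet" or "id" not in rec.get("properties", {}):
            continue
        q = recent[key]
        q.append((ts, secret_name(rec["properties"]["id"])))
        while ts - q[0][0] > window:          # drop reads that fell out of the window
            q.popleft()
        distinct = {name for _, name in q}
        if len(distinct) >= min_distinct and key not in alerted:
            alerted.add(key)
            alerts.append({
                "caller": key[0], "ip": key[1],
                "distinct_secrets": len(distinct), "secrets": sorted(distinct),
                "first": q[0][0].isoformat(), "last": ts.isoformat(),
                "enumerated_first": key in last_list and ts - last_list[key] <= window,
            })
    return alerts


if __name__ == "__main__":
    for a in detect_secret_dump(SAMPLE_KV_LOGS):
        print(f"{a['caller']} from {a['ip']}: {a['distinct_secrets']} secrets "
              f"between {a['first']} and {a['last']} (listed first: {a['enumerated_first']})")
```

The web app's ten reads never trip the rule because they all target one secret; the compromised account trips it on its fifth distinct secret, with the preceding `SecretList` recorded as supporting evidence. Keying on caller plus IP matters because the same user principal reading from an unfamiliar address is itself a signal; the threshold and window are knobs to tune against your own vaults' baseline, and the same windowed-count approach carries over to `KeyGet` and `CertificateGet` for the .pfx harvesting the article mentions.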
The entire operation exploited legitimate administrative features rather than vulnerabilities, making detection significantly harder.
Microsoft's guidance is direct: enforce phishing-resistant MFA (hardware keys or certificate-based authentication) for all privileged accounts, restrict SSPR to pre-registered methods only, audit Azure RBAC assignments regularly, and deploy Defender for Cloud across Key Vault, Storage, and App Service workloads.
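The hijacked accounts did so much damage because they carried standing privileged Azure RBAC roles, which is what the "audit Azure RBAC assignments regularly" advice is aimed at. The script below is an added example for this article, not a Microsoft tool: it walks a list of role assignments and flags privileged built-in roles held directly by user principals, rating subscription, management-group and root scope as high and resource-group scope as medium. The sample assignments are constructed and mirror the shape of `az role assignment list --all -o json` (`principalName`, `principalType`, `roleDefinitionName`, `scope`); the names and subscription ID are invented, and the role set is this example's choice of roles that reach the assets named above (Key Vaults, storage, App Service, SQL, VMs).

```python
"""Audit Azure RBAC assignments for standing privileged access held directly by user accounts."""
import json
import sys

# Constructed sample mirroring `az role assignment list --all -o json`; IDs and names are invented.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
SAMPLE_ASSIGNMENTS = [
    {"principalName": "alice@contoso.example", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "bob@contoso.example", "principalType": "User",
     "roleDefinitionName": "Reader", "scope": SUB},
    {"principalName": "carol@contoso.example", "principalType": "User",
     "roleDefinitionName": "Key Vault Administrator", "scope": SUB + "/resourceGroups/rg-prod"},
    {"principalName": "Cloud Platform Admins", "principalType": "Group",
     "roleDefinitionName": "Contributor", "scope": SUB},
    {"principalName": "svc-deploy", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": SUB + "/resourceGroups/rg-prod"},
    {"principalName": "dave@contoso.example", "principalType": "User",
     "roleDefinitionName": "Storage Blob Data Reader",
     "scope": SUB + "/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/stprod001"},
    {"principalName": "erin@contoso.example", "principalType": "User",
     "roleDefinitionName": "User Access Administrator",
     "scope": "/providers/Microsoft.Management/managementGroups/contoso-root"},
]

# Built-in roles that let a holder take over, or read secrets from, the assets in the article.
# This selection is the example's own; extend it to match your environment.
PRIVILEGED_ROLES = {
    "Owner", "Contributor", "User Access Administrator",
    "Key Vault Administrator", "Key Vault Secrets Officer",
    "Storage Account Contributor", "Website Contributor",
    "SQL Server Contributor", "Virtual Machine Contributor",
}
BROAD_SCOPES = {"root", "managementGroup", "subscription"}


def scope_level(scope):
    """Classify an ARM scope string as root, managementGroup, subscription, resourceGroup or resource."""
    parts = [p for p in scope.split("/") if p]
    if not parts:
        return "root"
    if parts[0] == "providers" and len(parts) >= 4 and parts[1].lower() == "microsoft.management":
        return "managementGroup"
    if parts[0] == "subscriptions":
        if len(parts) == 2:
            return "subscription"
        if len(parts) == 4 and parts[2].lower() == "resourcegroups":
            return "resourceGroup"
        return "resource"
    return "unknown"


def audit_assignments(assignments):
    """Return findings for privileged roles assigned directly to User principals, highest severity first."""
    findings = []
    for a in assignments:
        role, level = a["roleDefinitionName"], scope_level(a["scope"])
        if a["principalType"] != "User" or role not in PRIVILEGED_ROLES:
            continue
        findings.append({
            "principal": a["principalName"], "role": role, "scope": a["scope"], "level": level,
            "severity": "high" if level in BROAD_SCOPES else "medium",
            "advice": ("standing privileged role held directly by a user; move it to a group with "
                       "just-in-time elevation and require phishing-resistant MFA on the members"),
        })
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["principal"]))


if __name__ == "__main__":
    # Pipe real output in (`az role assignment list --all -o json | python audit.py`),
    # otherwise the constructed sample is audited.
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_ASSIGNMENTS
    for f in audit_assignments(data):
        print(f"{f['severity'].upper():6} {f['principal']:24} {f['role']:28} {f['level']:15} {f['scope']}")
```

On the sample, alice (Owner on the subscription) and erin (User Access Administrator on a management group) come out high, carol (Key Vault Administrator on one resource group) medium, and the group, the service principal and the read-only users are not reported. Assignments to groups are deliberately left alone here because a group is where the role should live; a follow-up pass would check that those groups are PIM-eligible rather than permanently active.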
Three attacker-controlled IP addresses have been published as indicators of compromise: 176.123.4[.]44, 91.208.197[.]87, and 185.241.208[.]243 (the ScreenConnect C2 server).
The broader warning is hard to miss — in cloud environments, identity is the perimeter.
