EXECUTIVE SUMMARY
A methodical and multi-layered attack, attributed to a threat actor tracked as Storm-2949, has been uncovered by Microsoft Threat Intelligence. The attack's singular focus was to exfiltrate sensitive data from a target organization's high-value assets. The campaign targeted Microsoft 365 applications, file-hosting services, and Azure-hosted production environments, where the organization's production application ecosystem resides.
The attack chain began with a targeted identity compromise, which rapidly evolved into a full-spectrum assault on the organization's cloud infrastructure. Storm-2949 leveraged legitimate cloud and Azure management features to gain control-plane and data-plane access, executing code remotely on VMs and accessing sensitive cloud resources. The threat actor then used this access to conduct directory discovery, establish persistence, and exfiltrate files from cloud storage services.
As the attack progressed, Storm-2949 expanded its access to additional cloud resources, including Azure Storage accounts and an Azure SQL server, ultimately leading to the exfiltration of sensitive data. Organizations are increasingly adopting cloud infrastructure at scale, making it a prime target for threat actors. When cloud identities are compromised, legitimate administrative features can be used to achieve outcomes similar to traditional lateral movement, often with fewer indicators of compromise. To mitigate such threats, behavior-based detections across endpoints, cloud environments, and identities can help identify and correlate malicious activities.
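The mitigation sentence above is the part a detection engineer has to turn into something concrete: a compromised identity using legitimate Azure management operations looks like ordinary administration until the identity context is joined to it. The following is an added example (not code from the Microsoft report and not a Microsoft detection) that correlates an anomalous sign-in with high-impact control-plane operations by the same identity inside a time window. All sign-in and activity records are constructed; the operation strings follow Azure RBAC operation naming, but the chosen set, the window length and the severity rule are assumptions for illustration.

```python
"""Correlate anomalous sign-ins with subsequent Azure control-plane operations.

Added example, not from the original report. Records below are constructed and
labelled as such; nothing here is real telemetry from the described intrusion.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records: (timestamp, identity, risk_level).
SIGNINS = [
    ("2026-05-01T08:02:00", "alice@contoso.example", "high"),  # anomalous sign-in
    ("2026-05-01T09:15:00", "bob@contoso.example", "none"),    # ordinary sign-in
]

# Constructed Azure Activity-style records: (timestamp, identity, operation, resource).
# Operation names follow Azure RBAC naming; the events themselves are invented.
ACTIVITY = [
    ("2026-05-01T08:10:00", "alice@contoso.example",
     "Microsoft.Compute/virtualMachines/runCommand/action", "vm-prod-web01"),
    ("2026-05-01T08:25:00", "alice@contoso.example",
     "Microsoft.Storage/storageAccounts/listKeys/action", "stprodfiles"),
    ("2026-05-01T08:40:00", "alice@contoso.example",
     "Microsoft.Authorization/roleAssignments/write", "rg-prod"),
    ("2026-05-01T09:20:00", "bob@contoso.example",          # no risky sign-in: no alert
     "Microsoft.Compute/virtualMachines/runCommand/action", "vm-prod-web01"),
    ("2026-05-01T16:00:00", "alice@contoso.example",        # read-only, not high impact
     "Microsoft.Compute/virtualMachines/read", "vm-prod-web01"),
    ("2026-05-02T08:00:00", "alice@contoso.example",        # outside the 6h window
     "Microsoft.Sql/servers/firewallRules/write", "sql-prod"),
]

# Legitimate management operations that matter when they follow an anomalous sign-in.
# Assumed set for this example; tune to the environment.
HIGH_IMPACT_OPERATIONS = {
    "Microsoft.Compute/virtualMachines/runCommand/action": "code execution on a VM via the management plane",
    "Microsoft.Storage/storageAccounts/listKeys/action": "storage account key retrieval",
    "Microsoft.Authorization/roleAssignments/write": "role assignment (possible persistence)",
    "Microsoft.Sql/servers/firewallRules/write": "SQL server firewall change",
}


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def correlate(signins, activity, window=timedelta(hours=6)):
    """Return one alert per anomalous sign-in that is followed, within `window`,
    by at least one high-impact operation performed by the same identity."""
    ops_by_identity = defaultdict(list)
    for ts, ident, op, res in activity:
        if op in HIGH_IMPACT_OPERATIONS:
            ops_by_identity[ident].append((_ts(ts), op, res))

    alerts = []
    for ts, ident, risk in signins:
        if risk not in ("medium", "high"):
            continue
        start = _ts(ts)
        hits = sorted(
            (t, op, res) for t, op, res in ops_by_identity.get(ident, [])
            if start <= t <= start + window
        )
        if not hits:
            continue
        distinct_ops = {op for _, op, _ in hits}
        alerts.append({
            "identity": ident,
            "signin_time": start.isoformat(),
            "operations": [(t.isoformat(), op, res, HIGH_IMPACT_OPERATIONS[op])
                           for t, op, res in hits],
            # Assumed rule: two or more distinct high-impact operation types after an
            # anomalous sign-in is the pattern of control-plane to data-plane pivoting.
            "severity": "critical" if len(distinct_ops) >= 2 else "high",
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SIGNINS, ACTIVITY):
        print(f"[{alert['severity']}] {alert['identity']} signed in at {alert['signin_time']}")
        for when, op, res, why in alert["operations"]:
            print(f"  {when}  {op}  on {res}: {why}")
```

Only the identity with the anomalous sign-in produces an alert; the same `runCommand` operation by an identity with a clean sign-in is ignored, which is the point of joining identity signals to cloud activity rather than alerting on each management operation in isolation.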
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1566.002 | Phishing | Spearphishing Link |
| Execution | T1059.006 | Command and Scripting Interpreter | Python |
| Execution | T1106 | Native API | — |
| Persistence | T1098 | Account Manipulation | — |
| Defense Evasion | T1562.001 | Impair Defenses | Disable or Modify Tools |
| Defense Evasion | T1562.004 | Impair Defenses | Disable or Modify System Firewall |
| Credential Access | T1555.004 | Credentials from Password Stores | Windows Credential Manager |
| Credential Access | T1552.001 | Unsecured Credentials | Credentials In Files |
| Initial Access | T1078 | Valid Accounts | — |
| Exfiltration | T1567.001 | Exfiltration Over Web Service | Exfiltration to Code Repository |
REFERENCES:
The following Microsoft Threat Intelligence report contains further technical details:
https://www.microsoft.com/en-us/security/blog/2026/05/18/storm-2949-turned-compromised-identity-into-cloud-wide-breach/