Microsoft Threat Intelligence has disclosed a sophisticated, multi-layered intrusion in which a threat actor tracked as Storm-2949 escalated a single compromised Microsoft Entra ID identity into a cloud-wide enterprise breach. The attack spanned Microsoft 365 applications, file-hosting services, and Azure-hosted production environments, with the adversary exfiltrating sensitive data across SaaS, PaaS, and IaaS layers without deploying traditional malware.
What Happened
According to Microsoft, Storm-2949 launched a focused campaign against a target organization with a singular objective: maximum exfiltration of sensitive data from high-value assets. The intrusion began with targeted social engineering to harvest Microsoft Entra ID credentials from specific users. Once authenticated, the actor pivoted from identity compromise into a full-spectrum assault on the victim's cloud estate.
Microsoft divides the campaign into two distinct phases. The first phase centered on identity compromise within Microsoft Entra ID and Microsoft 365. The second phase saw Storm-2949 expand control across the broader Azure cloud infrastructure, abusing legitimate administrative features to obtain both control-plane and data-plane access. From there, the actor executed code remotely on virtual machines, accessed Key Vaults and storage accounts, and moved laterally between cloud and endpoint environments while masquerading as routine administrative activity.
What Was Taken
Storm-2949 exfiltrated data from three primary surfaces inside the victim environment:
- Microsoft 365 applications, including content reachable through compromised user identities.
- File-hosting services tied to the tenant.
- Azure-hosted production environments where the organization's production application ecosystem resides.
The breach also exposed secrets and sensitive cloud resources through Azure Key Vault and storage account access. Microsoft has not publicly disclosed the victim's identity, the volume of records exfiltrated, or specific data categories, but characterized the targets as the organization's high-value assets.
Why It Matters
This intrusion underscores a continuing shift in adversary tradecraft: rather than dropping malware or compromising endpoints, sophisticated actors are weaponizing the cloud control plane itself. By living off legitimate Azure and Microsoft 365 administrative features, Storm-2949 achieved outcomes comparable to traditional lateral movement while generating fewer conventional indicators of compromise.
For defenders, the takeaway is direct. As organizations scale cloud adoption, identity has become the dominant attack surface, and the line between privileged administration and intrusion activity is increasingly blurred. Detection strategies built around malware signatures or host-based telemetry alone will not catch this class of breach. Behavior-based detections that correlate identity, endpoint, and cloud signals are now table stakes.
The Attack Technique
Storm-2949's tradecraft, as documented by Microsoft, can be summarized as follows:
- Initial access via social engineering targeting specific users to capture Microsoft Entra ID credentials.
- Authenticated abuse of Microsoft 365 surfaces using the compromised identity.
- Escalation into Azure by leveraging legitimate cloud and Azure management features rather than custom tooling or malware.
- Acquisition of control-plane and data-plane access across SaaS, PaaS, and IaaS resources.
- Remote code execution on virtual machines through native Azure management capabilities.
- Access to Key Vaults and storage accounts to harvest secrets and sensitive content.
- Lateral movement that blended into expected administrative behavior, complicating detection.
Notably absent from the playbook are traditional on-premises TTPs and bespoke malware. The campaign relied almost entirely on the misuse of authorized features once an identity had been hijacked.
What Organizations Should Do
- Enforce phishing-resistant multifactor authentication across all Microsoft Entra ID accounts, prioritizing privileged and high-value identities.
- Apply Conditional Access policies that restrict sign-ins by device compliance, location, and risk, and require step-up authentication for sensitive administrative operations.
- Implement least privilege and Just-in-Time access for Azure roles using Privileged Identity Management, eliminating standing administrative rights wherever possible.
- Audit and harden Key Vault, storage account, and VM management permissions, ensuring data-plane and control-plane access are separated and logged.
- Deploy behavior-based detections that correlate identity, endpoint, and cloud signals, such as those offered by Microsoft Defender, to catch abuse of legitimate administrative features.
- Run tabletop exercises modeled on identity-driven cloud breaches, validating playbooks for token revocation, session invalidation, and rapid containment of compromised cloud identities.
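The sequence in the "Attack Technique" section (sign-in, Azure escalation, VM code execution, Key Vault and storage access) is exactly the kind of cross-plane chain the behavior-based detection recommended above has to stitch together. The following added example, written for this article rather than taken from Microsoft's post, shows one way to do that correlation in Python over a small set of constructed log events shaped loosely like Entra ID sign-in and Azure Activity / Key Vault audit records (simplified field names, not the real export schemas). The operation names in STAGES are the Azure RBAC and Key Vault audit names as the author of this example recalls them and are an assumption; check them against the schema your tenant exports before reusing the logic. The principal names, times and IPs are constructed.

```python
"""Correlate one principal's sign-in with later control-plane and data-plane
operations and flag chains that cross several escalation stages quickly.
Added example for this article; not Microsoft's detection logic."""
from collections import defaultdict
from datetime import datetime, timedelta

# Escalation stage -> operation names that indicate it (assumed names; verify
# against your own Activity Log / Key Vault diagnostic schema).
STAGES = {
    "role_grant":   {"Microsoft.Authorization/roleAssignments/write"},
    "vm_exec":      {"Microsoft.Compute/virtualMachines/runCommand/action"},
    "secret_read":  {"SecretGet", "KeyGet"},
    "storage_read": {"Microsoft.Storage/storageAccounts/listKeys/action"},
}


def stage_of(operation):
    """Map an operation name to its escalation stage, or None if it is benign."""
    for stage, ops in STAGES.items():
        if operation in ops:
            return stage
    return None


def correlate(events, window=timedelta(hours=6), min_stages=3):
    """Return {principal: [stages in order hit]} for every principal whose
    sign-in is followed, inside `window`, by at least `min_stages` distinct
    escalation stages.  A single stage (a routine run-command by an operator,
    one secret read by an app) is deliberately not enough to fire."""
    by_principal = defaultdict(list)
    for e in events:
        by_principal[e["principal"]].append(e)

    findings = {}
    for principal, evs in by_principal.items():
        evs.sort(key=lambda e: e["time"])
        signin_times = [e["time"] for e in evs if e["type"] == "signin"]
        for t0 in signin_times:
            first_seen = {}  # stage -> first time it appeared after this sign-in
            for e in evs:
                if e["type"] != "activity" or not (t0 <= e["time"] <= t0 + window):
                    continue
                stage = stage_of(e["operation"])
                if stage and stage not in first_seen:
                    first_seen[stage] = e["time"]
            if len(first_seen) >= min_stages:
                findings[principal] = sorted(first_seen, key=first_seen.get)
                break  # one finding per principal is enough for triage
    return findings


# --- constructed sample events (not real telemetry) -----------------------
BASE = datetime(2025, 1, 1, 9, 0)


def ev(minute, principal, kind, operation=None):
    """Build a minimal event dict `minute` minutes after BASE."""
    return {"time": BASE + timedelta(minutes=minute), "principal": principal,
            "type": kind, "operation": operation}


SAMPLE_EVENTS = [
    # Compromised user: sign-in, then a full chain across control and data planes.
    ev(0,  "alice@contoso.example", "signin"),
    ev(10, "alice@contoso.example", "activity", "Microsoft.Authorization/roleAssignments/write"),
    ev(40, "alice@contoso.example", "activity", "Microsoft.Compute/virtualMachines/runCommand/action"),
    ev(65, "alice@contoso.example", "activity", "SecretGet"),
    ev(90, "alice@contoso.example", "activity", "Microsoft.Storage/storageAccounts/listKeys/action"),
    # Operator doing a routine run-command only: one stage, should not fire.
    ev(5,  "ops-admin@contoso.example", "signin"),
    ev(20, "ops-admin@contoso.example", "activity", "Microsoft.Compute/virtualMachines/runCommand/action"),
    # App identity reading one secret hours after its sign-in: outside the chain.
    ev(0,   "svc-billing", "signin"),
    ev(480, "svc-billing", "activity", "SecretGet"),
]


def run_sample():
    """Apply the correlation to the constructed events."""
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for principal, chain in run_sample().items():
        print(f"{principal}: {' -> '.join(chain)}")
```

In production the same shape of logic is usually expressed as a KQL query joining SigninLogs with AzureActivity and Key Vault diagnostic tables; the thresholds here (a six-hour window, three distinct stages) are starting points to tune against your own administrators' normal cadence, since the whole point of this campaign is that each individual operation looked like legitimate administration.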
Sources: How Storm-2949 turned a compromised identity into a cloud-wide breach | Microsoft Security Blog