Azure identity gaps expose vault secrets

Cyber attackers are turning Microsoft Azure’s identity and access controls into an entry point for cloud-wide data theft, with a campaign tracked as Storm-2949 showing how compromised accounts can be used to extract secrets, reach production applications and steal data across enterprise environments.

The operation highlights a shift in cloud intrusions away from malware-led attacks towards abuse of legitimate administrative tools. Storm-2949 used stolen or manipulated access to Microsoft Entra ID accounts, then moved through Microsoft 365 and Azure services by exploiting permissions already available to the compromised identities. The attackers focused on sensitive business data stored in cloud applications, file-hosting platforms and production systems.

A central element of the campaign was the abuse of self-service password reset workflows. The attackers targeted users with privileged access, triggered password reset processes and used social engineering to persuade victims to approve authentication prompts. Once inside, they locked out legitimate users, enrolled or used strong authentication methods, and began mapping the victim’s cloud environment.

The attack did not depend on custom malware in its early stages. Instead, the operators used Microsoft 365 interfaces, Azure management-plane actions and valid credentials to blend into normal administrative activity. That approach made the intrusion harder to distinguish from routine cloud operations, especially where organisations lacked strong monitoring across identities, applications and infrastructure.

Storm-2949’s access to Azure role-based access control permissions proved decisive. Several compromised accounts held privileged custom roles across Azure subscriptions, giving the attackers scope to inspect and manipulate resources. The group moved from identity compromise into the victim’s Azure estate, targeting App Services, Key Vaults, Storage accounts, SQL databases and virtual machines.

Azure Key Vault became one of the most important targets. The service is designed to store secrets, certificates and cryptographic keys that applications rely on for authentication and secure communication. Once attackers gained an Owner role over a specific Key Vault, they altered access settings and retrieved dozens of secrets within minutes. These included database connection strings and identity credentials, which expanded the potential damage beyond the initially compromised account.

The stolen secrets gave the attackers a path into a production web application that had resisted earlier direct access attempts. They authenticated to the application, changed its password to maintain control and began extracting sensitive information. The attack demonstrates how access to backend secrets can undermine front-end security controls, even where network restrictions block direct entry to critical applications.

Storm-2949 also used Azure App Service publishing profiles to compromise secondary web applications in the same ecosystem. Publishing profiles can contain credentials for deployment endpoints, including FTP, Web Deploy and the Kudu management console. Kudu provides administrative access to app files, environment variables and command execution within the application context, making exposure of those credentials a serious risk.

The attackers extended the campaign into Azure Storage and SQL systems. They changed SQL firewall rules to permit access, connected using credentials obtained from the compromised Key Vault and later deleted modified rules to reduce traces. Storage account settings were also manipulated to allow access from attacker-controlled infrastructure, while account keys and shared access tokens enabled non-interactive retrieval of data.
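The two sequences described above (a Key Vault authorization change followed by a burst of secret reads, and a SQL firewall rule created and later deleted by the same caller) are simple to correlate once control-plane and data-plane logs sit side by side. The following detection logic is an added example, not code from the article or from Microsoft; the log records are constructed, and the operation names are the standard Azure Activity Log and Key Vault AuditEvent values.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample records (not from the article): a simplified merge of Azure
# Activity Log (control-plane) and Key Vault AuditEvent (data-plane) entries.
# Fields: (UTC timestamp, caller, target resource, operation name).
ADMIN, VAULT, RULE = "admin@contoso.example", "/vaults/kv-prod", "/servers/sql-prod/firewallRules/tmp"
EVENTS = [
    ("2025-01-10T09:00:00Z", ADMIN, VAULT, "Microsoft.KeyVault/vaults/accessPolicies/write"),
    ("2025-01-10T10:00:00Z", ADMIN, RULE, "Microsoft.Sql/servers/firewallRules/write"),
    ("2025-01-10T10:45:00Z", ADMIN, RULE, "Microsoft.Sql/servers/firewallRules/delete"),
    ("2025-01-10T11:00:00Z", "svc-deploy", "/vaults/kv-dev", "SecretGet"),  # routine read
]
# Eight secret reads in the eight minutes after the access-policy change.
EVENTS += [("2025-01-10T09:0%d:00Z" % i, ADMIN, VAULT, "SecretGet") for i in range(1, 9)]

# Control-plane operations that change who may read a vault (access policy or RBAC).
ACCESS_CHANGES = {"microsoft.keyvault/vaults/accesspolicies/write",
                  "microsoft.authorization/roleassignments/write"}

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def vault_change_then_secret_burst(events, window=timedelta(minutes=10), threshold=5):
    """(caller, vault, reads) where a caller changes vault authorization, then reads >= threshold secrets in window."""
    reads = defaultdict(list)
    for t, caller, res, op in events:
        if op == "SecretGet":
            reads[(caller, res)].append(_ts(t))
    hits = []
    for t, caller, res, op in events:
        if op.lower() in ACCESS_CHANGES:
            start = _ts(t)
            n = sum(1 for r in reads[(caller, res)] if start <= r <= start + window)
            if n >= threshold:
                hits.append((caller, res, n))
    return hits

def firewall_rule_write_then_delete(events, window=timedelta(hours=2)):
    """(caller, rule) where one caller creates and then deletes a SQL firewall rule in window: open, use, clean up."""
    writes, hits = {}, []
    for t, caller, res, op in sorted(events):  # ISO timestamps sort correctly as strings
        if op.lower() == "microsoft.sql/servers/firewallrules/write":
            writes[(caller, res)] = _ts(t)
        elif op.lower() == "microsoft.sql/servers/firewallrules/delete":
            w = writes.get((caller, res))
            if w is not None and _ts(t) - w <= window:
                hits.append((caller, res))
    return hits
```

In production the same two functions would run over records exported to a Log Analytics workspace or SIEM; the thresholds are starting points to tune against the environment's normal deployment traffic.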

Large volumes of information were downloaded from several storage accounts using scripted access through Azure software tools. The theft continued over multiple days as the attackers alternated between secret-based and OAuth-based authentication, adapting as access controls changed. Separate Microsoft 365 activity included mass downloads from OneDrive and other shared repositories, reflecting a strategy of collecting data from every identity and service the attackers could reach.

Virtual machines were used as another route for discovery and persistence. The attackers abused Azure VMAccess and Run Command features, which are intended for legitimate administration, to create local administrator access and execute scripts. They attempted to harvest workload identity tokens and retrieve more Key Vault secrets through the Azure Instance Metadata Service, although that effort was blocked where the managed identity lacked the required permissions.

The group also deployed ScreenConnect, a remote monitoring and management tool, on compromised machines. Scripts attempted to weaken endpoint defences, disable security protections, rename services to resemble legitimate Windows components and remove forensic artefacts such as event logs and command history. The tool was then used to run discovery commands, collect host details, enumerate domain information and search for credentials.

The campaign underlines a growing risk for organisations that rely heavily on cloud identity without enforcing tight privilege boundaries. Azure RBAC roles, Key Vault policies, App Service publishing credentials and storage keys can all become escalation points when excessive permissions are granted. The attack path shows that a single compromised identity can become a bridge into applications, databases, infrastructure and data stores.