Microsoft has identified a new threat actor, designated Storm-2949, that takes over Azure cloud environments without deploying any malware. The actor impersonates IT support staff, talks the victim into approving the MFA verification prompt generated by a Self-Service Password Reset (SSPR) request the attacker has started, and then uses the hijacked account to extract data from Microsoft 365 and secrets from Azure Key Vaults.
How Storm-2949 Executes a No-Malware Azure Account Takeover
Storm-2949 specifically targets high-privilege Azure users — IT personnel and senior executives — on the assumption that these accounts carry the access rights needed to reach sensitive cloud resources. The attack begins with a phone call or message in which the threat actor poses as IT support staff requesting urgent MFA verification.
Once the victim approves the prompt, Storm-2949 completes the SSPR flow: the account password is reset, the victim's existing MFA enrollment is removed, and an attacker-controlled authenticator is registered in its place. The prompt itself is genuine, raised by the reset the attacker initiated; only the pretext is fake. The sequence gives persistent control: the legitimate user is locked out, and every later sign-in approval is routed to the attacker's device. No exploit or malware is needed at any stage.
What Storm-2949 Collects from Microsoft 365 Environments
From compromised Microsoft 365 accounts, Storm-2949 collects user data, application configurations, VPN configurations, and files stored in OneDrive and SharePoint. The breadth of that data reflects how much operational information organizations store in Microsoft cloud collaboration tools — personnel records, project documents, network architecture files, and application credentials can all be accessible from a single compromised M365 account with sufficient privileges.
Azure Key Vault Theft and Its Downstream Consequences for Cloud Infrastructure
The more strategically damaging element of Storm-2949's access is the pivot to Azure Key Vault. Key Vaults hold database connection strings, API keys, and application secrets used by Azure-hosted services. Once those secrets are extracted, the initial social engineering compromise chains into much broader access: stolen database credentials can query production databases, extracted API keys can call connected services, and application secrets can impersonate backend service identities. The pivot only works where the hijacked user holds data-plane rights on the vault (a Key Vault access policy or an RBAC role such as Key Vault Secrets User), which is one reason the actor targets IT staff rather than arbitrary users. Where that is the case, the Key Vault pivot converts an identity compromise into a broad infrastructure access event.
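The pivot above has a recognisable shape in the vault's own audit trail: workloads read a single secret by name through a service principal or managed identity, whereas a hijacked human account first lists the vault and then pulls many secrets. The following is an added example, not code from Microsoft or from the original report, that flags that pattern over constructed records. The records approximate the Key Vault AuditEvent diagnostic-log shape (operationName, identity.claim, callerIpAddress, resultSignature, id); those field names and the sample values are assumptions for illustration and should be checked against a real export before use.

```python
"""Flag interactive secret harvesting in Azure Key Vault audit records.

Added example, not code from Microsoft or the original article. The records
are constructed and approximate the Key Vault AuditEvent diagnostic-log
shape (operationName, identity.claim, callerIpAddress, resultSignature, id);
the field names are assumptions for illustration.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample records. A workload identity (appid only) reads one
# secret by name; a hijacked user (upn claim) lists the vault and drains it.
RECORDS = [
    {"operationName": "SecretGet", "resultSignature": "OK", "callerIpAddress": "10.0.1.4",
     "identity": {"claim": {"appid": "11111111-2222-3333-4444-555555555555"}},
     "id": "https://prod-kv.vault.azure.net/secrets/db-conn/abc123"},
    {"operationName": "SecretList", "resultSignature": "OK", "callerIpAddress": "203.0.113.7",
     "identity": {"claim": {"upn": "cfo@contoso.example"}},
     "id": "https://prod-kv.vault.azure.net/secrets"},
    {"operationName": "SecretGet", "resultSignature": "OK", "callerIpAddress": "203.0.113.7",
     "identity": {"claim": {"upn": "cfo@contoso.example"}},
     "id": "https://prod-kv.vault.azure.net/secrets/db-conn/abc123"},
    {"operationName": "SecretGet", "resultSignature": "OK", "callerIpAddress": "203.0.113.7",
     "identity": {"claim": {"upn": "cfo@contoso.example"}},
     "id": "https://prod-kv.vault.azure.net/secrets/api-key/def456"},
    {"operationName": "SecretGet", "resultSignature": "OK", "callerIpAddress": "203.0.113.7",
     "identity": {"claim": {"upn": "cfo@contoso.example"}},
     "id": "https://prod-kv.vault.azure.net/secrets/sp-client-secret/789"},
    {"operationName": "SecretGet", "resultSignature": "Forbidden", "callerIpAddress": "203.0.113.7",
     "identity": {"claim": {"upn": "cfo@contoso.example"}},
     "id": "https://prod-kv.vault.azure.net/secrets/hsm-backup/000"},
    {"operationName": "SecretGet", "resultSignature": "OK", "callerIpAddress": "198.51.100.9",
     "identity": {"claim": {"upn": "devops@contoso.example"}},
     "id": "https://prod-kv.vault.azure.net/secrets/api-key/def456"},
]


def caller_identity(rec):
    """Classify the caller as a signed-in user (upn claim) or a workload identity."""
    claims = rec.get("identity", {}).get("claim", {})
    if "upn" in claims:
        return "user", claims["upn"]
    return "workload", claims.get("appid") or claims.get("oid") or "unknown"


def secret_name(rec):
    """Extract the secret name from the object URI, e.g. .../secrets/<name>/<version>."""
    parts = urlparse(rec["id"]).path.strip("/").split("/")
    return parts[1] if len(parts) >= 2 and parts[0] == "secrets" else None


def find_harvesting(records, min_secrets=3):
    """Return user principals that listed the vault and then read at least
    `min_secrets` distinct secrets, with the source IPs they used.

    Workload identities are ignored: reading one secret by name is their normal
    pattern. Failed reads do not count toward the threshold but are kept in the
    finding, since a Forbidden on a secret the user never touches is itself a
    sign of exploration.
    """
    state = defaultdict(lambda: {"listed": False, "read": set(), "denied": set(), "ips": set()})
    for rec in records:
        kind, who = caller_identity(rec)
        if kind != "user":
            continue
        entry = state[who]
        entry["ips"].add(rec["callerIpAddress"])
        op, ok = rec["operationName"], rec["resultSignature"] == "OK"
        if op == "SecretList" and ok:
            entry["listed"] = True
        elif op == "SecretGet":
            (entry["read"] if ok else entry["denied"]).add(secret_name(rec))
    return [
        {"user": who, "secrets_read": sorted(e["read"]), "denied": sorted(e["denied"]),
         "source_ips": sorted(e["ips"])}
        for who, e in state.items()
        if e["listed"] and len(e["read"]) >= min_secrets
    ]


if __name__ == "__main__":
    for finding in find_harvesting(RECORDS):
        print(finding)
```

On the constructed input only the CFO account is reported: it listed the vault and read three distinct secrets from a single external address, with one further read denied. The devops user who read one secret by name is not flagged, and the workload identity is skipped entirely. In production the same rule is usually written as a KQL query over the vault's diagnostic logs; the threshold and the "listed first" condition are what keep it from firing on ordinary administrators.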
Why Pure Identity Attacks Are Resistant to Standard Enterprise Defenses
Storm-2949's technique has no malware dependency, so it gives endpoint detection tools, antivirus signatures, and host-based behavioral analytics nothing to inspect. The attack surface is entirely social and identity-based: a phone call and an MFA approval are the only requirements. The attack is not invisible, though. The self-service reset, the removal and registration of authentication methods, and the later sign-ins from the attacker's device are all recorded in Entra ID audit and sign-in logs. The gap is that organizations which have invested heavily in endpoint controls often alert on that telemetry alone and not on these identity events, and have not hardened the helpdesk identity verification and SSPR processes the technique abuses.
Similarities to Scattered Spider and Storm-2372 Techniques
Microsoft's designation of Storm-2949 as a distinct threat actor reflects the view that this campaign is not an operational variant of known groups, despite clear similarities to the social engineering used by Scattered Spider and Storm-2372 in earlier high-profile cloud account compromises. Those groups likewise worked through IT and helpdesk flows to gain initial cloud access without malware. The new designation indicates that Storm-2949 is an active, evolving operation with its own infrastructure and targeting patterns.
Organizations should audit whether their SSPR policy allows a password reset to be approved through the same MFA method that the reset can then replace, rather than requiring a second verification channel independent of it, and whether changes to privileged accounts, including registration or removal of MFA methods, require out-of-band approval by a separate control. Helpdesk staff should verify callers through a channel the caller did not choose, such as a callback to a number on record. Because Entra ID logs both self-service resets and authentication-method changes, a reset on a privileged account followed shortly by a new method registration is a concrete event to alert on.
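The takeover sequence described earlier (self-service reset, old method removed, attacker authenticator registered) and the alerting recommendation just above can be turned into one correlation rule. The following is an added example, not code from Microsoft or from the original report. The events are constructed and follow a flattened approximation of the Entra ID AuditLogs shape (activityDateTime, activityDisplayName, targetResources); the activity names, the privileged-account list and the 30-minute window are assumptions for illustration.

```python
"""Correlate the Storm-2949 takeover sequence in Entra ID audit-log records.

Added example, not code from Microsoft or the original article. The events
below are constructed and follow a flattened approximation of the Entra ID
AuditLogs shape (activityDateTime, activityDisplayName, targetResources);
the field and activity names are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed activity names, modelled on the Entra ID audit log. Verify them
# against your tenant's actual activityDisplayName values before deploying.
SSPR_RESET = "Reset password (self-service)"
METHOD_DELETED = "User deleted security info"
METHOD_REGISTERED = "User registered security info"

# Constructed: accounts the organization treats as privileged.
PRIVILEGED = {"cfo@contoso.example", "itadmin@contoso.example"}

# Constructed sample events (not real log data): a benign reset by alice,
# the full takeover sequence against the CFO within two minutes, and an
# admin who merely enrolled a new method with no preceding reset.
EVENTS = [
    {"time": "2024-05-01T09:00:00Z", "activity": SSPR_RESET, "target": "alice@contoso.example"},
    {"time": "2024-05-01T14:02:10Z", "activity": SSPR_RESET, "target": "cfo@contoso.example"},
    {"time": "2024-05-01T14:03:40Z", "activity": METHOD_DELETED, "target": "cfo@contoso.example"},
    {"time": "2024-05-01T14:04:05Z", "activity": METHOD_REGISTERED, "target": "cfo@contoso.example"},
    {"time": "2024-05-02T08:30:00Z", "activity": METHOD_REGISTERED, "target": "itadmin@contoso.example"},
]


def parse_time(value):
    """Parse an ISO-8601 UTC timestamp with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_takeover(events, privileged=PRIVILEGED, window_minutes=30):
    """Return one finding per user whose self-service reset was followed, within
    `window_minutes`, by registration of a new authentication method.

    A reset alone is normal; a reset followed by a new authenticator is the
    attacker installing their own device. Deleting the old method first is an
    extra indicator but not a requirement, since an attacker may simply add a
    method alongside the victim's.
    """
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["target"]].append((parse_time(ev["time"]), ev["activity"]))

    findings = []
    for user, items in by_user.items():
        items.sort()
        for reset_at, activity in items:
            if activity != SSPR_RESET:
                continue
            later = [a for t, a in items if reset_at < t <= reset_at + window]
            if METHOD_REGISTERED not in later:
                continue
            findings.append({
                "user": user,
                "reset_at": reset_at.isoformat(),
                "deleted_existing_method": METHOD_DELETED in later,
                "privileged": user in privileged,
                "severity": "high" if user in privileged else "medium",
            })
    return findings


if __name__ == "__main__":
    for finding in detect_takeover(EVENTS):
        print(finding)
```

Only the CFO account produces a finding: alice reset her password without touching her methods, and the admin enrolled a method without a reset. Severity is driven by the privileged list, which should mirror the directory roles and groups the organization actually cares about rather than a hard-coded set of names. Tightening the window to one minute suppresses the constructed case, which is the trade-off to tune against how quickly the helpdesk completes legitimate resets.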
