| SYMBOL | COMMON_NAME | aka. SYNONYMS |
Storm-2949 is a sophisticated threat actor that exploited Microsoft’s Self-Service Password Reset process to compromise high-value accounts, primarily targeting IT personnel and senior leadership. They leveraged Azure tools and APIs to conduct reconnaissance, exfiltrate sensitive data from Microsoft 365 applications, and manipulate Azure resources, including Key Vaults and SQL databases. The actor employed social engineering tactics to bypass MFA and utilized custom Python scripts for directory discovery and data exfiltration. Their operations included lateral movement across cloud and endpoint environments while mimicking legitimate administrative behavior.
There are currently no families associated with this actor.
| 2026-05-18
⋅
Microsoft
⋅
How Storm-2949 turned a compromised identity into a cloud-wide breach Storm-2949 |