GBHackers

Hackers Exploit Entra ID Accounts to Steal Microsoft 365, Azure Data

Hackers Abuse Microsoft Entra ID Accounts to Exfiltrate Microsoft 365 and Azure Data.

A highly sophisticated cyberattack campaign carried out by a threat actor tracked as Storm-2949 has targeted Microsoft Entra ID accounts to steal sensitive data from Microsoft 365 and Azure environments.

Instead of deploying malicious payloads, Storm-2949 abused legitimate cloud management features to gain deep access across SaaS, PaaS, and IaaS environments.

The attack began with targeted social engineering aimed at high-value users, including IT staff and senior leadership. The threat actor exploited Microsoft’s Self-Service Password Reset (SSPR) process by tricking users into approving multifactor authentication (MFA) requests.

In these scenarios, attackers impersonated IT support personnel and convinced victims to approve MFA prompts under the pretense of account verification.

According to Microsoft, the attack demonstrates a growing trend in cloud-focused intrusions, where attackers prioritize identity compromise over traditional malware-based techniques.

Once approved, the attackers reset passwords, removed existing authentication methods, and registered their own MFA devices, effectively locking out legitimate users while maintaining persistent access.

Hackers Exploit Entra ID

After gaining access, Storm-2949 rapidly began exfiltrating data from Microsoft 365 services, including OneDrive and SharePoint.

Storm-2949 attack diagram (Source: Microsoft).

The attackers specifically targeted sensitive documents such as VPN configurations and remote access procedures, indicating preparation for further lateral movement.

In some cases, thousands of files were downloaded in bulk using the OneDrive web interface. The attackers repeated this process across multiple compromised accounts to maximize data collection.

With access to privileged Entra ID accounts, the threat actor expanded into Azure environments. Leveraging role-based access control (RBAC) permissions, they targeted critical resources such as:

  • Azure App Services.
  • Azure Key Vaults.
  • Azure Storage accounts.
  • Azure SQL databases.

A key tactic involved abusing an Azure management plane operation that retrieves the publishing profiles of web apps. This exposed deployment credentials and administrative interfaces such as Kudu.

Although initial attempts to access primary production applications failed, the attackers pivoted strategically.

Storm-2949 shifted focus to Azure Key Vault, where they had Owner-level permissions. Within minutes, they modified access policies and extracted dozens of secrets, including credentials and connection strings.

These secrets enabled access to high-value production applications, after which the attackers changed credentials to maintain control and began extracting sensitive data.

The attackers also queried the Azure Instance Metadata Service (IMDS) to obtain a token, and used it to authenticate to and retrieve secrets from the Key Vault associated with the production web app.

Token theft and Key Vault access script (Source: Microsoft).

The attackers manipulated Azure configurations to facilitate large-scale data exfiltration:

  • Modified SQL firewall rules to gain database access
  • Enabled public access to storage accounts
  • Retrieved storage account keys and SAS tokens
  • Used custom Python scripts with Azure SDK to download data

Notably, they cleaned up firewall changes afterward to evade detection.

Storm-2949 also targeted Azure Virtual Machines using built-in administrative tools. By abusing the VMAccess extension, they created new administrator accounts and used Run Command to execute scripts remotely.

They attempted credential harvesting and deployed ScreenConnect, a remote monitoring tool, for persistent access. The attackers also tried to turn off Microsoft Defender protections and clear logs to reduce visibility.

Detection and Defense

Microsoft Defender played a critical role in identifying the attack by correlating signals across identity, cloud, and endpoint environments. This highlights the importance of integrated detection systems in modern cloud security.

This campaign underscores a shift toward identity-driven attacks in cloud environments. By abusing legitimate administrative tools, attackers can operate stealthily with minimal indicators of compromise.

Organizations are advised to:

  • Strengthen MFA processes and monitor for suspicious approvals.
  • Limit RBAC permissions using least privilege principles.
  • Monitor Microsoft Graph API activity for unusual queries.
  • Secure Key Vault access and audit secret usage.
  • Enable cross-domain detection using solutions like Microsoft Defender XDR.

As cloud adoption accelerates, protecting identity and control-plane access is becoming critical to preventing large-scale data breaches.
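The two sequences the article describes, the SSPR takeover chain (password reset, methods removed, new MFA registered) and the SQL firewall rule that was added and then removed to cover tracks, are both ordered events against one subject inside a short window. The following added example (not Microsoft's or GBHackers' code) correlates such chains over constructed audit records; the activity and operation names are assumed to mirror Entra ID audit display names and Azure Activity Log operation names and should be adjusted to the schema of your own log export.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Ordered activity chains worth correlating per subject (names assumed; adjust to your log schema).
TAKEOVER = ("Reset password (self-service)", "User deleted security info",
            "User registered security info")          # keyed on target user
FIREWALL_TOGGLE = ("Microsoft.Sql/servers/firewallRules/write",
                   "Microsoft.Sql/servers/firewallRules/delete")  # keyed on SQL server
WINDOW = timedelta(minutes=30)

def _sequence_from(events, start, sequence, window):
    """True if `sequence` appears in order after events[start], all within `window`."""
    start_ts = events[start][0]
    step = 1
    for ts, activity in events[start + 1:]:
        if ts - start_ts > window:
            return False
        if activity == sequence[step]:
            step += 1
            if step == len(sequence):
                return True
    return False

def find_sequences(lines, sequence, window=WINDOW):
    """Return (subject, first_time) per subject showing the full chain; lines are 'ts|activity|subject'."""
    per_subject = defaultdict(list)
    for line in lines:
        ts, activity, subject = line.strip().split("|")
        per_subject[subject].append((datetime.fromisoformat(ts), activity))
    hits = []
    for subject, events in per_subject.items():
        events.sort()
        for i, (ts, activity) in enumerate(events):
            if activity == sequence[0] and _sequence_from(events, i, sequence, window):
                hits.append((subject, ts))
                break  # one alert per subject is enough
    return hits

# Constructed sample records (not real data).
ENTRA_AUDIT = [
    "2025-01-10T09:00:00|Reset password (self-service)|it.admin@example.com",
    "2025-01-10T09:03:00|User deleted security info|it.admin@example.com",
    "2025-01-10T09:04:00|User registered security info|it.admin@example.com",
    "2025-01-10T11:00:00|Reset password (self-service)|jane@example.com",
    "2025-01-10T15:00:00|User registered security info|jane@example.com",  # hours apart, no alert
]
ACTIVITY_LOG = [
    "2025-01-10T10:00:00|Microsoft.Sql/servers/firewallRules/write|/subscriptions/x/sqlsrv1",
    "2025-01-10T10:20:00|Microsoft.Sql/servers/firewallRules/delete|/subscriptions/x/sqlsrv1",
]
```

Calling `find_sequences(ENTRA_AUDIT, TAKEOVER)` flags only the first user, and `find_sequences(ACTIVITY_LOG, FIREWALL_TOGGLE)` flags the server whose firewall rule was opened and closed again within the window.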

Indicators of compromise (IOCs)

Indicator           Type         Description
176.123.4[.]44      IP address   Attacker egressed from this address
91.208.197[.]87     IP address   Attacker egressed from this address
185.241.208[.]243   IP address   ScreenConnect instance used by attacker

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
