By Bill Toulas
Publication Date: 2026-05-19 19:35:00
A threat actor targeting Microsoft 365 and Azure production environments is stealing data in attacks that abuse legitimate applications and administration features.
Microsoft tracks the actor as Storm-2949 and says that the purpose of the attacks is “to exfiltrate as much sensitive data from a target organization’s high-value assets as possible.”
Storm-2949 used social engineering to target users with privileged roles, such as IT personnel or members of senior leadership, and obtain their Microsoft Entra ID credentials to gain access to data in Microsoft 365 applications.
Microsoft believes that the actor abused the Self-Service Password Reset (SSPR) flow, in which an attacker initiates a password reset for a targeted employee’s account and then tricks the victim into approving multi-factor authentication (MFA) prompts.
To make the ruse more convincing, the hacker poses as an IT support employee requiring urgent verification of the account.
The hacker then reset…
