Ethical Hacking News
A recent Microsoft security report exposes a critical vulnerability in its Self-Service Password Reset (SSPR) feature that allows attackers to gain unauthorized access to sensitive data stored in Azure environments. The threat actor behind the attacks, tracked as Storm-2949, poses a significant risk to organizations running Microsoft 365 and Azure production environments.
Microsoft has exposed a critical vulnerability in its Self-Service Password Reset (SSPR) feature, allowing attackers to gain unauthorized access to sensitive data. The Storm-2949 threat actor targets users with privileged roles using social engineering tactics and multi-factor authentication (MFA) prompts. The attacker leverages compromised user accounts to access sensitive data stored in OneDrive and SharePoint, including VPN configurations and IT operational files. The attack also exploits multiple identities with privileged custom Azure role-based access control (RBAC) roles on multiple Azure subscriptions. The attackers use FTP, Web Deploy, and the Kudu console to manage Azure App Services, target Azure Key Vaults, and exfiltrate data from Storage accounts. Microsoft recommends adopting security hardening and best practices, including conditional access policies, MFA protection, and limiting Azure RBAC permissions.
Microsoft has recently exposed a critical vulnerability in its Self-Service Password Reset (SSPR) feature, which is used by millions of users worldwide. The campaign, tracked as Storm-2949 after the sophisticated threat actor behind it, allows attackers to gain unauthorized access to sensitive data stored in Azure environments.
According to the security report issued by Microsoft, the Storm-2949 threat actor targeted users with privileged roles, such as IT personnel or members of senior leadership, using social engineering tactics. The attacker would initiate a password reset for a targeted employee's account and then trick the victim into approving multi-factor authentication (MFA) prompts. This allowed the hacker to gain control over the user's Microsoft Entra ID credentials.
The Storm-2949 threat actor further leveraged the compromised user accounts to enumerate users, roles, applications, and service principals in the Azure environment. Using custom Python scripts and the Microsoft Graph API, they were able to access sensitive data stored in OneDrive and SharePoint, including VPN configurations and IT operational files. This data was then transmitted to their own infrastructure, posing a significant risk to the victim's Azure environment.
In addition to targeting users with compromised credentials, Storm-2949 also expanded its attack to the victim's Azure infrastructure. The attacker exploited multiple identities that had privileged custom Azure role-based access control (RBAC) roles on multiple Azure subscriptions. This allowed them to "uncover and extract the most sensitive assets within the victim's Azure environment, specifically from production-based Azure subscriptions."
The Storm-2949 threat actor further leveraged compromised user accounts to use FTP, Web Deploy, and the Kudu console, the management tools for Azure App Service. Through these, they were able to browse the file system, check environment variables, and execute commands remotely within the app's context. The attacker also targeted Azure Key Vaults, modifying access settings and stealing dozens of secrets, including database credentials and connection strings.
The attackers then pivoted to Azure SQL servers and Storage accounts by changing firewall and network access rules, retrieving storage keys and SAS tokens, and exfiltrating data using custom Python scripts. Finally, they deployed the ScreenConnect remote access tool on compromised systems, attempted to disable Microsoft Defender protections, and wiped forensic evidence.
Microsoft attributes the Storm-2949 attack to a sophisticated threat actor that is targeting Microsoft 365 and Azure production environments. The purpose of these attacks is to exfiltrate as much sensitive data from target organizations' high-value assets as possible.
To defend against such threats, Microsoft recommends following security hardening and best practices. This includes adopting the principle of least privilege, enabling conditional access policies, adding MFA protection for all users, and ensuring phishing-resistant MFA for users with privileged roles, such as administrators.
Additionally, the company advises limiting Azure RBAC permissions, keeping Azure Key Vault logs up to a year, reducing access to Key Vault, restricting public access to Key Vaults, using data protection options in Azure Storage, and monitoring for high-risk Azure management operations.
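The "monitoring for high-risk Azure management operations" recommendation above can be turned into a concrete detection. The script below is an added example, not code from the article or from Microsoft: it reads Azure Activity log records in a simplified, constructed JSON-lines form (real Activity log exports carry more fields and nest some of them), flags the control-plane operations the report ties to this campaign (Key Vault access changes, storage key retrieval, SQL firewall changes, App Service publish-profile retrieval), and then reports callers whose flagged operations span more than one subscription, which is the pattern described above. The operation names are Azure resource-provider operation strings; the callers, subscription IDs and timestamps are invented sample data.

```python
import json
from collections import defaultdict

# Constructed sample Activity log records (JSON lines, simplified schema).
SAMPLE_ACTIVITY_LOG = """
{"time":"2026-05-18T09:12:03Z","caller":"admin@example.com","subscriptionId":"sub-prod-1","operationName":"Microsoft.KeyVault/vaults/accessPolicies/write","status":"Succeeded"}
{"time":"2026-05-18T09:14:41Z","caller":"admin@example.com","subscriptionId":"sub-prod-1","operationName":"Microsoft.Storage/storageAccounts/listKeys/action","status":"Succeeded"}
{"time":"2026-05-18T09:20:17Z","caller":"admin@example.com","subscriptionId":"sub-prod-2","operationName":"Microsoft.Sql/servers/firewallRules/write","status":"Succeeded"}
{"time":"2026-05-18T10:02:55Z","caller":"dev@example.com","subscriptionId":"sub-dev","operationName":"Microsoft.Compute/virtualMachines/start/action","status":"Succeeded"}
{"time":"2026-05-18T10:05:30Z","caller":"dev@example.com","subscriptionId":"sub-dev","operationName":"Microsoft.Web/sites/publishxml/action","status":"Succeeded"}
{"time":"2026-05-18T10:31:08Z","caller":"admin@example.com","subscriptionId":"sub-prod-2","operationName":"Microsoft.Storage/storageAccounts/listKeys/action","status":"Failed"}
"""

# Control-plane operations the report associates with this campaign.
HIGH_RISK_OPERATIONS = {
    "Microsoft.KeyVault/vaults/accessPolicies/write": "Key Vault access policy changed",
    "Microsoft.KeyVault/vaults/write": "Key Vault properties or network rules changed",
    "Microsoft.Storage/storageAccounts/listKeys/action": "Storage account keys listed",
    "Microsoft.Storage/storageAccounts/write": "Storage account (incl. firewall rules) changed",
    "Microsoft.Sql/servers/firewallRules/write": "SQL server firewall rule changed",
    "Microsoft.Web/sites/publishxml/action": "App Service publish profile (FTP/Web Deploy credentials) retrieved",
}


def parse_activity_log(text):
    """Parse JSON-lines Activity log text into a list of record dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def flag_high_risk(records):
    """Return one alert dict per record whose operationName is in HIGH_RISK_OPERATIONS.
    Failed attempts are kept: a denied listKeys call is still worth an analyst's attention."""
    alerts = []
    for rec in records:
        reason = HIGH_RISK_OPERATIONS.get(rec.get("operationName"))
        if reason is None:
            continue
        alerts.append({"time": rec["time"], "caller": rec["caller"],
                       "subscriptionId": rec["subscriptionId"],
                       "operationName": rec["operationName"],
                       "status": rec.get("status", "Unknown"), "reason": reason})
    return alerts


def callers_spanning_subscriptions(alerts, min_subscriptions=2):
    """Map caller -> sorted subscription IDs for callers whose flagged operations
    touch at least min_subscriptions distinct subscriptions (cross-subscription abuse pattern)."""
    subs_by_caller = defaultdict(set)
    for alert in alerts:
        subs_by_caller[alert["caller"]].add(alert["subscriptionId"])
    return {caller: sorted(subs) for caller, subs in subs_by_caller.items()
            if len(subs) >= min_subscriptions}


if __name__ == "__main__":
    found = flag_high_risk(parse_activity_log(SAMPLE_ACTIVITY_LOG))
    for a in found:
        print(f"{a['time']} {a['caller']} {a['subscriptionId']} {a['status']}: {a['reason']}")
    print("cross-subscription callers:", callers_spanning_subscriptions(found))
```

In production the same logic belongs in a Log Analytics query or a SIEM rule over the AzureActivity table rather than a script over exported lines; the set of operations should be tuned to which resource providers a given environment actually uses.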
The report provides extensive guidance on indicators of compromise, mitigation strategies, and best practices for protecting against similar threats.
Related Information:
https://www.ethicalhackingnews.com/articles/Microsoft-Self-Service-Password-Reset-Vulnerability-Exposed-A-Looming-Threat-to-Azure-Data-Security-ehn.shtml
https://www.bleepingcomputer.com/news/security/microsoft-self-service-password-reset-abused-in-azure-data-theft-attacks/
Published: Tue May 19 15:28:25 2026 by llama3.2 3B Q4_K_M