Storm-2949 Exploits Microsoft 365 Password Reset to Drain Cloud Data
Microsoft has published details on a sophisticated multi-stage campaign carried out by a threat actor tracked as Storm-2949, targeting organizations running Microsoft 365 and Azure environments. What makes this cloud credential attack on Microsoft 365 particularly striking is the entry point: self-service password reset (SSPR), a feature most administrators consider routine and low-risk. Once inside, the attackers moved quietly through OneDrive, SharePoint, and SQL databases, extracting high-value data before detection.
This campaign is a pointed reminder that cloud platforms are only as secure as the configurations and assumptions built around them.
How Storm-2949 Weaponized Self-Service Password Reset
Self-service password reset is a widely deployed convenience feature. It allows employees to regain account access without contacting IT, reducing helpdesk burden and downtime. Most security teams treat it as benign. Storm-2949 treated it as a door.
By abusing SSPR functionality, the threat actor was able to compromise user identities without needing to crack passwords through brute force or deploy malware. The attack took advantage of weaknesses in how SSPR is configured or verified, allowing the group to assume control of legitimate accounts. Once credentials were reset and access was established, the attackers blended into normal user activity, making behavioral detection significantly harder.
This approach is notable because it sidesteps many of the signals that endpoint security tools are designed to catch. There is no malicious executable, no suspicious download, no obvious intrusion signature. The attacker simply logs in as a valid user.
What Data Was Exposed — and Why Cloud Storage Is a High-Value Target
After gaining initial access, Storm-2949 moved through the Microsoft 365 and Azure ecosystem with a clear objective: extract as much high-value data as possible. OneDrive and SharePoint, used across most enterprise environments for document storage and collaboration, were primary targets. SQL databases connected to Azure infrastructure were also accessed and exfiltrated.
The scale of what modern organizations store in these services makes them an obvious focus for sophisticated threat actors. Business contracts, financial records, customer data, internal communications, and proprietary research all frequently live in SharePoint or OneDrive. SQL databases connected to Azure often contain structured operational data that can be monetized or used for follow-on attacks.
This pattern closely mirrors what has been observed in other large-scale credential-harvesting incidents. The ShinyHunters vishing attack that exposed 40 million Charter Communications records followed a similar logic: gain legitimate-looking access, then extract as much data as possible before defenders respond. Cloud storage consolidates enormous value in one place, which is precisely what makes it a target.
Why Credential-Based Attacks Bypass Traditional Defenses
Traditional security architecture was built around the idea that attackers break in. They exploit software vulnerabilities, deploy malware, or intercept network traffic. Perimeter defenses, antivirus tools, and intrusion detection systems were all designed to catch those behaviors.
Credential-based attacks flip that assumption. The attacker does not break in; they walk in. When Storm-2949 uses SSPR to assume control of a legitimate account, every subsequent action looks like that user working normally. File access logs show a recognized identity. Network traffic originates from expected services. Alert thresholds tuned to catch anomalous behavior may never trigger.
This is the same category of risk that makes browser and platform vulnerabilities so dangerous. Researchers at Pwn2Own Berlin 2026 demonstrated how Windows 11 and Edge zero-days could be chained together to gain deep system access, illustrating that even trusted, mainstream platforms carry exploitable weaknesses. Storm-2949's campaign shows that cloud identity infrastructure is no different.
Once attackers establish a foothold through identity rather than exploits, containment becomes significantly more complex.
Practical Mitigations: MFA, Audit Logs, and Smarter Cloud Configuration
The Storm-2949 campaign points toward concrete steps organizations and individuals can take to reduce exposure.
Audit your SSPR configuration. If self-service password reset is enabled, verify what verification methods are required. Phone-based recovery options can be intercepted or socially engineered. Requiring multiple factors, or restricting SSPR to managed devices only, significantly raises the bar for attackers.
Enforce phishing-resistant MFA across all accounts. Standard SMS-based multi-factor authentication offers real protection but remains vulnerable to SIM-swapping and certain social engineering tactics. Hardware security keys or app-based authenticators using FIDO2 standards are substantially harder to abuse.
Review conditional access policies. Microsoft 365 and Azure both offer conditional access controls that can restrict logins based on device compliance, location, and risk signals. Many organizations have these features available but do not use them.
Monitor for anomalous data access patterns. Even when an attacker uses legitimate credentials, accessing hundreds of SharePoint documents or downloading large volumes of OneDrive files in a short window should trigger alerts. Configuring Microsoft Defender for Cloud Apps or equivalent monitoring tools to flag bulk data access is a practical detection layer.
Consider network-level protections for cloud access. Using a VPN to enforce that cloud service access happens only through known, monitored network paths can help limit the attack surface for credential misuse from unfamiliar locations.
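As an added example, not part of Microsoft's reporting or of any product described above, the following Python sketch shows the two detections the mitigations call for: flagging any account that downloads a large number of files inside a short window, and the higher-confidence variant of correlating a self-service password reset with a download burst from the same account shortly afterwards. The records are constructed in the script and loosely modelled on unified audit log fields (CreationTime, UserId, Operation). The SharePoint/OneDrive operation names are real audit operation names; the SSPR activity string is an assumption modelled on the Entra ID audit log display name and should be checked against what your tenant actually emits.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Operation names used for matching. "FileDownloaded" and
# "FileSyncDownloadedFull" are real SharePoint/OneDrive audit operations; the
# SSPR string is an ASSUMPTION modelled on the Entra ID audit display name.
SSPR_OPERATIONS = {"Reset password (self-service)"}
DOWNLOAD_OPERATIONS = {"FileDownloaded", "FileSyncDownloadedFull"}


def _event(ts, user, operation):
    """Build one minimal audit record (constructed, not real log data)."""
    return {"CreationTime": ts.isoformat(), "UserId": user, "Operation": operation}


def build_sample_events():
    """Constructed sample: alice resets her password and then downloads 60
    files within the next hour; bob downloads 5 files with no reset; carol
    resets her password but downloads only 3 files afterwards."""
    t0 = datetime(2024, 5, 1, 8, 0, 0)
    events = [_event(t0 + timedelta(minutes=2), "alice@example.com",
                     "Reset password (self-service)")]
    for i in range(60):
        events.append(_event(t0 + timedelta(minutes=10, seconds=45 * i),
                             "alice@example.com", "FileDownloaded"))
    for i in range(5):
        events.append(_event(t0 + timedelta(hours=1, minutes=i),
                             "bob@example.com", "FileDownloaded"))
    events.append(_event(t0 + timedelta(hours=3), "carol@example.com",
                         "Reset password (self-service)"))
    for i in range(3):
        events.append(_event(t0 + timedelta(hours=3, minutes=5 + i),
                             "carol@example.com", "FileSyncDownloadedFull"))
    return events


def _downloads_by_user(events):
    """Map each user to a sorted list of their download timestamps."""
    out = defaultdict(list)
    for e in events:
        if e["Operation"] in DOWNLOAD_OPERATIONS:
            out[e["UserId"]].append(datetime.fromisoformat(e["CreationTime"]))
    for times in out.values():
        times.sort()
    return out


def max_downloads_in_window(times, window):
    """Largest number of downloads falling inside any interval of length
    `window`, computed with a two-pointer sweep over sorted timestamps."""
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def bulk_download_users(events, window=timedelta(hours=1), threshold=50):
    """Mitigation 'monitor for anomalous data access': users whose download
    count inside any `window` reaches `threshold`, with that peak count."""
    flagged = {}
    for user, times in _downloads_by_user(events).items():
        n = max_downloads_in_window(times, window)
        if n >= threshold:
            flagged[user] = n
    return flagged


def reset_then_bulk_download(events, window=timedelta(hours=2), threshold=50):
    """Higher-confidence signal for the SSPR abuse pattern: a self-service
    reset followed within `window` by at least `threshold` downloads from the
    same account."""
    downloads = _downloads_by_user(events)
    alerts = []
    for e in events:
        if e["Operation"] not in SSPR_OPERATIONS:
            continue
        reset_at = datetime.fromisoformat(e["CreationTime"])
        user = e["UserId"]
        n = sum(1 for t in downloads.get(user, []) if reset_at <= t <= reset_at + window)
        if n >= threshold:
            alerts.append({"user": user, "reset_at": reset_at.isoformat(), "downloads": n})
    return alerts


if __name__ == "__main__":
    evs = build_sample_events()
    print("bulk downloaders:", bulk_download_users(evs))
    print("reset followed by bulk download:", reset_then_bulk_download(evs))
```

The thresholds and windows are deliberately parameters: a sensible baseline differs between a research team syncing large document libraries and a finance group, so tune them per population and treat the reset-plus-burst correlation as the higher-priority alert, since a legitimate user rarely resets a password and then pulls dozens of files within the next two hours.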
What This Means For You
Whether you manage a large enterprise environment or use Microsoft 365 personally for work, the Storm-2949 campaign illustrates that cloud security is not a default-on feature. Platforms like Microsoft 365 and Azure provide powerful security tools, but those tools require deliberate configuration and ongoing monitoring to be effective.
If your organization relies on cloud storage for sensitive data, now is the time to audit your identity and access controls. Specifically, review who has SSPR enabled, how it is verified, whether MFA is enforced consistently, and whether data access monitoring is active.
Assuming the platform handles security automatically is exactly the posture this campaign exploited. A few hours spent reviewing access controls is a far smaller cost than discovering your OneDrive or SharePoint data has been silently exfiltrated over days or weeks.