Storm-2949 is a sophisticated threat actor that exploited Microsoft’s Self-Service Password Reset process to compromise high-value accounts, primarily targeting IT personnel and senior leadership. They leveraged Azure tools and APIs to conduct reconnaissance, exfiltrate sensitive data from Microsoft 365 applications, and manipulate Azure resources, including Key Vaults and SQL databases. The actor employed social engineering tactics to bypass MFA and utilized custom Python scripts for directory discovery and data exfiltration. Their operations included lateral movement across cloud and endpoint environments while mimicking legitimate administrative behavior.
References
Actor metadata imported from Malpedia (Fraunhofer FKIE).