Microsoft warns of Entra ID abuse
- Microsoft said on May 18 that Storm-2949 abused Entra ID password-reset and admin workflows to steal data from Microsoft 365 and Azure tenants.
- Microsoft said the actor moved from stolen credentials to cloud-wide compromise without malware, while Orchid Security reported 67% of nonhuman accounts are unmanaged.
- Congress is also seeking answers: Sen. Maggie Hassan requested a classified CISA briefing on May 19 after exposed internal credentials.
Microsoft’s latest warning is a reminder that cloud break-ins no longer need malware to do damage. In a May 18 research post, the company said a threat actor it tracks as Storm-2949 used Microsoft Entra ID self-service password reset, social engineering and legitimate administrative features to move from a single compromised identity to large-scale theft from Microsoft 365 and Azure environments.

The campaign matters because the attacker worked through identity and trust controls that many companies treat as routine plumbing. Microsoft said Storm-2949 abused password-reset flows, delegated permissions and post-compromise admin access to reach mailboxes, storage, Azure App Service, Key Vault, SQL data and virtual machines. (microsoft.com)

### How did the attacker get in without deploying malware?

Microsoft said the operation began with stolen credentials and targeted social engineering. In its account of the intrusion chain, the company said the actor initiated self-service password reset activity and then impersonated IT support to persuade victims to approve multifactor authentication prompts tied to the reset flow. (microsoft.com)

BleepingComputer reported on May 20 that the attacks targeted Microsoft 365 and Azure production environments and relied on legitimate applications and administration features rather than custom malware. That let the actor blend into normal cloud activity after gaining access. (microsoft.com)

### What did Storm-2949 do after it captured an account?

Microsoft said the actor’s goal was “to exfiltrate as much sensitive data” as possible from high-value assets. The company described follow-on activity that included directory discovery, persistence, Microsoft 365 data collection, Azure storage and SQL exfiltration, and compromise of Azure virtual machines. (bleepingcomputer.com)

Microsoft also said the actor installed ScreenConnect on virtual machines for post-compromise activity and defense evasion.

The company framed the case as an example of how a compromised identity can become a cloud-wide breach when identity systems, delegated permissions and admin tooling are chained together. (microsoft.com)

### Why does this fit a broader identity-security problem?

Orchid Security said on May 19 that 67% of nonhuman accounts are created directly inside applications and remain unseen and unmanaged by identity and access management programs. The company’s report also said “invisible identity” outweighed visible identity across enterprise environments by 57% to 43%. (microsoft.com)

That research is a vendor-backed report, not a government audit, but it points to the same pressure point Microsoft described: attackers do not need to smash endpoints if they can exploit identities, service accounts and delegated trust relationships already inside the environment. Microsoft’s own guidance on Entra ID shows that self-service password reset is a standard feature and that organizations can review reset activity through reporting and audit logs. (orchid.security)

### Why is Congress now part of the story?

Sen. Maggie Hassan requested an “urgent” classified briefing from CISA leadership on May 19 after reports that internal agency credentials were exposed in a public GitHub repository, according to Axios. TechCrunch reported the exposed material included plaintext passwords and cloud keys tied to CISA and the Department of Homeland Security. (learn.microsoft.com)

The overlap is not that the incidents are the same. It is that both center on credential hygiene and the security of trusted internal systems, at a moment when federal agencies and private companies are both confronting identity-based risk.

### What should companies look at next?

Microsoft’s published guidance points defenders to multifactor reset controls, privileged-access review, audit visibility and broader hardening across Microsoft 365 and Azure. (axios.com)

The company included indicators of compromise and mitigation steps in its May 18 research post for security teams investigating related activity. (microsoft.com)

Microsoft’s Entra documentation also says administrators can use self-service password reset reporting and audit logs to review usage and reset events. Those records, along with app permissions and service-account inventories, are likely to be among the first places incident responders check after the Storm-2949 disclosure. (learn.microsoft.com) (microsoft.com)
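As an added example that is not part of the article, Microsoft's guidance or any vendor tool, the Python triage heuristic below walks a constructed set of simplified audit records and flags identities whose self-service password reset is followed within a short window by a privilege-granting action, the reset-to-delegated-permissions-to-admin chain the article describes. The record field names and activity strings are an assumption loosely modelled on Entra ID audit entries, not the exact schema, and the sample data is constructed.

```python
from datetime import datetime, timedelta

# Activity names are an assumption loosely modelled on Entra ID audit entries;
# verify them against your tenant's real audit log before relying on them.
SSPR_RESET = "Reset password (self-service)"
PRIVILEGE_EVENTS = {"Add member to role", "Consent to application",
                    "Add app role assignment grant to user"}

# Constructed sample records (not real tenant data). alice resets her password
# and within an hour grants an app consent and adds a role member; carol resets
# and only touches roles more than a day later.
CONSTRUCTED_LOG = [
    {"time": "2025-05-18T09:02:00", "activity": SSPR_RESET,
     "actor": "alice@example.com", "target": "alice@example.com"},
    {"time": "2025-05-18T09:40:00", "activity": "Consent to application",
     "actor": "alice@example.com", "target": "MailReaderApp"},
    {"time": "2025-05-18T10:05:00", "activity": "Add member to role",
     "actor": "alice@example.com", "target": "bob@example.com"},
    {"time": "2025-05-18T11:00:00", "activity": SSPR_RESET,
     "actor": "carol@example.com", "target": "carol@example.com"},
    {"time": "2025-05-19T15:00:00", "activity": "Add member to role",
     "actor": "carol@example.com", "target": "dave@example.com"},
]


def find_reset_to_privilege_chains(records, window=timedelta(hours=6)):
    """Return [(user, reset_time, follow_on_events)] for every identity whose
    self-service reset is followed within `window` by a privilege-granting
    action it initiated. A hit is a triage lead, not proof of compromise:
    legitimate resets followed by admin work do happen."""
    reset_times = {}
    for r in records:
        if r["activity"] == SSPR_RESET:
            reset_times.setdefault(r["target"], []).append(
                datetime.fromisoformat(r["time"]))
    findings = []
    for user, resets in reset_times.items():
        for t0 in sorted(resets):
            follow_on = [r for r in records
                         if r["actor"] == user
                         and r["activity"] in PRIVILEGE_EVENTS
                         and t0 <= datetime.fromisoformat(r["time"]) <= t0 + window]
            if follow_on:
                findings.append((user, t0, follow_on))
    return findings


if __name__ == "__main__":
    for user, t0, events in find_reset_to_privilege_chains(CONSTRUCTED_LOG):
        print(f"{user}: reset at {t0}, then {[e['activity'] for e in events]}")
```

Widening the window trades fewer misses for more noise; pair hits with the MFA prompt history and app-permission inventory the article points to before escalating.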