Storm-2949 abuses Entra ID

- Threat group Storm-2949 used compromised Microsoft Entra ID accounts to quietly exfiltrate data from Microsoft 365 and Azure environments via legitimate management tools.
- Attackers leveraged legitimate admin tooling to move data without obvious alerts, enabling stealthy exfiltration across tenant environments and bypassing standard monitoring controls.
- Microsoft cloud customers should audit Entra ID activity, rotate exposed credentials, and check management-tool logs. (x.com)

1/ Microsoft said on May 18 that a threat actor it tracks as Storm-2949 used a compromised cloud identity to steal data across Microsoft 365 and Azure, relying on legitimate management features rather than malware. (microsoft.com)

2/ The key point is the attack path. Microsoft said Storm-2949 moved from identity compromise to "control-plane and data-plane access," then used that access to reach Key Vaults, storage accounts and virtual machines. (microsoft.com)

3/ That matters because the actor's activity could resemble normal administration. Microsoft said the campaign blended into "expected administrative behavior" while moving laterally across cloud and endpoint environments. (microsoft.com)

4/ In Microsoft's account, the breach started with compromised credentials and expanded into Microsoft 365 apps, file-hosting services and Azure-hosted production environments tied to the victim's application stack. (microsoft.com)

5/ Microsoft said the operation spanned software-as-a-service, platform-as-a-service and infrastructure-as-a-service layers. In plain terms, this was not a single mailbox or one misconfigured workload; it crossed identity, apps and infrastructure. That second sentence is an inference from Microsoft's description. (microsoft.com)

6/ The practical lesson for defenders is that "valid login + valid tool" can still be an intrusion. If an attacker has the right identity and uses approved cloud controls, signature-based or malware-focused monitoring may miss the larger pattern. This is an inference based on Microsoft's description of the activity and its emphasis on behavior-based detection. (microsoft.com)

7/ Microsoft's own guidance points first to identity telemetry. Microsoft Entra activity logs include audit logs for changes to users, groups, apps and licenses, alongside sign-in logs that show who accessed what resource, with which client and from where. (learn.microsoft.com)

8/ That means incident responders should review more than failed logins. Microsoft documents separate visibility for audit logs, sign-in logs, provisioning logs and self-service password management activity, including password reset events and registration activity. (learn.microsoft.com)

9/ If you are checking exposure, start with three questions: which identities changed, which sign-ins looked unusual, and which management actions followed. Microsoft says Entra logs can be exported to Azure Monitor, Microsoft Sentinel, Event Hubs, storage accounts and Microsoft Graph for deeper analysis. (learn.microsoft.com)

10/ Microsoft also said behavior-based detections across endpoints, cloud environments and identities can help correlate this kind of activity. That is important because any one action in isolation may look routine; the sequence is what reveals the breach. The second sentence is an inference from Microsoft's write-up. (microsoft.com)

11/ For Microsoft 365 and Azure customers, the immediate response is straightforward: rotate exposed credentials, review Entra sign-in and audit logs, check self-service password reset activity, and inspect logs tied to Azure management actions and access to sensitive services such as Key Vault and storage. Microsoft's post says mitigation and protection guidance is included in its incident write-up. (microsoft.com)

12/ The broader takeaway from the Storm-2949 case is not that Microsoft tools are the threat. It is that compromised identity inside a cloud tenant can give an attacker the same reach as an administrator, and Microsoft says defenders need cross-surface, behavior-based monitoring to catch it. (microsoft.com)
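The three questions in point 9 and the "sequence, not the single action" idea in point 10 can be turned into a small correlation over exported logs. The script below is an added example, not Microsoft's or Scout's code; the events are constructed, and their simplified field names (`user`, `ip`, `caller`, `op`) are assumptions rather than the exact schema of Entra audit/sign-in logs or Azure activity logs.

```python
from datetime import datetime, timedelta

# Constructed sample events (simplified shape; not the real exported schema).
AUDIT = [  # Entra audit log: identity changes
    {"time": "2025-05-10T08:01:00", "user": "ops-admin@contoso.example", "op": "Reset password"},
    {"time": "2025-05-10T08:05:00", "user": "ops-admin@contoso.example", "op": "Add member to role"},
]
SIGNINS = [  # Entra sign-in log: who signed in from where, and whether it succeeded
    {"time": "2025-05-09T09:00:00", "user": "ops-admin@contoso.example", "ip": "203.0.113.10", "ok": True},
    {"time": "2025-05-10T08:10:00", "user": "ops-admin@contoso.example", "ip": "198.51.100.7", "ok": True},
    {"time": "2025-05-10T08:20:00", "user": "dev@contoso.example", "ip": "198.51.100.9", "ok": True},
]
ACTIVITY = [  # Azure activity log: management-plane operations by caller
    {"time": "2025-05-10T08:30:00", "caller": "ops-admin@contoso.example",
     "op": "Microsoft.KeyVault/vaults/secrets/read"},
    {"time": "2025-05-10T08:40:00", "caller": "ops-admin@contoso.example",
     "op": "Microsoft.Storage/storageAccounts/listKeys/action"},
    {"time": "2025-05-10T08:45:00", "caller": "dev@contoso.example",
     "op": "Microsoft.Compute/virtualMachines/read"},
]

# Operation prefixes treated as access to sensitive services (Key Vault, storage keys).
SENSITIVE_PREFIXES = ("Microsoft.KeyVault/", "Microsoft.Storage/storageAccounts/listKeys")
KNOWN_IPS = {"203.0.113.10"}   # constructed baseline of expected source addresses
WINDOW = timedelta(hours=2)    # how far to look back/forward around a sign-in


def ts(value):
    return datetime.fromisoformat(value)


def correlate(audit, signins, activity, known_ips, window=WINDOW):
    """Chain the three questions per identity: which identities changed (audit),
    which sign-ins looked unusual (unfamiliar source), which management actions
    followed (sensitive Azure operations). Only the full sequence is reported."""
    findings = []
    for s in signins:
        if not s["ok"] or s["ip"] in known_ips:
            continue  # a successful sign-in from an unfamiliar source is the pivot point
        t = ts(s["time"])
        changes = [a["op"] for a in audit
                   if a["user"] == s["user"] and t - window <= ts(a["time"]) <= t]
        actions = [a["op"] for a in activity
                   if a["caller"] == s["user"] and t <= ts(a["time"]) <= t + window
                   and a["op"].startswith(SENSITIVE_PREFIXES)]
        if actions:  # unusual sign-in followed by sensitive access; changes add context
            findings.append({"user": s["user"], "ip": s["ip"],
                             "changes": changes, "actions": actions})
    return findings
```

Each event on its own looks routine (a password reset, a successful login, a secret read); only the ordered chain per identity produces a finding, which is the behavior-based view the write-up argues for.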
