{"id":12972,"date":"2026-05-19T10:04:50","date_gmt":"2026-05-19T10:04:50","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/05\/19\/hackers-abuse-microsoft-entra-id-accounts-to-exfiltrate-microsoft-365-and-azure-data\/"},"modified":"2026-05-19T10:04:50","modified_gmt":"2026-05-19T10:04:50","slug":"hackers-abuse-microsoft-entra-id-accounts-to-exfiltrate-microsoft-365-and-azure-data","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/05\/19\/hackers-abuse-microsoft-entra-id-accounts-to-exfiltrate-microsoft-365-and-azure-data\/","title":{"rendered":"Hackers Abuse Microsoft Entra ID Accounts to Exfiltrate Microsoft 365 and Azure Data"},"content":{"rendered":"<p>Hackers Abuse Microsoft Entra ID Accounts to Exfiltrate Microsoft 365 and Azure Data<\/p>\n<div>\n<p>A threat actor known as Storm-2949 has launched a sophisticated, multi-layered cloud attack campaign targeting Microsoft Entra ID accounts to steal sensitive data from Microsoft 365 and Azure environments.<\/p>\n<p>The campaign was recently uncovered and has raised serious concerns about how modern attackers can abuse legitimate cloud features to carry out large-scale data theft across organizations.<\/p>\n<p>What makes this attack stand out is that it did not rely on traditional malware or device-level exploits. Instead, the attackers used <a href=\"https:\/\/cybersecuritynews.com\/threat-actors-continuously-attacking-ms-sql-servers\/\" id=\"145685\" target=\"_blank\" rel=\"noreferrer noopener\">legitimate Microsoft cloud management tools and administrative features<\/a> to silently move through an organization\u2019s entire cloud infrastructure.<\/p>\n<p>Sensitive files, database credentials, application secrets, and stored data all fell into the attackers\u2019 hands.<\/p>\n<p><a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/05\/18\/storm-2949-turned-compromised-identity-into-cloud-wide-breach\/\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft said in a report<\/a> shared with Cyber Security News (CSN) that Storm-2949 executed a relentless campaign focused on exfiltrating as much sensitive data as possible from a target organization\u2019s high-value assets.<\/p>\n<p>The attack spanned Microsoft 365 applications, file-hosting services, and Azure-hosted production environments, hitting SaaS, PaaS, and IaaS layers across the board.<\/p>\n<p>The breach began with a targeted identity compromise and quickly escalated into a full takeover of the organization\u2019s cloud infrastructure.<\/p>\n<p>Analysts noted that the attackers deliberately targeted IT staff and senior leadership, showing clear signs of prior reconnaissance and a calculated plan to maximize damage.<\/p>\n<p>This incident highlights a growing shift in how threat actors approach cloud environments. Rather than targeting individual devices, attackers are zeroing in on cloud identities and control-plane access, where they can blend with expected administrative behavior and go undetected for extended periods.<\/p>\n<h2 class=\"wp-block-heading\" id=\"how-storm-2949-compromised-microsoft-entra-id\"><strong>Hackers Abuse Microsoft Entra ID Accounts<\/strong><\/h2>\n<p>Storm-2949 gained initial access through a social engineering technique that abused Microsoft\u2019s Self-Service Password Reset process.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjhtZ5mOB1BfCBU-mo7Y9C2zXQYo400hnezplhroxVn9qljaQ-to2u7QlKCvhOtIwOrKD8q-uKLXjQ9TtviBeu8tf7waZjoka87wH6JHPX5NnEtRNvCBTWdkrXEeC51pqu2_0ckrEQ5ikiJ_cWeepHHotHrRO8a7pv6aagZU4C8Ig7BdPlVDJ5DbdZ_dzE\/s16000\/Storm-2949%2520attack%2520%28Source%2520-%2520Microsoft%29.webp?ssl=1\" alt=\"Storm-2949 attack (Source - Microsoft)\"><figcaption class=\"wp-element-caption\">Storm-2949 attack (Source \u2013 Microsoft)<\/figcaption><\/figure>\n<\/div>\n<p>The attackers impersonated internal IT support staff and tricked targeted users into approving <a href=\"https:\/\/cybersecuritynews.com\/poisonseed-phishing-kit-bypasses-mfa\/\" id=\"120802\" target=\"_blank\" rel=\"noreferrer noopener\">fraudulent multi-factor authentication prompts<\/a>, effectively handing over full account control.<\/p>\n<p>Once a user approved the fake prompt, the attackers reset the account password, removed all existing authentication methods, and registered their own device as a new authenticator.<\/p>\n<p>This gave them persistent access while locking the real user out entirely. The same technique was repeated across multiple accounts within the same organization.<\/p>\n<p>After establishing a foothold, the attackers used a custom Python script and Microsoft Graph API queries to enumerate user accounts and privileged identities within the tenant.<\/p>\n<p>They then turned to Microsoft 365, targeting OneDrive and SharePoint to locate and bulk-download thousands of sensitive files, particularly those related to VPN configurations and remote access procedures.<\/p>\n<h2 class=\"wp-block-heading\" id=\"azure-wide-data-breach-and-lateral-movement\"><strong>Azure-Wide Data Breach and Lateral Movement<\/strong><\/h2>\n<p>With compromised accounts holding privileged Azure role-based access control permissions, Storm-2949 moved aggressively into the Azure environment.<\/p>\n<p>They targeted Azure App Services, Key Vaults, Storage accounts, and SQL databases, using legitimate management-plane operations to extract secrets and reconfigure access controls.<\/p>\n<p>By accessing a Key Vault that contained database connection strings and identity credentials, the attackers dramatically expanded the breach\u2019s blast radius.<\/p>\n<p>Within just four minutes, they read dozens of secrets and used those credentials to authenticate into the primary production web application they had been pursuing all along.<\/p>\n<p>To pull data from Azure Storage, the attackers manipulated network access settings and abused storage account key listing operations to obtain Shared Access Signature tokens.<\/p>\n<p>They then used a <a href=\"https:\/\/cybersecuritynews.com\/malicious-pypi-package-with-fully-automated-carding-script\/\" id=\"98386\" target=\"_blank\" rel=\"noreferrer noopener\">custom Python script to systematically download large volumes of data<\/a> over several days, while SQL server firewall rules were altered to allow access and then deleted to cover their tracks.<\/p>\n<p>The attackers also compromised Azure Virtual Machines using the VMAccess extension to create backdoor admin accounts, and deployed ScreenConnect after attempting to disable Microsoft Defender Antivirus.<\/p>\n<p>Before exiting, they cleared Windows event logs and removed local artifacts to complicate any forensic investigation.<\/p>\n<p>Organizations facing similar threats are encouraged to enforce phishing-resistant multi-factor authentication for all privileged users, apply least privilege across Azure role assignments, and restrict public network access to Key Vaults and Storage accounts.<\/p>\n<p><a href=\"https:\/\/cybersecuritynews.com\/security-teams-shrink-as-automation-rises\/\" id=\"100650\" target=\"_blank\" rel=\"noreferrer noopener\">Security teams should monitor suspicious management-plane activity<\/a> and audit the use of Azure VM features such as Run Command and VMAccess to stop this type of lateral movement.<\/p>\n<p id=\"indicators-of-compromise-iocs\"><strong>Indicators of Compromise (IoCs):<\/strong><\/p>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<thead>\n<tr>\n<th class=\"has-text-align-left\" data-align=\"left\">Type<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">Indicator<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">Description<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>IP Address<\/td>\n<td>176.123.4[.]44<\/td>\n<td>Attacker egress IP address used during the campaign<\/td>\n<\/tr>\n<tr>\n<td>IP Address<\/td>\n<td>91.208.197[.]87<\/td>\n<td>Attacker egress IP address used during the campaign<\/td>\n<\/tr>\n<tr>\n<td>IP Address<\/td>\n<td>185.241.208[.]243<\/td>\n<td>ScreenConnect instance infrastructure controlled by the attacker<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p><strong>Note:<\/strong>\u00a0<em>IP addresses and domains are intentionally defanged (e.g.,\u00a0<\/em><code><em>[.]<\/em><\/code><em>) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM<\/em>.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/hackers-abuse-microsoft-entra-id-accounts\/\">Hackers Abuse Microsoft Entra ID Accounts to Exfiltrate Microsoft 365 and Azure Data<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Tushar Subhra Dutta<br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/hackers-abuse-microsoft-entra-id-accounts\/\">Go to cyber-security-news<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hackers Abuse Microsoft Entra ID Accounts to Exfiltrate Microsoft 365 and Azure Data A threat actor known as Storm-2949 has launched a sophisticated, multi-layered cloud attack campaign targeting Microsoft Entra ID accounts to steal sensitive data from Microsoft 365 and Azure environments. The campaign was recently uncovered and has raised serious concerns about how modern [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,649],"tags":[130],"class_list":["post-12972","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-threats","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/12972"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=12972"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/12972\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=12972"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/cate
gories?post=12972"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=12972"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}