How Storm-2949 exposed identity risk in Microsoft 365 and Azure

Storm-2949 shows how one stolen identity can become a cloud-wide breach


Anna Webb

Global Director, Security and Identity Support Services

Published: 26 May 2026

Microsoft’s account of Storm-2949 (see below) is a useful reminder of how serious a breach can become once the right account is compromised. There was no need for exotic malware or a complex technical exploit. Access to a trusted identity, and the systems that sit behind it, was enough. 

According to Microsoft, the attacker used the password reset process and persuaded users to approve multifactor authentication (MFA) requests. That allowed it to change account settings, remove existing sign-in methods and add its own authentication device, giving it a way to stay inside the account.

The reported targets included IT staff and senior leaders, which is what makes the incident so serious. When an attacker gains control of an account with broad access or influence, the damage can spread quickly.

What starts with one user can quickly become access to company data, cloud services and the systems the business depends on.

It’s yet another example of where identity threat protection becomes critical, particularly when the priority is spotting and containing suspicious activity quickly.

From MFA prompt to tenant-wide access

After getting into the account, the attacker used built-in Microsoft tools to find out who had access to what, which apps were connected and where higher levels of control sat.

It then moved into Microsoft 365 services such as OneDrive and SharePoint, downloading large volumes of files. From there, the attack spread further into Azure, reaching systems used to run apps, store data, hold sensitive keys and support core business services.

What makes this especially serious is that the attacker was not forcing its way in through broken software. It was using trusted features that many organisations rely on every day to manage their cloud systems.

Once the right account was under its control, the same access could be used to view data, change settings, reach sensitive systems and stay active inside the environment. In practical terms, one compromised account created a path into much wider parts of the business.

Key risks at a glance

  • A single compromised account can open the door to a much wider breach.
  • Trusted admin tools can be abused to avoid detection and maintain access.
  • High-value accounts can expose company data, cloud services and core systems.
  • Weak controls around sign-in, devices and network access can help the attack spread quickly.

Kocho SOC advisory

Kocho’s SecOps team has been working with clients to review where this kind of attack could take hold. Security Operations Architect, Jaco le Roux, has highlighted a number of steps that can help reduce the risk, particularly across Entra, XDR and Azure.

Entra

  • Review allowed MFA methods and authentication strengths
  • Remove weak or unsupported methods from the SSPR admin
  • Consider phishing-resistant MFA for privileged and high-risk users
  • Tighten Conditional Access for security information registration, consider including trusted network controls
  • Review risk-based Conditional Access policies for unmanaged device scenarios
  • Do not allow unmanaged devices or browsers to access company resources

XDR

  • Set Defender XDR EDR to block mode
  • Enable Defender coverage for Key Vault, Storage and Servers where possible

Azure

  • Apply network restrictions or private endpoints for VMs, Key Vaults and storage accounts where possible
  • Configure immutable storage to protect against accidental or malicious deletion
  • Enable purge protection for all Key Vaults
  • Make sure audit logs are collected across all Azure resources


Storm-2949 is a clear example of how quickly a single identity compromise can escalate into a much broader business risk.

Where recovery controls, device trust and cloud access policies are not tightly managed, attackers have far more freedom to move than they should.

Jaco le Roux, Security Operations Architect, Kocho

Preparation and joined-up security improve the odds

What stands out is how little was needed to widen the breach.

A trusted account was enough to give the attacker a foothold, and from there the attack moved into data, services and infrastructure that many organisations still treat as separate layers of risk.

That makes early detection difficult.

In the opening stages, much of the activity can look routine, particularly if sign-in events, password resets, MFA requests and device access are being monitored in isolation.

The organisations that are better prepared are usually the ones that have tightened those controls in advance and made sure those signals are reviewed together, not separately.

That means looking closely at the basics that often make the difference in incidents like this. Stronger MFA and recovery controls, better restrictions on unmanaged access, more effective protection for cloud resources, and better visibility across the environment.
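One way to review those signals together rather than in isolation, as an added example that is not Kocho's or Microsoft's code: a small correlation routine over constructed audit events (the field names and operation labels are assumptions, not a Microsoft log schema) that flags a user only when a self-service password reset, removal and addition of an MFA method, and a bulk file download all occur within one window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events for illustration only; field names and "op" labels
# are assumptions, not the names used in Entra or Microsoft 365 audit logs.
SAMPLE_EVENTS = [
    {"time": "2026-05-20T09:01:00", "user": "it.admin@example.com", "op": "sspr_password_reset"},
    {"time": "2026-05-20T09:04:00", "user": "it.admin@example.com", "op": "mfa_method_removed"},
    {"time": "2026-05-20T09:05:00", "user": "it.admin@example.com", "op": "mfa_method_added"},
    {"time": "2026-05-20T09:40:00", "user": "it.admin@example.com", "op": "file_download", "count": 3200},
    {"time": "2026-05-20T10:00:00", "user": "alice@example.com", "op": "sspr_password_reset"},
    {"time": "2026-05-20T10:30:00", "user": "alice@example.com", "op": "file_download", "count": 4},
]

# Each step on its own looks like routine administration; the ordered chain is the signal.
CHAIN = ("sspr_password_reset", "mfa_method_removed", "mfa_method_added", "file_download")


def flag_identity_takeovers(events, window=timedelta(hours=2), bulk_threshold=500):
    """Return {user: {first_signal, completed_at}} for users whose events complete CHAIN
    in order, with the whole chain inside `window` and the download at or above
    `bulk_threshold` files."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append((datetime.fromisoformat(e["time"]), e))

    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda pair: pair[0])
        stage, start = 0, None
        for ts, e in evs:
            if stage and ts - start > window:
                stage, start = 0, None  # chain went stale; treat as unrelated activity
            if stage == 0:
                if e["op"] == CHAIN[0]:
                    stage, start = 1, ts  # a reset opens a candidate chain
                continue
            if e["op"] != CHAIN[stage]:
                continue  # out-of-order or unrelated event; keep waiting
            if e["op"] == "file_download" and e.get("count", 0) < bulk_threshold:
                continue  # a handful of downloads is normal use, not exfiltration
            stage += 1
            if stage == len(CHAIN):
                flagged[user] = {"first_signal": start.isoformat(), "completed_at": ts.isoformat()}
                break
    return flagged


if __name__ == "__main__":
    print(flag_identity_takeovers(SAMPLE_EVENTS))
```

Only the account whose reset, MFA changes and bulk download fall inside the window is reported; the same reset followed by a few ordinary downloads is not.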

Kocho’s SOC team is working with clients on those areas now, helping them understand where exposure sits and which changes will have the greatest effect.

If you have any concerns or would like to discuss how best to mitigate against the rising tide of identity-based attacks, please get in touch with our team today.

About Storm-2949

Storm-2949 is a threat campaign that turns a single compromised user account into broad access across cloud environments.

  • Targeted social engineering and abuse of self-service password reset to take over user identities, including privileged accounts.

  • Operates largely through legitimate Microsoft 365 and Azure features, so activity appears similar to normal administration.

  • Uses compromised identities to move across services such as Entra ID, Azure, and cloud storage, expanding access and control.

  • Focused on large-scale data theft from cloud applications, storage, and production systems.


Author

Anna Webb

Global Director, Security and Identity Support Services

Anna has over 20 years’ experience in operations management, major incident management, and cyber security. CISSP qualified, Anna is officially a Security Changemaker (Microsoft Security Excellence Awards).