- Microsoft researchers warn that Storm-2949 is abusing the self-service password reset flow to hijack accounts
- Attackers trick victims into approving MFA requests using phone calls, then reset passwords and exfiltrate sensitive data.
- The campaign targets Microsoft 365 and Azure environments, with Microsoft urging stricter RBAC controls and monitoring of high-risk operations.
A hacking group known as Storm-2949 is abusing the password reset feature in Microsoft services to steal people’s login credentials, access their accounts, and extract as much sensitive data as possible.
A new report published by the Microsoft Defender security research team claims that at the center of this campaign is the self-service password reset (SSPR) flow found in the Microsoft ecosystem.
Typically, when an employee forgets their credentials and clicks the “Forgot Password” button, Microsoft sends an MFA message to their registered secondary device. When the employee approves, they are allowed to set a new password through the same device on which the process was initially started.
how to defend
Storm-2949 was abusing it in highly targeted attacks. First, they would identify their target, obtain their phone number, as well as the email used to log into Microsoft services. Then, they would initiate the password reset flow and simultaneously call the victims on the phone.
They would present themselves as IT technicians and convince victims to approve the MFA message, effectively allowing them to create a new password.
The next step is to remove the victim from the account and extract as much information as possible.
The Microsoft Threat Intelligence team described the campaign as “methodical, sophisticated, and multi-layered” targeting Microsoft 365 applications, file hosting services, and production environments hosted on Azure.
“In one case, Storm-2949 used the OneDrive web interface to download thousands of files in a single action to its own infrastructure,” Microsoft said. “This pattern of data theft was repeated across all compromised user accounts, likely because different identities had access to different shared folders and directories.”
To defend against this campaign, Microsoft suggests users limit Azure RBAC permissions, retain Azure Key Vault logs for one year, reduce access to Key Vault, and restrict public access to Key Vaults. It also recommends using data protection options in Azure Storage and monitoring high-risk Azure management operations.
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds.
