Hackers Exploit Azure RBAC to Steal Key Vault Secrets
ID: 6d98ec1d-8234-516e-b215-5f11ace53dce
STIX ID: report--6d98ec1d-8234-516e-b215-5f11ace53dce
Feed Name: GBHackers
Storm-2949 executed a multi-stage cloud takeover. The group socially engineered Entra ID users to bypass MFA and reset credentials, performed directory reconnaissance via Microsoft Graph, and abused Azure RBAC and Key Vault Owner permissions to extract secrets and reach production resources. The attackers then exfiltrated data from Microsoft 365, storage accounts, and databases, used VM extensions and remote management tools for persistence, and relied on legitimate Microsoft cloud features to blend in. Several egress IPs and a ScreenConnect instance are listed as IOCs.
