How Storm-2949 turned a compromised identity into a cloud-wide breach
ID: fb494d29-8bf6-5324-9aa5-f4add7e5db67
STIX ID: report--fb494d29-8bf6-5324-9aa5-f4add7e5db67
Feed Name: Microsoft Security
Date Published: 2026-05-18
Date Updated: 2026-05-22
Author: Microsoft Defender Security Research Team
Microsoft Threat Intelligence describes a sophisticated, identity-first campaign by Storm-2949 that used social-engineered SSPR/MFA prompt abuse to obtain Microsoft Entra ID credentials. The actor then used Azure management-plane operations (Graph API, publish profile retrieval, Key Vault access, storage and SQL configuration changes, VM extensions/Run Command) and ScreenConnect RMM to move laterally and exfiltrate large volumes of sensitive data from Microsoft 365, Azure Storage, Azure SQL, and App Service environments. The report includes observed IOCs and detailed detection and mitigation recommendations.
