Password reset attacks have become a serious threat to cloud identity: Microsoft warns that a threat actor it tracks as Storm-2949 is systematically abusing password-reset and multi-factor authentication (MFA) flows to take over Microsoft 365 and Azure accounts. The pattern marks a shift in how adversaries compromise cloud environments: not with malware or zero-day exploits, but by turning the legitimate identity and authentication features organizations depend on every day against their users.
Key Takeaways
- Storm-2949 abuses Self-Service Password Reset flows by impersonating IT support to trick users into approving MFA prompts.
- Attackers remove existing authentication methods and enroll their own Microsoft Authenticator device for persistent access.
- The campaign targets Microsoft 365 and Azure environments, including OneDrive, SharePoint, App Services, and Key Vaults.
- Attackers use Microsoft Graph API queries and custom Python scripts to map tenants and enumerate users, roles, and applications.
- Post-compromise activity includes harvesting credentials, manipulating firewall rules, and deploying legitimate remote management tools like ScreenConnect.
How Password Reset Attacks Work Against Your Organization
The method Storm-2949 uses is simple and effective. The attacker starts a Self-Service Password Reset (SSPR) flow for the targeted user, then contacts the victim posing as IT support and pressures them to approve the MFA prompt that the reset generates. Once the user approves, the attacker sets a new password and signs in. The attacker then removes every existing authentication method (phone numbers, email addresses, and Microsoft Authenticator registrations) and registers Microsoft Authenticator on a device they control, so that future MFA challenges and recovery flows go to the attacker rather than to the legitimate user. A single compromised identity becomes the foothold for the wider cloud compromise described below.
What makes this attack dangerous is that it defeats a common assumption about MFA. Many teams treat MFA as a hard boundary, but here the attacker never bypasses it: the legitimate user satisfies the MFA challenge on the attacker's behalf. No password cracking or software exploit is needed, only a convincing story delivered at a moment when users are conditioned to approve authentication requests, and when a caller from "IT" asking them to approve the prompt sounds routine.
From One Account to Cloud-Wide Breach
Once inside, Storm-2949 leverages the compromised account to expand access across the entire cloud environment. The attacker uses Microsoft Graph API queries to map the tenant, enumerate users, roles, applications, and service principals, then searches OneDrive and SharePoint for sensitive IT documentation—particularly VPN configurations and remote access procedures that unlock further compromise.
The campaign does not stop at reading documents. Attackers work through high-value Azure resources in turn. In Azure App Services they harvest publishing profile credentials, which grant deployment access. In Azure Key Vault they extract database connection strings, identity credentials, and application secrets. They change Azure SQL firewall rules so they can reach databases and pull their contents, use Azure Storage account keys to exfiltrate blob data over several days with custom Python scripts, and install ScreenConnect (a legitimate remote management tool) on virtual machines after disabling Microsoft Defender real-time protection. Every step uses the platform's own keys and credentials, which is what lets the activity pass for administration while the data leaves and the attacker's access persists.
Why Traditional Security Fails Against This Attack
The Storm-2949 campaign relies on legitimate administrative features rather than malware or traditional exploits, which is precisely why it evades many detection systems. Endpoint protection, vulnerability scanning, and threat intelligence feeds are tuned to catch malicious code and known attack signatures. When an attacker uses built-in Microsoft capabilities (password resets, MFA flows, the Graph API, the Azure administrative portals) there is no malware signature to flag, and the activity looks much like normal IT operations. The one action in the chain that does not look like routine administration, switching off Defender real-time protection on a VM before installing ScreenConnect, is therefore one of the clearest signals to alert on.
Post-compromise activity includes harvesting .pfx certificate files and searching network shares for password strings, indicating the attacker is building a comprehensive map of your infrastructure for long-term exploitation. By the time detection occurs, the attacker has already exfiltrated sensitive data and established multiple persistence mechanisms.
How to Defend Against Password Reset Attacks
Microsoft's guidance is to harden the identity layer that Storm-2949 exploits: adopt phishing-resistant MFA, specifically Windows Hello for Business, FIDO2 security keys, or certificate-based authentication, instead of phone-based or email-based methods that a convincing caller can talk a user through. Apply the same standard to the reset path, because an account is only as strong as the weakest method its SSPR policy accepts: if sign-in requires a security key but recovery still accepts an SMS code or a push approval, the attacker simply uses recovery. Require two methods to complete a reset, remove SMS and email as reset methods where you can, keep privileged accounts out of SSPR, and add an out-of-band verification step (a callback to a known number, or a manager confirmation) before the help desk resets anything for a sensitive account. Monitor SSPR and security-info activity for patterns such as repeated reset attempts, or a reset followed within minutes by deletion of registered methods and registration of a new Authenticator device.
Enforce Azure role-based access control (RBAC) strictly, so that only the identities that need them can reach Key Vaults, Storage accounts, and SQL databases, and prefer managed identities over publishing profiles and account keys that can be copied once read. Disable legacy authentication protocols and use Conditional Access policies that block or step up risky sign-ins. Monitor Microsoft Graph API activity for enumeration of users, roles, applications, and service principals; keep audit logs of authentication method changes and administrative actions; and alert on changes to SQL firewall rules and on Defender real-time protection being turned off. Deploy Microsoft Defender for Cloud to detect unauthorized resource access and data exfiltration attempts.
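The reset-then-re-enroll sequence described earlier is exactly the pattern the monitoring advice above is aimed at. What follows is an added example of that detection, not code from the article or from Microsoft. It runs over a handful of constructed Entra ID audit records whose field names and activity names mirror the audit log export (activityDisplayName, activityDateTime, result, targetResources); those strings, the 60-minute window and the repeat-reset threshold are assumptions to check against your own tenant's logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Entra audit log activity names (assumption: confirm the exact strings in your tenant's export).
RESET = "Reset password (self-service)"
DELETED_INFO = "User deleted security info"
REGISTERED_INFO = "User registered security info"

# Constructed sample records in the shape of an Entra audit log export; not real tenant data.
SAMPLE_AUDIT = [
    # alice: the Storm-2949 sequence; reset, existing methods wiped, new Authenticator registered
    {"activityDateTime": "2025-03-04T09:00:12Z", "activityDisplayName": RESET, "result": "success",
     "targetResources": [{"userPrincipalName": "alice@contoso.example"}]},
    {"activityDateTime": "2025-03-04T09:04:40Z", "activityDisplayName": DELETED_INFO, "result": "success",
     "targetResources": [{"userPrincipalName": "alice@contoso.example"}]},
    {"activityDateTime": "2025-03-04T09:06:03Z", "activityDisplayName": REGISTERED_INFO, "result": "success",
     "targetResources": [{"userPrincipalName": "alice@contoso.example"}]},
    # bob: a routine self-service reset with no method changes afterwards
    {"activityDateTime": "2025-03-04T10:15:00Z", "activityDisplayName": RESET, "result": "success",
     "targetResources": [{"userPrincipalName": "bob@contoso.example"}]},
    # carol: new-hire registration with no preceding reset
    {"activityDateTime": "2025-03-04T11:30:00Z", "activityDisplayName": REGISTERED_INFO, "result": "success",
     "targetResources": [{"userPrincipalName": "carol@contoso.example"}]},
    # eve: three reset attempts in ten minutes, an attacker still working on the victim
    {"activityDateTime": "2025-03-04T13:00:00Z", "activityDisplayName": RESET, "result": "failure",
     "targetResources": [{"userPrincipalName": "eve@contoso.example"}]},
    {"activityDateTime": "2025-03-04T13:03:30Z", "activityDisplayName": RESET, "result": "failure",
     "targetResources": [{"userPrincipalName": "eve@contoso.example"}]},
    {"activityDateTime": "2025-03-04T13:09:10Z", "activityDisplayName": RESET, "result": "failure",
     "targetResources": [{"userPrincipalName": "eve@contoso.example"}]},
]


def parse_time(stamp):
    """Parse the export's ISO 8601 'Z' timestamps into timezone-aware datetimes."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def events_by_user(records):
    """Group records as (time, activity, result) tuples per target UPN, oldest first."""
    grouped = defaultdict(list)
    for rec in records:
        upn = rec["targetResources"][0]["userPrincipalName"].lower()
        grouped[upn].append((parse_time(rec["activityDateTime"]), rec["activityDisplayName"], rec["result"]))
    for events in grouped.values():
        events.sort()
    return grouped


def find_reset_takeovers(records, window_minutes=60, repeat_threshold=3):
    """Return alerts for the two SSPR patterns worth paging on.

    repeated_reset: repeat_threshold or more reset attempts (any outcome) inside the window.
    takeover: a successful self-service reset followed, inside the window, by both a deletion
              of existing security info and a registration of new security info.
    """
    window = timedelta(minutes=window_minutes)
    alerts = []
    for upn, events in events_by_user(records).items():
        # Pattern 1: a burst of reset attempts, whatever their outcome.
        resets = [t for t, name, _ in events if name == RESET]
        for i, start in enumerate(resets):
            burst = [t for t in resets[i:] if t <= start + window]
            if len(burst) >= repeat_threshold:
                alerts.append({"type": "repeated_reset", "user": upn,
                               "first_attempt": start.isoformat(), "attempts": len(burst)})
                break  # one alert per user per burst is enough
        # Pattern 2: a successful reset followed by wiping and re-registering security info.
        for when, name, result in events:
            if name != RESET or result != "success":
                continue
            followers = [n for t, n, r in events if when < t <= when + window and r == "success"]
            if DELETED_INFO in followers and REGISTERED_INFO in followers:
                alerts.append({"type": "takeover", "user": upn, "reset_at": when.isoformat(),
                               "timeline": [RESET] + followers})
    return alerts


if __name__ == "__main__":
    for alert in find_reset_takeovers(SAMPLE_AUDIT):
        print(alert)
```

On the sample, alice is reported as a takeover and eve as a repeated-reset burst, while bob's routine reset and carol's onboarding registration stay quiet. Narrowing the window to five minutes drops both alerts, which is the tuning trade-off: a shorter window cuts noise but misses an attacker who waits before re-enrolling. Feed the same function a real export (one JSON object per record) and the shape does not change.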
Are password reset attacks only targeting Microsoft 365 and Azure?
No. While this particular campaign focuses on Microsoft environments, the underlying technique—abusing identity and access management features through social engineering—applies to any cloud platform. Organizations using AWS, Google Cloud, or hybrid environments should evaluate whether their password-reset and MFA flows are equally vulnerable to social engineering attacks.
Can MFA alone stop password reset attacks?
Not on its own. In this campaign MFA is not bypassed; the legitimate user is talked into completing it. Phishing-resistant methods such as FIDO2 security keys or Windows Hello for Business hold up because the credential is bound to the user's device and to the site it was registered with, so there is no remote prompt for a caller to ask the user to approve. Push approvals (including Microsoft Authenticator, with or without number matching, since a "helpful" caller can read the number out), SMS and voice codes, and email links remain exposed to exactly the tactic Storm-2949 uses, and that applies to the methods accepted for password reset as much as to those used at sign-in.
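A practical way to find out which accounts the answer above actually concerns is to read each user's registered methods from Microsoft Graph and sort them into phishing-resistant and socially engineerable ones; a second pass diffs two snapshots of the same user to surface the churn Storm-2949 causes (existing methods removed, an unfamiliar Authenticator device added). This is an added example, not the article's or Microsoft's code. The payload shape is that of GET /users/{id}/authentication/methods and the @odata.type strings are Graph's documented method types; the grouping of those types, the ids, the device names and the sample users are constructed assumptions.

```python
import json
import urllib.request

# Graph @odata.type values for registered methods, grouped by how they fare against a caller
# posing as IT support. The type strings are Graph's; the grouping is this example's assumption.
PHISHING_RESISTANT = {
    "#microsoft.graph.fido2AuthenticationMethod",
    "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod",
}
AUTHENTICATOR = "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod"
SOCIALLY_ENGINEERABLE = {
    "#microsoft.graph.phoneAuthenticationMethod",         # SMS or voice call
    "#microsoft.graph.emailAuthenticationMethod",         # SSPR e-mail
    AUTHENTICATOR,                                        # push approval, the method Storm-2949 re-enrolls
    "#microsoft.graph.softwareOathAuthenticationMethod",  # TOTP code a user can be asked to read out
}


def fetch_methods(token, user):
    """Live lookup of GET /users/{id}/authentication/methods; needs UserAuthenticationMethod.Read.All.
    Not exercised by the constructed samples below."""
    req = urllib.request.Request(
        f"https://graph.microsoft.com/v1.0/users/{user}/authentication/methods",
        headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def assess(payload):
    """Classify one user's registered methods. Any weak method is a usable reset or MFA path."""
    strong = [m["@odata.type"] for m in payload["value"] if m["@odata.type"] in PHISHING_RESISTANT]
    weak = [m["@odata.type"] for m in payload["value"] if m["@odata.type"] in SOCIALLY_ENGINEERABLE]
    if weak:
        verdict = "weak-method-present"
    elif strong:
        verdict = "phishing-resistant-only"
    else:
        verdict = "no-mfa"
    return {"verdict": verdict, "strong": strong, "weak": weak}


def diff_methods(before, after):
    """Compare two snapshots of one user: methods removed, methods added, and whether the
    combination matches the takeover pattern (something removed and an Authenticator added)."""
    old = {(m["@odata.type"], m["id"]): m for m in before["value"]}
    new = {(m["@odata.type"], m["id"]): m for m in after["value"]}
    removed = [old[k] for k in sorted(old.keys() - new.keys())]
    added = [new[k] for k in sorted(new.keys() - old.keys())]
    suspicious = bool(removed) and any(m["@odata.type"] == AUTHENTICATOR for m in added)
    return {"removed": removed, "added": added, "suspicious": suspicious}


# Constructed payloads in the shape of the Graph response; ids and device names are made up.
ALICE_BEFORE = {"value": [
    {"@odata.type": "#microsoft.graph.passwordAuthenticationMethod", "id": "m-pw"},
    {"@odata.type": "#microsoft.graph.phoneAuthenticationMethod", "id": "m-sms", "phoneType": "mobile"},
    {"@odata.type": AUTHENTICATOR, "id": "m-auth-1", "displayName": "Pixel 7"},
]}
ALICE_AFTER = {"value": [  # after the intrusion: phone and original app gone, attacker's device present
    {"@odata.type": "#microsoft.graph.passwordAuthenticationMethod", "id": "m-pw"},
    {"@odata.type": AUTHENTICATOR, "id": "m-auth-2", "displayName": "iPhone"},
]}
ADMIN = {"value": [
    {"@odata.type": "#microsoft.graph.passwordAuthenticationMethod", "id": "m-pw"},
    {"@odata.type": "#microsoft.graph.fido2AuthenticationMethod", "id": "m-key", "displayName": "YubiKey 5"},
]}

if __name__ == "__main__":
    print(assess(ALICE_BEFORE))
    print(assess(ADMIN))
    print(diff_methods(ALICE_BEFORE, ALICE_AFTER))
```

Run periodically, the assessment gives you the list of accounts whose recovery path a caller can still walk through, and the snapshot diff turns the "methods removed, new Authenticator added" sequence into a flag you can raise even where audit log retention is short. Unknown method types are ignored rather than treated as strong, so a new type Graph adds does not silently upgrade an account's verdict.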
What should I do if I suspect my organization has been compromised?
Immediately audit recent password resets, authentication method changes, and Azure administrative activity, and revoke active sessions and refresh tokens for any account involved before resetting it with a method you control. Check for unauthorized ScreenConnect installations, review Microsoft Defender logs for real-time protection being disabled, look for new SQL firewall rules, and examine Key Vault, Storage account, and App Service access logs for signs of exfiltration; treat every secret, connection string, storage key, and publishing profile the attacker could have read as compromised and rotate it. Open a support case with Microsoft (the Microsoft Security Response Center handles product vulnerability reports, not tenant compromises) and consider engaging a cloud forensics specialist to determine the scope and to make sure every persistence mechanism, including attacker-registered Authenticator devices, is removed.
Password reset attacks represent a fundamental threat to cloud security because they exploit the trust users place in authentication workflows. Organizations that assume MFA is sufficient protection are leaving themselves exposed. The only effective defense is a layered approach: phishing-resistant MFA, strict access controls, continuous monitoring, and a security culture that treats password-reset requests with appropriate skepticism. Storm-2949 has demonstrated that in the cloud era, identity is the new perimeter, and attackers have learned to weaponize the features meant to protect it.
Edited by the All Things Geek team.
Source: TechRadar