- Microsoft researchers warn that Storm-2949 is abusing the self-service password reset process to hijack accounts
- Attackers trick victims into accepting MFA prompts via phone calls, then reset passwords and exfiltrate sensitive data
- The campaign targets Microsoft 365 and Azure environments; Microsoft is calling for tighter RBAC controls and monitoring of high-risk operations
A hacker group known as Storm-2949 is abusing the password reset feature in Microsoft services to steal people’s login credentials, gain access to their accounts, and exfiltrate as much sensitive data as possible.
A new report published by the Microsoft Defender Security Research Team claims that the core of this campaign is the Self-Service Password Reset (SSPR) flow found in the Microsoft ecosystem.
Normally, when an employee forgets their credentials and clicks the “Forgot my password” button, Microsoft sends an MFA prompt to their registered secondary device. Once the employee approves, they are allowed to set a new password through the same device that initiated the process in the first place.
Storm-2949 abused this flow in highly targeted attacks. First, they would identify their target and obtain both their phone number and the email address used to log into Microsoft services. Then they would initiate the password reset flow and call the victim on the phone at the same time.
They would present themselves as IT technicians and convince victims to accept the MFA prompt, which effectively allowed the attackers to set a new password.
The next step is to push the victim out of the account and exfiltrate as much information as possible.
The Microsoft Threat Intelligence team described the campaign as “methodical, sophisticated and multi-layered,” targeting Microsoft 365 applications, file-hosting services and Azure-hosted production environments.
“In one instance, Storm-2949 used the OneDrive web interface to download thousands of files in a single action to their own infrastructure,” Microsoft said. “This pattern of data theft was repeated across all compromised user accounts, likely because different identities accessed different folders and shared folders.”
To defend against this campaign, Microsoft suggests that users limit Azure RBAC permissions, retain Azure Key Vault logs for one year, reduce access to Key Vault, and limit public access to Key Vaults. It also advises using data protection capabilities in Azure Storage and monitoring high-risk Azure management operations.
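One way to operationalise the monitoring advice above is to correlate a self-service password reset with an unusually large download burst by the same account shortly afterwards, the sequence the campaign relies on. The Python below is an added example, not Microsoft's code or tooling; the event records, field names and thresholds are constructed for illustration and are not Microsoft's log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified, normalized shape. The field
# names ("op", "ip", "count") are assumptions for this example, not the
# names used in any Microsoft audit or activity log.
EVENTS = [
    {"time": "2024-05-01T09:00:00", "user": "alice@example.com",
     "op": "sspr_password_reset", "ip": "203.0.113.7", "count": 1},
    {"time": "2024-05-01T09:12:00", "user": "alice@example.com",
     "op": "file_download", "ip": "203.0.113.7", "count": 4200},
    {"time": "2024-05-01T10:00:00", "user": "bob@example.com",
     "op": "sspr_password_reset", "ip": "198.51.100.2", "count": 1},
    {"time": "2024-05-01T15:00:00", "user": "bob@example.com",
     "op": "file_download", "ip": "198.51.100.2", "count": 12},
    {"time": "2024-05-01T11:00:00", "user": "carol@example.com",
     "op": "file_download", "ip": "192.0.2.9", "count": 5000},
]


def find_reset_then_bulk_download(events, window=timedelta(hours=2), threshold=500):
    """Return sorted (user, reset_time, download_time, file_count) tuples for
    every self-service password reset that is followed, within `window`, by a
    single download action of at least `threshold` files by the same account.

    A bulk download on its own (carol) or a reset on its own is not flagged
    here; the signal this detector looks for is the reset-then-exfiltrate
    sequence described in the report.
    """
    resets = defaultdict(list)     # user -> [reset timestamps]
    downloads = defaultdict(list)  # user -> [(timestamp, file count)]
    for e in events:
        t = datetime.fromisoformat(e["time"])
        if e["op"] == "sspr_password_reset":
            resets[e["user"]].append(t)
        elif e["op"] == "file_download" and e["count"] >= threshold:
            downloads[e["user"]].append((t, e["count"]))

    hits = []
    for user, reset_times in resets.items():
        for rt in reset_times:
            for dt, n in downloads.get(user, []):
                if rt <= dt <= rt + window:
                    hits.append((user, rt.isoformat(), dt.isoformat(), n))
    return sorted(hits)


if __name__ == "__main__":
    for hit in find_reset_then_bulk_download(EVENTS):
        print("ALERT reset followed by bulk download:", hit)
```

Tune `window` and `threshold` to the tenant's normal SSPR and OneDrive usage; a low threshold with a wide window trades false positives for coverage of slower exfiltration.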