Dateline: May 19, 2026
Storm-2949 Hackers Target Microsoft Cloud Identity Systems
A threat group called Storm-2949 has launched a sophisticated attack campaign targeting Microsoft Entra ID accounts to steal sensitive data from Microsoft 365 and Azure environments. The multi-layered cloud attack represents a new evolution in corporate data theft methods.
What Happened?
Storm-2949 attackers exploited Microsoft Entra ID, the company’s cloud identity and access management service, to gain unauthorized access to corporate Microsoft 365 and Azure data stores. The threat actors used compromised Entra ID accounts as their primary entry point into target organizations.
The attack campaign demonstrated advanced persistence techniques, with hackers maintaining long-term access to victim environments. They moved laterally through cloud systems after establishing initial access through the identity management platform. Microsoft’s security researchers identified the campaign after detecting unusual authentication patterns and data access behaviors.
The attackers specifically targeted sensitive corporate information stored across Microsoft’s cloud ecosystem. They extracted data from SharePoint sites, OneDrive accounts, and Azure storage containers. The campaign appears designed for corporate espionage rather than immediate financial gain.
Security researchers noted the attackers’ sophisticated understanding of Microsoft’s cloud architecture. Storm-2949 exploited legitimate administrative functions within Entra ID to avoid detection by standard security monitoring tools.
The Impact
This attack highlights critical vulnerabilities in cloud identity management systems that millions of organizations rely on daily. Companies storing sensitive data in Microsoft 365 and Azure face direct exposure when identity systems become compromised. The campaign affects any organization using Microsoft Entra ID for employee access management.
The Storm-2949 attacks demonstrate how threat actors now target cloud infrastructure rather than traditional network perimeters. Corporate IT teams must rethink security strategies that assume cloud services provide inherent protection. When identity systems fail, attackers gain broad access to organizational data.
Expert analysis suggests this represents a broader shift toward cloud-focused attack methods. Traditional security tools often miss these attacks because they appear as legitimate user activity within trusted cloud platforms.
How to Avoid This
Organizations should implement multi-factor authentication across all Microsoft Entra ID accounts, especially for administrative users. Regular audits of user permissions and access logs can help detect unusual activity patterns before major data theft occurs. IT teams need monitoring tools specifically designed for cloud identity platforms.
Companies should review which employees have administrative access to Entra ID and limit those privileges to essential personnel only. Regular password updates and account reviews help reduce the window of opportunity for attackers who compromise credentials.
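One way to turn that review into a repeatable check, written as an added example for this article rather than code from Microsoft or from any vendor mentioned here: a small Python script that walks an export of role assignments and flags the hygiene gaps the campaign relied on (standing rather than PIM-eligible admin roles, admins outside an approved list, an Owner assignment on a Key Vault that was meant to be temporary, and privileged principals with no MFA method registered). The record shape, the approved-admin list, the MFA inventory and the seven-day limit are all assumptions constructed for the example; map them to your own Entra ID and Azure RBAC exports.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample, NOT a real tenant export. The record shape (principal,
# role, scope, assignedAt, pimEligible) is an assumption made for this example;
# map the fields from your own Entra ID directory-role and Azure RBAC exports.
# Directory roles use scope "/", Azure RBAC roles use a resource-manager scope.
ASSIGNMENTS = [
    {"principal": "alice@contoso.example", "role": "Global Administrator", "scope": "/",
     "assignedAt": "2025-11-02T09:00:00+00:00", "pimEligible": True},
    {"principal": "bob@contoso.example", "role": "Global Administrator", "scope": "/",
     "assignedAt": "2024-03-15T10:30:00+00:00", "pimEligible": False},
    {"principal": "svc-deploy@contoso.example", "role": "Owner",
     "scope": "/subscriptions/sub-1/resourceGroups/rg-prod/providers/Microsoft.KeyVault/vaults/kv-prod",
     "assignedAt": "2026-04-01T08:00:00+00:00", "pimEligible": False},
    {"principal": "carol@contoso.example", "role": "Reader", "scope": "/subscriptions/sub-1",
     "assignedAt": "2025-01-10T12:00:00+00:00", "pimEligible": False},
]

# Principals the organization has explicitly approved to hold admin roles (constructed).
APPROVED_ADMINS = {"alice@contoso.example"}

# Registered MFA methods per principal (constructed); an empty list means none registered.
MFA_METHODS = {
    "alice@contoso.example": ["microsoftAuthenticator"],
    "bob@contoso.example": ["sms"],
    "svc-deploy@contoso.example": [],
    "carol@contoso.example": ["microsoftAuthenticator"],
}

# Roles whose standing assignment is treated as a finding in this review.
HIGH_PRIVILEGE_ROLES = {"Global Administrator", "Privileged Role Administrator", "Owner"}
# Longest acceptable lifetime of an Owner assignment on a Key Vault scope (assumed policy).
MAX_KEY_VAULT_OWNER_AGE = timedelta(days=7)
# Reference time for the review; fixed so the example is reproducible.
NOW = datetime(2026, 5, 19, 12, 0, tzinfo=timezone.utc)


def is_key_vault_scope(scope):
    """True when an Azure RBAC scope points at a Key Vault resource."""
    return "/providers/microsoft.keyvault/vaults/" in scope.lower()


def review_assignments(assignments, approved_admins, mfa_methods, now=NOW):
    """Return one finding dict per policy violation found in the assignments."""
    findings = []
    for a in assignments:
        principal, role, scope = a["principal"], a["role"], a["scope"]
        if role not in HIGH_PRIVILEGE_ROLES:
            continue  # low-privilege roles are out of scope for this review
        age = now - datetime.fromisoformat(a["assignedAt"])
        reasons = []
        if principal not in approved_admins:
            reasons.append("high-privilege role held by a principal outside the approved admin list")
        if not a.get("pimEligible", False):
            reasons.append("standing assignment; should be PIM-eligible and activated on demand")
        if role == "Owner" and is_key_vault_scope(scope) and age > MAX_KEY_VAULT_OWNER_AGE:
            reasons.append(f"Key Vault Owner held for {age.days} days; should have been time-bound")
        if not mfa_methods.get(principal):
            reasons.append("privileged principal has no MFA method registered")
        for reason in reasons:
            findings.append({"principal": principal, "role": role, "scope": scope, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in review_assignments(ASSIGNMENTS, APPROVED_ADMINS, MFA_METHODS):
        print(f"{f['principal']:<28} {f['role']:<22} {f['reason']}")
```

On the constructed sample the script reports nothing for the approved, PIM-eligible administrator and six findings in total: two for the standing Global Administrator outside the approved list, and four for the service principal that has held Owner on the production Key Vault for 48 days without any MFA method. Running it on a schedule against a fresh export is the "regular account review" the paragraph describes, expressed as a diff you can act on.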
Security teams should monitor for unusual sign-in locations, times, and data access patterns within Microsoft 365 and Azure environments. Establishing baseline user behavior helps identify when accounts show signs of compromise.
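The baseline-and-deviation approach in this paragraph, as an added example that is not part of the original article or of any Microsoft tooling: a Python script builds a per-user baseline (countries and UTC hours seen in successful sign-ins) from an earlier window of Entra ID sign-in records, then evaluates later records for a country never seen before, a sign-in outside the user's usual hours, two countries within an hour of each other, and a privileged account that completed sign-in with a single factor. The sample records are constructed (documentation IP ranges, fictional users); their field names follow the shape of the Microsoft Graph signIn resource, but treat that exact shape, the privileged-user set and the one-hour travel window as assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, NOT real telemetry. Field names follow the shape of the
# Microsoft Graph signIn resource (userPrincipalName, createdDateTime, ipAddress,
# location.countryOrRegion, status.errorCode, authenticationRequirement); treat
# that exact shape as an assumption and map your own export accordingly.
# Records before BASELINE_END form the baseline; later records are evaluated.
SIGNINS = [
    {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2026-05-04T08:12:00+00:00",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "DE"},
     "status": {"errorCode": 0}, "authenticationRequirement": "multiFactorAuthentication"},
    {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2026-05-06T16:40:00+00:00",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "DE"},
     "status": {"errorCode": 0}, "authenticationRequirement": "multiFactorAuthentication"},
    {"userPrincipalName": "bob@contoso.example", "createdDateTime": "2026-05-05T14:05:00+00:00",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "US"},
     "status": {"errorCode": 0}, "authenticationRequirement": "multiFactorAuthentication"},
    {"userPrincipalName": "bob@contoso.example", "createdDateTime": "2026-05-07T09:30:00+00:00",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "US"},
     "status": {"errorCode": 0}, "authenticationRequirement": "multiFactorAuthentication"},
    # Detection window: a normal sign-in, then one from a new country 35 minutes later.
    {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2026-05-18T09:10:00+00:00",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "DE"},
     "status": {"errorCode": 0}, "authenticationRequirement": "multiFactorAuthentication"},
    {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2026-05-18T09:45:00+00:00",
     "ipAddress": "192.0.2.44", "location": {"countryOrRegion": "KR"},
     "status": {"errorCode": 0}, "authenticationRequirement": "multiFactorAuthentication"},
    # A privileged user signing in at 03:20 UTC with only a password.
    {"userPrincipalName": "bob@contoso.example", "createdDateTime": "2026-05-18T03:20:00+00:00",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "US"},
     "status": {"errorCode": 0}, "authenticationRequirement": "singleFactorAuthentication"},
    # A failed sign-in (wrong password) that must not count as a single-factor success.
    {"userPrincipalName": "bob@contoso.example", "createdDateTime": "2026-05-18T10:00:00+00:00",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "US"},
     "status": {"errorCode": 50126}, "authenticationRequirement": "singleFactorAuthentication"},
]

PRIVILEGED_USERS = {"bob@contoso.example"}  # assumption: bob holds a directory admin role
BASELINE_END = datetime.fromisoformat("2026-05-15T00:00:00+00:00")
TRAVEL_WINDOW = timedelta(hours=1)  # two countries inside this window is treated as impossible travel


def _ts(record):
    return datetime.fromisoformat(record["createdDateTime"])


def build_baseline(signins, baseline_end):
    """Per user: countries and UTC hours seen in successful sign-ins before baseline_end."""
    baseline = defaultdict(lambda: {"countries": set(), "hours": set()})
    for s in signins:
        if _ts(s) >= baseline_end or s["status"]["errorCode"] != 0:
            continue
        b = baseline[s["userPrincipalName"]]
        b["countries"].add(s["location"]["countryOrRegion"])
        b["hours"].add(_ts(s).hour)
    return dict(baseline)


def detect_anomalies(signins, baseline, baseline_end, privileged_users, travel_window=TRAVEL_WINDOW):
    """Evaluate sign-ins at or after baseline_end and return a list of finding dicts."""
    findings = []
    last_seen = {}  # user -> (time, country) of the previous evaluated sign-in
    for s in sorted(signins, key=_ts):
        t = _ts(s)
        if t < baseline_end:
            continue
        user, country = s["userPrincipalName"], s["location"]["countryOrRegion"]
        succeeded = s["status"]["errorCode"] == 0
        reasons = []
        b = baseline.get(user)
        if b is None:
            reasons.append("no baseline for this user; review manually")
        else:
            if country not in b["countries"]:
                reasons.append(f"sign-in from {country}, never seen in baseline {sorted(b['countries'])}")
            # Usual hours are the baseline span widened by one hour on each side. This
            # assumes a daytime working window and does not handle a span crossing midnight.
            lo, hi = min(b["hours"]) - 1, max(b["hours"]) + 1
            if not lo <= t.hour <= hi:
                reasons.append(f"sign-in at {t.hour:02d}:00 UTC, outside usual window {lo:02d}-{hi:02d}")
        prev = last_seen.get(user)
        if prev and prev[1] != country and t - prev[0] <= travel_window:
            minutes = int((t - prev[0]).total_seconds() // 60)
            reasons.append(f"{prev[1]} then {country} within {minutes} minutes (impossible travel)")
        last_seen[user] = (t, country)
        if succeeded and user in privileged_users and s["authenticationRequirement"] != "multiFactorAuthentication":
            reasons.append("privileged account signed in with a single factor")
        for reason in reasons:
            findings.append({"user": user, "time": s["createdDateTime"], "ip": s["ipAddress"], "reason": reason})
    return findings


if __name__ == "__main__":
    base = build_baseline(SIGNINS, BASELINE_END)
    for f in detect_anomalies(SIGNINS, base, BASELINE_END, PRIVILEGED_USERS):
        print(f"{f['time']}  {f['user']:<24} {f['ip']:<14} {f['reason']}")
```

On the sample the script raises four findings: the second sign-in for the first user comes from a country absent from her baseline and arrives 35 minutes after a sign-in from her usual country, and the privileged user signs in at 03:20 UTC, well outside his 08:00 to 15:00 window, with only a password. The failed attempt is deliberately left silent by the single-factor rule; in production you would also hunt for clusters of failures from new countries, but that is a separate detection with its own thresholds. Note that the baseline here is built from only two weeks of data; a real baseline should cover several weeks so that legitimate travel and shift changes do not dominate the alerts.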
Indicators of Compromise (IOCs)
Microsoft Threat Intelligence has published the following indicators tied to the Storm-2949 campaign. Security teams should hunt for these across sign-in logs, firewall logs, and network telemetry. IPs are defanged below; re-fang only inside controlled threat intelligence platforms.

How Secure.com Helps Defend Against Identity-Driven Cloud Attacks
The Storm-2949 campaign is a textbook case of identity becoming the new perimeter and of every downstream cloud control failing the moment that perimeter falls. The attackers didn’t deploy malware. They didn’t exploit a zero-day.
They exploited the gaps every security team already knows exist: over-permissioned RBAC roles, stale MFA registrations, Key Vault Owner assignments that should have been temporary, and SSPR workflows with no behavioral guardrails. These are not exotic problems. They are hygiene problems operating at machine speed.
Secure.com’s Digital Security Teammate is built for exactly this class of threat. Our IAM module continuously reviews access across Microsoft Entra ID, cloud platforms, and SaaS environments, surfacing over-privileged accounts, orphaned identities, MFA gaps, and suspicious authentication-method changes the moment they occur. Our Misconfiguration module extends the same continuous oversight to Microsoft 365 and Entra ID configuration drift, the very layer Storm-2949 exploited to neutralize MFA and register attacker-controlled devices.
And because identity findings are mapped into attack-path context rather than treated as isolated alerts, security teams see how a single compromised account could chain into Key Vault access, App Service publishing profiles, or Storage account key extraction before an attacker does.
The lesson from Storm-2949 is uncomfortable but clear: identity-driven attacks now move faster than human-paced reviews can catch them. The defense has to operate at the same tempo. A teammate that never sleeps, audits access continuously, and remediates drift in minutes is no longer a luxury; it is the baseline for any organization storing real value in the cloud.