How Identity Attacks Can Spread Across the Cloud
A single compromised account can sometimes open the door to an entire cloud environment. That’s the key lesson from Microsoft’s recent report on the threat actor known as Storm-2949.
The attackers did not rely on traditional malware. Instead, they used social engineering and legitimate cloud management tools to quietly move through Microsoft 365 and Azure environments. Once they gained access to one identity, they expanded their reach by targeting additional accounts and cloud services.
How the attack worked
The campaign started with fake support-style interactions designed to trick users into approving authentication requests. After taking control of accounts, the attackers:
- Explored cloud directories and user permissions
- Accessed shared files and sensitive documents
- Targeted Azure services such as Key Vaults, storage accounts, and databases
- Used built-in administrative features to avoid raising suspicion
- Extracted large amounts of data from cloud systems
Why this matters
Modern attacks increasingly focus on identity instead of devices. If attackers gain access to privileged accounts, they can often move through cloud systems using normal administrative actions that appear legitimate.
Key security lessons
Organizations can reduce risk by:
- Using phishing-resistant MFA
- Limiting privileged access
- Monitoring unusual cloud activity
- Protecting secrets and credentials stored in cloud platforms
- Applying behavior-based threat detection
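One way to put the "monitoring unusual cloud activity" and "behavior-based threat detection" lessons into practice, as an added example that is not from the page or from Microsoft's report: a rule over constructed, simplified access events (the field names and values are assumptions, not a real Azure or Microsoft 365 log schema) that flags a single identity touching an unusual breadth of sensitive cloud services within a short window, which is the spread pattern described above.

```python
"""Breadth-of-access detection for the identity-spread pattern.

Added example. The events below are constructed, simplified records
(not a real Azure log format): each carries the principal, a timestamp,
the kind of resource touched, and a resource id. The rule alerts when
one principal, inside a sliding time window, touches more distinct
sensitive resource types or more distinct resources than a baseline.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Resource kinds the report says the attackers went after.
SENSITIVE_TYPES = {"directory", "keyvault", "storage", "database"}

# Constructed sample events (assumed schema, not real log data).
EVENTS = [
    {"principal": "alice", "time": "2024-05-01T09:00:00", "type": "directory", "resource": "users/list"},
    {"principal": "alice", "time": "2024-05-01T09:03:00", "type": "keyvault", "resource": "kv-prod-1/secrets"},
    {"principal": "alice", "time": "2024-05-01T09:05:00", "type": "keyvault", "resource": "kv-prod-2/secrets"},
    {"principal": "alice", "time": "2024-05-01T09:09:00", "type": "storage", "resource": "stbackups/blobs"},
    {"principal": "alice", "time": "2024-05-01T09:12:00", "type": "database", "resource": "sql-hr/export"},
    {"principal": "bob", "time": "2024-05-01T10:00:00", "type": "storage", "resource": "stdocs/blobs"},
    {"principal": "bob", "time": "2024-05-01T15:00:00", "type": "keyvault", "resource": "kv-dev/secrets"},
]


def find_identity_spread(events, window=timedelta(minutes=15), max_types=2, max_resources=3):
    """Return {principal: [window_start_iso, ...]} for principals whose access
    breadth inside any window exceeds the baseline (one alert per principal)."""
    by_principal = defaultdict(list)
    for e in events:
        if e["type"] in SENSITIVE_TYPES:
            by_principal[e["principal"]].append((datetime.fromisoformat(e["time"]), e))
    alerts = {}
    for principal, items in by_principal.items():
        items.sort(key=lambda x: x[0])
        for i, (start, _) in enumerate(items):
            in_window = [ev for t, ev in items[i:] if t - start <= window]
            types = {ev["type"] for ev in in_window}
            resources = {ev["resource"] for ev in in_window}
            if len(types) > max_types or len(resources) > max_resources:
                alerts.setdefault(principal, []).append(start.isoformat())
                break  # one alert per principal is enough for triage
    return alerts


if __name__ == "__main__":
    print(find_identity_spread(EVENTS))
```

Tune the window and baselines to the normal breadth of access seen for each role; a legitimate administrator who routinely touches many services needs a higher baseline, which is the behavior-based part of the lesson.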
The report highlights an important shift in cybersecurity: attackers are now targeting the cloud control layer itself, not just endpoints or servers.
Original article: Microsoft Security Blog