Attackers used social engineering, MFA prompts, Azure tools, Graph API, Key Vault, and VMAccess to infiltrate accounts, persist access, exfiltrate data.
In the recent Storm-2949 campaign, attackers had focused on Microsoft 365 and Azure environments, and had used social engineering to pose as internal IT support. Victims were tricked into approving multi-factor authentication prompts (MFA), during what seemed like routine password reset activity — giving the attackers a foothold in the account recovery process.
Once inside, the group had reportedly reset passwords, removed existing authentication methods, and enrolled their own devices so they could keep access. From there, the attackers moved deeper into cloud environments using legitimate administrative tools and permissions rather than obvious malware.
Now, Microsoft is phasing out SMS-based login codes for personal accounts, as it pushes users toward passkeys, authenticator apps, and verified email recovery. The change comes as the firm also warns that attackers are increasingly abusing identity systems rather than breaking them with malware. Storm-2949 attacks had used Azure features, Graph API queries, Key Vault access, the Run command, and VMAccess extensions to blend into normal operations while exfiltrating data from Microsoft 365, storage accounts, databases, and production web apps. That approach made the activity harder to spot and underscored how much damage can follow a single compromised identity.
Security researchers say the shift reflects a broader industry lesson: text-message verification is convenient, but it is also vulnerable to phishing, SIM swapping, and social engineering. Microsoft’s own guidance now emphasizes phishing-resistant MFA, including passkeys and FIDO2-style methods. That recommendation matters because attackers in campaigns like Storm-2949 have shown they can work around traditional defenses by tricking users into approving prompts instead of stealing passwords outright.
The firm has also issued defensive advice to firms: require phishing-resistant MFA for privileged users, enforce least-privilege access, monitor risky management actions, and reduce dependence on legacy authentication paths. Also, stronger logging, careful control of Azure extensions, and broader Defender protections across cloud workloads are recommended.
This is a signal that identity is now the main attack surface, and securing it has become as important as protecting the network itself.
