Attackers Are Abusing Microsoft Entra ID — What "Storm-2949" Means for Your Team

Microsoft has been tracking a threat actor dubbed Storm-2949 that's stealing data from Microsoft 365 and Azure tenants — and notably, they're doing it without malware. They're abusing the same cloud features your team uses every day.

How the attack works

  • Social engineering, not exploits. Attackers call or message users pretending to be internal IT, then walk them through Microsoft's Self-Service Password Reset flow and push them to approve an MFA prompt.
  • They take over the account. Once in, they reset the password, register their own authenticator app, and lock the real user out.
  • They look like an admin. Using Microsoft Graph API and Python scripts, they enumerate users, privileges, and files — then bulk-download from OneDrive and SharePoint.
  • They pivot into Azure. Compromised accounts are used to crack open Key Vaults, generate Shared Access Signature (SAS) tokens for storage, modify SQL firewall rules, and create backdoor accounts on VMs via the VMAccess extension.
  • They cover their tracks. Defender is disabled where possible and event logs are cleared.

What we're already doing to protect Boston Managed IT clients

If you're on one of our managed plans, a lot of the defensive work is already in motion. Specifically, we:

  • Enforce MFA across every tenant we manage, and are actively migrating privileged accounts to phishing-resistant methods (FIDO2 / Windows Hello / number-matching).
  • Lock down Self-Service Password Reset with strict verification methods and conditional access — the exact entry point Storm-2949 abuses.
  • Apply Conditional Access baselines that block legacy authentication, require compliant or hybrid-joined devices for admin actions, and flag risky sign-ins for review.
  • Provide 24/7 SOC monitoring of Entra ID via Huntress Managed ITDR, with detections for suspicious sign-ins, rogue MFA method registration, mass file downloads from OneDrive/SharePoint, and Graph API enumeration patterns — with active response when something fires.
  • Audit Azure role assignments and Key Vault / storage exposure on a recurring basis, and restrict standing Global Admin to break-glass accounts only.
  • Block known malicious infrastructure — the Storm-2949 ScreenConnect IPs listed below are already covered through Huntress's threat intel feed.
  • Run user-awareness training and phishing simulations so your team knows that a real BMIT technician will never call and ask you to approve an MFA prompt you didn't initiate.

If you're not currently a BMIT client — start here

Even without a managed services contract, there are concrete things you can do this week to dramatically reduce your exposure to this attack:

  1. Turn on phishing-resistant MFA for every admin in your tenant. Push-approval MFA is the exact thing this attack defeats. FIDO2 security keys or Windows Hello for Business are the bar to clear.
  2. Tighten Self-Service Password Reset. Require at least two methods, exclude SMS, and consider disabling SSPR for privileged roles entirely.
  3. Review who has Global Administrator. If the answer is "more than two people," that's too many. Move day-to-day admins to role-specific assignments (Exchange Admin, User Admin, etc.) and use Privileged Identity Management for just-in-time elevation.
  4. Tell your team, in writing, that IT will never call and ask them to approve an MFA prompt. Give them a phone number to call back on to verify. Most of these attacks die at this step if the user pauses.
  5. Check your Entra ID sign-in logs for sign-ins from the IPs listed below, and for any users who have had a new authenticator method registered in the last 30 days that they didn't initiate.
  6. Review your Azure tenant for Key Vaults and storage accounts exposed to the public internet, recently created SAS tokens, and any VMs with new local administrator accounts.
  7. Get a second set of eyes on your tenant. If you'd like a no-obligation review, we offer a complimentary Microsoft 365 security assessment — we'll run it against the exact techniques Storm-2949 uses and send you a written report.
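A starting point for step 5, as an added example that is not part of this post: it runs over exported Entra ID sign-in and audit logs and flags sign-ins from the three listed IPs plus users with a new authentication method registered in the last 30 days. Field names are assumed to follow the Microsoft Graph signIn / directoryAudit export format, and the sample records are constructed, not real tenant data.

```python
"""Hunt exported Entra ID sign-in and audit logs for the two signals in step 5.
Added example, not part of the original post. Field names follow the Microsoft
Graph signIn / directoryAudit resources (assumed export format); records are
constructed, not real tenant data."""
import json
from datetime import datetime, timedelta

# IPs the post lists for Storm-2949's ScreenConnect infrastructure.
IOC_IPS = {"176.123.4.44", "91.208.197.87", "185.241.208.243"}
# Audit-log activity written when a user adds an authentication method.
MFA_REGISTRATION_ACTIVITY = "User registered security info"

# Constructed sample records.
SIGNIN_LOGS = json.loads("""[
 {"createdDateTime": "2025-06-10T14:02:11Z", "userPrincipalName": "jdoe@contoso.example",
  "ipAddress": "176.123.4.44", "status": {"errorCode": 0}},
 {"createdDateTime": "2025-06-10T09:15:00Z", "userPrincipalName": "asmith@contoso.example",
  "ipAddress": "203.0.113.7", "status": {"errorCode": 0}}]""")
AUDIT_LOGS = json.loads("""[
 {"activityDateTime": "2025-06-10T14:05:40Z", "activityDisplayName": "User registered security info",
  "targetResources": [{"userPrincipalName": "jdoe@contoso.example"}]},
 {"activityDateTime": "2025-03-01T08:00:00Z", "activityDisplayName": "User registered security info",
  "targetResources": [{"userPrincipalName": "asmith@contoso.example"}]}]""")

def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def signins_from_ioc_ips(signins, ioc_ips=IOC_IPS):
    """(user, ip, time) for every sign-in record whose source IP is on the list;
    failed attempts count too, since they still show the actor probing the tenant."""
    return [(s["userPrincipalName"], s["ipAddress"], s["createdDateTime"])
            for s in signins if s.get("ipAddress") in ioc_ips]

def recent_mfa_registrations(audits, now_iso, days=30):
    """Users who registered a new security-info method in the `days` before now_iso.
    Each hit needs confirmation with the user: a registration they did not
    initiate is the account-takeover step the post describes."""
    cutoff = _parse(now_iso) - timedelta(days=days)
    return sorted({t["userPrincipalName"]
                   for a in audits
                   if a.get("activityDisplayName") == MFA_REGISTRATION_ACTIVITY
                   and _parse(a["activityDateTime"]) >= cutoff
                   for t in a.get("targetResources", []) if "userPrincipalName" in t})

if __name__ == "__main__":
    now = "2025-06-11T00:00:00Z"
    print("Sign-ins from IoC IPs:", signins_from_ioc_ips(SIGNIN_LOGS))
    print("New MFA registrations (30d):", recent_mfa_registrations(AUDIT_LOGS, now))
```

Point both functions at a full JSON export from the Entra admin center or Graph API; sign-in records with a non-zero `status.errorCode` are kept on purpose, because a failed attempt from a listed IP is still worth a look.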

Indicators of compromise

Microsoft published these IPs tied to Storm-2949's ScreenConnect infrastructure — worth blocking and alerting on:

  • 176.123.4.44
  • 91.208.197.87
  • 185.241.208.243

If you're already a client and want us to walk through your tenant's posture against this specific threat, open a ticket and we'll get it scheduled. If you're not yet a client and want that complimentary assessment, reply here or email sales@bostonmit.com.

Source: CyberSecurityNews — Hackers Abuse Microsoft Entra ID Accounts