
Introduction
In a sophisticated cyberattack campaign tracked as Storm-2949, threat actors exploited Microsoft Entra ID (formerly Azure AD) accounts to systematically steal sensitive data from Microsoft 365 and Azure environments. Rather than deploying traditional malware, Storm-2949 leveraged legitimate cloud management features and social engineering to bypass multi-factor authentication (MFA) and gain persistent access. This article examines the technical intricacies of the attack chain, provides actionable defensive commands, and outlines detection strategies for security professionals responsible for safeguarding identity infrastructure.
Learning Objectives
- Identify the social engineering and token theft techniques used to compromise Entra ID accounts.
- Implement Windows and Linux commands, KQL queries, and conditional access policies to detect and block malicious OAuth consent grants and token abuse.
- Apply incident response procedures, including revoking tokens and removing malicious service principals, to contain a compromised tenant.
You Should Know
1. Initial Compromise: Social Engineering and MFA Reset Abuse
The Storm-2949 campaign typically begins with targeted social engineering. Attackers impersonate internal IT support personnel, contacting employees under the guise of routine account verification or password reset procedures. Victims are persuaded to approve MFA requests they did not initiate. Once approval is granted, attackers reset account passwords and remove existing authentication methods—including phone numbers, email addresses, and Microsoft Authenticator registrations—effectively locking out legitimate users. Attackers then register their own devices for Microsoft Authenticator access, ensuring persistent control over compromised accounts.
Step-by-Step Guide to Detect MFA Reset Abuse:
To monitor for unauthorized MFA method changes or password resets by non-IT personnel, configure auditing in Microsoft Entra ID and run the following KQL (Kusto Query Language) queries in Microsoft Sentinel or Log Analytics:
```kusto
// Detect password resets initiated by accounts other than the IT admin account
// (replace <it-admin-upn> with your help-desk/admin UPN, or extend to a list)
AuditLogs
| where OperationName == "Reset user password"
| where InitiatedBy.user.userPrincipalName != "<it-admin-upn>"
| project TimeGenerated, InitiatedBy.user.userPrincipalName, TargetResources
```

```kusto
// Detect removal of MFA authentication methods
AuditLogs
| where OperationName == "Remove authentication method"
// AdditionalDetails is a key/value array; index 0 is assumed here, adjust to the entry that carries the user agent
| extend UserAgent = tostring(AdditionalDetails[0].value)
| project TimeGenerated, InitiatedBy.user.userPrincipalName, TargetResources, UserAgent
```
To proactively harden against such attacks, implement an emergency break-glass account policy. Create a cloud-only global administrator account with a complex password stored in an offline secure vault, and ensure Conditional Access policies exclude this account from MFA requirements to prevent administrative lockout during incidents.
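As an added example (not from the original article), the following Python correlates the two audit events the queries above look at separately: a password reset by a non-IT account followed by removal of authentication methods on the same target within a short window, which is the takeover sequence described in this section. The record layout and the IT allow-list are assumptions.

```python
from datetime import datetime, timedelta

# Constructed AuditLogs-style records (not real tenant data); field names mirror
# OperationName / InitiatedBy.user.userPrincipalName / TargetResources from the KQL above.
AUDIT_EVENTS = [
    {"time": "2025-01-10T09:00:00", "op": "Reset user password",
     "initiator": "alice@contoso.example", "target": "bob@contoso.example"},
    {"time": "2025-01-10T09:04:00", "op": "Remove authentication method",
     "initiator": "alice@contoso.example", "target": "bob@contoso.example"},
    {"time": "2025-01-10T09:06:00", "op": "Remove authentication method",
     "initiator": "alice@contoso.example", "target": "bob@contoso.example"},
    {"time": "2025-01-10T11:00:00", "op": "Reset user password",
     "initiator": "helpdesk@contoso.example", "target": "carol@contoso.example"},
    {"time": "2025-01-10T14:00:00", "op": "Remove authentication method",
     "initiator": "dave@contoso.example", "target": "erin@contoso.example"},
]

# Assumed allow-list of accounts that legitimately perform resets
IT_ACCOUNTS = {"helpdesk@contoso.example"}


def find_mfa_reset_abuse(events, it_accounts, window=timedelta(minutes=30)):
    """Return (initiator, target, reset_time, removal_count) for every password
    reset by a non-IT account that is followed, within `window`, by one or more
    'Remove authentication method' events by the same initiator on the same target."""
    parsed = sorted(
        ({**e, "ts": datetime.fromisoformat(e["time"])} for e in events),
        key=lambda e: e["ts"],
    )
    hits = []
    for i, e in enumerate(parsed):
        if e["op"] != "Reset user password" or e["initiator"] in it_accounts:
            continue
        removals = [
            f for f in parsed[i + 1:]
            if f["op"] == "Remove authentication method"
            and f["initiator"] == e["initiator"]
            and f["target"] == e["target"]
            and f["ts"] - e["ts"] <= window
        ]
        if removals:
            hits.append((e["initiator"], e["target"], e["ts"], len(removals)))
    return hits
```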
2. Post-Compromise Reconnaissance with Microsoft Graph API
After gaining initial access, Storm-2949 conducts directory discovery operations using Microsoft Graph API queries executed through custom Python scripts. Attackers enumerate users, applications, and service principals within the Microsoft Entra ID tenant to identify privileged accounts and map potential lateral movement paths. The attackers also use tools like ROADrecon—an open-source Azure AD exploration framework—to dump tenant configuration information for both red team and blue team analysis.
Step-by-Step Guide: Using ROADrecon for Defensive Auditing
Blue teams can use the same ROADrecon tool defensively to audit their tenant configuration. Install and run ROADrecon as follows:
```bash
# Install ROADrecon from PyPI (Linux/Windows/macOS)
pip install roadrecon
# Authenticate to Entra ID (roadrecon prompts you to log in; see `roadrecon auth -h` for the available methods)
roadrecon auth
# Collect all available tenant information into roadrecon.db in the current directory
roadrecon gather
# Generate an interactive GUI dashboard for analysis
roadrecon gui
# Query the collected data directly from the SQLite database ROADrecon wrote
sqlite3 roadrecon.db "SELECT userPrincipalName, accountEnabled FROM Users"
```
ROADrecon uses an automatically generated metadata model to create an SQLAlchemy-backed database on disk, enabling fast offline analysis of Azure AD Graph information. For continuous monitoring, schedule periodic `roadrecon gather` runs and compare outputs to identify unauthorized application registrations or new service principals.
3. Establishing Persistence via Malicious OAuth Applications
Hackers are increasingly abusing OAuth applications in Microsoft Entra ID to gain persistent access, blending in as normal “business integrations” while retaining access even after defenders reset passwords. Attackers create fake OAuth apps with deceptive consent prompts and redirect URLs, then convince users to grant consent. These malicious integrations can remain valid even after the original consenting user is disabled and may help bypass MFA via application access tokens.
Step-by-Step Guide: Auditing and Restricting OAuth Applications
- Restrict User Consent (Recommended): Navigate to Microsoft Entra admin center > Enterprise Applications > Consent and permissions > User consent settings. Set to “Allow user consent for apps from verified publishers only” or “Do not allow user consent.”
- Enforce Admin Consent Workflow: Under the same settings, enable “Admin consent requests” so that any app request requiring elevated permissions triggers a designated reviewer’s approval.
- Audit Existing Applications Using PowerShell: Run the following PowerShell cmdlets (requires the AzureAD PowerShell module, which Microsoft has since deprecated in favor of the Microsoft Graph PowerShell SDK):
```powershell
# Connect to Azure AD
Connect-AzureAD

# List all OAuth applications with high-risk delegated permissions
Get-AzureADServicePrincipal -All $true | ForEach-Object {
    $perms = Get-AzureADServicePrincipalOAuth2PermissionGrant -ObjectId $_.ObjectId
    if ($perms.Scope -match "Mail.Read|Files.ReadWrite.All|Directory.ReadWrite.All") {
        Write-Output "High-Risk App: $($_.DisplayName) - AppId: $($_.AppId)"
    }
}

# Check for apps created in the last 7 days (potential recent compromise)
$cutoffDate = (Get-Date).AddDays(-7)
Get-AzureADServicePrincipal -All $true | Where-Object { $_.CreatedDateTime -gt $cutoffDate }
```
- Revoke Tokens for Suspicious Applications: If a malicious OAuth app is identified, revoke all tokens and disable the service principal:
```powershell
# Revoke all refresh tokens for a specific user
Revoke-AzureADUserAllRefreshToken -ObjectId <user-object-id>
# Remove the malicious service principal
Remove-AzureADServicePrincipal -ObjectId <service-principal-object-id>
```
For Windows environments, you can also use the Microsoft Graph PowerShell SDK:
```powershell
Connect-MgGraph -Scopes "Application.ReadWrite.All", "User.Read.All"
Remove-MgServicePrincipal -ServicePrincipalId "<service-principal-id>"
```
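An added Python example (not the article's or ROADrecon's own code) that implements the snapshot comparison suggested in the ROADrecon section together with the high-risk permission check from the PowerShell above: it diffs two service-principal snapshots keyed by appId and reports new, removed, and scope-escalated apps, marking those that hold high-risk scopes or lack a verified publisher. The snapshot record fields are assumptions.

```python
HIGH_RISK_SCOPES = {"Mail.Read", "Files.ReadWrite.All", "Directory.ReadWrite.All"}

# Two constructed snapshots of a tenant's service principals (not real data),
# as consecutive scheduled `roadrecon gather` runs or Graph exports might yield.
# Field names are assumed: appId, displayName, publisherName, scopes (granted
# delegated scopes, space-separated like oauth2PermissionGrants.scope).
SNAPSHOT_BEFORE = [
    {"appId": "app-1", "displayName": "Contoso HR Sync", "publisherName": "Contoso", "scopes": "User.Read"},
    {"appId": "app-2", "displayName": "Ticketing", "publisherName": "Vendor A", "scopes": "User.Read Mail.Read"},
]
SNAPSHOT_AFTER = [
    {"appId": "app-1", "displayName": "Contoso HR Sync", "publisherName": "Contoso", "scopes": "User.Read"},
    {"appId": "app-2", "displayName": "Ticketing", "publisherName": "Vendor A",
     "scopes": "User.Read Mail.Read Files.ReadWrite.All"},
    {"appId": "app-3", "displayName": "Microsoft 365 Helper", "publisherName": None,
     "scopes": "Directory.ReadWrite.All"},
]


def _entry(sp, **extra):
    """Summarize one service principal: unverified publisher + high-risk scopes held."""
    return {"appId": sp["appId"], "displayName": sp["displayName"],
            "unverifiedPublisher": not sp.get("publisherName"),
            "highRisk": sorted(HIGH_RISK_SCOPES & set(sp["scopes"].split())), **extra}


def diff_service_principals(before, after):
    """Compare two snapshots keyed by appId and report what changed:
    added     - service principals absent from the earlier snapshot
    removed   - service principals that disappeared
    escalated - existing service principals whose granted scopes grew ('gained')"""
    old = {sp["appId"]: sp for sp in before}
    new = {sp["appId"]: sp for sp in after}
    added = [_entry(sp) for k, sp in new.items() if k not in old]
    removed = [_entry(sp) for k, sp in old.items() if k not in new]
    escalated = []
    for k, sp in new.items():
        if k in old:
            gained = set(sp["scopes"].split()) - set(old[k]["scopes"].split())
            if gained:
                escalated.append(_entry(sp, gained=sorted(gained)))
    return {"added": added, "removed": removed, "escalated": escalated}
```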
4. Data Exfiltration from OneDrive, SharePoint, and Azure Resources
With compromised identities under their control, Storm-2949 shifts attention to Azure subscriptions connected to the organization’s production environment. The accounts they compromise reportedly possess privileged custom Azure role-based access control (RBAC) permissions, enabling broader access to Azure services. Microsoft reports that attackers targeted Azure App Services, Key Vaults, Storage accounts, SQL databases, and virtual machines. One of their primary objectives involves compromising production Azure App Service web applications and exfiltrating connection strings and secrets from Key Vaults. Attackers use the OneDrive web interface to download thousands of files in a single operation.
Step-by-Step Guide: Monitoring and Blocking Data Exfiltration
- Detect Bulk File Downloads from OneDrive/SharePoint: Use KQL to identify anomalous download volumes:
```kusto
OfficeActivity
| where Operation == "FileDownloaded"
| summarize DownloadCount = count(), FileList = make_set(Item) by UserId, IPAddress, bin(TimeGenerated, 1h)
| where DownloadCount > 500
| project TimeGenerated, UserId, IPAddress, DownloadCount
```
- Monitor for Unusual Azure Key Vault Access: Query Azure Activity logs for Key Vault secret enumeration:
```kusto
AzureActivity
| where ResourceProvider == "MICROSOFT.KEYVAULT" and OperationName == "VaultGetSecret"
| extend UserAgent = tostring(parse_json(Properties).claims["xms_az_client_request_agent"])
| project TimeGenerated, Caller, ResourceGroup, Resource, UserAgent
```
- Configure Alerts for Suspicious Graph API Activity: In Microsoft Sentinel, create detection rules for API calls from unexpected locations or with unusual user agents. The attackers used custom Python scripts to execute Graph API queries—detecting such non-browser user agents is critical.
- Revoke Refresh Tokens After Incident Containment: Once a breach is confirmed, immediately revoke all refresh tokens for compromised accounts and force reauthentication:
```powershell
# For a compromised user account (Windows PowerShell with the AzureAD module)
Revoke-AzureADUserAllRefreshToken -ObjectId <compromised-user-UPN>
```
Alternatively, using the Microsoft Graph API (Linux/macOS with curl):
```bash
curl -X POST "https://graph.microsoft.com/v1.0/users/<user-id>/revokeSignInSessions" \
  -H "Authorization: Bearer $ACCESS_TOKEN"
```
- Disable and Isolate Compromised Accounts Immediately:
```powershell
# Disable a compromised user account
Set-AzureADUser -ObjectId <user-id> -AccountEnabled $false
# Force a password reset at next sign-in
Set-AzureADUserPassword -ObjectId <user-id> -ForceChangePasswordNextLogin $true
```
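The bulk-download query above, re-implemented as an added Python example (not from the original article) over constructed OfficeActivity-style rows, so the 1-hour binning and the threshold can be exercised offline before the rule is deployed:

```python
from collections import defaultdict
from datetime import datetime

# Constructed OfficeActivity-style "FileDownloaded" activity (not real data). Real
# logs carry one row per file; the sample compresses runs with a count that
# expand() unrolls into individual rows.
SAMPLE = [
    ("2025-01-10T10:05:00", "mallory@contoso.example", "203.0.113.7", 620),
    ("2025-01-10T10:50:00", "mallory@contoso.example", "203.0.113.7", 30),
    ("2025-01-10T11:10:00", "mallory@contoso.example", "203.0.113.7", 40),
    ("2025-01-10T10:20:00", "bob@contoso.example", "198.51.100.2", 12),
]


def expand(sample):
    """Yield one (timestamp, user, ip, item) row per download, like OfficeActivity."""
    for ts, user, ip, n in sample:
        for i in range(n):
            yield datetime.fromisoformat(ts), user, ip, f"doc-{i}.docx"


def bulk_downloads(rows, threshold=500):
    """Mirror of the KQL: count downloads per (user, ip, 1h bin) and return the
    bins whose count exceeds `threshold` as (bin_start, user, ip, count),
    largest first. Bins are truncated to the hour like bin(TimeGenerated, 1h)."""
    counts = defaultdict(int)
    for ts, user, ip, _item in rows:
        bucket = ts.replace(minute=0, second=0, microsecond=0)
        counts[(bucket, user, ip)] += 1
    return sorted(
        ((b.isoformat(), user, ip, c) for (b, user, ip), c in counts.items() if c > threshold),
        key=lambda r: r[3], reverse=True,
    )
```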
5. Lateral Movement via Hybrid Entra ID Environments
Attackers with on-premises Active Directory control can manipulate Seamless Single Sign-On (SSO) configurations to forge Kerberos service tickets for any user in the tenant. By adding backdoor keys to the OnPremAuthenticationFlowPolicy, threat actors can bypass MFA undetected. This technique involves injecting custom symmetric keys into the policy’s KeysInformation array, enabling RC4-encrypted Kerberos ticket generation for any domain user. Microsoft’s audit logs provide no visibility into these modifications, making detection extremely challenging.
Step-by-Step Guide: Hardening Hybrid Entra ID Against Lateral Movement
- Detect Unauthorized Authentication Policy Modifications: Query the Entra ID audit logs for changes to authentication policies:
```kusto
AuditLogs
| where Category == "Policy" and OperationName == "Update authentication policy"
| project TimeGenerated, InitiatedBy.user.userPrincipalName, TargetResources
```
- Enforce Hard Matching in Entra ID Connect: To prevent cloud-only account takeovers via on-premises compromise, enable hard matching for directory synchronization. This ensures that only accounts with verified on-premises identities can synchronize to the cloud. Navigate to Entra ID Connect > Properties > Prevent accidental deletion and configure matching rules strictly.
- Implement Principle of Least Privilege for Directory Sync Accounts: The Directory Synchronization account should have only the minimum required permissions—no global admin or enterprise admin privileges. Regularly rotate the AD Connect service account password every 30-60 days.
- Monitor for Suspicious Exchange Hybrid Certificate Abuse: Attackers can extract Exchange hybrid certificates from on-premises servers and request Service-to-Service (S2S) actor tokens that provide unrestricted access to Exchange Online and SharePoint without user context. Use this KQL query to detect abnormal S2S token usage:
```kusto
AuditLogs
| where InitiatedBy.user.userDisplayName == "Office 365 Exchange Online"
| where OperationName contains "Send" or OperationName contains "Access"
| summarize Count = count() by Initiator = tostring(InitiatedBy.user.userPrincipalName), IPAddress = tostring(InitiatedBy.user.ipAddress), bin(TimeGenerated, 1h)
```
6. Device Code Phishing: Bypassing MFA via OAuth Device Authorization Flow
An emerging attack vector abuses the OAuth 2.0 Device Authorization Flow (RFC 8628), designed for input-constrained devices like smart TVs and IoT equipment. Attackers request a device code from Microsoft Entra ID via legitimate APIs, then trick users into visiting `microsoft.com/devicelogin` and entering the provided code. Once the victim authenticates (including completing MFA), the attacker retrieves the resulting access and refresh tokens—effectively bypassing all authentication controls without ever stealing credentials. These refresh tokens can remain valid for months, and the technique has been commercialized as Phishing-as-a-Service tooling like EvilTokens targeting Microsoft 365 environments.
Step-by-Step Guide: Detecting and Blocking Device Code Phishing
- Identify Suspicious Device Code Flow Requests: Monitor Entra ID sign-in logs for the authentication protocol “Device Code Flow”:
```kusto
SigninLogs
| where AuthenticationRequirement == "singleFactorAuthentication"
| where AuthenticationProtocol == "deviceCode"
| where AppDisplayName contains "Microsoft Office"
| summarize Count = count() by UserPrincipalName, IPAddress, UserAgent, bin(TimeGenerated, 1h)
```
- Block Device Code Flow via Conditional Access: Create a Conditional Access policy that targets all users, add the “Device Code Flow” authentication-flow condition, and set the grant control to “Block access”. This immediately neutralizes device code phishing campaigns without impacting legitimate users who rely on password-based authentication.
- Enforce Token Lifetime and Rotation Policies: Configure token lifetime policies in Microsoft Entra ID to limit the validity period of refresh tokens. Use PowerShell to set a maximum token lifetime:
```powershell
# Create a token lifetime policy (max session lifetime 8 hours)
New-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1,"MaxInactiveTime":"08:00:00","MaxAgeMultiFactor":"08:00:00"}}') `
    -DisplayName "TokenLifetimePolicy" `
    -Type "TokenLifetimePolicy"
# Apply the policy to a service principal
Add-AzureADServicePrincipalPolicy -Id <service-principal-id> -RefObjectId <policy-id>
```
- User Education for Device Code Phishing: Train users to recognize that legitimate IT will never ask them to enter a device code received via unsolicited email or messaging. The legitimate `microsoft.com/devicelogin` page should only be used when the user themselves initiated a device registration process.
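An added Python example (not from the original article) that extends the device-code sign-in query above with a per-user baseline: a deviceCode sign-in is flagged when its source IP has not appeared in that user's sign-ins during the previous 30 days, which separates a phished code redeemed from an attacker's host from a meeting-room device on the usual network. The record fields are assumptions.

```python
from datetime import datetime, timedelta

# Constructed SigninLogs-style records (not real data); fields mirror the
# UserPrincipalName / IPAddress / AuthenticationProtocol / AuthenticationRequirement
# columns used in the KQL above.
SIGNINS = [
    {"time": "2025-01-01T08:00:00", "upn": "bob@contoso.example", "ip": "198.51.100.2",
     "protocol": "none", "auth": "multiFactorAuthentication"},
    {"time": "2025-01-05T08:00:00", "upn": "bob@contoso.example", "ip": "198.51.100.2",
     "protocol": "none", "auth": "multiFactorAuthentication"},
    # deviceCode sign-in from an IP bob has never used: the phishing pattern
    {"time": "2025-01-10T09:30:00", "upn": "bob@contoso.example", "ip": "203.0.113.7",
     "protocol": "deviceCode", "auth": "singleFactorAuthentication"},
    # deviceCode sign-in from carol's usual IP (e.g. a conference-room device)
    {"time": "2025-01-02T10:00:00", "upn": "carol@contoso.example", "ip": "198.51.100.9",
     "protocol": "none", "auth": "multiFactorAuthentication"},
    {"time": "2025-01-10T10:00:00", "upn": "carol@contoso.example", "ip": "198.51.100.9",
     "protocol": "deviceCode", "auth": "singleFactorAuthentication"},
]


def suspicious_device_code_signins(signins, baseline=timedelta(days=30)):
    """Flag deviceCode sign-ins whose source IP the same user has not used in any
    earlier sign-in within `baseline`. A user's very first sign-in via device code
    is therefore flagged too, which is the conservative choice for this flow.
    Returns (upn, ip, time) tuples in chronological order."""
    rows = sorted(
        ({**s, "ts": datetime.fromisoformat(s["time"])} for s in signins),
        key=lambda s: s["ts"],
    )
    flagged = []
    for i, s in enumerate(rows):
        if s["protocol"] != "deviceCode":
            continue
        known_ips = {
            p["ip"] for p in rows[:i]
            if p["upn"] == s["upn"] and s["ts"] - p["ts"] <= baseline
        }
        if s["ip"] not in known_ips:
            flagged.append((s["upn"], s["ip"], s["time"]))
    return flagged
```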
What Undercode Say:
The Storm-2949 campaign represents a fundamental shift in cloud identity attacks—moving from brute-force credential theft to abuse of trusted authentication protocols and legitimate management features. Key takeaways for security professionals:
- MFA Is Not a Silver Bullet: Attackers bypassed MFA not by cracking it, but by manipulating users into approving MFA prompts and OAuth consents. Organizations must treat MFA as one layer in a defense-in-depth strategy—not a standalone solution. Implement phishing-resistant MFA methods (FIDO2 security keys or Windows Hello for Business) for all privileged accounts.
- Legitimate Tools Become Attack Weapons: Storm-2949’s use of Microsoft Graph API, OAuth consent flows, and device authorization protocols demonstrates that modern cloud attacks exploit features, not flaws. Security teams must shift from reactive signature-based detection to behavioral analytics that baseline normal user and application behavior.
- Entra ID Deserves the Same Rigor as On-Premises AD: Many organizations secure their on-premises Active Directory with privileged access workstations and tiered administration, but neglect comparable controls for cloud identity. Apply zero-trust principles equally—requiring Just-In-Time (JIT) access for global admins, continuously auditing service principals and OAuth apps, and isolating break-glass accounts from daily administrative activity.
- Token Hygiene Is Critical: The persistence of refresh tokens—which remain valid after password resets and can last months—is a massive blind spot. Implement token lifetime policies, enforce frequent reauthentication for sensitive roles, and establish automated incident response playbooks that revoke all tokens for compromised accounts immediately upon detection.
- Continuous Monitoring Across the Kill Chain: Detection must extend from initial access (unusual MFA method changes) through reconnaissance (bulk Graph API queries) to exfiltration (large-volume OneDrive downloads). Integrate Entra ID audit logs, Office 365 activity logs, and Azure resource logs into a centralized SIEM with analytics focused on identity-centric indicators of compromise.
Prediction:
The Storm-2949 attack blueprint will likely be adopted and commoditized by lower-skilled threat actors through Phishing-as-a-Service (PhaaS) offerings, similar to EvilTokens. As Microsoft continues to roll out passkey support and phishing-resistant MFA broadly, attackers will pivot from credential phishing to consent phishing and token theft—targeting the OAuth authorization layer rather than the authentication layer. Organizations can expect a surge in malicious OAuth application campaigns throughout 2026, with attackers focusing on supply chain vectors (compromised VS Code extensions, CI/CD tokens) as initial entry points into Entra ID tenants. Defenders must prioritize application governance, privileged access management for cloud identities, and real-time token revocation capabilities as core components of their identity security programs.
Reported By: Tushar Subhra – Hackers Feeds


