Cyber: Complete Guide to Microsoft Self-Service Password Reset abused in Azure data theft attacks
A threat actor targeting Microsoft 365 and Azure production environments is stealing data in attacks that abuse legitimate applications and administration features. Microsoft tracks the actor as Storm-2949 and says that the purpose of the attacks is "to exfiltrate as much sensitive data from a target organization’s high-value assets as possible."

Storm-2949 used social engineering to target users with privileged roles, such as IT personnel or members of senior leadership, and obtain their Microsoft Entra ID credentials to gain access to data in Microsoft 365 applications. Microsoft believes that the actor abused the Self-Service Password Reset (SSPR) flow: the attacker initiates a password reset for a targeted employee’s account and then tricks the victim into approving the resulting multi-factor authentication (MFA) prompts. To make the ruse more convincing, the attacker poses as an IT support employee requiring urgent verification of the account. The attacker then resets the password, removes the existing MFA controls, and enrolls Microsoft Authenticator on a device they control.

After hijacking the accounts, Storm-2949 used the Microsoft Graph API and custom Python scripts to enumerate users, roles, applications, and service principals, and to evaluate the long-term persistence opportunities in each case. Next, they accessed OneDrive and SharePoint in Microsoft 365, searching for VPN configurations and IT operational files, looking for remote access details that could help with lateral movement from the cloud into the endpoint network.
Source: BleepingComputer
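The account-takeover chain described above (self-service reset, removal of the victim's MFA methods, enrollment of a new Authenticator) leaves a recognisable sequence in the tenant's audit trail. The following detection logic is an added example written for this page, not code from Microsoft or from the BleepingComputer article: it correlates those three event types per user inside a short time window and raises the severity when the account holds a privileged role. The sample events are constructed, and the field names and activity strings are assumptions modelled loosely on Entra ID audit log entries, so map them to your own log schema before use.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (assumption: "time", "user", "activity" and
# "detail" mirror the shape of an Entra ID audit log export).
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:00", "user": "alice@example.com",
     "activity": "Reset password (self-service)"},
    {"time": "2024-05-01T09:04:00", "user": "alice@example.com",
     "activity": "User deleted security info", "detail": "Phone"},
    {"time": "2024-05-01T09:06:00", "user": "alice@example.com",
     "activity": "User registered security info",
     "detail": "Microsoft Authenticator App"},
    # Bob resets his password but only adds Authenticator the next day:
    # outside the window, so it is treated as ordinary user activity.
    {"time": "2024-05-01T11:00:00", "user": "bob@example.com",
     "activity": "Reset password (self-service)"},
    {"time": "2024-05-02T15:00:00", "user": "bob@example.com",
     "activity": "User registered security info",
     "detail": "Microsoft Authenticator App"},
    # Carol registers Authenticator with no preceding reset: not flagged.
    {"time": "2024-05-01T12:00:00", "user": "carol@example.com",
     "activity": "User registered security info",
     "detail": "Microsoft Authenticator App"},
]

# Hypothetical list of accounts holding privileged roles (IT staff, senior
# leadership); in practice this would come from a directory query.
PRIVILEGED_USERS = {"alice@example.com"}

RESET = "Reset password (self-service)"
DELETED = "User deleted security info"
REGISTERED = "User registered security info"


def _ts(event):
    return datetime.fromisoformat(event["time"])


def find_sspr_takeover_chains(events, privileged_users=frozenset(),
                              window=timedelta(hours=1)):
    """Return one alert per self-service reset that is followed, within
    `window`, by MFA method removal and/or a new Authenticator enrollment."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=_ts)
        for i, e in enumerate(evs):
            if e["activity"] != RESET:
                continue
            t0 = _ts(e)
            followups = [f for f in evs[i + 1:] if _ts(f) - t0 <= window]
            mfa_removed = any(f["activity"] == DELETED for f in followups)
            enrolled = any(f["activity"] == REGISTERED
                           and "Authenticator" in f.get("detail", "")
                           for f in followups)
            if not (mfa_removed or enrolled):
                continue
            # Both steps of the chain is high; a privileged account makes it critical.
            severity = "high" if (mfa_removed and enrolled) else "medium"
            if user in privileged_users and severity == "high":
                severity = "critical"
            alerts.append({
                "user": user,
                "reset_at": e["time"],
                "mfa_removed": mfa_removed,
                "authenticator_enrolled": enrolled,
                "severity": severity,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_sspr_takeover_chains(SAMPLE_EVENTS, PRIVILEGED_USERS):
        print(alert)
```

Tune the window to your SSPR policy: a legitimate user who resets a password and re-registers a device usually does so in one sitting too, so the strongest signal is the deletion of the existing method combined with a new Authenticator registration, not the reset alone.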