Storm-2949 SSPR-to-Key-Vault Azure kill chain — voice-phishing SSPR → Entra ID → M365 Graph → App Service Kudu → Key Vault → SQL → Storage → Azure VM, no malware
campaign · item:storm-2949-sspr-to-key-vault-azure-cloud-wide-kill-chain
- Coverage timeline: 1 (first 2026-05-20 → last 2026-05-20)
- Briefs: 1 (1 distinct)
- Sources cited: 11 (7 hosts)
- Sections touched: 1 (deep_dive)
- Co-occurring entities: 0 (no co-occurrence)
Story timeline
- 2026-05-20: CTI Daily Brief — 2026-05-20
Where this entity is cited
- deep_dive: 1
Source distribution
- attack.mitre.org: 5 (45%)
- bleepingcomputer.com: 1 (9%)
- cert.pl: 1 (9%)
- drupal.org: 1 (9%)
- microsoft.com: 1 (9%)
- msrc.microsoft.com: 1 (9%)
- stepsecurity.io: 1 (9%)
All cited sources (11)
- microsoft.com (primary, inline): Microsoft Security Blog, 2026-05-18, https://www.microsoft.com/en-us/security/blog/2026/05/18/storm-2949-turned-compromised-identity-into-cloud-wide-breach/
- attack.mitre.org (inline): T1021.007 (Remote Services: Cloud Services), https://attack.mitre.org/techniques/T1021/007/
- attack.mitre.org (inline): T1078.004 (Valid Accounts: Cloud Accounts), https://attack.mitre.org/techniques/T1078/004/
- attack.mitre.org (inline): T1098.005 (Account Manipulation: Device Registration), https://attack.mitre.org/techniques/T1098/005/
- attack.mitre.org (inline): T1552.001 (Unsecured Credentials: Credentials In Files), https://attack.mitre.org/techniques/T1552/001/
- attack.mitre.org (inline): T1556.006 (Modify Authentication Process: Multi-Factor Authentication), https://attack.mitre.org/techniques/T1556/006/
- bleepingcomputer.com (inline): BleepingComputer corroboration on 2026-05-19, https://www.bleepingcomputer.com/news/security/microsoft-self-service-password-reset-abused-in-azure-data-theft-attacks/
- cert.pl (inline): CERT Polska CVE-2026-42096, https://cert.pl/en/posts/2026/05/CVE-2026-42096/
- drupal.org (inline): Drupal PSA-2026-05-18, https://www.drupal.org/psa-2026-05-18
- msrc.microsoft.com (inline): MSRC CVE-2026-41091, https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-41091
- stepsecurity.io (inline): StepSecurity, https://www.stepsecurity.io/blog/actions-cool-issues-helper-github-action-compromised-all-tags-point-to-imposter-commit-that-exfiltrates-ci-cd-credentials
Items in briefs about Storm-2949 SSPR-to-Key-Vault Azure kill chain — voice-phishing SSPR → Entra ID → M365 Graph → App Service Kudu → Key Vault → SQL → Storage → Azure VM, no malware
No parsed item heading or body matches this entity yet. Items match by exact CVE id (for CVE entities), by lead-segment substring of the title in the item heading or body, or by a distinctive anchor token from the title appearing in the item heading. Coverage that lives inside a broader section (no per-item heading) is captured by the Story timeline above.