Last updated: July 5, 2026 at 9:01 AM UTC
Tag: azure (3 articles)

Storm-2949 abuses Microsoft 365 Self-Service Password Reset to hijack accounts, pivot from M365 into Azure production

Microsoft is tracking a financially motivated actor it calls Storm-2949 that abuses the Microsoft 365 Self-Service Password Reset flow to hijack high-value identities and then exfiltrate as much data as possible. The actor socially engineers IT staff and senior leaders, kicks off an SSPR reset, then poses as IT support and convinces the victim to approve the resulting MFA prompt. Once in, Storm-2949 uses Graph API and custom Python to enumerate the tenant, downloads thousands of OneDrive and SharePoint files in single actions, and pivots into Azure - VMs, Key Vaults, SQL, storage - via privileged custom RBAC roles.

Check
In Entra audit logs, find users who reset their password and, within 24 hours, registered a new MFA method or had an existing one removed. Pull Graph API calls that enumerate users and service principals from previously unseen IPs.
Affected
Microsoft 365 tenants with SSPR enabled where help-desk identity is not strongly authenticated. High-privilege custom Azure RBAC roles assigned broadly amplify blast radius.
Fix
Require ticket-based identity verification for SSPR resets on admin and exec accounts. Enforce phishing-resistant FIDO2 MFA. Tighten custom-role assignments. Alert on mass OneDrive downloads via Defender for Cloud.

Azure Backup for AKS lets low-privileged Backup Contributors gain cluster-admin, Microsoft blocked CVE (VU#284781)

Microsoft has refused to issue a CVE for what an outside researcher and the CERT Coordination Center both describe as a privilege escalation in Azure Backup for Azure Kubernetes Service. The flaw lets a user holding only the low-privileged 'Backup Contributor' Azure role gain cluster-admin on AKS clusters, which Microsoft dismissed by saying the attacker 'already held administrator access.' CERT/CC validated the bug and tracked it as VU#284781. The researcher says Microsoft also tried to get MITRE to reject the submission as 'AI-generated content,' then quietly added new permission checks, suggesting a silent patch even as Microsoft says 'no product changes were made.'

Check
Audit Azure RBAC assignments on subscriptions hosting AKS clusters. Identify every user holding the 'Backup Contributor' role and verify whether each of them is also intended to hold cluster-admin rights on those clusters.
Affected
Azure Kubernetes Service clusters with Azure Backup for AKS enabled, where the 'Backup Contributor' role has been assigned. No CVE issued; CERT tracking ID VU#284781.
Fix
Restrict the 'Backup Contributor' role to trusted operators only. No vendor patch acknowledged; rely on least-privilege RBAC until Microsoft confirms a fix. Monitor MSRC for updates.

New 'ConsentFix v3' attack lets criminals take over Microsoft 365 accounts even when MFA and passkeys are turned on

Push Security disclosed ConsentFix v3, a new attack that lets criminals take over Microsoft 365 accounts even if the victim has MFA and phishing-resistant passkeys turned on. The trick: instead of stealing a password, the attacker tricks the user into pasting a Microsoft authorization URL into a phishing page during what looks like a routine login. That URL contains a one-time code that the attacker exchanges for permanent access tokens. v3 automates the whole attack with Cloudflare Pages phishing sites, Pipedream webhook automation, and tenant fingerprinting that customizes the lure to each target organization's branding.

Check
Brief every Microsoft 365 admin and developer that any 'verification step' asking them to paste a URL containing 'localhost' into a webpage is hostile, no matter how legitimate the page looks.
Affected
Any Microsoft 365 / Entra ID tenant. The attack bypasses MFA, passkeys, and most Conditional Access policies by abusing pre-consented Microsoft first-party apps. Acute risk for organizations whose admins, developers, or DevOps engineers regularly use Azure CLI - those users won't suspect a fake Azure CLI authorization page. Cloudflare Pages and Pipedream both look legitimate in network telemetry.
Fix
Apply token binding to trusted devices and require Conditional Access for first-party Microsoft apps where possible. Hunt Azure sign-in logs for Azure CLI authentications from unfamiliar IPs, especially against accounts that don't normally use it. Train developers to verify out-of-band any 'verification step' that asks them to paste URLs into a webpage. Use app authentication restrictions to limit which first-party apps can issue refresh tokens.