Microsoft warns that hackers are exploiting password resets to gain access to user accounts: here’s how to stay safe

Microsoft researchers warn that Storm‑2949 is abusing the self-service password reset flow to hack accounts.
Attackers trick victims into approving MFA prompts via phone calls, then reset passwords and exfiltrate sensitive data.
The campaign targets Microsoft 365 and Azure environments, with Microsoft calling for stricter RBAC controls and monitoring of high-risk operations.

A group of hackers known as Storm-2949 are abusing the password reset feature of Microsoft services to steal users’ login credentials, gain access to their accounts, and exfiltrate as much sensitive data as possible.

A new report released by the Microsoft Defender Security Research team claims that the Self-Service Password Reset (SSPR) flow present in the Microsoft ecosystem is at the heart of this campaign.

Usually, when an employee forgets their credentials and clicks the “Forgot Password” button, Microsoft sends an MFA prompt to their registered secondary device. When the employee approves, they are allowed to set a new password through the same device on which the process was initially initiated.

How to defend

Storm 2949 abused it during very targeted attacks. First, they would identify their target, obtain their phone number, as well as the email used to connect to Microsoft services. Then, they would initiate the password reset process and simultaneously call the victims on the phone.

They would pose as computer technicians and convince victims to approve the MFA prompt, thereby being authorized to create a new password.

The next step is to kick the victim out of the account and exfiltrate as much information as possible.

The Microsoft Threat Intelligence team described the campaign as “methodical, sophisticated and multi-layered” targeting Microsoft 365 applications, file hosting services and production environments hosted by Azure.

“In one case, Storm-2949 used the OneDrive web interface to upload thousands of files in a single action to its own infrastructure,” Microsoft said. “This pattern of data theft was repeated across all compromised user accounts, likely because different identities had access to different shared folders and directories.”

To defend against this campaign, Microsoft suggests users limit Azure RBAC permissions, retain Azure Key Vault logs for one year, reduce access to Key Vault, and restrict public access to Key Vaults. It also advises using data protection options in Azure Storage and monitoring high-risk Azure management operations.