Microsoft and Cloud Tool Abuse

Last Updated on May 26, 2026 by Arnav Sharma

The past three weeks have delivered a concentrated cluster of high-severity threats targeting Microsoft cloud and endpoint infrastructure. From a threat actor abusing a built-in Azure password reset feature to two actively exploited Microsoft Defender zero-days and a new Exchange Server zero-day confirmed by CISA, the attack surface for enterprise environments running Microsoft tooling has expanded materially. This briefing consolidates the key campaigns, affected systems, CVE details, and mitigation priorities for security architects operating in hybrid or cloud-first environments.


Storm-2949 and the Microsoft and Cloud Tool Abuse Campaign Built on SSPR Hijacking

On May 18, 2026, Microsoft’s Defender Security Research team published a detailed breakdown of Storm-2949, a threat actor conducting what the team described as a “methodical, sophisticated, and multi-layered” campaign against Microsoft 365 and Azure production environments. The defining characteristic of this campaign is that it relies almost entirely on legitimate Microsoft administration features rather than traditional malware.

The campaign targets privileged users, specifically IT personnel and senior leadership, using their phone numbers and Microsoft 365 email addresses to initiate attacks via social engineering.

How SSPR Abuse Works: Step by Step

Self-Service Password Reset (SSPR) is a native Entra ID feature that lets employees reset their own passwords without involving the IT desk. When a reset is started for an account, Entra ID challenges the user with one or more of the authentication methods already registered on that account, typically a Microsoft Authenticator push notification or a code sent to the registered phone. Storm-2949 weaponizes this flow as follows:

  1. The attacker identifies a target with a privileged Entra ID role inside the victim organization.
  2. The attacker initiates the SSPR flow on behalf of that target user.
  3. Simultaneously, the attacker phones the victim, impersonating an internal IT support representative requiring urgent account verification.
  4. The victim, believing the MFA prompt is legitimate, approves it.
  5. The attacker resets the account password, removes all existing MFA methods registered by the legitimate user, and enrolls Microsoft Authenticator on their own device.

The legitimate user loses access instantly. The attacker gains persistent, MFA-protected control of a privileged account. No malware was installed, no vulnerability was exploited, and the initial entry leaves minimal forensic footprint in traditional security tooling.
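The sequence above is visible in the Entra ID audit log as three events on the same target account in quick succession: a self-service reset, removal of existing security info, and registration of a new method. The following is an added example (not Microsoft's detection logic or code from the original post) that runs that sequence check over a constructed audit-log export; the privileged-user list, the tenant names and the timestamps are assumptions, and the activityDisplayName strings are the ones Entra ID writes for these operations. The same logic implements the "alert on MFA method changes for privileged accounts" control in the mitigation playbook later on the page.

```python
"""Detect the Storm-2949 SSPR hijack sequence in Entra ID audit-log exports."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (not from a real tenant), reduced to the fields
# the detection needs. The activityDisplayName strings are the ones Entra ID writes
# for self-service resets and security-info (MFA method) changes.
SAMPLE_AUDIT_LOG = json.loads("""[
 {"activityDateTime":"2026-05-18T09:00:10Z","activityDisplayName":"Reset password (self-service)","targetUserPrincipalName":"it.admin@contoso.example"},
 {"activityDateTime":"2026-05-18T09:01:05Z","activityDisplayName":"User deleted security info","targetUserPrincipalName":"it.admin@contoso.example"},
 {"activityDateTime":"2026-05-18T09:02:30Z","activityDisplayName":"User registered security info","targetUserPrincipalName":"it.admin@contoso.example"},
 {"activityDateTime":"2026-05-18T11:15:00Z","activityDisplayName":"Reset password (self-service)","targetUserPrincipalName":"ceo@contoso.example"},
 {"activityDateTime":"2026-05-18T08:00:00Z","activityDisplayName":"Reset password (self-service)","targetUserPrincipalName":"alice@contoso.example"},
 {"activityDateTime":"2026-05-18T08:03:00Z","activityDisplayName":"User deleted security info","targetUserPrincipalName":"alice@contoso.example"},
 {"activityDateTime":"2026-05-18T08:04:00Z","activityDisplayName":"User registered security info","targetUserPrincipalName":"alice@contoso.example"},
 {"activityDateTime":"2026-05-18T14:00:00Z","activityDisplayName":"User registered security info","targetUserPrincipalName":"it.admin@contoso.example"}
]""")

# Hypothetical set of UPNs holding privileged Entra roles; in practice build it from
# the roleManagement/directory/roleAssignments Graph endpoint.
PRIVILEGED_USERS = {"it.admin@contoso.example", "ceo@contoso.example"}

RESET = "Reset password (self-service)"
DELETED = "User deleted security info"
REGISTERED = "User registered security info"


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_sspr_takeover(events, privileged_users, window_minutes=30):
    """Return one finding per self-service reset.

    high   : reset -> methods deleted -> new method registered, within the window,
             on a privileged account (the full Storm-2949 sequence)
    medium : the same sequence on a non-privileged account
    low    : a self-service reset on a privileged account with no follow-on changes
    """
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for e in events:
        by_user[e["targetUserPrincipalName"]].append(e)

    findings = []
    for upn, evs in by_user.items():
        evs.sort(key=lambda e: parse_ts(e["activityDateTime"]))
        privileged = upn in privileged_users
        for i, e in enumerate(evs):
            if e["activityDisplayName"] != RESET:
                continue
            t0 = parse_ts(e["activityDateTime"])
            deleted = registered = False
            for f in evs[i + 1:]:
                if parse_ts(f["activityDateTime"]) - t0 > window:
                    break
                name = f["activityDisplayName"]
                if name == DELETED:
                    deleted = True
                elif name == REGISTERED and deleted:
                    # order matters: the new device is enrolled after the old methods go
                    registered = True
            if deleted and registered:
                severity = "high" if privileged else "medium"
            elif privileged:
                severity = "low"
            else:
                continue
            findings.append({"user": upn, "reset_at": e["activityDateTime"],
                             "severity": severity, "full_sequence": deleted and registered})
    return findings


if __name__ == "__main__":
    for f in detect_sspr_takeover(SAMPLE_AUDIT_LOG, PRIVILEGED_USERS):
        print(f"{f['severity']:6} {f['user']:28} reset at {f['reset_at']}")
```

Feed it the JSON you get from `Get-MgAuditLogDirectoryAudit` or a Log Analytics export of the AuditLogs table; the 30-minute window is a tuning knob, since the campaign's reset-wipe-enroll sequence completes in minutes.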

Phase 2: Full Azure Infrastructure Takeover

After hijacking initial credentials, Storm-2949 runs a custom Python script against the Microsoft Graph API to enumerate users, roles, applications, and service principals across the tenant. They then repeat the SSPR technique to compromise additional accounts, building a portfolio of privileged identities with different access scopes.

The Azure infrastructure phase involves systematic abuse of legitimate management operations:

  • Azure App Services: The attacker invokes Microsoft.Web/sites/publishxml/action to retrieve a web app’s publishing profile, which contains FTP, Web Deploy, and Kudu management credentials. Through the Kudu console, they browse the file system and execute remote commands in the application’s context.
  • Azure Key Vault: Using the compromised identity’s Owner role, Storm-2949 manipulates access configurations and extracts secrets, including database connection strings and service credentials, within a documented window of approximately four minutes.
  • Azure Storage and SQL: The attacker uses Microsoft.Sql/servers/firewallRules/write to open SQL server firewall access, exfiltrates data using stolen credentials, then deletes the modified firewall rules to remove the trail. Storage account keys and SAS tokens are extracted via Microsoft.Storage/storageAccounts/listKeys/action and used to download large volumes of blob data through a custom Azure SDK Python script.
  • Azure Virtual Machines: Storm-2949 deploys the VMAccess extension to create rogue local administrator accounts on targeted VMs. The Run Command feature is then used to execute PowerShell scripts that disable Microsoft Defender real-time protection and behavior monitoring, install ScreenConnect as a persistent remote access backdoor, and then clear Windows event logs and delete command history to complicate forensic investigation.
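Every operation in the list above is a control-plane call and therefore lands in the Azure Activity Log with a caller identity, an operation name and a resource ID, which is the forensic footprint the campaign cannot avoid. The example below is added here (it is not Microsoft's detection content or code from the original post) and runs over a constructed Activity Log export: it flags the sensitive operations outside an approved change window, pairs a SQL firewall rule write with its later delete by the same caller, and then reports callers whose activity spans several services, since breadth across App Service, Key Vault, SQL, Storage and VMs is the campaign's signature rather than any single call. The caller names, resource IDs and change window are assumptions. It also covers the Run Command, VMAccess and listKeys alerting items in the cloud controls section later on the page.

```python
"""Flag Storm-2949-style management-plane abuse in Azure Activity Log exports."""
from collections import defaultdict
from datetime import datetime, timedelta

# Operations the campaign chains together. Activity Log operationName values are
# matched case-insensitively because exports and KQL results vary in casing.
SENSITIVE_OPS = {
    "microsoft.web/sites/publishxml/action": "publishing profile read (FTP, Web Deploy and Kudu credentials)",
    "microsoft.storage/storageaccounts/listkeys/action": "storage account keys listed",
    "microsoft.keyvault/vaults/write": "Key Vault access configuration changed",
    "microsoft.sql/servers/firewallrules/write": "SQL server firewall rule written",
    "microsoft.compute/virtualmachines/extensions/write": "VM extension deployed (VMAccess adds local admins)",
    "microsoft.compute/virtualmachines/runcommand/action": "Run Command executed on a VM",
}
FW_WRITE = "microsoft.sql/servers/firewallrules/write"
FW_DELETE = "microsoft.sql/servers/firewallrules/delete"

# Constructed sample records (not real tenant data) carrying the Activity Log fields
# the detection needs. Resource IDs are shortened for readability.
SAMPLE_ACTIVITY_LOG = [
    {"eventTimestamp": "2026-05-18T10:00:00Z", "caller": "it.admin@contoso.example", "status": "Succeeded",
     "operationName": "Microsoft.Storage/storageAccounts/listKeys/action", "resourceId": "/rg-prod/storage/stprod01"},
    {"eventTimestamp": "2026-05-18T10:01:00Z", "caller": "it.admin@contoso.example", "status": "Failed",
     "operationName": "Microsoft.Storage/storageAccounts/listKeys/action", "resourceId": "/rg-prod/storage/stprod02"},
    {"eventTimestamp": "2026-05-18T10:05:00Z", "caller": "it.admin@contoso.example", "status": "Succeeded",
     "operationName": "Microsoft.Web/sites/publishxml/action", "resourceId": "/rg-prod/web/app-prod"},
    {"eventTimestamp": "2026-05-18T10:08:00Z", "caller": "it.admin@contoso.example", "status": "Succeeded",
     "operationName": "Microsoft.KeyVault/vaults/write", "resourceId": "/rg-prod/kv/kv-prod"},
    {"eventTimestamp": "2026-05-18T10:10:00Z", "caller": "it.admin@contoso.example", "status": "Succeeded",
     "operationName": "Microsoft.Sql/servers/firewallRules/write", "resourceId": "/rg-prod/sql/sql-prod/firewallRules/tmp"},
    {"eventTimestamp": "2026-05-18T10:25:00Z", "caller": "it.admin@contoso.example", "status": "Succeeded",
     "operationName": "Microsoft.Sql/servers/firewallRules/delete", "resourceId": "/rg-prod/sql/sql-prod/firewallRules/tmp"},
    {"eventTimestamp": "2026-05-18T10:40:00Z", "caller": "it.admin@contoso.example", "status": "Succeeded",
     "operationName": "Microsoft.Compute/virtualMachines/extensions/write", "resourceId": "/rg-prod/vm/vm-app01/extensions/enablevmaccess"},
    {"eventTimestamp": "2026-05-18T10:42:00Z", "caller": "it.admin@contoso.example", "status": "Succeeded",
     "operationName": "Microsoft.Compute/virtualMachines/runCommand/action", "resourceId": "/rg-prod/vm/vm-app01"},
    # a legitimate agent rollout by a deployment service principal inside the change window
    {"eventTimestamp": "2026-05-18T02:10:00Z", "caller": "sp-deploy@contoso.example", "status": "Succeeded",
     "operationName": "Microsoft.Compute/virtualMachines/extensions/write", "resourceId": "/rg-prod/vm/vm-app02/extensions/AzureMonitorWindowsAgent"},
]

# Hypothetical approved change window for the sample day.
CHANGE_WINDOWS = [("2026-05-18T01:00:00Z", "2026-05-18T03:00:00Z")]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def in_change_window(ts, windows):
    return any(start <= ts <= end for start, end in windows)


def detect_management_plane_abuse(records, change_windows=(), pair_window_minutes=60):
    """One finding per sensitive successful operation outside a change window, plus one
    per firewall rule that the same caller wrote and then deleted within pair_window."""
    windows = [(parse_ts(a), parse_ts(b)) for a, b in change_windows]
    pair_window = timedelta(minutes=pair_window_minutes)
    by_caller = defaultdict(list)
    for r in records:
        if r.get("status") != "Succeeded":   # failed calls are noise for this rule
            continue
        by_caller[r["caller"]].append(r)

    findings = []
    for caller, recs in by_caller.items():
        recs.sort(key=lambda r: parse_ts(r["eventTimestamp"]))
        for r in recs:
            op = r["operationName"].lower()
            if op in SENSITIVE_OPS and not in_change_window(parse_ts(r["eventTimestamp"]), windows):
                findings.append({"caller": caller, "kind": op, "resource": r["resourceId"],
                                 "time": r["eventTimestamp"], "detail": SENSITIVE_OPS[op]})
        writes = [r for r in recs if r["operationName"].lower() == FW_WRITE]
        deletes = [r for r in recs if r["operationName"].lower() == FW_DELETE]
        for w in writes:
            for d in deletes:
                gap = parse_ts(d["eventTimestamp"]) - parse_ts(w["eventTimestamp"])
                if d["resourceId"] == w["resourceId"] and timedelta(0) <= gap <= pair_window:
                    findings.append({"caller": caller, "kind": "firewall_rule_write_then_delete",
                                     "resource": w["resourceId"], "time": d["eventTimestamp"],
                                     "detail": f"rule lived {int(gap.total_seconds() // 60)} min"})
    return findings


def callers_spanning_services(findings, min_kinds=3):
    """Callers whose findings cover at least min_kinds distinct operation kinds."""
    kinds = defaultdict(set)
    for f in findings:
        kinds[f["caller"]].add(f["kind"])
    return sorted(c for c, k in kinds.items() if len(k) >= min_kinds)


if __name__ == "__main__":
    results = detect_management_plane_abuse(SAMPLE_ACTIVITY_LOG, CHANGE_WINDOWS)
    for f in results:
        print(f"{f['time']}  {f['caller']:26}  {f['kind']:55}  {f['resource']}")
    print("callers spanning services:", callers_spanning_services(results))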

Key Indicators of Compromise for Storm-2949

Block the following known IOCs at your network perimeter immediately:

  • 176.123.4[.]44
  • 91.208.197[.]87
  • 185.241.208[.]243 (ScreenConnect C2 instance)

Microsoft Defender Zero-Days Under Active Exploitation

On May 20, 2026, CISA added two Microsoft Defender vulnerabilities to its Known Exploited Vulnerabilities catalog, confirming in-the-wild exploitation.

CVE Summary Table

CVE            | Type                       | CVSS | Status                 | Fixed Version
CVE-2026-41091 | Privilege Escalation (LPE) | 7.8  | Exploited in wild      | Malware Protection Engine 1.1.26040.8
CVE-2026-45498 | Denial of Service          | 4.0  | Exploited in wild      | Antimalware Platform 4.18.26040.7
CVE-2026-33825 | Privilege Escalation (LPE) | High | Publicly disclosed PoC | Patched April 2026

CVE-2026-41091: Privilege Escalation via Link Following

CVE-2026-41091 carries a CVSS score of 7.8 and affects the Microsoft Malware Protection Engine. The root cause is improper link resolution before file access, a class of vulnerability often described as “link following.” An authenticated local attacker exploits this weakness by causing Defender to follow crafted symbolic links or junctions and operate on attacker-controlled paths, ultimately gaining SYSTEM-level privileges on the affected host. Both the vulnerability disclosure and confirmed exploitation are public. The fix ships as Malware Protection Engine version 1.1.26040.8 (the AMEngineVersion value reported by Get-MpComputerStatus); 1.1.x numbers identify the engine, whereas 4.18.x numbers identify the Antimalware Platform.

The practical implication for defenders is significant: an attacker who has already achieved initial access through phishing or credential abuse can use this flaw to fully own the endpoint. In the Storm-2949 chain, the actor disables Defender first and then installs ScreenConnect; this LPE flaw provides an alternative escalation path that works even before Defender is disabled.

CVE-2026-45498: Denial of Service That Blinds Your Defenses

CVE-2026-45498 targets the Microsoft Defender Antimalware Platform at a CVSS score of 4.0. The vulnerability allows an attacker to crash or impair Defender’s protection capabilities without requiring privileges or user interaction. While the CVSS score looks low in isolation, the operational impact is disproportionately dangerous. Knocking Defender offline creates a window for follow-on malware deployment or evidence erasure that legacy alert correlation systems may miss entirely if they depend on Defender telemetry. The last vulnerable platform version is 4.18.26030.3011; fixes are in version 4.18.26040.7.

April Context: BlueHammer and the Defender Vulnerability Chain

Two additional Defender vulnerabilities merit awareness for defenders piecing together the broader pattern. CVE-2026-33825, disclosed by researcher Nightmare-Eclipse on April 7, 2026 alongside a working proof-of-concept exploit named “BlueHammer,” enables local privilege escalation from an unprivileged user to SYSTEM on Windows 10 and Windows 11 hosts that were fully patched at the time of disclosure. A second related flaw, CVE-2026-45584, also affecting Defender, has been disclosed but is not yet confirmed as exploited. Together, these vulnerabilities show a consistent research and exploitation focus on Defender as an escalation and bypass target, not merely a malware detection layer.


Exchange Server OWA Zero-Day: CVE-2026-42897

Two days after Microsoft’s May 2026 Patch Tuesday, which patched 138 vulnerabilities and was notable for containing no zero-days, Microsoft disclosed CVE-2026-42897 on May 14, 2026: an actively exploited zero-day in Exchange Server’s Outlook Web Access component.

Attack Vector and Affected Versions

CVE-2026-42897 is a cross-site scripting vulnerability in Exchange OWA, rated CVSS 8.1. An attacker sends a specially crafted email to a target. When the recipient opens the message in OWA and certain interaction conditions are met, arbitrary JavaScript executes in the browser session. This provides the attacker with a path to session hijacking, credential theft, and spoofed communications, all without requiring administrative privileges or compromise of the underlying OS.

Affected versions:

  • Exchange Server 2016
  • Exchange Server 2019
  • Exchange Server Subscription Edition (SE) RTM

Exchange Online is not affected. Organizations fully migrated to cloud-hosted Exchange carry no exposure from this specific vulnerability.

CISA added CVE-2026-42897 to its KEV catalog on May 15, 2026, setting a remediation deadline of May 29 for Federal Civilian Executive Branch agencies. A permanent patch was still in development at time of publication.

Interim Mitigation Options

Microsoft released automatic mitigation through the Exchange Emergency Mitigation (EM) Service for Exchange Server 2016, 2019, and SE. For organizations with the EM Service enabled, protections are applied automatically. For those running without the EM Service, or on Exchange Server versions without Extended Security Updates enrollment, manual mitigation steps are required. Administrators should consult the Microsoft Exchange Team’s Community Hub post from May 14, 2026 for the current EM Service status and any known interaction issues with the interim mitigation applied to OWA.


OAuth Device Code Phishing and the EvilTokens PaaS Surge

While the above vulnerabilities represent discrete CVEs, OAuth device code phishing represents a structural abuse of legitimate Microsoft authentication design, and its scale has grown dramatically in 2026.

How Device Code Phishing Bypasses MFA

The OAuth device authorization flow (RFC 8628) was designed for devices with limited input capability, such as smart TVs or conference room screens. Attackers weaponize it as follows:

  1. The attacker starts the flow and obtains a device code and user code, using an attacker-registered application or, more commonly, the client ID of a Microsoft first-party application that is permitted to use the flow.
  2. The victim receives a phishing message, often impersonating DocuSign, Adobe Acrobat, or SharePoint, with a verification code and instructions to visit microsoft.com/devicelogin (a legitimate Microsoft URL).
  3. The victim enters the code and completes their usual MFA challenge, believing they are completing a legitimate sign-in.
  4. The attacker receives a valid access token.

The attack is particularly dangerous because MFA provides no protection: the victim completes the MFA challenge themselves, on Microsoft's own login page, on behalf of the attacker’s client. By default a refresh token issued to a public client stays valid for 90 days of inactivity, and each use issues a fresh one, so a single capture yields long-lived access. In advanced scenarios, attackers use the stolen refresh token to register a device and obtain a Primary Refresh Token (PRT), which enables single sign-on across Microsoft 365 services and survives password resets.
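The reason MFA does not help is structural: in RFC 8628 the token is issued to whichever party polls with the device_code, and the victim's sign-in (MFA included) only marks the associated user_code as approved. The following is an added example, not Microsoft's implementation or code from the original post: a toy in-memory authorization server plus both halves of the phishing exchange, with an optional per-user block that mimics what a Conditional Access policy on the device code flow does. Endpoint names, client IDs and user names are assumptions.

```python
"""Toy RFC 8628 device authorization flow showing why the victim's MFA does not protect the token."""
import secrets
import string
import time

USER_CODE_ALPHABET = string.ascii_uppercase + string.digits


class DeviceCodeAuthServer:
    """Minimal in-memory authorization server (constructed for illustration, not Entra ID).

    blocked_users mimics a Conditional Access policy that blocks the device code flow
    for those accounts: the sign-in is refused and the polling client gets access_denied."""

    def __init__(self, blocked_users=()):
        self.pending = {}                      # device_code -> grant state
        self.blocked_users = set(blocked_users)

    def device_authorization(self, client_id, scope):
        """Step 1: the client (here, the attacker) requests codes."""
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(9))
        self.pending[device_code] = {"user_code": user_code, "client_id": client_id,
                                     "scope": scope, "approved_by": None,
                                     "expires_at": time.time() + 900, "denied": False}
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example/devicelogin",
                "expires_in": 900, "interval": 5}

    def user_completes_login(self, user_code, upn, mfa_satisfied):
        """Steps 2-3: the victim's browser types the code, signs in and passes MFA.
        Note that nothing here binds the grant to the victim's device."""
        for state in self.pending.values():
            if state["user_code"] == user_code and state["approved_by"] is None:
                if not mfa_satisfied:
                    return "mfa_required"
                if upn in self.blocked_users:
                    state["denied"] = True      # policy is evaluated at sign-in time
                    return "blocked_by_policy"
                state["approved_by"] = upn
                return "approved"
        return "invalid_code"

    def token(self, device_code):
        """Step 4: whoever holds device_code collects the tokens."""
        state = self.pending.get(device_code)
        if state is None:
            return {"error": "invalid_grant"}
        if time.time() > state["expires_at"]:
            self.pending.pop(device_code)
            return {"error": "expired_token"}
        if state["denied"]:
            self.pending.pop(device_code)
            return {"error": "access_denied"}
        if state["approved_by"] is None:
            return {"error": "authorization_pending"}
        self.pending.pop(device_code)
        return {"token_type": "Bearer", "subject": state["approved_by"],
                "client_id": state["client_id"], "scope": state["scope"],
                "access_token": secrets.token_urlsafe(24),
                "refresh_token": secrets.token_urlsafe(24) if "offline_access" in state["scope"] else None}


def run_device_code_phish(server, victim="victim@contoso.example", victim_passes_mfa=True):
    """Attacker and victim halves of the exchange, in the order they happen."""
    # attacker: start the flow and put user_code into the lure
    start = server.device_authorization(client_id="attacker-client", scope="openid offline_access Mail.Read")
    first_poll = server.token(start["device_code"])                      # authorization_pending
    # victim: follows the lure, enters the code on the legitimate page, completes MFA
    outcome = server.user_completes_login(start["user_code"], victim, victim_passes_mfa)
    # attacker: polls again and, if the victim approved, receives the victim's tokens
    final = server.token(start["device_code"])
    return {"first_poll": first_poll.get("error"), "victim_outcome": outcome,
            "token_subject": final.get("subject"),
            "has_refresh_token": bool(final.get("refresh_token")),
            "final_error": final.get("error")}


if __name__ == "__main__":
    print("no policy     :", run_device_code_phish(DeviceCodeAuthServer()))
    print("flow blocked  :", run_device_code_phish(DeviceCodeAuthServer(blocked_users={"victim@contoso.example"})))
```

The scope requested by the attacker includes offline_access, which is what turns a one-off access token into the long-lived refresh token described above; the block-by-policy path shows why a flow-level Conditional Access block is the control that actually helps, whereas a stronger MFA method on the victim's side changes nothing.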

EvilTokens Scale and Sector Targeting

EvilTokens launched as a Phishing-as-a-Service platform on Telegram on February 16, 2026. The platform offered tiered services covering email delivery, token capture, and SMTP relay capabilities, with AI-assisted features to tailor lure content against enterprise email filtering.

Between February 19 and March 2026, a single EvilTokens campaign compromised more than 340 Microsoft 365 organizations across the United States, Canada, Australia, New Zealand, and Germany. Sectors targeted included construction, financial services, healthcare, government, and manufacturing. Push Security documented a 37.5x surge in device code phishing infrastructure by April 4, 2026.

Russia-aligned state actors, including Storm-2372, UTA0304, UTA0307, and UNK_AcademicFlare, adopted device code phishing against government, defense, NGO, and energy targets beginning in August 2024. Financially motivated actors followed in October 2025.


ScreenConnect and RMM Tool Weaponization

Remote monitoring and management tools are a consistent and growing target class in enterprise attacks. Two distinct threat vectors emerged in early-to-mid 2026.

CVE-2026-3564: Session Hijacking via Machine Key Extraction

ConnectWise disclosed CVE-2026-3564, a critical (CVSS 9.0) vulnerability in all ScreenConnect versions prior to 26.1, in March 2026. The root cause is improper verification of cryptographic signatures. Older versions of ScreenConnect stored unique ASP.NET machine keys per instance within server configuration files in plaintext. Under certain conditions, an unauthenticated attacker can extract this material from the filesystem or configuration data, then use it to generate or modify protected session values accepted by the instance as valid, enabling unauthorized session authentication and arbitrary actions within ScreenConnect. CISA added CVE-2026-3564 to its KEV catalog on April 28, 2026.

Because ScreenConnect is used to manage remote devices, a compromised instance gives attackers direct persistent access to every endpoint under management, bypassing traditional network perimeter defenses entirely.

Storm-2949’s ScreenConnect Deployment Pattern

In the Storm-2949 campaign, ScreenConnect is deployed not as an initial access vector but as a late-stage persistence mechanism after Azure infrastructure has been compromised. Storm-2949 installs ScreenConnect through the Azure VM Run Command feature after disabling Defender, ensuring that even if the compromised Entra identity is revoked, the attacker retains direct endpoint access. The ScreenConnect C2 at 185.241.208[.]243 is a confirmed IOC for this campaign.


Attack Chain Synthesis: How These Techniques Combine

These five threat areas are not isolated incidents. They represent a coherent, layered exploitation pattern targeting enterprise Microsoft environments from multiple angles simultaneously:

Stage                | Technique                         | Relevant Campaign or CVE
Initial Access       | SSPR social engineering           | Storm-2949
Initial Access       | OAuth device code phishing        | EvilTokens / Storm-2372
Initial Access       | Exchange OWA XSS email            | CVE-2026-42897
Privilege Escalation | Defender LPE                      | CVE-2026-41091
Defense Evasion      | Defender DoS / disable            | CVE-2026-45498 / Storm-2949
Persistence          | ScreenConnect backdoor            | Storm-2949 / CVE-2026-3564
Lateral Movement     | Azure VM Run Command / VMAccess   | Storm-2949
Data Exfiltration    | Key Vault, Storage, SQL, OneDrive | Storm-2949

The convergence of cloud identity abuse, endpoint security bypass, and remote access tool weaponization means that organizations defending any single layer in isolation carry material residual risk.


Enterprise Mitigation Playbook

Identity Layer Controls

Identity is the entry point for every significant attack in this briefing. Priority controls:

  • Require phishing-resistant MFA for all privileged accounts. FIDO2 security keys and passkeys cannot be approved through a phone call, directly defeating the Storm-2949 SSPR social engineering technique.
  • Block OAuth device code flow at the Conditional Access layer. Create a Conditional Access policy using the Authentication Flows condition to block device code flow for all users, or implement an allowlist based on specific devices, operating systems, or named network locations if operational requirements prevent a full block.
  • Enable Entra ID Protection to monitor and auto-remediate risky sign-ins and identity risks.
  • Audit SSPR registration across all privileged accounts. Accounts with no registered MFA method at the time of an SSPR event represent an open enrollment opportunity for attackers.
  • Monitor for MFA method changes in privileged accounts as a high-priority alert. Removal of all existing authentication methods followed by new device enrollment is a key Storm-2949 indicator.
  • Revoke sessions explicitly for any account suspected of device code phishing compromise (Revoke-MgUserSignInSession, or the revokeSignInSessions Graph action), which invalidates the account’s refresh tokens. Do not rely on a password reset alone to clear stolen tokens, and treat any device the attacker registered during the session as a separate cleanup item, since a PRT bound to it is not retired by the password change.
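A device code block is only effective if the policy is enforced (not report-only), scoped to all users and all applications, and carries a block grant; a pilot policy or a broad exclusion group leaves the flow open. The following is an added example (not Microsoft's code or code from the original post) that audits exported Conditional Access policies for exactly those conditions and then scans sign-in records for successful device-code sign-ins, which are the sessions to revoke. It assumes the Graph conditionalAccessPolicy shape, where the flow condition lives in conditions.authenticationFlows.transferMethods, and the signIn resource's authenticationProtocol field; the policy names, group ID, users and addresses are constructed.

```python
"""Audit Conditional Access for an effective device-code-flow block and list device-code sign-ins."""
import json

# Constructed sample of Graph conditionalAccessPolicy objects, trimmed to the fields used.
# Only the third policy is an effective block: enabled, all users, all apps, no exclusions.
SAMPLE_POLICIES = json.loads("""[
 {"displayName":"Block device code flow (pilot)","state":"enabledForReportingButNotEnforced",
  "conditions":{"users":{"includeUsers":["All"],"excludeUsers":[],"excludeGroups":[]},
                "applications":{"includeApplications":["All"]},
                "authenticationFlows":{"transferMethods":"deviceCodeFlow"}},
  "grantControls":{"operator":"OR","builtInControls":["block"]}},
 {"displayName":"Block device code flow except ops group","state":"enabled",
  "conditions":{"users":{"includeUsers":["All"],"excludeUsers":[],"excludeGroups":["00000000-0000-0000-0000-00000000beef"]},
                "applications":{"includeApplications":["All"]},
                "authenticationFlows":{"transferMethods":"deviceCodeFlow,authenticationTransfer"}},
  "grantControls":{"operator":"OR","builtInControls":["block"]}},
 {"displayName":"Block device code flow","state":"enabled",
  "conditions":{"users":{"includeUsers":["All"],"excludeUsers":[],"excludeGroups":[]},
                "applications":{"includeApplications":["All"]},
                "authenticationFlows":{"transferMethods":"deviceCodeFlow"}},
  "grantControls":{"operator":"OR","builtInControls":["block"]}},
 {"displayName":"Require MFA for all users","state":"enabled",
  "conditions":{"users":{"includeUsers":["All"],"excludeUsers":[],"excludeGroups":[]},
                "applications":{"includeApplications":["All"]},"authenticationFlows":null},
  "grantControls":{"operator":"OR","builtInControls":["mfa"]}}
]""")


def evaluate_policy(policy):
    """None if the policy does not target the device code flow; otherwise the list of
    reasons it falls short of a full, enforced block (empty list means effective)."""
    cond = policy.get("conditions") or {}
    flows = (cond.get("authenticationFlows") or {}).get("transferMethods") or ""
    if "deviceCodeFlow" not in {m.strip() for m in flows.split(",")}:
        return None
    issues = []
    if policy.get("state") != "enabled":
        issues.append(f"state is {policy.get('state')}")
    if "block" not in ((policy.get("grantControls") or {}).get("builtInControls") or []):
        issues.append("grant control is not block")
    users = cond.get("users") or {}
    if users.get("includeUsers") != ["All"]:
        issues.append("does not include all users")
    if users.get("excludeUsers") or users.get("excludeGroups"):
        issues.append("has user/group exclusions (confirm these are only break-glass accounts)")
    if (cond.get("applications") or {}).get("includeApplications") != ["All"]:
        issues.append("does not cover all applications")
    return {"policy": policy["displayName"], "issues": issues}


def device_code_block_coverage(policies):
    """'full' if some device-code policy has no issues, 'partial' if all of them have
    issues, 'none' if no policy targets the flow. Also returns the per-policy evaluations."""
    evals = [e for e in map(evaluate_policy, policies) if e is not None]
    if not evals:
        return "none", []
    return ("full" if any(not e["issues"] for e in evals) else "partial"), evals


# Constructed sign-in records (Graph signIn resource, trimmed). authenticationProtocol is
# "deviceCode" for the device authorization grant; errorCode 53003 is a Conditional Access block.
SAMPLE_SIGNINS = json.loads("""[
 {"userPrincipalName":"victim@contoso.example","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Office","ipAddress":"203.0.113.10","status":{"errorCode":0}},
 {"userPrincipalName":"victim@contoso.example","authenticationProtocol":"oAuth2","appDisplayName":"Outlook","ipAddress":"198.51.100.5","status":{"errorCode":0}},
 {"userPrincipalName":"bob@contoso.example","authenticationProtocol":"deviceCode","appDisplayName":"Azure CLI","ipAddress":"198.51.100.7","status":{"errorCode":53003}}
]""")


def successful_device_code_signins(signins):
    """Each hit is a live session whose refresh token should be explained or revoked."""
    return [s for s in signins
            if s.get("authenticationProtocol") == "deviceCode"
            and (s.get("status") or {}).get("errorCode") == 0]


if __name__ == "__main__":
    coverage, evaluations = device_code_block_coverage(SAMPLE_POLICIES)
    print("device code flow block coverage:", coverage)
    for e in evaluations:
        print(f"  {e['policy']}: {e['issues'] or 'effective'}")
    for s in successful_device_code_signins(SAMPLE_SIGNINS):
        print("revoke/review:", s["userPrincipalName"], s["appDisplayName"], s["ipAddress"])
```

Run the first half against the output of `Get-MgIdentityConditionalAccessPolicy` and the second against a SigninLogs export; a "partial" result with only break-glass exclusions is acceptable, a "partial" caused by report-only mode is not.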

Endpoint and Defender Hardening

  • Apply Defender engine and platform updates immediately. The fixed builds are Malware Protection Engine 1.1.26040.8 (CVE-2026-41091) and Antimalware Platform 4.18.26040.7 (CVE-2026-45498). Both typically deploy automatically via Windows Update and Microsoft Update, but verify the AMEngineVersion and AMProductVersion values actually reported by each managed endpoint rather than assuming deployment.
  • Alert on Defender service state changes. Real-time protection disable events and behavior monitoring changes should trigger immediate investigation in SIEM.
  • Patch CVE-2026-33825 (BlueHammer). The April 2026 patch must be confirmed across the environment, not assumed based on Patch Tuesday deployment.
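Verifying the two fixed builds across a fleet means comparing version strings numerically, not lexically ("1.1.26040.10" sorts before "1.1.26040.8" as text). The following is an added example (not Microsoft tooling or code from the original post) that audits a constructed CSV export of Get-MpComputerStatus values against the builds named in this briefing and reports a missing or malformed version as unknown instead of silently treating it as patched. Host names and the export layout are assumptions.

```python
"""Audit exported Defender version data against the fixed builds named in this briefing."""
import csv
import io

# Fixed builds from the briefing. 1.1.x is the Malware Protection Engine (AMEngineVersion);
# 4.18.x is the Antimalware Platform (AMProductVersion).
FIXED = {
    "CVE-2026-41091": ("AMEngineVersion", "1.1.26040.8"),
    "CVE-2026-45498": ("AMProductVersion", "4.18.26040.7"),
}

# Constructed sample export (not real hosts), in the shape produced by
# Get-MpComputerStatus | Select-Object ComputerName,AMProductVersion,AMEngineVersion | Export-Csv
SAMPLE_EXPORT = """\
ComputerName,AMProductVersion,AMEngineVersion
ws-001,4.18.26040.7,1.1.26040.8
ws-002,4.18.26040.7,1.1.26030.5
ws-003,4.18.26030.3011,1.1.26040.8
ws-004,4.18.26020.7,1.1.26020.3
ws-005,,1.1.26040.8
"""


def version_tuple(text):
    """Numeric tuple so that 1.1.26040.10 compares greater than 1.1.26040.8."""
    return tuple(int(part) for part in text.strip().split("."))


def audit_defender_versions(csv_text, fixed=FIXED):
    """Return {host: [unpatched CVE ids]}. A missing or malformed version field is reported
    as '<CVE>:unknown' rather than silently counted as patched."""
    results = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        for cve, (field, fixed_version) in fixed.items():
            raw = (row.get(field) or "").strip()
            try:
                if version_tuple(raw) < version_tuple(fixed_version):
                    issues.append(cve)
            except ValueError:
                issues.append(f"{cve}:unknown")
        results[row["ComputerName"]] = issues
    return results


if __name__ == "__main__":
    for host, issues in audit_defender_versions(SAMPLE_EXPORT).items():
        print(f"{host}: {', '.join(issues) if issues else 'patched'}")
```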

Cloud Infrastructure Controls

  • Restrict Microsoft.Compute/virtualMachines/extensions/write and Microsoft.Compute/virtualMachines/runCommand/action (and the managed equivalent, Microsoft.Compute/virtualMachines/runCommands/write) to a minimal set of named service principals and admin accounts.
  • Alert on VMAccess extension deployment outside of approved change windows. This is a documented Storm-2949 lateral movement technique.
  • Audit Azure RBAC role assignments for service principals, particularly Owner and Contributor roles on Key Vaults and Storage Accounts.
  • Enable Azure Key Vault logging and alert on bulk secret enumeration or extraction events.
  • Block or audit Microsoft.Storage/storageAccounts/listKeys/action to detect credential harvesting against storage accounts; where workloads can use Entra ID authorization instead of account keys, disable shared key access entirely.
  • Deploy Microsoft Defender for Cloud with VM extension protection enabled to detect VMAccess and Run Command abuse at runtime.
  • Upgrade ScreenConnect to version 26.1 or later to close CVE-2026-3564. For on-premises deployments, review authentication activity logs for unauthorized session events predating the upgrade.

Email and Exchange Hardening

  • Apply the Exchange Emergency Mitigation for CVE-2026-42897 immediately if running Exchange Server 2016, 2019, or SE.
  • Verify EM Service status across all on-premises Exchange nodes. Organizations without EM Service enabled must apply manual mitigations.
  • Restrict external OWA access to named IP ranges or require a VPN/Conditional Access proxy for internet-facing OWA endpoints.
  • Audit Exchange environments for end-of-support risk. Exchange Server 2016 and 2019 reached end of support on October 14, 2025; organizations still running them without Extended Security Updates will receive no permanent fix for CVE-2026-42897.