Although Storm-0501 had valid credentials, it didn’t have the necessary second MFA factors, nor was it able to satisfy policy conditions. They could, however, leverage on-premises control to pivot across Active Directory domains and find a non-human synced global admin identity that lacked MFA to reset the user’s on-premises password, sign in to the Azure portal as a global admin account, and achieve complete control over the domain while establishing a persistence mechanism.
Microsoft says Storm-0501 created a backdoor using a maliciously added federated domain, enabling them to sign in as almost any user, map out the entire environment, and understand its protections. The threat actor then targeted the organization’s Azure Storage accounts, exfiltrating data to its own infrastructure.
After exfiltrating all the data, the group then mass-deleted Azure resources, including backups. For those files that could not be deleted due to Azure resource locks and Azure Storage immutability policies, the threat actor just encrypted everything in the cloud and began the extortion phase, contacting the victims using the Microsoft Teams account of one of the previously compromised users.
