Microsoft has issued a warning about a highly coordinated attack campaign targeting Microsoft 365 users. The threat group known as Storm-2949 is exploiting the password reset process to gain unauthorized access to accounts.

The campaign is described as methodical, sophisticated and multi-layered. Attackers use a combination of techniques including credential harvesting, social engineering and direct password reset manipulation. Once inside an account, they can access emails, files and other sensitive data.

How the Attack Works

Storm-2949 begins by gathering information about targets from public sources and data breaches. The attackers then initiate password reset requests repeatedly, flooding the victim's inbox with reset notifications; if the user fails to notice or act, the attackers can intercept the reset process. They also send phishing emails that mimic legitimate Microsoft communications to trick users into handing over verification codes.

The attackers often target high-value accounts such as executives, IT administrators and finance personnel. Once they gain access, they may use the compromised accounts to launch further attacks within the organization.

Who Is at Risk

Any organization using Microsoft 365 could be vulnerable. Small and medium businesses are particularly at risk because they often lack dedicated security teams. The campaign has been active since at least late 2023, with a recent uptick in activity.

Microsoft recommends enabling multi-factor authentication as the primary defense. Other steps include monitoring for unusual login attempts, training employees to recognize phishing and using conditional access policies.
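The reset-request flooding described under "How the Attack Works", combined with the monitoring Microsoft recommends, can be turned into a simple detection: flag accounts that receive a burst of reset requests, then look for a later successful sign-in from one of the IPs behind the burst. This is an added example, not Microsoft's tooling or a real Microsoft 365 audit schema; the event format, account names, IP addresses and the 4-requests-in-10-minutes threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events for illustration (not a real Microsoft log format):
# <ISO timestamp> <event> <target account> <source IP>
SAMPLE_EVENTS = """\
2024-05-02T09:00:05Z password_reset_requested cfo@example.com 203.0.113.10
2024-05-02T09:00:41Z password_reset_requested cfo@example.com 203.0.113.10
2024-05-02T09:01:12Z password_reset_requested cfo@example.com 198.51.100.7
2024-05-02T09:01:50Z password_reset_requested cfo@example.com 203.0.113.10
2024-05-02T09:02:30Z password_reset_requested cfo@example.com 198.51.100.7
2024-05-02T09:30:00Z password_reset_requested analyst@example.com 192.0.2.44
2024-05-02T09:41:00Z sign_in_success cfo@example.com 203.0.113.10
2024-05-02T14:00:00Z password_reset_requested admin@example.com 192.0.2.5
2024-05-02T16:00:00Z password_reset_requested admin@example.com 192.0.2.5
"""

def parse_events(text):
    """Parse one whitespace-separated event per line into (ts, kind, account, ip)."""
    events = []
    for line in text.splitlines():
        ts, kind, account, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kind, account, ip))
    return events

def find_reset_floods(events, threshold=4, window=timedelta(minutes=10)):
    """Map each account that received >= threshold reset requests inside `window`
    to (peak count in any such window, requesting IPs, end of the peak window).
    Threshold and window are assumed values; tune them to your tenant's baseline."""
    per_account = defaultdict(list)
    for ts, kind, account, ip in events:
        if kind == "password_reset_requested":
            per_account[account].append((ts, ip))
    flagged = {}
    for account, reqs in per_account.items():
        reqs.sort()
        start = 0
        for end in range(len(reqs)):  # sliding window over time-sorted requests
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > flagged.get(account, (0,))[0]:
                ips = {ip for _, ip in reqs[start:end + 1]}
                flagged[account] = (count, ips, reqs[end][0])
    return flagged

def sign_ins_after_flood(events, flagged):
    """Successful sign-ins on a flooded account, after the burst, from an IP that
    took part in it: the signal that the reset process may have been completed."""
    hits = []
    for ts, kind, account, ip in sorted(events):
        if kind == "sign_in_success" and account in flagged:
            _, ips, burst_end = flagged[account]
            if ip in ips and ts >= burst_end:
                hits.append((account, ts.isoformat(), ip))
    return hits
```

On the sample data only cfo@example.com is flagged (five requests in under three minutes from two IPs), and the later sign-in from one of those IPs is reported; the two admin@example.com requests two hours apart stay below the threshold.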

Why This Matters

Password reset attacks are difficult to detect because they exploit legitimate account recovery mechanisms. Storm-2949's approach shows how attackers can chain multiple techniques to bypass standard defenses. For businesses, a single compromised account can lead to data breaches, financial loss and reputational damage. The sophistication of this campaign underscores the need for proactive security measures beyond basic password hygiene.

Microsoft is actively working to disrupt the group's infrastructure. Users should remain vigilant and review their account security settings immediately.