Compromising Azure this way is an alarming turn of events, since crooks can gain owner role across subscriptions, map critical assets using AzureHound, exfiltrate data via AzCopy CLI, delete backups and storage using Azure operations and, in some instances, even encrypt the files using custom Azure Key Vault keys.

Attacking the cloud rather than on-prem infrastructure allows for faster data exfiltration, as well as the destruction of backups. Adding insult to injury, it also allows them to reach out to their victims via Microsoft Teams to and demand a ransom payment.

“Leveraging cloud-native capabilities, Storm-0501 rapidly exfiltrates large volumes of data, destroys data and backups within the victim environment, and demands ransom — all without relying on traditional malware deployment,” Microsoft wrote.

To mitigate the threat, businesses should – before doing anything else – enforce MFA for all users, especially for privileged accounts. Then, they should restrict Directory Synchronisation Account permissions, use TPM on Entra Connect Sync Servers, and apply Azure resource locks and immutability policies.

Finally, Microsoft advises enabling Defender for Endpoint and Defender for Cloud across all tenants, and naturally – monitoring with Azure activity logs and advanced hunting queries.