Storm-0501 then used stolen Directory Synchronization Accounts (DSAs) to enumerate users, roles, and Azure resources with tools such as AzureHound. The attackers eventually discovered a Global Administrator account that lacked multifactor authentication, allowing them to reset its password and gain complete administrative control. With these privileges, they established persistence by adding malicious federated domains under their control, enabling them to impersonate almost any user and bypass MFA protections in the domain. Microsoft says they escalated their access further into Azure by abusing the Microsoft.Authorization/elevateAccess/action operation, which allowed them to ultimately assign themselves to Owner roles, effectively taking over the victim’s entire Azure environment.
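Detection logic for the steps described above, added here as an example and not taken from Microsoft or the original article: it scans constructed log events for federation changes, elevateAccess calls, and Owner assignments that follow an elevation by the same caller. The event schema, the operation names other than elevateAccess, and the 24-hour window are assumptions.

```python
from datetime import datetime, timedelta

# elevateAccess is named in the article; the other operation names are assumptions
# about how the described steps surface in Azure activity / Entra audit logs.
ELEVATE = "Microsoft.Authorization/elevateAccess/action"
ROLE_WRITE = "Microsoft.Authorization/roleAssignments/write"
FEDERATION_OPS = {"Set domain authentication", "Set federation settings on domain"}
WINDOW = timedelta(hours=24)  # assumed correlation window

# Constructed sample events in a simplified, hypothetical schema (not a real export).
SAMPLE_EVENTS = [
    {"time": "2025-01-09T12:00:00", "caller": "ops@victim.example", "op": ROLE_WRITE, "role": "Reader"},
    {"time": "2025-01-10T08:00:00", "caller": "ga@victim.example", "op": ELEVATE},
    {"time": "2025-01-10T08:20:00", "caller": "ga@victim.example", "op": ROLE_WRITE, "role": "Owner"},
    {"time": "2025-01-10T07:30:00", "caller": "ga@victim.example", "op": "Set federation settings on domain"},
    {"time": "2025-01-12T09:00:00", "caller": "ops@victim.example", "op": ROLE_WRITE, "role": "Owner"},
]

def find_takeover_signals(events):
    """Return (signal, caller, time) tuples in chronological order."""
    findings = []
    last_elevation = {}  # caller -> datetime of most recent elevateAccess
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        when = datetime.fromisoformat(ev["time"])
        caller, op = ev["caller"], ev["op"]
        if op == ELEVATE:
            # Rare in normal operations: grants User Access Administrator at root scope.
            last_elevation[caller] = when
            findings.append(("elevate_access", caller, ev["time"]))
        elif op == ROLE_WRITE and ev.get("role") == "Owner":
            # Owner grants alone are common; flag only those soon after an elevation.
            prior = last_elevation.get(caller)
            if prior is not None and when - prior <= WINDOW:
                findings.append(("owner_after_elevation", caller, ev["time"]))
        elif op in FEDERATION_OPS:
            # A new or changed federation lets an external IdP issue tokens for the domain.
            findings.append(("federation_change", caller, ev["time"]))
    return findings

if __name__ == "__main__":
    for finding in find_takeover_signals(SAMPLE_EVENTS):
        print(finding)
```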