
One stolen Microsoft 365 credential can unlock your whole business

Storm-2949 shows how attackers slip into Microsoft 365 with a single compromised account and move quietly through your cloud before anyone notices.

By The Dragon Digital team


Picture this: a staff member gets a call from someone claiming to be IT support. The caller walks them through resetting their Microsoft 365 password, asks them to approve an authentication prompt that looks genuine, and that’s it. Their credentials are now in the wrong hands.

That’s the premise behind Storm-2949, an attack campaign documented by Microsoft Threat Intelligence. What makes it dangerous has nothing to do with ransomware or file encryption. The danger is how quiet and methodical it is.

Once a single Microsoft 365 account is compromised, attackers expand their access step by step. They chain together password attacks, manipulate multi-factor authentication (MFA) prompts, abuse the digital keys that confirm you’re logged in, register their own devices as trusted, and exploit permission levels to go deeper into your cloud. At each stage, the activity looks entirely ordinary: sign-ins, file downloads, permission changes, storage access. Standard admin work, essentially. Without dedicated identity monitoring, those breadcrumbs disappear into normal background noise.

Why standard Microsoft 365 defaults aren’t enough

Most businesses running on Microsoft 365 rely on a password and maybe MFA if someone’s switched on enough to have turned it on. Very few have the specific monitoring in place that catches the early warning signs: unusual password resets, MFA attempts from unfamiliar locations, devices being enrolled remotely, bulk file downloads, or suspicious automated queries mapping the environment.

The second phase is worse. Once attackers hold a privileged account, they pivot into the deeper parts of your cloud: the places where connection strings and secrets are stored, your databases, storage accounts, virtual machines. In one documented case, attackers extracted dozens of secrets within four minutes of gaining privileged access. Hours later, thousands of sensitive files had left the building silently. No encryption notice, no ransom demand, no system going down. Just data moving quietly out the door.

What this means for a North Wales business

If your business runs on Microsoft 365, a single compromised account, particularly one belonging to someone with any kind of administrative role, becomes the entry point for a methodical crawl through your entire cloud setup. Shared mailboxes, SharePoint libraries, databases, backups, VPN configurations. Everything potentially exposed once attackers understand the layout.

The gap most businesses don’t know about is identity visibility. Azure Identity Protection, Microsoft’s built-in tool for spotting compromised accounts, is not switched on by default, needs proper configuration, and requires someone to be watching the alerts. It also only becomes available at the right Microsoft 365 licence tier, specifically Premium P2 or above.

The practical fixes

There is no single answer here, but the gap-closers are straightforward:

  • MFA on every account that touches admin roles or sensitive data. Use an authenticator app or hardware key rather than SMS where possible. Attackers can manipulate SMS prompts; an app on a device they don’t control is harder to abuse.
  • Enable and monitor Azure Identity Protection if your licence supports it, configured to flag risky sign-ins and unusual activity.
  • Check your audit logs. If identity protection is not available, review your Microsoft 365 audit logs monthly for large file downloads or unexpected admin activity.
  • Limit admin roles to the people who genuinely need them. A smaller number of privileged accounts means a smaller surface area for attackers to aim at.
  • Keep offline backups. Immutable backups, the kind that cannot be deleted remotely, mean that even if data does leave, you are not starting from scratch.

Storm-2949 is a reminder that cloud security is about controlling who can move around once they are inside, not just locking the front door. Most breaches that look sudden actually had warning signs hours or days earlier. As we covered in why the UK’s cyber threat is climbing, the NCSC’s core recommendations, MFA, access controls, and offline backups, remain the most effective things a small business can do.
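One way to do the monthly audit-log review described in the fixes above, as an added Python example that is not from the original post or from Microsoft. It runs over constructed records shaped like exported unified audit log entries (the field names follow the Office 365 Management Activity API schema; the tenant, users, file names and thresholds are assumptions) and flags two of the breadcrumbs the post lists: bulk file downloads by one account and privileged directory changes.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records. Field names (CreationTime, Workload, Operation, UserId,
# ObjectId) follow the Office 365 Management Activity API schema used by the unified
# audit log; every value below is made up for this example.
def _download(user, minute, n):
    return {"CreationTime": f"2024-05-01T09:{minute:02d}:{n % 60:02d}", "Workload": "SharePoint",
            "Operation": "FileDownloaded", "UserId": user,
            "ObjectId": f"https://contoso.example/sites/finance/doc{n}.xlsx"}

SAMPLE_RECORDS = (
    [_download("finance@example.com", 10 + i // 20, i) for i in range(60)]  # 60 files in ~3 min
    + [_download("sales@example.com", i * 10, i) for i in range(5)]         # 5 files over 50 min
    + [{"CreationTime": "2024-05-01T09:12:30", "Workload": "AzureActiveDirectory",
        "Operation": "Add member to role.", "UserId": "helpdesk@example.com",
        "ObjectId": "newadmin@example.com"}]                                 # privilege change
)

DOWNLOAD_THRESHOLD = 50          # more than this many downloads by one user ...
WINDOW = timedelta(minutes=10)   # ... inside any window this long is worth a look
ADMIN_OPERATIONS = {"Add member to role.", "Add registered owner to device.",
                    "Reset user password."}

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def find_bulk_downloads(records, threshold=DOWNLOAD_THRESHOLD, window=WINDOW):
    """Map each user whose FileDownloaded events exceed `threshold` within any
    sliding `window` to the largest count seen; users below the bar are omitted."""
    by_user = defaultdict(list)
    for r in records:
        if r["Operation"] == "FileDownloaded":
            by_user[r["UserId"]].append(_ts(r["CreationTime"]))
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # drop events that fell out of the window
                start += 1
            count = end - start + 1
            if count > threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged

def find_admin_changes(records, operations=ADMIN_OPERATIONS):
    """Return (time, actor, operation, target) for directory changes to review by hand."""
    return [(r["CreationTime"], r["UserId"], r["Operation"], r.get("ObjectId", ""))
            for r in records if r["Operation"] in operations]
```

Feed it the records exported from your tenant instead of SAMPLE_RECORDS and tune the threshold to your own users' normal download volume.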

The uncomfortable truth is that most Microsoft 365 tenants are not configured to catch this kind of attack. Dragon Digital handles Microsoft 365 security audits and identity monitoring for businesses across North Wales, and can tell you quickly whether your setup would catch lateral movement like this before it turns into a much bigger problem.
