How Storm-0501 is Pivoting to Cloud-Native Attacks
According to a report by Microsoft Threat Intelligence, the group Storm-0501 has shifted its focus from traditional on-premises ransomware campaigns to tactics centered on cloud services. Whereas in the past attackers deployed encryptors onto victims’ computers and servers, they now operate without conventional malware. By exploiting the built-in capabilities of cloud platforms, they rapidly exfiltrate massive volumes of data, erase both originals and backups, and then issue ransom demands.
Storm-0501 is no newcomer and is well known for its adaptability. In 2021, the group targeted U.S. school districts with Sabbath ransomware; in 2023, it pivoted to the healthcare sector; and in 2024, it deployed Embargo. In September of that same year, Microsoft described how the attackers expanded into hybrid cloud infrastructures, using Active Directory compromises as a springboard into Microsoft Entra ID, ultimately seizing global administrator privileges.
In their latest campaign, the victim was a large enterprise with a complex web of subsidiaries. Each branch maintained its own Active Directory domain and separate Azure tenant, complicating defense and creating blind spots due to uneven deployment of Microsoft Defender. The attackers exploited this fragmentation, embedding themselves in environments lacking security agents and employing stealthy lateral movement. Tools and techniques included Evil-WinRM for remote PowerShell execution, DCSync attacks to steal password hashes, and active probing of security services to evade detection.
A pivotal step was their exploitation of Entra Connect Sync servers. Through these, Storm-0501 mapped the full scope of cloud resources and discovered a critical account lacking multi-factor authentication (MFA) yet endowed with global administrator rights. By resetting the domain-level password — automatically synchronized to the cloud — the attackers attached their own MFA method and entered the Azure portal with elevated privileges. To further entrench themselves, they added a controlled federated domain via AADInternals, enabling logins as any user and the generation of SAML tokens at will.
Once inside Azure, they escalated their privileges by assigning themselves User Access Administrator and Owner roles across all subscriptions. From there, they conducted reconnaissance with AzureHound, mapping infrastructure and identifying backup storage. Upon discovery, they exposed storage accounts to the public and exfiltrated their contents using AzCopy. Keys for these repositories were stolen via Azure Storage key-management operations.
The campaign culminated in widespread destruction. Attackers deleted virtual machine snapshots, recovery points, backup containers, and even entire Azure Storage accounts. Where immutability policies or resource locks stood in the way, they attempted to disable them; failing that, they encrypted data by generating their own key in Azure Key Vault and enforcing it through encryption scopes. Finally, Storm-0501 contacted the victim directly via Microsoft Teams, leveraging the compromised account to deliver their ransom demands.
Microsoft stresses that recent security improvements — including restricted privileges for Entra Connect sync accounts introduced in May 2025, as well as enhanced authentication methods — substantially reduce the risk of such attacks. The company advises enabling MFA universally, particularly for administrators; adhering to the principle of least privilege; protecting Entra Connect servers with TPM modules; and ensuring full endpoint coverage. For cloud resources, organizations should enable monitoring, enforce storage immutability and lock policies, and eliminate anonymous access to containers. Collectively, these measures complicate an adversary’s ability to pivot from local compromise to the cloud and significantly lower the likelihood of catastrophic data loss.
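As an added defensive example (not code from Microsoft's report), the following Python audit reads the JSON that `az storage account list` and `az lock list` emit and flags every storage account missing one of the three controls the report recommends: public blob access disabled, immutability enabled, and a delete or read-only resource lock. The JSON field names are assumed from the Azure CLI output format, and the sample data is constructed.

```python
import json

# Constructed sample in the shape of `az storage account list -o json` (field names assumed).
SAMPLE_ACCOUNTS = json.loads("""[
  {"name": "backupsprod01", "resourceGroup": "rg-backups",
   "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-backups/providers/Microsoft.Storage/storageAccounts/backupsprod01",
   "allowBlobPublicAccess": true,
   "immutableStorageWithVersioning": null},
  {"name": "backupsprod02", "resourceGroup": "rg-backups",
   "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-backups/providers/Microsoft.Storage/storageAccounts/backupsprod02",
   "allowBlobPublicAccess": false,
   "immutableStorageWithVersioning": {"enabled": true}}
]""")

# Constructed sample in the shape of `az lock list -o json`: only backupsprod02 carries a delete lock.
SAMPLE_LOCKS = json.loads("""[
  {"name": "no-delete", "level": "CanNotDelete",
   "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-backups/providers/Microsoft.Storage/storageAccounts/backupsprod02/providers/Microsoft.Authorization/locks/no-delete"}
]""")

LOCK_MARKER = "/providers/Microsoft.Authorization/locks/"


def lock_scope(lock_id):
    """Return the resource id a lock applies to (everything before the lock provider segment)."""
    return lock_id.split(LOCK_MARKER, 1)[0].lower()


def is_locked(resource_id, scopes):
    """A lock protects a resource if its scope is the resource itself or an enclosing group/subscription."""
    rid = resource_id.lower()
    return any(rid == s or rid.startswith(s + "/") for s in scopes)


def audit_storage(accounts, locks):
    """Map each non-compliant account name to the list of missing controls."""
    scopes = {lock_scope(l["id"]) for l in locks if l.get("level") in ("CanNotDelete", "ReadOnly")}
    findings = {}
    for acct in accounts:
        issues = []
        # Only an explicit false counts as disabled; null/missing means the setting was never hardened.
        if acct.get("allowBlobPublicAccess") is not False:
            issues.append("public blob access not disabled")
        if not (acct.get("immutableStorageWithVersioning") or {}).get("enabled"):
            issues.append("account-level immutability not enabled")
        if not is_locked(acct["id"], scopes):
            issues.append("no CanNotDelete/ReadOnly resource lock")
        if issues:
            findings[acct["name"]] = issues
    return findings
```

Run it against real tenants by replacing the constructed samples with the output of the two `az` commands; any account that holds backups and appears in the findings is exposed to exactly the exposure, exfiltration and deletion steps described above.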