By NHI Mgmt Group Editorial Team
Published 2026-06-12
Domain: Breaches & Incidents
Source: Bravura Security

TL;DR: Storm-2949 used Entra ID SSPR and social engineering to take over privileged Microsoft accounts without malware or a zero-day, and MFA did not stop the reset flow, according to Bravura Security. The breach shows that user-held credential reset authority is itself the attack surface, because approval confirms interaction, not understanding.


At a glance

What this is: An analysis of how Storm-2949 abused Entra ID SSPR governance to turn credential reset into an account takeover path.

Why it matters: IAM, PAM, and lifecycle teams must treat reset authority as a governance decision across human and non-human identities, not as a convenience feature.

Read Bravura Security's analysis of Storm-2949 and Entra ID SSPR abuse


Context

Credential reset governance is the part of IAM that decides who can regain access when an account is challenged, lost, or compromised. In this case, the problem is not a broken Microsoft control, but a model that places reset authority with the user at the exact point social engineering can exploit it.

Storm-2949 shows why that matters for identity programmes that mix human administration, privileged access, and downstream non-human accounts. If the user can be persuaded to approve the reset, the reset path and the compromise path become the same path, which makes containment a governance problem as much as a detection problem.


Key questions

Q: What breaks when users are allowed to authorise their own credential resets?

A: The reset path becomes an account takeover path. If a caller can socially engineer the user into approving recovery, the organisation has effectively delegated credential custody to the least reliable moment in the chain. That failure is most dangerous for privileged accounts because one successful reset can expose far more than a single mailbox or app login.

Q: Why do privileged accounts increase the impact of SSPR abuse?

A: Privileged accounts carry the largest downstream access, so the same social engineering call can unlock tenant-wide permissions, data access, and administrative reach. In practice, the breach is not just about obtaining a password. It is about converting a single reset into a broad compromise window before containment can begin.

Q: What do security teams get wrong about MFA in credential reset flows?

A: They treat MFA as proof of informed consent. In reality, MFA only proves that a prompt was approved from a registered factor. It does not prove that the user understood the caller, the context, or the consequence of the reset, which is why social engineering still succeeds.

Q: Who should control recovery for high-risk identities?

A: Enterprise policy should control recovery for privileged human accounts, and all non-human identities should follow separate lifecycle governance. That keeps recovery decisions away from the person under pressure and avoids assuming that the same workflow can safely govern users, service accounts, and automation credentials.


Technical breakdown

How SSPR becomes an account takeover path

Self-service password reset works by letting a registered user satisfy one or more verification factors and then re-establish credential access. The security assumption is that the person completing the prompt is also the person making an informed decision. Storm-2949 exploited the gap between authentication and understanding. MFA proved presence at the moment of approval, but not intent, identity context, or caller legitimacy. Once the attacker won the reset interaction, password change, method removal, and device enrolment followed as legitimate administrative actions.

Practical implication: treat SSPR as a privileged recovery path and reduce who can exercise it without additional governance.

Why user-held reset authority fails in privileged environments

When credential reset authority sits with the end user, the organisation inherits a social engineering exposure that scales with the value of the account. Privileged users are not just more important targets; they are the fastest route to broad tenant access because their reset actions can unlock downstream administrative permissions. The model also breaks containment because each compromised account must be recovered individually. That creates a recovery race the attacker can keep winning while they enumerate Graph API data or move laterally.

Practical implication: separate reset authority from account custody for privileged users and define enterprise-scoped recovery workflows.

Why non-human accounts are invisible to user-level governance

Service principals, automation accounts, and other non-human identities do not participate in SSPR at all, which means user-centric recovery models do not govern them. That matters because once attackers obtain tenant access, they often enumerate these identities to extend persistence and access. A programme that only measures human reset workflows misses the real blast radius of post-compromise identity discovery. User governance and machine governance are different control surfaces, even when they sit in the same directory.

Practical implication: map user reset controls separately from non-human identity lifecycle controls so coverage gaps do not hide behind a single IAM dashboard.
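As an added example (not code from the original post or from Bravura Security), a coverage map of the kind the implication above calls for: it scores one identity inventory from the user-centric SSPR view and from the non-human lifecycle view, so the gaps the first view hides become visible. The inventory and its field names (kind, privileged, recovery, credential_age_days, lifecycle_owner) are constructed assumptions, not a real directory export.

```python
"""Map recovery governance coverage across human and non-human identities.

Added example: the inventory below is constructed sample data and the field
names are assumptions, not a real directory export.
"""

# Constructed identity inventory: humans carry a recovery model, NHIs carry
# credential age and a lifecycle owner (or none).
SAMPLE_INVENTORY = [
    {"id": "it-admin@example.com", "kind": "user", "privileged": True, "recovery": "sspr"},
    {"id": "ceo@example.com", "kind": "user", "privileged": True, "recovery": "enterprise"},
    {"id": "analyst@example.com", "kind": "user", "privileged": False, "recovery": "sspr"},
    {"id": "sp-backup-sync", "kind": "service_principal",
     "credential_age_days": 400, "lifecycle_owner": None},
    {"id": "sp-ci-deploy", "kind": "service_principal",
     "credential_age_days": 30, "lifecycle_owner": "platform-team"},
    {"id": "automation-runbook", "kind": "automation_account",
     "credential_age_days": 120, "lifecycle_owner": "ops-team"},
]


def coverage_report(inventory, max_credential_age_days=90):
    """Return what a user-only SSPR dashboard reports next to what it hides.

    The user view counts every human as 'covered' by a reset workflow; the
    NHI view lists identities SSPR never touches, plus the two lifecycle gaps
    that matter after a tenant compromise: no owner and stale credentials."""
    users = [i for i in inventory if i["kind"] == "user"]
    nhis = [i for i in inventory if i["kind"] != "user"]
    return {
        # What the user-centric dashboard shows: every user has a reset path.
        "user_view_covered": len(users),
        "user_view_total": len(users),
        # What it hides: privileged humans still on self-service recovery.
        "privileged_on_sspr": [i["id"] for i in users
                               if i["privileged"] and i["recovery"] == "sspr"],
        # Identities outside SSPR entirely, with their own lifecycle gaps.
        "nhi_outside_sspr": [i["id"] for i in nhis],
        "nhi_without_lifecycle_owner": [i["id"] for i in nhis if not i.get("lifecycle_owner")],
        "nhi_stale_credentials": [i["id"] for i in nhis
                                  if i.get("credential_age_days", 0) > max_credential_age_days],
    }


if __name__ == "__main__":
    for key, value in coverage_report(SAMPLE_INVENTORY).items():
        print(f"{key}: {value}")
```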


Threat narrative

Attacker objective: The objective was tenant-wide access to privileged Microsoft accounts and the data and administrative reach those accounts exposed.

  1. Entry occurred when attackers used social engineering to initiate an Entra ID SSPR flow against IT staff and senior leadership accounts from the public reset portal.
  2. Escalation occurred when targets approved MFA prompts, after which the attacker reset passwords, removed authentication methods, and enrolled their own device.
  3. Impact followed through Microsoft Graph API enumeration, OneDrive and SharePoint exfiltration, and lateral movement across Azure and additional accounts.
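The chain above (and the same sequence in the technical breakdown), turned into a detection rule as an added example that is not from the original post or from Bravura Security: it correlates a self-service reset with a following authentication-method removal and device registration for the same user inside a short window. The audit event records and the activity labels RESET, METHOD_REMOVED and DEVICE_ADDED are constructed sample data and assumed names, not a verified Entra ID audit schema; the rule also flags partial chains, which goes beyond what the narrative describes.

```python
"""Correlate the SSPR takeover chain in Entra ID style audit events.

Added example: the event records and activity labels are constructed sample
data (assumed names, check them against your tenant's audit schema).
"""
from datetime import datetime, timedelta

# Assumed activity labels for the three steps of the chain.
RESET = "Reset password (self-service)"
METHOD_REMOVED = "User deleted security info"
DEVICE_ADDED = "Register device"
FOLLOW_ONS = {METHOD_REMOVED, DEVICE_ADDED}

# Constructed watchlist of privileged accounts (IT staff, leadership).
PRIVILEGED = {"it-admin@example.com", "ceo@example.com"}

# Constructed sample audit events, deliberately out of order.
SAMPLE_EVENTS = [
    {"time": "2026-06-01T09:05:30", "user": "it-admin@example.com", "activity": DEVICE_ADDED},
    {"time": "2026-06-01T09:00:00", "user": "it-admin@example.com", "activity": RESET},
    {"time": "2026-06-01T09:02:10", "user": "it-admin@example.com", "activity": METHOD_REMOVED},
    {"time": "2026-06-01T10:00:00", "user": "analyst@example.com", "activity": RESET},
    {"time": "2026-06-02T08:00:00", "user": "analyst@example.com", "activity": DEVICE_ADDED},
]


def detect_takeover_chains(events, window=timedelta(minutes=30), watchlist=PRIVILEGED):
    """Return one alert per user whose self-service reset is followed, inside
    `window`, by method removal and/or device registration.  A full chain on a
    watchlisted account is rated critical; anything else is high."""
    by_user = {}
    for e in sorted(events, key=lambda e: e["time"]):  # ISO timestamps sort as text
        by_user.setdefault(e["user"], []).append(e)

    alerts = []
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e["activity"] != RESET:
                continue
            start = datetime.fromisoformat(e["time"])
            later = [x for x in evs[i + 1:]
                     if datetime.fromisoformat(x["time"]) - start <= window]
            seen = {x["activity"] for x in later} & FOLLOW_ONS
            if not seen:
                continue  # a lone reset is normal self-service, not a chain
            full = seen == FOLLOW_ONS
            alerts.append({"user": user, "reset_at": e["time"], "steps": sorted(seen),
                           "severity": "critical" if full and user in watchlist else "high"})
            break  # one alert per user is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_takeover_chains(SAMPLE_EVENTS):
        print(alert)
```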

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Credential reset authority is a governance decision, not a convenience feature. The Storm-2949 chain worked because the organisation allowed a user-level decision to stand in for enterprise recovery control. That is an IAM design choice with blast-radius consequences, not a Microsoft implementation flaw. The implication is that reset governance has to be treated as a security boundary in its own right.

Reset flows built for human-paced trust collapse under social engineering pressure. MFA validates that someone approved a prompt, but not that they understood the caller, the request, or the surrounding context. This breach proves that the approval step can become the compromise step when the user remains the custodian of the credential. Practitioners should read this as a failure of the decision model, not the authentication factor.

User-owned recovery cannot safely govern privileged access. Accounts with wide Azure and Microsoft 365 reach should not depend on an end user to re-establish their own credentials during an attack. The breach shows how a single approval can unlock password reset, method stripping, and device enrolment. That sequence creates an identity blast radius that is larger than most access review programmes assume.

Service principal discovery turns a human reset failure into an NHI exposure story. Once attackers reached tenant data, they enumerated non-human identities that sit outside SSPR entirely. That is why this class of breach is not just about one broken user workflow. It exposes a programme that separates human recovery, privileged access, and machine identity lifecycle as if they were independent problems.

Storm-2949 reinforces a named failure mode: user-mediated credential custody. The governance assumption was that the person holding the account could also safely decide when to reset it. That assumption was designed for low-pressure self-service. It fails when attackers can reach the decision seat through a phone call, and the implication is that organisations must rethink who is allowed to authorise recovery at all.

From our research

What this signals

User-mediated credential custody: this breach sharpens the case for removing end users from any recovery workflow that can be reached by social engineering. Organisations that keep SSPR as the default for privileged accounts should expect attackers to keep targeting the decision seat, not the code path.

The next programme question is not whether MFA exists, but whether the recovery architecture allows a single human approval to convert into administrative control. That is a lifecycle and governance issue that spans privileged access, help desk process design, and non-human identity containment.

Teams that manage both human and machine identities should expect the same governance blind spots to recur where recovery is treated as a user convenience. The practical test is whether an attacker can still profit from a prompt, a phone call, or a delegated support function before containment completes.


For practitioners

  • Remove privileged users from the reset decision path: Move high-risk accounts to enterprise-controlled recovery workflows so a social engineering call cannot translate directly into credential replacement or method re-enrolment.
  • Separate human recovery from non-human lifecycle control: Manage service principals, API keys, and other non-human identities through independent lifecycle processes, because SSPR provides no coverage for those identities.
  • Tighten recovery for help desk and admin roles: Require phishing-resistant MFA and explicit approval chains for any role that can assist with resets, especially where directory-wide privileges or delegated support access exist.
  • Build mass containment for suspected compromise: Define a coordinated reset process that can scope affected accounts quickly, because per-user recovery lets an active attacker stay ahead of manual remediation.

Key takeaways

  • Storm-2949 shows that credential reset governance can be the real attack surface even when MFA is present.
  • The breach demonstrates how a single socially engineered approval can unlock password reset, method stripping, device enrolment, and lateral movement.
  • The control that would have mattered most was enterprise ownership of recovery, not a stronger version of the same user-mediated flow.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | Credential rotation and recovery governance sit at the centre of this attack path.
NIST CSF 2.0 | PR.AC-1 | Identity and credential management failed at the reset boundary.
NIST Zero Trust (SP 800-207) | | The breach shows why continuous trust verification cannot stop at authentication.

Separate recovery authority from user custody and review NHI credential reset controls against NHI-03.


Key terms

  • Credential reset governance: The policy and process that determine who can regain access after an account is challenged or lost. In identity security, this is not just a support function. It is a control boundary that can either contain compromise or become the path an attacker uses to take over the account.
  • User-mediated credential custody: A model where the end user is the primary custodian of password recovery and re-authentication decisions. It is convenient for self-service, but it creates a social engineering target that attackers can reach directly, especially when the user controls privileged access or can approve reset prompts.
  • Identity blast radius: The amount of access, data, and administrative reach that can be exposed when a single identity is compromised. For privileged accounts and delegated support roles, blast radius is the real risk metric because a small credential event can become a tenant-wide incident.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Bravura Security: Storm-2949 and the governance flaw in Entra ID SSPR. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-12.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org