TL;DR: Storm-2949 used Entra ID SSPR and social engineering to take over privileged Microsoft accounts without malware or a zero-day, and MFA did not stop the reset flow, according to Bravura Security. The breach shows that user-held credential reset authority is itself the attack surface, because approval confirms interaction, not understanding.
NHIMG editorial — based on content published by Bravura Security: Storm-2949 and the governance flaw in Entra ID SSPR
Questions worth separating out
Q: What breaks when users are allowed to authorise their own credential resets?
A: The reset path becomes an account takeover path.
Q: Why do privileged accounts increase the impact of SSPR abuse?
A: Privileged accounts carry the largest downstream access, so the same social engineering call can unlock tenant-wide permissions, data access, and administrative reach.
Q: What do security teams get wrong about MFA in credential reset flows?
A: They treat MFA as proof of informed consent.
Practitioner guidance
- Remove privileged users from the reset decision path: move high-risk accounts to enterprise-controlled recovery workflows so a social engineering call cannot translate directly into credential replacement or method re-enrolment.
- Separate human recovery from non-human lifecycle control: manage service principals, API keys, and other non-human identities through independent lifecycle processes, because SSPR provides no coverage for those identities.
- Tighten recovery for help desk and admin roles: require phishing-resistant MFA and explicit approval chains for any role that can assist with resets, especially where directory-wide privileges or delegated support access exist.
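One way to check the first and third points against a tenant, as an added example that is not code from this editorial or from Bravura Security: the script below reads records shaped like the Microsoft Graph `reports/authenticationMethods/userRegistrationDetails` resource (the `isAdmin`, `isSsprEnabled` and `methodsRegistered` fields are real report properties) and flags privileged accounts that are still in SSPR scope, privileged accounts with no phishing-resistant method registered, and any account whose reset could be completed with phone, e-mail or security questions alone. The sample tenant data is constructed, and which methods count as phishing-resistant or weak is this example's own classification, not a Microsoft-defined list.

```python
"""Audit of Entra ID self-service password reset exposure for privileged accounts.

Added illustration, not code from the NHIMG editorial or from Bravura Security.
Input records follow the shape of the Microsoft Graph
reports/authenticationMethods/userRegistrationDetails resource
(userPrincipalName, isAdmin, isSsprEnabled, isSsprRegistered,
isMfaRegistered, methodsRegistered). The sample tenant below is constructed.
"""
import json
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Method names as they appear in methodsRegistered. Treating these sets as
# "phishing-resistant" and "weak for a reset flow" is this example's own
# assumption, not a list defined by Microsoft.
PHISHING_RESISTANT = {
    "fido2SecurityKey",
    "windowsHelloForBusiness",
    "microsoftAuthenticatorPasswordless",
}
WEAK_RESET_METHODS = {
    "mobilePhone",
    "alternateMobilePhone",
    "officePhone",
    "email",
    "securityQuestion",
}

# Constructed sample: a Graph collection response for four users in a fictional tenant.
SAMPLE_GRAPH_RESPONSE = json.dumps({
    "value": [
        {"userPrincipalName": "alice.admin@example.com", "isAdmin": True,
         "isSsprEnabled": True, "isSsprRegistered": True, "isMfaRegistered": True,
         "methodsRegistered": ["microsoftAuthenticatorPush", "mobilePhone"]},
        {"userPrincipalName": "bob.admin@example.com", "isAdmin": True,
         "isSsprEnabled": False, "isSsprRegistered": False, "isMfaRegistered": True,
         "methodsRegistered": ["fido2SecurityKey", "microsoftAuthenticatorPush"]},
        {"userPrincipalName": "carol@example.com", "isAdmin": False,
         "isSsprEnabled": True, "isSsprRegistered": True, "isMfaRegistered": True,
         "methodsRegistered": ["mobilePhone", "email"]},
        {"userPrincipalName": "dave@example.com", "isAdmin": False,
         "isSsprEnabled": True, "isSsprRegistered": True, "isMfaRegistered": True,
         "methodsRegistered": ["microsoftAuthenticatorPush"]},
    ]
})

Finding = Tuple[str, str]  # (userPrincipalName, finding code)


def load_registration_details(graph_json: str) -> List[dict]:
    """Parse a Graph collection response and return its user records."""
    return json.loads(graph_json).get("value", [])


def audit_sspr_exposure(records: Iterable[dict]) -> List[Finding]:
    """Flag accounts where self-service reset authority is itself a takeover path.

    Finding codes:
      admin-in-sspr-scope               a privileged account can reset its own credential
      admin-without-phishing-resistant  a privileged account has no FIDO2 / WHfB / passwordless method
      sspr-relies-only-on-weak-methods  the reset can complete with phone, e-mail or questions alone
    """
    findings: List[Finding] = []
    for rec in records:
        upn = rec.get("userPrincipalName", "<unknown>")
        methods = set(rec.get("methodsRegistered", []))
        is_admin = bool(rec.get("isAdmin"))
        sspr_enabled = bool(rec.get("isSsprEnabled"))

        if is_admin and sspr_enabled:
            findings.append((upn, "admin-in-sspr-scope"))
        if is_admin and not (methods & PHISHING_RESISTANT):
            findings.append((upn, "admin-without-phishing-resistant"))
        if sspr_enabled and methods and methods <= WEAK_RESET_METHODS:
            findings.append((upn, "sspr-relies-only-on-weak-methods"))
    return findings


def summarize(findings: Iterable[Finding]) -> Dict[str, int]:
    """Count findings per code for a tenant-level view."""
    return dict(Counter(code for _, code in findings))


if __name__ == "__main__":
    report = audit_sspr_exposure(load_registration_details(SAMPLE_GRAPH_RESPONSE))
    for upn, code in report:
        print(f"{code:36} {upn}")
    print(summarize(report))
```

In a real tenant the JSON would come from the Graph report endpoint rather than the embedded sample; the audit logic is the same. An account that appears under `admin-in-sspr-scope` is exactly the case the guidance describes: a user-level decision standing in for enterprise recovery control.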
What's in the full article
Bravura Security's full analysis covers the operational detail this post intentionally leaves for the source:
- Step-by-step description of the Storm-2949 reset sequence across SSPR, MFA approval, password change, and device enrolment
- The Microsoft-specific admin and support roles involved in recovery and why they created lateral movement risk
- The enterprise reset and vault-delivery workflow Bravura Pass uses to replace per-user recovery with coordinated remediation
- The source article's full comparison of user-held versus enterprise-held credential custody across hybrid environments
👉 Read Bravura Security's analysis of Storm-2949 and Entra ID SSPR abuse →
Explore further: credential reset authority is the gap SSPR leaves open
Credential reset authority is a governance decision, not a convenience feature. The Storm-2949 chain worked because the organisation allowed a user-level decision to stand in for enterprise recovery control. That is an IAM design choice with blast-radius consequences, not a Microsoft implementation flaw. The implication is that reset governance has to be treated as a security boundary in its own right.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared with nearly 1 in 4 for human identities, according to The State of Non-Human Identity Security.
A question worth separating out:
Q: Who should control recovery for high-risk identities?
A: Enterprise policy should control recovery for privileged human accounts, and all non-human identities should follow separate lifecycle governance. That keeps recovery decisions away from the person under pressure and avoids assuming that one workflow can safely govern users, service accounts, and automation credentials alike.
👉 Read our full editorial: Storm-2949 shows credential reset governance is the real exposure