Storm-0501 in hybrid clouds: what NHI teams are missing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2364
Topic starter  

TL;DR: Storm-0501 has used weak credentials and over-privileged accounts to move from on-premises systems into cloud platforms, showing how unmanaged non-human identities can enable persistent lateral movement across hybrid environments, according to Oasis Security. The real failure is not just exposure, but governance that assumes machine access stays visible, owned, and reviewable long enough to be controlled.

NHIMG editorial — based on content published by Oasis Security: Storm-0501 and the rising threat to non-human identities in hybrid clouds

By the numbers:

Questions worth separating out

Q: What breaks when hybrid-cloud service accounts are over-privileged?

A: Over-privileged hybrid-cloud service accounts let attackers reuse trusted access paths instead of escalating from scratch.

Q: Why do stale non-human identities increase lateral movement risk?

A: Stale non-human identities remain valid after the business or technical need has changed, so they become persistence points for attackers.

Q: How do security teams know if machine identities are crossing trust boundaries safely?

A: Teams should verify whether each machine identity has a documented owner, a narrow scope, and a clear boundary for where it can authenticate and what it can change.

Practitioner guidance

  • Reconcile all bridge identities: inventory every non-human identity that connects on-premises systems to cloud platforms, including sync accounts, service accounts, and delegated tokens.
  • Scope Entra Connect and similar sync accounts tightly: remove broad permissions from directory sync and integration accounts, and separate sync duties from administrative duties.
  • Retire stale accounts as part of system decommissioning: tie machine-identity offboarding to server retirement, application replacement, and relationship change.

What's in the full article

Oasis Security's full blog post covers the operational detail this post intentionally leaves for the source:

  • The specific hybrid-cloud attack sequence used by Storm-0501, including the on-premises foothold and subsequent cloud movement.
  • Examples of the NHI discovery and context reconstruction workflow the vendor describes for tracing service-account risk.
  • The posture-detection signals the vendor associates with excessive permissions, unrotated secrets, and anomalous access.
  • The remediation workflow for policy-driven lifecycle management and automated response across machine identities.

👉 Read Oasis Security's analysis of Storm-0501 and hybrid-cloud NHI risk →

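An added example, not from this post or from Oasis Security, that turns the checks above (documented owner, narrow scope, clear authentication boundary) and the stale-account retirement rule into a posture audit over a constructed NHI inventory. The record schema, the permission labels, the 90-day staleness threshold and the three sample identities (including the "entra-connect-sync" entry) are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed record schema for one non-human identity (hypothetical, not a vendor's data model).
@dataclass
class NHI:
    name: str
    owner: Optional[str]          # documented owner, or None when nobody is on record
    auth_boundaries: set          # where it may authenticate: "on-prem", "cloud" or both
    permissions: set              # constructed permission labels, not real directory role names
    last_used: date
    backing_system_retired: bool  # the server or application it existed for has been retired

# Constructed labels treated as administrative scope; a sync or bridge account should hold none of them.
ADMIN_PERMS = {"directory.admin", "cloud.global_admin", "reset_any_password"}
TODAY = date(2026, 3, 1)   # fixed audit date so the sample results are reproducible

def audit(nhi: NHI, today: date = TODAY, stale_days: int = 90) -> list:
    """Apply the post's checks (owner, scope, boundary, staleness) to one identity."""
    findings = []
    is_bridge = {"on-prem", "cloud"} <= nhi.auth_boundaries   # crosses the on-prem/cloud boundary
    if nhi.owner is None:
        findings.append("no documented owner")
    admin = nhi.permissions & ADMIN_PERMS
    if admin:
        kind = "bridge identity mixes sync and admin duties" if is_bridge else "holds administrative scope"
        findings.append(f"{kind}: {', '.join(sorted(admin))}")
    idle = (today - nhi.last_used).days
    if idle > stale_days:
        findings.append(f"stale: unused for {idle} days")
    if nhi.backing_system_retired:
        findings.append("backing system retired but identity still valid")
    return findings

# Constructed sample inventory: an over-scoped sync account, an orphaned bridge account, a clean deployer.
INVENTORY = [
    NHI("entra-connect-sync", "identity-team", {"on-prem", "cloud"},
        {"directory.sync", "cloud.global_admin"}, date(2026, 2, 28), False),
    NHI("legacy-backup-svc", None, {"on-prem", "cloud"},
        {"storage.write"}, date(2025, 10, 1), True),
    NHI("ci-deployer", "platform-team", {"cloud"},
        {"deploy.app"}, date(2026, 2, 27), False),
]

def audit_inventory(inventory=INVENTORY, today: date = TODAY) -> dict:
    """Return {identity name: findings} for each identity that fails at least one check."""
    return {n.name: f for n in inventory if (f := audit(n, today))}
```

Run against a real inventory, only the identities with findings come back, which keeps the review list short enough to actually assign owners and scope reductions.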
(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 924
 

Hybrid-cloud identity is now an attack path, not just an access layer. Storm-0501 shows that once machine identities bridge on-premises and cloud environments, they become route selectors for the attacker. Traditional IAM thinking often treats those identities as background plumbing, but the campaign demonstrates that they are operational trust channels. Practitioners need to treat every cross-environment service account as a governed movement path, not a static account record.

A few things that frame the scale:

  • NHIs now outnumber human identities on average by a factor of 20, according to the 2026 Infrastructure Identity Survey.
  • Systems with least-privileged AI access had a 17% incident rate vs 76% for over-privileged systems, and organisations failing to scope AI access properly are 4.5x more likely to experience a security incident.

A question worth separating out:

Q: Who is accountable when a service account is abused in a hybrid-cloud breach?

A: Accountability should sit with the team that owns the machine identity’s lifecycle and the platform it governs, not with incident responders after the fact. Hybrid-cloud abuse usually reflects shared failure across identity, infrastructure, and operations, so ownership must be explicit before compromise occurs.

👉 Read our full editorial: Storm-0501 shows why hybrid-cloud NHI governance is failing
