The User is the Target.
Enterprise-Managed Credentials Take Them Out of Focus.
Every major credential-based attack follows the same path: find the weakest point in the governance model and apply pressure there. For organizations running Entra ID SSPR in a standard configuration, that point is the user. Not because users are careless, but because the architecture places them in the decision seat at exactly the moment an attacker needs them to be wrong. Storm-2949 did not exploit a flaw in Microsoft's code. It exploited a flaw in how organizations assign credential reset authority. The May 2026 attack chain Microsoft documented is the clearest illustration of that exposure yet. One call, one approved prompt, and credential reset authority transferred to the attacker. MFA was present throughout and made no difference: it verifies that someone approved a prompt, not that the person understood who was asking. If the governance model is the problem, the question is not how to harden SSPR. It is how to remove the user from the reset path entirely.
Key Takeaway
Storm-2949 succeeded not because Entra ID was misconfigured, but because credential reset authority placed at the user level will always be reachable through social engineering, regardless of what authentication controls sit in front of it.
Quick Summary
- The user-as-custodian model places credential reset authority where social engineering can always reach it. Storm-2949 proved this at scale in May 2026.
- Storm-2949 used Entra ID SSPR and social engineering to compromise IT staff and senior leadership accounts with no malware and no zero-day required.
- MFA was active throughout. It did not stop the attack. MFA verifies access, not understanding. That distinction is the gap.
- Once in: password reset, all authentication methods stripped, attacker device enrolled. No self-recovery path for the user, and no fast coordinated response available to the organization. Three more accounts followed.
- Post-access: Microsoft Graph API enumeration, OneDrive and SharePoint exfiltration, lateral movement across Azure. The attacker's window stayed open because recovery depended on individual user action, account by account.
- Bravura Pass removes the user from the credential lifecycle and gives administrators Mass Password Reset capability, so recovery is a single enterprise action, not a per-user process the attacker can outpace.
The Governance Model Is the Attack Surface
Most identity security frameworks treat credential reset as a recovery function. It is not. It is an account takeover path. Whoever can satisfy the reset flow controls the account. SSPR governance at the user level means the account is one successful social engineering interaction away from full compromise, not because SSPR is broken, but because it works exactly as designed. The architecture is the exposure.
- SSPR sits directly on the account takeover path. The reset flow and the compromise path are the same path. Governance determines which one it becomes.
- MFA verifies that a registered device approved a prompt. It does not verify that the human behind the device understood the request, or made an informed decision. That gap is the opening Storm-2949 used.
- Privileged accounts carry the highest blast radius. IT staff and executives with SSPR exposure give an attacker enterprise-wide access in one move. Targeting them was not opportunistic. It was logical.
- The failure is not a misconfiguration. An organization can follow every Microsoft best practice and still have this exposure. The governance model is the gap, not the implementation.
- Security must operate as a system, not a toolset. A toolset deploys MFA and SSPR independently and assumes they compensate for each other. A systems approach asks what happens when one layer is socially engineered past the other.
- Non-human accounts carry a related but distinct exposure. Storm-2949's post-compromise Graph API enumeration targeted service principals, identities that authenticate with client secrets or certificates and are never subject to SSPR at all, so a user-level reset model has no hold on them and no view of them.
User-Level vs. Enterprise-Level Credential Governance
| Criterion | User-level governance | Enterprise-level governance |
|---|---|---|
| Reset authority | User approves via registered method | Enterprise policy controls rotation and delivery |
| Social engineering exposure | High: one call can override the reset path | Low: user approval removed from the reset path |
| Non-human account coverage | None: service principals and service accounts have no SSPR registration | Policy-driven rotation independent of user action |
| IT staff reset assistance | Requires the Helpdesk Administrator role, which Microsoft classifies as privileged and which carries documented lateral movement risk; PIM mitigates but does not eliminate | Delegated administration: no Entra ID role assigned; policy-scoped within Bravura Pass; fully auditable; no directory-level privileges held |
| Audit trail | Entra audit log entries only | Policy-enforced, auditable lifecycle record |
| Breach containment speed | Per-user recovery: each account requires individual action; attacker's window stays open | Mass reset: administrator scopes and executes across any population in minutes; credentials delivered to vault |
What Storm-2949 Did
The Storm-2949 attack chain is documented by Microsoft's Threat Intelligence team. It is worth understanding in sequence, because each step only succeeded because the previous one was not interrupted, and none of those steps required a vulnerability. The attacker needed a governance model that placed a human in the decision seat. Entra ID SSPR in a standard configuration provided exactly that.
- Storm-2949 targeted IT staff and senior leadership specifically, the accounts most likely to hold privileged Azure RBAC assignments and the widest downstream access.
- Attackers initiated the SSPR flow on behalf of the target from the public-facing reset portal, which asks only for the target's user name and not for any authentication, then called at the same moment, posing as internal IT support requesting routine account verification.
- Targets approved MFA prompts. The prompt was real. The reset was real. The caller was not.
- Attacker reset the password, stripped all registered authentication methods, and enrolled their own device. The legitimate user had no self-recovery path, and critically, the organization had no fast way to know which accounts had been compromised or to execute a coordinated response. Each affected account required individual, manual intervention while the attacker was already moving.
- Post-access: Microsoft Graph API with a custom Python script enumerated users, roles, applications, and service principals across the tenant. Three additional accounts were compromised using the same SSPR technique, each one requiring the same manual recovery process, each one widening the attacker's window.
- OneDrive and SharePoint surfaced IT documentation including VPN configurations and remote access procedures, staging for further network-level movement.
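The sequence above leaves a distinctive trail in the Entra ID audit log: a self-service reset, then deletion of the account's registered security info, then registration of a new device, all within minutes and all apparently performed by the user. The following detection sketch is an added example, not part of Microsoft's report or of the original post. It walks a JSON-per-line export of audit events (the sample below is constructed) and flags every account where those three events occur in order within a 30-minute window, then summarizes how many accounts were hit and over what span, which is what separates a single stolen account from the "three more accounts followed" pattern. The activityDisplayName strings and the field layout follow the Microsoft Graph directoryAudit schema as I understand it but are assumptions to verify against your own tenant's export; the window length is a tuning choice.

```python
"""Flag SSPR-driven account takeover sequences in an Entra ID audit log export.

Added example, not code from the original post. Assumptions: events are one
JSON object per line shaped like the Graph directoryAudit resource
(activityDateTime, activityDisplayName, initiatedBy, targetResources), and
the three activity names below match the tenant's export. The sample log is
constructed for this example.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample. alice and erin show the full takeover sequence; bob's
# security-info change falls outside the window; carol never reset; dave's
# device registration is hours later.
SAMPLE_AUDIT_LOG = r"""
{"activityDateTime":"2026-05-12T09:02:10Z","activityDisplayName":"Reset password (self-service)","initiatedBy":{"user":{"userPrincipalName":"alice@contoso.example"}},"targetResources":[{"type":"User","userPrincipalName":"alice@contoso.example"}]}
{"activityDateTime":"2026-05-12T09:05:41Z","activityDisplayName":"User deleted security info","initiatedBy":{"user":{"userPrincipalName":"alice@contoso.example"}},"targetResources":[{"type":"User","userPrincipalName":"alice@contoso.example"}]}
{"activityDateTime":"2026-05-12T09:09:03Z","activityDisplayName":"Register device","initiatedBy":{"user":{"userPrincipalName":"alice@contoso.example"}},"targetResources":[{"type":"Device","displayName":"DESKTOP-7Q1"}]}
{"activityDateTime":"2026-05-12T09:00:00Z","activityDisplayName":"Reset password (self-service)","initiatedBy":{"user":{"userPrincipalName":"bob@contoso.example"}},"targetResources":[{"type":"User","userPrincipalName":"bob@contoso.example"}]}
{"activityDateTime":"2026-05-12T09:45:00Z","activityDisplayName":"User deleted security info","initiatedBy":{"user":{"userPrincipalName":"bob@contoso.example"}},"targetResources":[{"type":"User","userPrincipalName":"bob@contoso.example"}]}
{"activityDateTime":"2026-05-12T10:00:00Z","activityDisplayName":"User deleted security info","initiatedBy":{"user":{"userPrincipalName":"carol@contoso.example"}},"targetResources":[{"type":"User","userPrincipalName":"carol@contoso.example"}]}
{"activityDateTime":"2026-05-12T10:04:00Z","activityDisplayName":"Register device","initiatedBy":{"user":{"userPrincipalName":"carol@contoso.example"}},"targetResources":[{"type":"Device","displayName":"LAPTOP-C3"}]}
{"activityDateTime":"2026-05-12T11:00:00Z","activityDisplayName":"Reset password (self-service)","initiatedBy":{"user":{"userPrincipalName":"dave@contoso.example"}},"targetResources":[{"type":"User","userPrincipalName":"dave@contoso.example"}]}
{"activityDateTime":"2026-05-12T11:03:00Z","activityDisplayName":"User deleted security info","initiatedBy":{"user":{"userPrincipalName":"dave@contoso.example"}},"targetResources":[{"type":"User","userPrincipalName":"dave@contoso.example"}]}
{"activityDateTime":"2026-05-12T15:00:00Z","activityDisplayName":"Register device","initiatedBy":{"user":{"userPrincipalName":"dave@contoso.example"}},"targetResources":[{"type":"Device","displayName":"DESKTOP-D9"}]}
{"activityDateTime":"2026-05-12T09:20:00Z","activityDisplayName":"Reset password (self-service)","initiatedBy":{"user":{"userPrincipalName":"erin@contoso.example"}},"targetResources":[{"type":"User","userPrincipalName":"erin@contoso.example"}]}
{"activityDateTime":"2026-05-12T09:22:00Z","activityDisplayName":"User deleted security info","initiatedBy":{"user":{"userPrincipalName":"erin@contoso.example"}},"targetResources":[{"type":"User","userPrincipalName":"erin@contoso.example"}]}
{"activityDateTime":"2026-05-12T09:25:00Z","activityDisplayName":"Register device","initiatedBy":{"user":{"userPrincipalName":"erin@contoso.example"}},"targetResources":[{"type":"Device","displayName":"SURFACE-E1"}]}
"""

# Assumed activity names; confirm against your tenant before relying on them.
RESET = "Reset password (self-service)"
METHODS_DELETED = "User deleted security info"
DEVICE_REGISTERED = "Register device"
WINDOW = timedelta(minutes=30)


def _subject(rec):
    """Account an event concerns. Reset and security-info events name the user as
    the target; device registration names the device, so fall back to the initiator."""
    for t in rec.get("targetResources", []):
        if t.get("type") == "User" and t.get("userPrincipalName"):
            return t["userPrincipalName"].lower()
    return rec["initiatedBy"]["user"]["userPrincipalName"].lower()


def parse_events(text):
    """Parse JSON-per-line audit events into (time, activity, user) records, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        events.append({
            "time": datetime.fromisoformat(rec["activityDateTime"].replace("Z", "+00:00")),
            "activity": rec["activityDisplayName"],
            "user": _subject(rec),
        })
    return sorted(events, key=lambda e: e["time"])


def find_takeover_sequences(events, window=WINDOW):
    """Return {user: (reset, methods_deleted, device_registered)} timestamps for each
    account where a self-service reset is followed, in that order and within `window`,
    by deletion of registered security info and then registration of a new device."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    hits = {}
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e["activity"] != RESET:
                continue
            deadline = e["time"] + window
            stage = [e]  # grows to [reset, methods_deleted, device_registered]
            for nxt in evs[i + 1:]:
                if nxt["time"] > deadline:
                    break
                wanted = (METHODS_DELETED, DEVICE_REGISTERED)[len(stage) - 1]
                if nxt["activity"] == wanted:
                    stage.append(nxt)
                    if len(stage) == 3:
                        hits[user] = tuple(s["time"] for s in stage)
                        break
            if user in hits:
                break
    return hits


def campaign_summary(hits):
    """How many accounts were taken over and the minutes between the first and last reset.
    Several hits in one window is the per-user-recovery gap the post describes."""
    if not hits:
        return {"accounts": 0, "span_minutes": 0}
    resets = sorted(h[0] for h in hits.values())
    span = int((resets[-1] - resets[0]).total_seconds() // 60)
    return {"accounts": len(hits), "span_minutes": span}


if __name__ == "__main__":
    found = find_takeover_sequences(parse_events(SAMPLE_AUDIT_LOG))
    for user, (reset, deleted, device) in sorted(found.items()):
        print(f"{user}: reset {reset:%H:%M}, methods wiped {deleted:%H:%M}, new device {device:%H:%M}")
    print(campaign_summary(found))
```

Running it on the constructed sample flags alice and erin and reports two accounts within a 17-minute span; bob, carol and dave are legitimate noise of the kind that defeats a single-event alert. The ordering requirement matters: a user who registers a new phone and then removes the old one generates the same two security-info events without a preceding reset, and the sketch ignores them.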
The Containment Gap
The Storm-2949 breach did not end when the first account was compromised. It continued because the organization had no mechanism to execute a rapid, coordinated credential reset across affected accounts. In a user-managed credential model, post-breach recovery depends on each user individually re-engaging with the recovery process, the same process the attacker just exploited. That is a structural containment failure, not an operational one.
Mass Password Reset capability changes this entirely. When an administrator detects or suspects compromise, they can scope and execute a coordinated reset across all affected accounts directly from Bravura Pass. Policy generates new credentials and delivers them through Bravura Safe — an enterprise vault that holds decentralized credentials and auto-fills them on demand — to each user's account. No user action is required to complete recovery. The attacker's window is bounded by administrative response time, not user recovery time.
This Is Not an Isolated Incident
Storm-2949 is not a new technique. It is a new instance of a technique that has been used reliably since at least 2022, by different groups, against different industries, producing the same outcome. The reason it keeps working is not that defenders are careless. It is that the governance model keeps providing the opening. Every organization that has been hit by this class of attack had MFA enabled. None of them had removed the user from the credential reset path.
- September 2023, MGM Resorts: Scattered Spider used LinkedIn to identify an employee, called the MGM IT help desk, and gained administrator privileges to MGM's Okta and Azure environments in a ten-minute phone call. The help desk agent who took that call held sufficient access to provision admin credentials. MFA was in place throughout.
- September 2023, Caesars Entertainment: The same group used social engineering against an outsourced IT support vendor days earlier. Caesars paid approximately $15 million in ransom to contain the damage.
- April 2025, Marks and Spencer: Attackers impersonated an M&S employee, called the third-party service desk to which M&S had outsourced its IT support function, and obtained a credential reset. The credential reset authority, and the risk that came with it, traveled with the outsourced function. With those credentials they exfiltrated the Active Directory database (NTDS.dit) from a domain controller and deployed ransomware across 1,049 stores. MFA was bypassed through the same social engineering entry point.
- The common thread across all three, and Storm-2949, is not a vulnerability in any product. It is a governance model that places a human in the credential reset decision seat at the moment the attacker needs them to be wrong. Hardening individual controls has not broken this pattern. Every group adapted. The technique persists because the model persists.
- The only response that breaks the pattern at its root is removing the human decision from the reset path entirely. That is not a configuration change. It is an architectural one.

What To Do About It
The instinct after Storm-2949 is to harden SSPR. Require stronger MFA. Audit registrations. Scope administrative units. Those steps reduce exposure within the current model. They do not change it. The model is the problem. As long as the user is the custodian of the credential, SSPR is the primary recovery path, and that path will always be reachable through social engineering. The right response is not a safer SSPR. It is an architecture where SSPR is the anomaly, not the norm.
Immediate Step: Contain the Acute Exposure
There are two steps worth taking now, before addressing the structural condition. Neither requires a long project.
- Require phishing-resistant MFA for privileged accounts. Standard push notifications are vulnerable to the exact technique Storm-2949 used, a call at the moment the prompt appears. FIDO2 security keys and passkeys cannot be approved through a phone call. Two practical checks: enforce the requirement through a Conditional Access authentication strength rather than per-user settings, so it cannot be downgraded account by account; and remember that SSPR verification has its own method list (Authenticator notification or code, email, phone, security questions), so a sign-in policy alone does not take push approval out of the reset flow. Restrict the SSPR methods as well. This is not a fix for the governance model. It is a bridge while you address it, and it works with whatever MFA platform you already run.
- Establish a coordinated credential reset capability. Storm-2949's breach expanded across four accounts not because the attacker was fast, but because the organization had no way to execute a rapid, scoped response. In a user-managed credential model, post-breach recovery requires each affected user to individually navigate the recovery process — the same process the attacker exploited. Mass Password Reset in Bravura Pass lets an administrator scope and execute a coordinated reset across any defined population in minutes. New credentials go directly to each user's Bravura Safe vault. No user action required. The attacker's window is bounded by administrative response time, not user recovery time.
The Strategic Direction: Make SSPR the Exception
The structural answer to Storm-2949 is not a better version of the model it exploited. It is a model where end users do not hold credentials in the first place.
- Enterprise-managed passwords remove the user from the credential lifecycle entirely. Bravura Pass generates, rotates, and delivers credentials through policy. It pushes new passwords directly to each user's Bravura Safe vault and autofills them on demand. The user never knows the password. If the user never knows the password, there is nothing to social-engineer them into resetting.
- In this model, SSPR becomes the anomaly, the edge case that exists for the rare scenario where automated delivery fails, not the primary recovery path every user relies on. A social engineering call targeting an SSPR flow has no viable payload when the user has no credential to reset and no reason to expect a reset prompt.
- Help desk-assisted resets shift from a routine operation to an audited exception. When they do occur, delegated administration in Bravura Pass handles them without requiring IT staff to hold any Entra ID privileged role. The exception is governed. The norm is automated.
- The transition does not require replacing Entra ID or rebuilding identity infrastructure. Bravura Pass works alongside Entra ID. The shift is in who owns the credential lifecycle, from the user, to the enterprise.
How Bravura Pass Changes the Model
Bravura Pass works alongside Entra ID. It does not replace it. Entra ID manages identity and access. Bravura Pass manages how credentials are created, rotated, and delivered: at the enterprise level, through policy, not user action. The shift is not in the tools an organization runs. It is in who owns the credential lifecycle.
Bravura Pass operates across hybrid environments. Organizations running on-premises Active Directory alongside Entra ID apply consistent credential governance across both, covering the credentials Microsoft tools cannot reach. It integrates with Duo, Okta Verify, Microsoft Authenticator, and all major enterprise MFA providers. The governance layer does not require replacing existing authentication infrastructure.
A Note on MFA Coverage - If you thought "We have MFA. We are covered."
Storm-2949 succeeded against organizations with MFA enabled. The failure was not MFA absence. It was that the governance model placed the reset decision with the user, and MFA did not change that. Presence is the wrong benchmark. The question is not whether MFA is present. It is whether the governance model removes the user from the reset path entirely.
When This Does Not Apply
This post addresses Entra ID SSPR governance for organizations running Microsoft cloud identity, including hybrid tenants with on-premises Active Directory. If your organization does not use Entra ID SSPR, the Storm-2949 attack path described here does not apply directly. However, the underlying condition — that user-level credential reset authority carries social engineering risk — applies to any SSPR implementation regardless of platform.
Continue Reading
Microsoft is now responding to the governance gap Storm-2949 exposed. Starting September 7, 2026, Entra ID changes how it handles authentication methods for SSPR verification. Read our next post to understand what the change does, what it still does not fix, and what your team needs to do before the deadline.
Frequently Asked Questions
No. Microsoft's own investigation found no patch gap or misconfiguration. The attack used legitimate Entra ID SSPR features in sequence with social engineering. The SSPR flow completed exactly as designed. That is the point: a correctly functioning system produced a complete account takeover.
Standard MFA push notifications are not sufficient against social engineering at the moment of the prompt. Storm-2949 called users as the prompt appeared. Phishing-resistant MFA (FIDO2 or passkeys) breaks that technique. But MFA of any kind does not address the governance model. It hardens one link in a chain that has other links.
The better question is: how do you make SSPR irrelevant? In an enterprise-managed credential model, users retrieve their current password from Bravura Safe and autofill it. There is nothing to forget and nothing to reset. SSPR becomes an edge case, reserved for genuine exceptions like device loss, rather than the primary recovery path the entire credential architecture depends on. Disabling SSPR without addressing the underlying model just moves the problem to the help desk.
IT staff hold the widest downstream access in most Entra ID environments. To assist users with resets natively, they must hold the Helpdesk Administrator role, a role Microsoft classifies as privileged, with a documented lateral movement path to application-level credential manipulation. PIM can gate activation, but the role still carries directory-level risk for the duration of every support session. Removing the need for that role removes the targeting rationale entirely.
Privileged accounts carry wider downstream access, and a compromised IT administrator account gives an attacker the same reach as the administrator. Storm-2949 targeted IT staff first for exactly this reason. But in an enterprise-managed credential model, administrator passwords are also generated by policy and rotated on schedule. The same condition that removes social engineering risk for standard users removes it for the accounts with the highest blast radius too.