Storm-0501 Exploits Microsoft Entra ID to Target US Government Organizations

Storm-0501, a sophisticated Chinese state-sponsored hacking group, has been actively exploiting vulnerabilities in Microsoft Entra ID to infiltrate US government organizations. The campaign highlights the growing threat posed by advanced persistent threat (APT) groups that target identity and access management platforms to gain unauthorized access to sensitive data. The attackers combine social engineering, zero-day exploits, and credential theft to bypass security controls and establish persistent footholds within targeted networks. Microsoft Entra ID, formerly known as Azure Active Directory, is a widely used identity management service that provides authentication and authorization for cloud applications. Storm-0501's exploitation of this platform underscores the need for robust security measures, including multi-factor authentication, continuous monitoring, and timely patching of vulnerabilities. The campaign's focus on US government entities suggests a strategic intent to gather intelligence and disrupt operations. Security experts recommend that organizations audit their Entra ID configurations, apply least-privilege access principles, and strengthen threat detection capabilities to mitigate such risks. The incident is a stark reminder of the evolving tactics employed by nation-state actors and of the importance of proactive cybersecurity defenses for protecting critical infrastructure and sensitive information from sophisticated threats.

This Cyber News was published on thehackernews.com. Publication date: Thu, 28 Aug 2025 01:59:03 +0000

Cyber News related to Storm-0501 Exploits Microsoft Entra ID to Target US Government Organizations

Microsoft Incident Response lessons on preventing cloud identity compromise - Microsoft Incident Response is often engaged in cases where organizations have lost control of their Microsoft Entra ID tenant, due to a combination of misconfiguration, administrative oversight, exclusions to security policies, or insufficient ...
2 years ago Microsoft.com
How to manage a migration to Microsoft Entra ID - Microsoft Entra ID, formerly Azure Active Directory, is not a direct replacement for on-premises Active Directory due to feature gaps and alternative ways to perform similar identity and access management tasks. For some organizations, a move to ...
2 years ago Techtarget.com
How to secure on-prem apps with Entra Application Proxy - If your internal web applications are still internet-facing, then it's time to move away from turning your firewall into Swiss cheese just to externalize apps for your users. To reduce the attack surface, a traditional method, such as a VPN, has its ...
1 year ago Techtarget.com
New Microsoft Incident Response guides help security teams analyze suspicious activity - Today Microsoft Incident Response are proud to introduce two one-page guides to help security teams investigate suspicious activity in Microsoft 365 and Microsoft Entra. These guides contain the artifacts that Microsoft Incident Response hunts for ...
2 years ago Microsoft.com
Financially motivated threat actors misusing App Installer - Since mid-November 2023, Microsoft Threat Intelligence has observed threat actors, including financially motivated actors like Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674, utilizing the ms-appinstaller URI scheme to distribute malware. In ...
2 years ago Microsoft.com Black Basta
Microsoft Breach - How Can I See This In BloodHound? - On January 25, 2024, Microsoft announced Russia's foreign intelligence service breached their corporate EntraID environment. We reviewed the information Microsoft's team provided in their post which contained details significant enough to explain ...
1 year ago Securityboulevard.com
Microsoft Targets Threat Group Behind Fake Accounts - Microsoft seized parts of the infrastructure of a prolific Vietnam-based threat group that the IT giant said was responsible for creating as many as 750 million fraudulent Microsoft accounts that were then sold to other bad actors and used to launch ...
2 years ago Securityboulevard.com APT29 Scattered Spider
Microsoft Unveils Storm-0501’s Sophisticated Espionage Campaign Targeting Asia - Microsoft has recently disclosed a sophisticated cyber espionage campaign named Storm-0501, primarily targeting organizations across Asia. This campaign is attributed to a threat actor group known for advanced persistent threats (APT). Storm-0501 ...
4 months ago Cybersecuritynews.com CVE-2023-23397 CVE-2023-28252 Storm-0501
Microsoft Addresses Entra ID Token Logging Issue, Alerts to Protect Users - Microsoft has acknowledged a recent issue that triggered widespread alerts in its Entra ID Protection system, flagging user accounts as high risk due to supposed credential leaks on the dark web. The alerts have been attributed to a combination of an ...
9 months ago Cybersecuritynews.com
Microsoft Boosts MSA Signing Service Security on Azure Following Storm-0558 Breach - “We have applied new defense-in-depth protections, migrated the Microsoft Account (MSA) signing service to run on Azure confidential VMs, and we are migrating the Entra ID signing service to Azure confidential VMs,” states the report, ...
9 months ago Cybersecuritynews.com
Microsoft: Hackers steal emails in device code phishing attacks - "The invitations lure the user into completing a device code authentication request emulating the experience of the messaging service, which provides Storm-2372 initial access to victim accounts and enables Graph API data collection activities, such ...
11 months ago Bleepingcomputer.com
Iranian Hackers Developed a New Backdoor to Hack Windows - Peach Sandstorm, an Iranian hacking group, targets diverse sectors globally. Using password spray campaigns, Peach Sandstorm exhibits opportunistic behavior, with a history of relying on this tactic. This custom ...
2 years ago Cybersecuritynews.com
Microsoft Disrupts Cybercrime Service That Created 750 Million Fraudulent Accounts - Microsoft on Wednesday announced the disruption of Storm-1152, a cybercrime-as-a-service ecosystem that created 750 million fraudulent Microsoft accounts in support of phishing, identity theft, and other schemes. The CaaS is believed to have made ...
2 years ago Securityweek.com Scattered Spider
Lawmakers: Ban TikTok to Stop Election Misinformation! Same Lawmakers: Restrict How Government Addresses Election Misinformation! - In a case being heard Monday at the Supreme Court, 45 Washington lawmakers have argued that government communications with social media sites about possible election interference misinformation are illegal. Just this week the vast majority of those ...
1 year ago Eff.org
5 ways to secure identity and access for 2024 - This increase is due in part to the rise of generative AI and large language models, which bring new opportunities and challenges for security professionals while affecting what we must do to secure access effectively. Learn how unified multicloud ...
2 years ago Microsoft.com
Microsoft fixes Entra ID authentication issue caused by DNS change - "Between 17:18 UTC and 18:35 UTC on 25 February 2025, customers attempting to authenticate with Microsoft Entra ID using the Seamless SSO and Microsoft Entra Connect Sync features may have experienced DNS resolution failures when trying to access ...
10 months ago Bleepingcomputer.com
Microsoft Disabled App Installer Abused by Hackers - Threat actors, particularly those with financial motivations, have been observed spreading malware via the ms-appinstaller URI scheme. As a result of this activity, Microsoft has disabled the ms-appinstaller protocol handler by default. The ...
2 years ago Cybersecuritynews.com Carbanak
Microsoft extends Purview Audit log retention after July breach - Microsoft is extending Purview Audit log retention as promised after the Chinese Storm-0558 hacking group breached dozens of Exchange and Microsoft 365 corporate and government accounts in July. The list of affected organizations included government ...
2 years ago Bleepingcomputer.com
Microsoft Warns of Ransomware Exploiting Cloud Environments with New Techniques - Microsoft Threat Intelligence researchers identified threat actor Storm-0501 utilizing enhanced capabilities for lateral movement from on-premises systems to cloud infrastructure. Storm-0501’s cloud compromise methodology begins with lateral ...
9 months ago Cybersecuritynews.com Black Basta Qilin
Storm-0501 Cloud-Based Ransomware Attack - The Storm-0501 ransomware attack represents a significant evolution in cloud-based cyber threats, targeting organizations by exploiting vulnerabilities in cloud infrastructure. This sophisticated ransomware campaign leverages advanced tactics to ...
4 months ago Darkreading.com Storm-0501
How Strata Identity and Microsoft Entra ID solve identity challenges in mergers and acquisitions - In particular, there is an immediate and profound impact on the identity and access management postures of both companies. While most combined organizations aspire to eventually consolidate their identity systems, this is a challenging and ...
2 years ago Microsoft.com
Microsoft Shuts Down a Criminal Ring Responsible for Creating Over 750 Million Fake Accounts - Microsoft Corp. has shut down a cybercrime group's US-based infrastructure, which created more than 750 million fake accounts across the company's services. Microsoft carried out the takedown with the support of Arkose Labs Inc., a venture-backed ...
2 years ago Cysecurity.news Scattered Spider
Storm-0501 hackers shift to ransomware attacks in the cloud - The Storm-0501 hacking group, previously known for espionage activities, has shifted its focus to ransomware attacks targeting cloud environments. This strategic pivot highlights the evolving threat landscape where cybercriminals exploit cloud ...
4 months ago Bleepingcomputer.com Storm-0501
Widespread Microsoft Entra lockouts tied to new security feature rollout - In a Reddit thread posted early this morning, Windows admins reported receiving multiple alerts from Entra indicating that some of their user accounts had been found with credentials leaked on the dark web or other locations. Windows administrators ...
9 months ago Bleepingcomputer.com