threat level: human

The Trust Boundary: How Attackers Ride Your Vendors and Tools Into the Core

EP07| 2026-07-08| cybersecurity briefing

// TL;DR

  • Identity: who in your organization can reset credentials and enroll authentication devices, and is that action…
  • Vendor: which third parties currently hold execution rights on your critical systems, and when did you last review…
  • Operating system: do you know every network provider and authentication package registered on your domain…

What happened

In May 2026, Microsoft published two investigations that describe the same problem from two angles. In the first, a threat actor Microsoft tracks as Storm-2949 turned one compromised identity into a cloud-wide breach, exfiltrating thousands of files and dozens of stored secrets.

It starts with one identity. Storm-2949 impersonated internal IT support, told users their accounts needed urgent verification, and walked them through approving multifactor prompts during a password reset. Once a user approved, the attacker reset the password, stripped the existing authentication methods, and enrolled their own device.

None of this worked because of a clever exploit. It worked because trust has no signature for your tools to detect. Start with the human at the help desk. Self-service password reset exists for a good reason, to help locked-out employees without a support queue. The attacker did not defeat that feature.

The consequences were not theoretical. Storm-2949 reached production Azure subscriptions, changed the password on the main production application to lock the owners out, and exfiltrated data from storage accounts over multiple days. In the second case, both domain controllers were harvesting credentials during normal sign-ins, and the intruders proved how durable that access was.

How to defend against it

The through-line of every threat level: human briefing is the same: the exploited control is human, so the durable defense is a habit, not just a product. Watch the full breakdown above, and subscribe on YouTube for the weekly decode.

Sources

Primary reporting and reference material for this briefing.

<- back to all episodes