Configure → Drift → Breach → Repeat: The Cycle of Cybersecurity Control Configuration Risk
Garrett Hamilton brings deep expertise in SaaS product management, go-to-market strategy, and cybersecurity leadership. As CEO and Co-Founder of Reach Security, he draws on his experience at industry leaders like Palo Alto Networks, where he guided the WildFire product from launch to over 60,000 customers. With a hands-on background in threat analysis, training, and consulting, Garrett is committed to driving Reach's mission of transforming how organizations assess and remediate their security posture.
The Microsoft Defender Security Research Team and Microsoft Threat Intelligence documented a campaign in which Storm-2949 abused Microsoft Entra ID accounts to exfiltrate data from Microsoft 365 and Azure environments. The attack path depended on a chain of security control gaps across identity, SharePoint access, endpoint protection, application control, and event visibility. Each misconfigured security control gave the attackers an opening and more room to move after the initial identity compromise. We took a closer look at the security controls that map directly to the steps Storm-2949 actually executed, and at how proper configuration could likely have stopped the group's forward progress.
This growing issue not only increases an organization’s exposure to potential cyberattacks but also wastes money and time spent by security analysts chasing down alerts that could have been stopped upstream. By understanding the implications of security debt and implementing strategies for security hardening, organizations of all sizes can minimize risk and maximize their return on investment.
On April 22, 2026, Google's Threat Intelligence Group and Mandiant disclosed a campaign by a threat actor they're tracking as UNC6692. What's notable about UNC6692 is what they didn't do. They didn't use a zero-day. They didn't exploit a software vulnerability. They didn't bypass any of the security controls Microsoft has built into Teams. They used the controls as configured.
© 2026 Reach Security.