UNC3944 Threat Group Uses Azure Built-in Tools to Abuse Azure VMs
The financially motivated UNC3944 gang was found using phishing and SIM swapping attacks to hijack Microsoft Azure admin accounts and gain access to virtual machines in order to steal data from victim organizations. The threat actor gains initial access to an Azure administrator’s account by using stolen credentials obtained through SMS phishing. Experts recommend that organizations restrict access to remote administration channels on all Azure services.