In the first week of June, Microsoft suffered a major outage that impacted almost all of its services, including Azure, Outlook and Teams. The company has now revealed that a cyberattack was behind the global outage.
In a blog post, Microsoft has revealed details about the attack at the beginning of June that disrupted its services and took almost 15 hours for the company to mitigate. According to the Redmond giant, the company identified a surge in traffic against some of its services and opened an investigation into the DDoS (Distributed Denial-of-Service) attack.
Microsoft further noted that the threat actors used multiple Virtual Private Servers (VPS), proxies, rented cloud infrastructure as well as DDoS tools to execute the attack. While the attack was sophisticated, Microsoft confirmed that customer data was not accessed or compromised.
This recent DDoS activity targeted layer 7 rather than layer 3 or 4. Microsoft hardened layer 7 protections including tuning Azure Web Application Firewall (WAF) to better protect customers from the impact of similar DDoS attacks.
Microsoft also shared the technical details surrounding the attack. As per the company, the threat actor Storm-1359 used a collection of botnets and tools to launch the attack on the company's servers. These included an HTTP(S) flood attack, which overloads the system and exhausts its resources through a high volume of SSL/TLS handshakes and HTTP(S) requests. In Microsoft's case, the attacker sent millions of HTTP(S) requests from IP addresses around the globe to overload the system.
Not only that, but the attacker also used cache bypass to skip the CDN layer and overload the origin system with a series of queries. Lastly, the attacker used Slowloris, wherein the client requests a resource from the server but fails to acknowledge receipt of the resource, forcing the server to keep the connection open and the resource in its memory.
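The three layer-7 patterns described above each leave a distinct footprint in edge-proxy logs. The following detection script is an added example, not code from Microsoft's post; the log field layout, the sample IPs and the thresholds are all constructed assumptions, and a real deployment would read the equivalent fields from its own proxy or WAF logs.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed log format (assumed, not a real product format):
# "<epoch_sec> <client_ip> <path_with_query> <cache_status> <state> <secs_open>"
def make_sample_log():
    lines = ["1000 198.51.100.20 /index.html HIT complete 0",
             "1001 198.51.100.20 /api/status?page=2 MISS complete 0"]
    # 203.0.113.5: 60 completed requests in 2 seconds (HTTP(S) flood)
    lines += [f"{1000 + i // 30} 203.0.113.5 /index.html HIT complete 0" for i in range(60)]
    # 198.51.100.7: same cached path, a fresh query string each time, all cache misses (cache bypass)
    lines += [f"{1000 + i} 198.51.100.7 /api/status?_={i * 7919} MISS complete 0" for i in range(12)]
    # 192.0.2.9: partial requests whose headers never complete, each held open 45 s (Slowloris)
    lines += [f"{1000 + i} 192.0.2.9 /login - partial 45" for i in range(5)]
    return lines

def parse(line):
    ts, ip, url, cache, state, secs = line.split()
    return {"ts": int(ts), "ip": ip, "url": url, "cache": cache, "state": state, "secs": int(secs)}

def detect(lines, rate_limit=20, bust_min=8, slow_secs=30, slow_min=3):
    """Return {pattern: [client_ips]} for the three layer-7 patterns; thresholds are assumed."""
    events = [parse(l) for l in lines]
    findings = defaultdict(set)
    # HTTP(S) flood: more than rate_limit completed requests from one IP within one second
    per_sec = Counter((e["ip"], e["ts"]) for e in events if e["state"] == "complete")
    for (ip, _), n in per_sec.items():
        if n > rate_limit:
            findings["http_flood"].add(ip)
    # Cache bypass: one IP, one path, many distinct query strings, every one a cache miss
    variants = defaultdict(set)
    for e in events:
        parts = urlsplit(e["url"])
        if parts.query and e["cache"] == "MISS":
            variants[(e["ip"], parts.path)].add(parts.query)
    for (ip, _), queries in variants.items():
        if len(queries) >= bust_min:
            findings["cache_bypass"].add(ip)
    # Slowloris: several partial requests from one IP, each held open for at least slow_secs
    slow = Counter(e["ip"] for e in events if e["state"] == "partial" and e["secs"] >= slow_secs)
    for ip, n in slow.items():
        if n >= slow_min:
            findings["slowloris"].add(ip)
    return {k: sorted(v) for k, v in findings.items()}

if __name__ == "__main__":
    print(detect(make_sample_log()))
```

The benign client 198.51.100.20 is deliberately included and trips none of the three checks, which is the property worth testing before wiring such rules into a WAF rate-limit or block action.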
Microsoft assessed that Storm-1359 has access to a collection of botnets and tools that could enable the threat actor to launch DDoS attacks from multiple cloud services and open proxy infrastructures. Storm-1359 appears to be focused on disruption and publicity.
Microsoft ended the post with a series of tips and recommendations for Azure customers to protect themselves against layer 7 DDoS attacks in the future. The company, however, did not disclose details of the damage or any financial impact it incurred due to the attack.