Microsoft confirms DDoS attacks against M365, Azure Portal

The Microsoft 365 and Azure Portal outages users experienced this month were caused by Layer 7 DDoS attacks, Microsoft has confirmed on Friday.

Microsoft 365 Azure DDoS

The DDoS attacks against Microsoft 365 and Azure Portal

Throughout the first half June 2023 Microsoft confirmed, at various times, ongoing issues with its cloud-based services – Microsoft 365 (including Outlook on the web and OneDrive) and Azure Portal – but did not say at the time that they were caused by an increase in traffic.

But on Friday, Microsoft said that the attacks were caused by DDoS activity.

“This recent DDoS activity targeted layer 7 rather than layer 3 or 4,” the company said. (Layer 7 refers to the application layer in the OSI model.)

A group dubbed Storm-1359 by Microsoft was behind the attacks.

“These attacks likely rely on access to multiple virtual private servers (VPS) in conjunction with rented cloud infrastructure, open proxies, and DDoS tools,” Microsoft informed.

Fortunately, there is no evidence to suggest that customer data was accessed or compromised during these incidents, providing some reassurance to affected users.

The attackers’ TTPs

The company also disclosed details about the attackers’ tactics, techniques, and procedures (TTPs).

“Storm-1359 has access to a collection of botnets and tools that could enable the threat actor to launch DDoS attacks from multiple cloud services and open proxy infrastructures,” the company revealed, and noted that Storm-1359 “appears to be focused on disruption and publicity.”

The group has been known to use several attack techniques such as HTTP(S) flood, cache bypass and Slowloris.

All these tactics aim to overwhelm the targeted systems and disrupt their normal operations, making it difficult for users to access them.

OPIS

Subscribe to the Help Net Security breaking news e-mail alerts:

OPIS

Don't miss