The Microsoft 365 and Azure Portal outages users experienced this month were caused by Layer 7 DDoS attacks, Microsoft has confirmed on Friday.
The DDoS attacks against Microsoft 365 and Azure Portal
Throughout the first half June 2023 Microsoft confirmed, at various times, ongoing issues with its cloud-based services – Microsoft 365 (including Outlook on the web and OneDrive) and Azure Portal – but did not say at the time that they were caused by an increase in traffic.
We’ve completed an extended monitoring period without observing any further interruptions to our Microsoft 365 services related to this event. We’ll continue working to finalize all outstanding mitigation efforts. Further details can be found in the admin center under MO572252.
— Microsoft 365 Status (@MSFT365Status) June 8, 2023
But on Friday, Microsoft said that the attacks were caused by DDoS activity.
“This recent DDoS activity targeted layer 7 rather than layer 3 or 4,” the company said. (Layer 7 refers to the application layer in the OSI model.)
A group dubbed Storm-1359 by Microsoft was behind the attacks.
“These attacks likely rely on access to multiple virtual private servers (VPS) in conjunction with rented cloud infrastructure, open proxies, and DDoS tools,” Microsoft informed.
Fortunately, there is no evidence to suggest that customer data was accessed or compromised during these incidents, providing some reassurance to affected users.
The attackers’ TTPs
The company also disclosed details about the attackers’ tactics, techniques, and procedures (TTPs).
“Storm-1359 has access to a collection of botnets and tools that could enable the threat actor to launch DDoS attacks from multiple cloud services and open proxy infrastructures,” the company revealed, and noted that Storm-1359 “appears to be focused on disruption and publicity.”
The group has been known to use several attack techniques such as HTTP(S) flood, cache bypass and Slowloris.
All these tactics aim to overwhelm the targeted systems and disrupt their normal operations, making it difficult for users to access them.