Microsoft Confirms DDoS Attacks: 5 Things To Know

After a series of outages to cloud services including Microsoft 365 and the Azure portal earlier this month, the company acknowledged that it had been hit with distributed denial-of-service attacks meant to knock websites offline.

DDoS Cripples Microsoft Services

While Microsoft is no stranger to outages, the series of service issues the company recently experienced earlier in June was striking. On back-to-back days in early June, Microsoft 365 services such as Teams and Outlook saw widespread outages, followed by a major OneDrive outage days later. Then the following day, the portal for Microsoft’s Azure cloud platform went down for thousands of users.

[Related: Microsoft Grapples With ‘Recurrence’ Of Microsoft 365 Service Issues]

While Microsoft initially didn’t specify a specific cause for the nearly weeklong string of outages, the company has now confirmed that DDoS (distributed denial-of-service) attacks were responsible. Media outlets including BleepingComputer had previously reported that a hactivist group claimed responsibility for the Microsoft service outages.

In its disclosure, Microsoft said it has identified a group responsible for the attacks and provided details on some of the group’s tactics. The company did not, however, provide specifics about the full impacts of the outages to some of its most popular cloud services. CRN has reached out to Microsoft for further comment.

What follows are five key things to know about the recent wave of DDoS attacks against Microsoft cloud services.

‘Surges In Traffic’

DDoS attacks, which attempt to knock websites offline by overwhelming them with traffic, are not considered a particularly sophisticated type of cyberattack. But they can still cause disruptions, as demonstrated in the recent wave of attacks against Microsoft services.

The closest that Microsoft had previously come to acknowledging that DDoS attacks were behind the service outages was to say that a “spike in network traffic” took down its Azure portal June 9. Microsoft had also hinted at DDoS in its reference to implementing load balancing to address the issues.

In a post late Friday, the company—via its Microsoft Security Response Center—acknowledged that DDoS attacks had impacted its services earlier this month. “Beginning in early June 2023, Microsoft identified surges in traffic against some services that temporarily impacted availability,” the company wrote in the post.

Few Specifics

Microsoft did not offer many specifics on the impacts of the attack, however. Instead, the company chose to focus on offering technical details about the types of DDoS attacks utilized by the threat actor and recommendations for protecting against these attacks. While such details are useful, the post does not specify how many customers were affected, leaving the full impact of the attacks unclear.

What Microsoft did say is that a group it tracks as “Storm-1359” was behind the attacks. Several reports indicated the threat actor is the same as a hactivist group calling itself Anonymous Sudan, which had claimed responsibility for taking down Microsoft services earlier this month.

Azure Portal Outage

The June 9 outage to the portal for Azure, Microsoft’s widely used cloud platform, was especially concerning. The company has offered a few more details about its incident review of that outage in a separate post, saying that “our internal telemetry reported an anomaly with increased request rates, and the Azure portal displaying a ‘service unavailable’ message in multiple geographies.”

“Traffic analysis showed an anomalous spike in HTTP requests being issued against Azure portal origins, bypassing existing automatic preventive recovery measures and triggering the service unavailable response,” the company said. “We will share more details when our investigation is complete.”

Downdetector, a website that tracks outages, had logged thousands of user reports of Azure issues over several hours June 9.

Microsoft 365, OneDrive Outages

The outages to popular Microsoft 365 services such as Outlook, Teams and SharePoint Online first struck Microsoft and its users June 5. Then the following day, the company said it was experiencing a “recurrence” of service issues for its Microsoft 365 cloud-based productivity and collaboration apps. Thousands of users reported to Downdetector that they were having issues with Microsoft 365 services during the two-day outage.

Days later, on June 8, Microsoft was struck with a OneDrive outage that left some users unable to access the cloud file storage service. A OneDrive sign-in page viewed by CRN, for instance, at one point displayed the message, “Sorry, an error has occurred.”

In response to the attacks, Microsoft said in its post that it has “hardened layer 7 protections including tuning Azure Web Application Firewall (WAF) to better protect customers from the impact of similar DDoS attacks.”

Hacker Group Tactics

Microsoft said that the hacker group it calls Storm-1359 “appears to be focused on disruption and publicity.” The group “has access to a collection of botnets and tools that could enable the threat actor to launch DDoS attacks from multiple cloud services and open proxy infrastructures,” Microsoft said in its post Friday.

The attacks “likely rely on access to multiple virtual private servers (VPS) in conjunction with rented cloud infrastructure, open proxies, and DDoS tools,” the company said.

The group is known to utilize “several types of layer 7 DDoS attack traffic,” Microsoft said. Those include an HTTP(S) flood attack, which “aims to exhaust the system resources with a high load of SSL/TLS handshakes and HTTP(S) requests processing,” as well as attacks that attempt to bypass content delivery network (CDN) infrastructure to overload servers and an attack that attempt to trick a web server into keeping a connection open.