Microsoft reported in a blog post late last week that it had been hit by a distributed denial-of-service (DDoS) cyberattack earlier this month that lasted more than two hours and downed its Office 365 suite, including Teams and Outlook, for tens of thousands of users.
The DDoS attack recurred the following morning, marking the company’s seventh service disruption of one form or another this year; the most recent before it impacted its Office 365 applications in late May.
Microsoft Launches Investigation
Starting in early June, Microsoft said, it identified “surges in traffic against some services that temporarily impacted availability.” It subsequently opened an investigation and began tracking the incident. Microsoft assigned the threat actor the name Storm-1359 once it had identified the activity but not yet the perpetrators; it has since attributed the attack to a Russian-linked crew dubbed Anonymous Sudan.
The company said that, to date, it had seen no evidence that customer data had been hijacked or compromised. In its blog post, Microsoft said the DDoS event had “temporarily impacted availability” of some services, without providing more specific details. The attackers were focused on “disruption and publicity” and likely relied on “access to multiple virtual private servers (VPS) in conjunction with rented cloud infrastructure, open proxies, and DDoS tools.”
Microsoft determined that the DDoS “activity targeted layer 7 rather than layer 3 or 4.” Layer 7 is the application layer, where HTTP requests are parsed and served, as opposed to the network and transport layers (3 and 4) that volumetric floods typically target. Since the attack, the company has taken a number of steps to guard against future attacks, including hardening “layer 7 protections including tuning Azure Web Application Firewall (WAF) to better protect customers from the impact of similar DDoS attacks.”
Threat Group Accesses Botnets and Tools
Microsoft determined that the threat group has access to a “collection of botnets and tools” that could enable it to launch DDoS attacks from multiple cloud services and open proxy infrastructures.
Storm-1359 has been observed launching several types of layer 7 DDoS attack traffic:
- HTTP(S) flood attack: This attack aims to exhaust system resources with a high volume of SSL/TLS handshakes and HTTP(S) request processing.
- Cache bypass: This attack attempts to bypass the CDN layer (for example by varying the URL so each request misses the cache) and can result in overloading the origin servers.
- Slowloris: In this attack the client opens a connection to a web server, requests a resource (e.g., an image), and then fails to acknowledge the download (or accepts it slowly), tying up server connections for as long as possible.
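The three traffic patterns above each leave a distinct footprint in ordinary web server access logs. The following script is an added example written for this article, not Microsoft's code or part of the blog post it describes. It runs simple per-client heuristics over a constructed sample log (the IP addresses, paths and thresholds are all invented for illustration) and flags clients whose behaviour resembles an HTTP(S) flood, cache-busting requests to a CDN-fronted asset, or Slowloris-style connections that stay open while transferring almost nothing.

```python
"""Flag layer 7 DDoS patterns in web server access logs (added example)."""
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample access log (example data, not from the article).
# One request per line: client_ip method url status bytes duration_ms
NORMAL = [
    "203.0.113.10 GET /index.html 200 5120 12",
    "203.0.113.10 GET /static/logo.png 200 20480 8",
    "203.0.113.11 GET /index.html 200 5120 15",
    "203.0.113.11 GET /search?q=teams 200 7000 40",
]
# HTTP(S) flood: one client hammering a dynamic endpoint in the window
FLOOD = ["198.51.100.7 POST /login 401 512 30"] * 25
# Cache bypass: the same static asset fetched with a different query string each time,
# so every request misses the CDN cache and reaches the origin
CACHE_BYPASS = [f"198.51.100.8 GET /static/logo.png?v={i} 200 20480 9" for i in range(12)]
# Slowloris-style: many connections held open for minutes while accepting almost no data
SLOWLORIS = ["198.51.100.9 GET /static/large.jpg 200 64 120000"] * 15

SAMPLE_LOG = "\n".join(NORMAL + FLOOD + CACHE_BYPASS + SLOWLORIS)


def parse_log(text):
    """Parse the constructed log format into a list of request records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, method, url, status, nbytes, duration = line.split()
        parts = urlsplit(url)
        records.append({
            "ip": ip, "method": method, "path": parts.path, "query": parts.query,
            "status": int(status), "bytes": int(nbytes), "duration_ms": int(duration),
        })
    return records


def detect_http_flood(records, threshold=20):
    """Clients whose request count in the window exceeds the threshold."""
    counts = Counter(r["ip"] for r in records)
    return {ip: n for ip, n in counts.items() if n > threshold}


def detect_cache_bypass(records, min_variants=10):
    """Clients requesting one path with many distinct query strings.

    A CDN keys its cache on the full URL, so each new variant is a cache miss
    that is forwarded to the origin server.
    """
    variants = defaultdict(set)
    for r in records:
        if r["query"]:
            variants[(r["ip"], r["path"])].add(r["query"])
    return {ip: path for (ip, path), qs in variants.items() if len(qs) >= min_variants}


def detect_slowloris(records, min_duration_ms=60000, max_bytes=256, min_conns=10):
    """Clients holding many long-lived connections that transfer almost nothing."""
    slow = Counter(
        r["ip"] for r in records
        if r["duration_ms"] >= min_duration_ms and r["bytes"] <= max_bytes
    )
    return {ip: n for ip, n in slow.items() if n >= min_conns}


def analyze(text):
    """Run all three heuristics over a log and return the flagged clients per pattern."""
    records = parse_log(text)
    return {
        "http_flood": detect_http_flood(records),
        "cache_bypass": detect_cache_bypass(records),
        "slowloris": detect_slowloris(records),
    }


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(f"{kind}: {hits}")
```

The thresholds are deliberately low so the constructed sample trips them; in production they would be tuned against a baseline of normal traffic, and the per-IP keying would be supplemented by ASN or user-agent grouping, since the article notes the actor spreads traffic across many VPS hosts and open proxies.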
What Microsoft Recommends
Microsoft recommends customers review the following mitigations to reduce the impact of layer 7 DDoS attacks:
- Use layer 7 protection services such as Azure Web Application Firewall (WAF) (available with Azure Front Door or Azure Application Gateway) to protect web applications.
If using Azure WAF:
- Use the bot protection managed rule set, which provides protection against known bad bots.
- Block IP addresses and ranges that you identify as malicious.
- Block, rate limit, or redirect to a static webpage any traffic from outside a defined geographic region (or, conversely, from within a defined region).
- Create custom WAF rules to automatically block and rate limit HTTP or HTTPS attacks that have known signatures.
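The four Azure WAF items above are all custom rules of the same shape: a match condition, a priority, and an action. The following is an added example, not Azure's API and not code from Microsoft's post; it models those semantics in plain Python so the ordering and the rate-limit counting are visible. Everything in it is constructed: the blocked range, the allowed-country policy, the tiny geo lookup table that stands in for a real GeoIP database, and the "known bad" user-agent token. Rules are checked in priority order and the first match decides, which is how a WAF custom-rule list behaves.

```python
"""Hypothetical layer 7 rule engine modelling WAF custom rules (added example)."""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Constructed policy data (example values only).
BLOCKED_NETS = [ip_network("198.51.100.0/24")]        # ranges identified as malicious
ALLOWED_COUNTRIES = {"US", "GB"}                     # the "defined geographic region"
GEO_LOOKUP = {"203.0.113.5": "US", "192.0.2.9": "XX"}  # stand-in for a GeoIP database
ATTACK_SIGNATURES = ["EvilBotScanner/"]              # constructed "known signature"


class RateLimiter:
    """Sliding-window request counter per client key, like a WAF rate-limit rule.

    Azure WAF counts requests per client over a fixed window (one or five minutes
    on Azure Front Door); this version accepts any window length in seconds.
    """

    def __init__(self, threshold, window_s):
        self.threshold = threshold
        self.window_s = window_s
        self.hits = defaultdict(deque)

    def exceeds(self, key, now):
        """Record a request at time `now` and report whether the key is over threshold."""
        q = self.hits[key]
        q.append(now)
        while q and now - q[0] >= self.window_s:   # drop hits that fell out of the window
            q.popleft()
        return len(q) > self.threshold


def evaluate(req, limiter):
    """Return (action, rule) for one request; rules run in priority order."""
    ip = ip_address(req["ip"])
    # Priority 1: explicit IP block list
    if any(ip in net for net in BLOCKED_NETS):
        return "Block", "ip-blocklist"
    # Priority 2: geo policy; traffic outside the region is sent to a static page
    if GEO_LOOKUP.get(req["ip"], "??") not in ALLOWED_COUNTRIES:
        return "Redirect", "geo-policy"
    # Priority 3: known attack signature in the User-Agent header
    if any(sig in req.get("user_agent", "") for sig in ATTACK_SIGNATURES):
        return "Block", "signature"
    # Priority 4: per-client rate limit (counted after the earlier rules, so
    # already-blocked traffic does not consume the legitimate client's budget)
    if limiter.exceeds(req["ip"], req["time"]):
        return "Block", "rate-limit"
    return "Allow", None


def simulate():
    """Run constructed traffic through the engine and tally the decisions."""
    limiter = RateLimiter(threshold=100, window_s=60)
    # A legitimate US client sending 110 requests half a second apart (all inside one window)
    traffic = [{"ip": "203.0.113.5", "time": i * 0.5, "user_agent": "Mozilla/5.0"}
               for i in range(110)]
    traffic += [
        {"ip": "198.51.100.77", "time": 10.0, "user_agent": "Mozilla/5.0"},      # blocked range
        {"ip": "192.0.2.9", "time": 11.0, "user_agent": "Mozilla/5.0"},          # outside region
        {"ip": "203.0.113.5", "time": 12.0, "user_agent": "EvilBotScanner/1.0"},  # bad signature
    ]
    tally = defaultdict(int)
    for req in traffic:
        action, rule = evaluate(req, limiter)
        tally[(action, rule)] += 1
    return dict(tally)


if __name__ == "__main__":
    for (action, rule), n in simulate().items():
        print(f"{action:8} {rule or '-':13} {n}")
```

Note that the order matters: putting the rate limit ahead of the block list would let a blocked range's requests count against the shared window, and a geo redirect placed last would never fire for a client the rate limit had already blocked. Priorities in a real WAF policy should be reviewed with the same question in mind.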