
Microsoft: DDoS attacks caused M365, Azure disruptions

Microsoft confirmed widespread service disruptions earlier this month were caused by layer 7 DDoS attacks by a threat group it identified as Storm-1359.


Microsoft confirmed that disruptions to some cloud services and applications were caused by massive DDoS attacks earlier this month.

In early June, Microsoft users reported outages in Microsoft 365, Azure and OneDrive services, which the software giant began investigating. In a blog post on Friday, Microsoft attributed the layer 7, or application layer, DDoS attacks to a threat actor it tracks as Storm-1359 and described the effort as a disruption and publicity campaign.

The investigation into the disruptions showed no evidence that customer data was accessed or compromised. However, Microsoft recommended customers apply certain mitigations, such as using Azure Web Application Firewall (WAF), to protect against future layer 7 DDoS attacks.

"This recent DDoS activity targeted layer 7 rather than layer 3 or 4. Microsoft hardened layer 7 protections including tuning Azure Web Application Firewall (WAF) to better protect customers from the impact of similar DDoS attacks," Microsoft wrote in the blog post. "While these tools and techniques are highly effective at mitigating the majority of disruptions, Microsoft consistently reviews the performance of its hardening capabilities and incorporates learnings into refining and improving their effectiveness."

The blog post revealed Storm-1359 used botnets and tools to launch three types of layer 7 DDoS attacks, including cache bypass attacks, which are designed to circumvent CDN protections; slowloris attacks, in which a threat actor uses a single system to open multiple connections to a web server and keep them open with partial HTTP requests; and HTTP(S) flood attacks, which use a high volume of requests from different devices across many regions and IP addresses.

The attacks affect memory and backend components to slow traffic and trigger outages. Based on the investigation, Microsoft assessed that the attacks relied on access to multiple virtual private servers combined with rented cloud infrastructure, open proxies and DDoS tools to commit the attacks, which caused prolonged disruptions for customers.

On June 5, multiple Microsoft Twitter accounts, including Microsoft 365 Status and Microsoft Outlook, confirmed investigations into service disruptions had begun. A series of tweets over the next two days revealed mitigations quelled the disruptions, but not for long. Although Microsoft 365 Status tweeted that the vendor broadened its mitigation strategy on June 6, customers continued to be affected for several days.

Microsoft recommended that customers using Azure WAF enable the bot protection managed ruleset; block IP addresses and address ranges that they identify as malicious; and designate web traffic from outside defined geographic regions to be blocked, rate-limited or redirected to a static web page.
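The sketch below is an added example, not Microsoft's guidance or Azure WAF configuration: it models how two of those recommendations (an IP blocklist and a geographic rule with a block, rate-limit or redirect action) combine into a per-request decision. The class and function names, address ranges, country list, limits and sample traffic are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict, deque

# Constructed policy values (assumptions for this example).
BLOCKED_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]
ALLOWED_COUNTRIES = {"US", "CA"}
RATE_LIMIT, WINDOW_SECONDS = 3, 60   # out-of-region requests allowed per client per window

class EdgePolicy:
    """Hypothetical request filter: blocklist first, then geographic rule."""

    def __init__(self, out_of_region_action):
        if out_of_region_action not in ("block", "rate_limit", "redirect"):
            raise ValueError("unknown action: %r" % out_of_region_action)
        self.action = out_of_region_action
        self.hits = defaultdict(deque)   # client IP -> timestamps of admitted requests

    def decide(self, src_ip, country, now):
        ip = ipaddress.ip_address(src_ip)
        if any(ip in net for net in BLOCKED_NETS):
            return "block"               # blocklist wins even for in-region clients
        if country in ALLOWED_COUNTRIES:
            return "allow"
        # Unknown or out-of-region country from here on.
        if self.action != "rate_limit":
            return self.action           # "block" or "redirect" (static page)
        window = self.hits[src_ip]
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()             # drop timestamps older than the window
        if len(window) >= RATE_LIMIT:
            return "throttle"
        window.append(now)
        return "allow"

# Constructed sample traffic: (source IP, geolocated country, seconds since start).
REQUESTS = [
    ("203.0.113.9", "US", 0),    # in region but inside a blocked range
    ("192.0.2.10", "US", 1),
    ("192.0.2.50", "BR", 2), ("192.0.2.50", "BR", 3),
    ("192.0.2.50", "BR", 4), ("192.0.2.50", "BR", 5),
    ("192.0.2.50", None, 70),    # geolocation failed; earlier hits have aged out
]

def replay(action):
    policy = EdgePolicy(action)
    return [policy.decide(ip, cc, t) for ip, cc, t in REQUESTS]

if __name__ == "__main__":
    for action in ("block", "rate_limit", "redirect"):
        print(action, replay(action))
```

Requests whose country cannot be determined are treated as out of region, so a geolocation failure does not become a way around the rule.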

Microsoft is the latest high-profile vendor to be affected by powerful layer 7 DDoS attacks. In August 2022, Google Cloud confirmed it blocked "the largest layer 7 DDoS attack at 46 million rps," which was aimed at an unnamed Google Cloud Armor customer. A blog post revealed Google observed an increase in frequency in DDoS attacks over the past few years.

Arielle Waldman is a Boston-based reporter covering enterprise security news.
