Microsoft Confirmed June Outlook Outage Was Caused By DDoS Attacks



Earlier this month, a group known as Anonymous Sudan took credit for a service outage that disrupted access to Outlook, OneDrive and a handful of other Microsoft online services, Engadget reported.

After initially sharing little information about the incident, the company confirmed late Friday that it had been the target of a series of distributed denial-of-service attacks.

Microsoft posted information titled: “Microsoft Responds to Layer 7 Distributed Denial of Service (DDoS) Attacks”. From their post:

Beginning in early June 2023, Microsoft identified surges in traffic against some services that temporarily impacted availability. Microsoft promptly opened an investigation and subsequently began tracking ongoing DDoS activity by the threat actor that Microsoft tracks as Storm-1359.

These attacks likely rely on access to multiple virtual private servers (VPS) in conjunction with rented cloud infrastructure, open proxies, and DDoS tools.

We have seen no evidence that customer data has been accessed or compromised.

This recent DDoS attack targeted layer 7 rather than 3 or 4. Microsoft hardened layer 7 protection including tuning Azure Web Application Firewall (WAF) to better protect customers from the impact of similar DDoS attacks. While these tools and techniques are highly effective at mitigating the majority of disruptions, Microsoft consistently reviews the performance of its hardening capabilities and incorporates learnings into refining and improving their effectiveness…

…Microsoft assessed that Storm-1359 has access to a collection of botnets and tools that could enable the threat actor to launch DDoS attacks from multiple cloud services and open proxy infrastructures. Storm-1359 appears to be focused on disruption and publicity.

Storm-1359 has been observed launching several types of layer 7 DDoS attack traffic:

HTTP(S) flood attack – This attack aims to exhaust the system resources with a high load of SSL/TLS handshakes and HTTP(S) requests processing. In this case, the attacker sends a high load (in the millions) of HTTP(S) requests that are well distributed across the globe from different source IPs. This causes the application backend to run out of compute resources (CPU and memory).

Cache bypass – This attack attempts to bypass the CDN layer and can result in overloading the origin servers. In this case, the attacker sends a series of queries against generated URLs that force the frontend layer to forward all the requests to the origin rather than serving from cached contents.

Slowloris – This attack is where the client opens a connection to a web server, requests a resource (e.g., an image), and then fails to acknowledge the download (or accepts it slowly). This forces the web server to keep the connection open and the requested resource in memory.
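An added example, not part of Microsoft's post or the original article: a small detector for the cache-bypass pattern described above, run over constructed CDN log lines. The log format, thresholds and function names are assumptions made for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

def make_sample_log():
    """Constructed log lines (not real traffic), format assumed here:
    timestamp client_ip method url status cache_status"""
    lines = []
    # Normal traffic: one versioned URL, cached after the first request.
    for i in range(40):
        cache = "MISS" if i == 0 else "HIT"
        lines.append(f"2023-06-07T10:00:{i:02d}Z 198.51.100.{i % 5 + 1} "
                     f"GET /static/app.js?v=3 200 {cache}")
    # Cache-bypass pattern: same path, a different generated query each time,
    # so every request is forwarded to the origin.
    for i in range(40):
        lines.append(f"2023-06-07T10:01:{i:02d}Z 203.0.113.{i % 20 + 1} "
                     f"GET /static/logo.png?r={i * 7919:x} 200 MISS")
    return lines

def parse(line):
    """Split one log line into (path, query string, cache status)."""
    _ts, _ip, _method, url, _status, cache = line.split()
    parts = urlsplit(url)
    return parts.path, parts.query, cache

def find_cache_bypass(lines, min_requests=20, min_unique_ratio=0.8,
                      min_miss_ratio=0.9):
    """Flag paths where nearly every request carries a distinct query
    string and nearly every request misses the cache."""
    total = defaultdict(int)
    misses = defaultdict(int)
    queries = defaultdict(set)
    for line in lines:
        path, query, cache = parse(line)
        total[path] += 1
        queries[path].add(query)
        if cache == "MISS":
            misses[path] += 1
    flagged = {}
    for path, n in total.items():
        unique_ratio = len(queries[path]) / n
        miss_ratio = misses[path] / n
        if (n >= min_requests and unique_ratio >= min_unique_ratio
                and miss_ratio >= min_miss_ratio):
            flagged[path] = {"requests": n, "unique_ratio": unique_ratio,
                             "miss_ratio": miss_ratio}
    return flagged

if __name__ == "__main__":
    for path, stats in find_cache_bypass(make_sample_log()).items():
        print(path, stats)
```

A path flagged this way is a candidate for a CDN rule that drops unrecognised query parameters from the cache key, so that generated variants collapse onto one cached object.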

Bleeping Computer reported that while Microsoft tracks the threat actors as Storm-1359, they are more commonly known as Anonymous Sudan.

According to Bleeping Computer, Anonymous Sudan launched in January 2023, warning that they would conduct attacks against any country that opposes Sudan.

Since then, the group has targeted organizations and government agencies worldwide, taking them down in DDoS attacks or leaking stolen data…

…In June, Anonymous Sudan turned their attention to Microsoft, where they began DDoS attacks on web-accessible portals for Outlook, Azure, and OneDrive, demanding $1 million to stop the attacks.

In my opinion, people who engage in DDoS attacks against big companies because they are angry about something are misguided. Big companies like Microsoft tend to have the tools to put a stop to DDoS attacks.