
Microsoft already knows what caused the widespread Outlook and OneDrive outages: an attack

Earlier this month, several Microsoft services went down. The login pages and other parts of Outlook, OneDrive, Teams and Azure became unavailable to millions of users around the world. In an increasingly interconnected world, this scenario turned into a huge headache.

Imagine people unable to access their email, work teams cut off from one of their communication platforms, and system administrators with limited access to their company’s cloud resources. All of this happened, to a greater or lesser extent, between June 5 and 9, 2023. Now we know why.

The culprit was a DDoS attack

Microsoft says it invests 1,000 million dollars a year to protect against, detect and respond to cyber threats in real time, work coordinated from the Microsoft Cyber Defense Operations Center (CDOC). However, like any other tech company, it is not immune to certain attacks that can compromise its systems.

It was the Redmond company itself that acknowledged that the “early June” events were due to a distributed denial-of-service attack, better known by its acronym, DDoS. “We have seen no evidence that customer data has been accessed or compromised,” it stated in a press release.


The investigation is still ongoing and details about what happened remain scarce, but what is known helps us gauge the kind of threats we face in today’s digital reality. A Microsoft spokesperson confirmed to the Associated Press that the group calling itself Anonymous Sudan was behind the attack.

Internally, the company has dubbed the attackers Storm-1359, a designation whose affiliation has yet to be established. Some researchers, however, believe Anonymous Sudan is linked to the pro-Russian group KillNet, which is known for launching attacks against Ukraine’s allies.

It is believed that the attackers had multiple virtual private servers and leased cloud infrastructure at their disposal. Using these and other resources, they sent an enormous number of requests to Microsoft’s servers, producing an HTTP flood attack: a direct attack on layer 7 of the OSI model, the application layer on which web requests are built.

This type of attack seeks to exhaust the server’s resources so that it collapses and can no longer respond to access requests. Notably, it is not easy to mitigate, because legitimate traffic is hard to distinguish from the traffic the attackers generate to destabilize the service.


Storm-1359 also launched other layer-7 attacks. One was a practice known as “cache bypass”, which tries to get past the CDN’s cache layer so that requests reach, and can overload, the origin servers. The other was of the “Slowloris” type, which opens connections to the server and tries to keep them open to consume its resources.
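As an added illustration, not part of the original article or of Microsoft’s own tooling, the script below shows how a defender might spot the first two patterns in ordinary web-server access logs: it flags clients whose burst rate looks like an HTTP flood, and clients that request one cacheable static asset with many distinct query strings, the typical trace of a cache-bypass flood. The log lines, thresholds, asset extensions and addresses are all constructed for the example; Slowloris, which holds connections open rather than sending many requests, would need connection-level data and is not covered here.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Common access-log format: ip ident user [timestamp] "METHOD path HTTP/x" status bytes
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" \d{3}')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
STATIC_EXT = (".js", ".css", ".png", ".jpg", ".svg", ".woff2")  # assets a CDN should be serving

def parse_line(line):
    """Return (ip, timestamp, path, query) or None if the line does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    path, _, query = m["path"].partition("?")
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), path, query

def max_requests_in_window(times, window):
    """Largest number of requests from one client inside any sliding time window."""
    times, best, start = sorted(times), 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def analyze(lines, window_s=10, flood_threshold=50, bypass_threshold=20):
    """Return (flood_ips, bypass_ips): flood-like burst rates, and many cache-busting queries to one asset."""
    times_by_ip, queries = defaultdict(list), defaultdict(set)
    for line in lines:
        if (rec := parse_line(line)) is None:
            continue  # unparseable line; a real pipeline would count these too
        ip, ts, path, query = rec
        times_by_ip[ip].append(ts)
        if query and path.endswith(STATIC_EXT):  # every distinct query string misses the CDN cache
            queries[(ip, path)].add(query)
    window = timedelta(seconds=window_s)
    flood = {ip for ip, ts in times_by_ip.items() if max_requests_in_window(ts, window) >= flood_threshold}
    bypass = {ip for (ip, _), qs in queries.items() if len(qs) >= bypass_threshold}
    return flood, bypass

def sample_log():
    """Constructed sample (RFC 5737 documentation addresses): 60 cache-busting hits in 6 s, 5 normal page views."""
    base = datetime(2023, 6, 8, 12, 0, 0, tzinfo=timezone.utc)
    lines = [f'203.0.113.5 - - [{(base + timedelta(milliseconds=100 * i)).strftime(TS_FMT)}] '
             f'"GET /static/app.js?v={i:08x} HTTP/1.1" 200 512' for i in range(60)]
    lines += [f'198.51.100.7 - - [{(base + timedelta(seconds=30 * i)).strftime(TS_FMT)}] '
              f'"GET /inbox HTTP/1.1" 200 2048' for i in range(5)]
    return lines
```

Running `analyze(sample_log())` returns `({'203.0.113.5'}, {'203.0.113.5'})`: the bursting client trips both detectors while the normal browser trips neither. In production the thresholds would be tuned against a baseline of legitimate traffic, since, as the article notes, a layer-7 flood is hard to separate from real users.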
