An investigation by Microsoft suggests a threat actor named Storm-1359 launched distributed denial of service attacks earlier this month, impacting availability of the company's services.
Thousands of Microsoft 365 customers experienced issues connecting to services last week, including Teams and Outlook Web Access.
We're investigating an issue with accessing Outlook on the web. Further details can be found under EX571516 in the admin center.
— Microsoft 365 Status (@MSFT365Status) June 5, 2023
In an incident post mortem published over the weekend, Australian time, Microsoft pointed to Storm-1359 as having launched DDoS attacks to create disruption for publicity purposes.
The threat actor used multiple virtual private servers, rented cloud infrastructure, open proxies and "DDoS tools", Microsoft said.
Attacks were launched at application layer 7, which Microsoft protects with the Azure Web Application Firewall, rather than at network layers 3 or 4.
Microsoft saw no evidence of any customer data being accessed or compromised.
Storm-1359 has been observed to launch several types of layer 7 DDoS attacks, Microsoft's Security Response Centre said.
The threat actor has attempted to exhaust system resources by sending millions of clear-text (HTTP) and secured (HTTPS) Hypertext Transfer Protocol requests to run up processor and memory usage.
Similarly, Storm-1359 has attempted to bypass caching servers and to use the "Slowloris" attack with incomplete network connections that remain open, in an effort to exhaust system resources.
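As an added illustration (not code from Microsoft or from this article), the sketch below shows how a defender might flag the last two patterns in front-end connection records: many connections held open with incomplete request headers, and one client requesting the same path with a different query string every time so that a cache never gets a hit. The record layout, thresholds and sample data are assumptions made for the example.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample records, not real traffic (documentation-range IPs):
# (client, seconds_open, headers_complete, url)
SAMPLE = (
    # Four connections that never finish sending their request headers.
    [("198.51.100.7", t, False, None) for t in (45, 60, 62, 90)]
    # Same path, a fresh random-looking query string on every request.
    + [("203.0.113.9", 1, True, f"/search?r={n:08x}")
       for n in (0x1A2B, 0x9F01, 0x77C3, 0x0E5D, 0xB410, 0x3C88)]
    # Ordinary client: repeated cacheable requests plus one slow connection.
    + [("192.0.2.10", 1, True, "/index.html")] * 5
    + [("192.0.2.10", 12, False, None)]
)

def slow_header_clients(records, timeout=10, min_conns=3):
    """Clients holding at least min_conns connections whose request headers
    are still incomplete after timeout seconds (the Slowloris pattern).
    Both thresholds are assumed values to tune per environment."""
    stalled = defaultdict(int)
    for client, open_s, complete, _url in records:
        if not complete and open_s >= timeout:
            stalled[client] += 1
    return sorted(c for c, n in stalled.items() if n >= min_conns)

def cache_bypass_clients(records, min_requests=5, unique_ratio=0.9):
    """Clients whose requests to a single path carry almost entirely distinct
    query strings, which defeats URL-keyed caching and pushes load to the
    origin. Legitimate pagination can look similar, so treat a hit as a
    lead to review rather than a verdict."""
    queries = defaultdict(list)
    for client, _open_s, complete, url in records:
        if complete and url:
            parts = urlsplit(url)
            queries[(client, parts.path)].append(parts.query)
    flagged = set()
    for (client, _path), seen in queries.items():
        if len(seen) >= min_requests and len(set(seen)) / len(seen) >= unique_ratio:
            flagged.add(client)
    return sorted(flagged)

if __name__ == "__main__":
    print("stalled-header clients:", slow_header_clients(SAMPLE))
    print("cache-bypass clients:", cache_bypass_clients(SAMPLE))
```

The single slow connection from 192.0.2.10 is deliberately left unflagged, since one stalled connection is common on poor links and only the per-client count separates it from the attack pattern.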