Commentary

Microsoft Under Attack: Outlook Brought Down By DDoS Threat Actor Early In June

When Microsoft Outlook went down earlier this month, leaving users unable to access the email service, observers wondered whether it was caused by a Spectrum outage taking place at the same time, or by a simple system failure on Microsoft's part.

It was neither. Microsoft reported on Friday that the outage was due to a cyberattack.

“Beginning in early June 2023, Microsoft identified surges in traffic against some services that temporarily impacted availability,” Microsoft writes. “Microsoft promptly opened an investigation and subsequently began tracking ongoing DDoS activity by the threat actor that Microsoft tracks as Storm-1359.”

The company is quick to add: “We have seen no evidence that customer data has been accessed or compromised.” But it apparently was a serious episode.

To get technical, the distributed denial-of-service (DDoS) activity “targeted layer 7 rather than layer 3 or 4,” Microsoft writes. In OSI terms, that means the traffic consisted of well-formed HTTP(S) requests that consume application-layer processing, rather than the raw packet or connection floods that hit the network (layer 3) and transport (layer 4) layers; the mitigation Microsoft cites is accordingly an application-layer control: “Microsoft hardened layer 7 protections including tuning Azure Web Application Firewall (WAF) to better protect customers from the impact of similar DDoS attacks.”


Microsoft determined that Storm-1359 “has access to a collection of botnets and tools that could enable the threat actor to launch DDoS attacks from multiple cloud services and open proxy infrastructures. Storm-1359 appears to be focused on disruption and publicity.”

These layer 7 DDoS attacks take several different forms:

  • HTTP(S) flood attack — This attack aims to "exhaust the system resources with a high load of SSL/TLS handshakes and HTTP(S) requests processing," Microsoft says. 
  • Cache bypass — This form of attack attempts to bypass the CDN layer and can lead to overloading the origin servers. 
  • Slowloris — Here, the client “opens a connection to a web server, requests a resource (e.g., an image), and then fails to acknowledge the download (or accepts it slowly)," Microsoft says. "This forces the web server to keep the connection open and the requested resource in memory.”
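As an added illustration, not code from the article or from Microsoft: a small triage script that looks for the three layer 7 patterns listed above in web server access logs. The log format (client IP, Unix timestamp, method, URL, status, bytes sent, request duration), the sample lines and the thresholds are all constructed for this example; real access logs and sensible thresholds differ per deployment.

```python
"""
Added example (not from the article or Microsoft): triage web-server access
logs for the three layer 7 DDoS patterns described in the text. Log format,
thresholds and sample lines are constructed for illustration only.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed format: ip  unix_ts  method  url  status  bytes_sent  duration_secs
LOG_RE = re.compile(
    r"^(?P<ip>\S+) (?P<ts>\d+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+) (?P<secs>\d+(?:\.\d+)?)$"
)


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not guessed at."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        records.append({"ip": d["ip"], "ts": int(d["ts"]), "method": d["method"],
                        "url": d["url"], "status": int(d["status"]),
                        "bytes": int(d["bytes"]), "secs": float(d["secs"])})
    return records


def detect_http_flood(records, window=10, threshold=20):
    """HTTP(S) flood: more than `threshold` requests from one IP in any `window` seconds."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r["ts"])
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        left, peak = 0, 0
        for right, ts in enumerate(stamps):      # sliding window over sorted timestamps
            while ts - stamps[left] >= window:
                left += 1
            peak = max(peak, right - left + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged


def detect_cache_bypass(records, min_distinct=5):
    """Cache bypass: one IP hitting the same path with many distinct query strings,
    a cache-busting pattern that forces every request through to the origin."""
    queries = defaultdict(set)
    for r in records:
        parts = urlsplit(r["url"])
        queries[(r["ip"], parts.path)].add(parts.query)
    return {key: len(q) for key, q in queries.items() if len(q) >= min_distinct}


def detect_slow_connections(records, min_secs=30.0, max_bytes=1024, min_count=3):
    """Slowloris-style: several long-lived connections from one IP that move little data."""
    counts = defaultdict(int)
    for r in records:
        if r["secs"] >= min_secs and r["bytes"] <= max_bytes:
            counts[r["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= min_count}


def triage(text):
    """Run all three detectors over a log blob and return the findings by category."""
    records = parse_log(text)
    return {"http_flood": detect_http_flood(records),
            "cache_bypass": detect_cache_bypass(records),
            "slowloris": detect_slow_connections(records)}


def _constructed_log():
    """Constructed sample traffic: one benign client plus one client per attack pattern."""
    lines = [
        "203.0.113.10 1686000000 GET /index.html 200 5120 0.02",
        "203.0.113.10 1686000003 GET /static/app.js 200 40960 0.05",
        "203.0.113.10 1686000009 GET /about 200 3100 0.03",
        # three long-lived, near-empty transfers from one source
        "198.51.100.7 1686000001 GET /images/banner.png 200 512 45.0",
        "198.51.100.7 1686000002 GET /images/banner.png 200 512 61.3",
        "198.51.100.7 1686000002 GET /images/banner.png 200 256 58.9",
    ]
    # same path, fresh cache-busting query parameter on every request
    lines += [f"192.0.2.44 {1686000010 + i} GET /search?q=abc&cb={i * 7919} 200 2048 0.4"
              for i in range(6)]
    # 60 requests in about six seconds from one source
    lines += [f"192.0.2.99 {1686000020 + i // 10} GET /login 200 1200 0.01"
              for i in range(60)]
    return "\n".join(lines)


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_LOG).items():
        print(kind, hits)
```

Per-IP thresholds like these are the weak point against exactly the infrastructure the article describes: an actor spreading requests across cloud services and open proxies keeps each source under a naive rate limit. In practice the same counters are also keyed by path, ASN, or TLS fingerprint, and the cache-bypass check is paired with origin-side rules that ignore unknown query parameters for cacheable paths.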

Microsoft halted the attack, but acknowledges that more work is needed. “While these tools and techniques are highly effective at mitigating the majority of disruptions, Microsoft consistently reviews the performance of its hardening capabilities and incorporates learnings into refining and improving their effectiveness,” it says.

 

 
