Discover the impact of 7-Layer DDoS attacks on Microsoft's crippled services, including Azure, Outlook, and OneDrive.

Continue reading
In a recent statement, Microsoft has confirmed that the recent outages experienced by Azure, Outlook, and OneDrive web portals were the result of Layer 7 DDoS attacks launched against their services. These attacks have been attributed to a threat actor known as Storm-1359, which identifies itself as Anonymous Sudan. The outages occurred in early June, with Outlook.com's web portal being targeted on June 7th, OneDrive on June 8th, and the Microsoft Azure Portal on June 9th.
Microsoft initially did not disclose that the outages were caused by DDoS attacks but hinted at it, mentioning that they were applying load-balancing processes to mitigate the issues. In a preliminary root cause report, Microsoft acknowledged a spike in network traffic that led to the Azure outage. Further investigation revealed that these outages were indeed caused by Layer 7 DDoS attacks carried out by the threat actor Storm-1359.
These Layer 7 DDoS attacks specifically target the application level by overwhelming the services with an enormous volume of requests, rendering them unable to process them all. Storm-1359 employs three types of Layer 7 DDoS attacks: HTTP(S) flood attacks, Cache bypass, and Slowloris. Each method aims to overload the web service by utilizing all available connections, thereby preventing the acceptance of new requests.
Storm-1359, the threat actor behind the DDoS attacks on Microsoft's services, identifies as Anonymous Sudan. Anonymous Sudan emerged in January 2023, announcing their intention to conduct attacks against any country opposing Sudan. Since then, the group has targeted organizations and government agencies worldwide, launching DDoS attacks and leaking stolen data.
In May, the group started targeting large organizations, demanding ransom payments to cease the attacks. Scandinavian Airlines (SAS) was among their first targets, with the threat actors demanding $3,500 to halt the DDoS attacks. Later, the group turned their attention to American companies such as Tinder, Lyft, and several hospitals throughout the USA.

*Anonymous Sudan claims Microsoft 7-Layer DDoS Attacks*
In June, Anonymous Sudan directed their attacks towards Microsoft, launching DDoS attacks on web-accessible portals for Outlook, Azure, and OneDrive. The group demanded a payment of $1 million to cease the attacks, justifying their actions as a response to the USA's involvement in Sudanese politics.
Microsoft has analyzed the DDoS attacks by Storm-1359 and identified their methods. The threat actor employs three types of Layer 7 DDoS attacks: HTTP(S) flood attacks, Cache bypass, and Slowloris. Each of these methods aims to overwhelm web services by consuming all available connections, rendering them unable to accept new requests.
In HTTP(S) flood attacks, the attacker floods the system resources by generating a high load of SSL/TLS handshakes and HTTP(S) requests. This flood of requests, distributed across various source IPs globally, exhausts the application's backends compute resources, including CPU and memory.
Cache bypass attacks attempt to bypass the content delivery network (CDN) layer and overload the origin servers. The attacker sends queries against generated URLs that force the frontend layer to forward all requests to the origin rather than serving from cached contents.
Slowloris attacks involve the client opening a connection to a web server, requesting a resource but failing to acknowledge or accept the download slowly. This forces the web server to keep the connection open and the requested resource in memory, effectively tying up server resources and preventing new connections from being established.
Storm-1359's combination of these Layer 7 DDoS attack techniques has effectively disrupted Microsoft's services. These attacks are challenging to mitigate since they mimic legitimate traffic and exploit the vulnerabilities in the application layer rather than overwhelming the network infrastructure.
In response to the DDoS attacks, Microsoft swiftly activated its incident response and security teams to mitigate the impact and restore services. The company employed various strategies to counter the attacks, including deploying additional infrastructure, enhancing network capacity, and implementing advanced traffic filtering and rate-limiting measures.
Microsoft collaborated with its partners and internet service providers (ISPs) to identify and block traffic from the malicious source IPs associated with the DDoS attacks. They also implemented proactive monitoring and alert systems to detect and respond to any future attacks promptly.
To further enhance the security of their services, Microsoft plans to invest in strengthening their DDoS protection capabilities. This includes leveraging machine learning and AI-driven technologies to identify and mitigate emerging threats more effectively.
To mitigate the impact of the Layer 7 DDoS attacks and enhance the resilience of their services, Microsoft has taken several mitigation measures:
In response to the attacks, Microsoft advises its customers to take the following actions to fortify their environments and mitigate similar attacks:
In addition to taking immediate action to mitigate the attacks, Microsoft has been collaborating with law enforcement agencies to investigate the DDoS attacks and identify the perpetrators behind Storm-1359. By working closely with authorities, Microsoft aims to hold the threat actors accountable for their actions.

U.S. Army recruiting pages hijacked to display fake 404 errors reading ‘Kurdistan’, exploiting a third-party tool and exposing .mil web security gaps.