High-Speed Brute-Force Attacks on Microsoft 365 Accounts Using FastHTTP Library


2025-01-14

In a rapidly evolving digital landscape, cybersecurity threats are becoming more sophisticated and relentless. A recent discovery by incident response firm SpearTip has unveiled a new wave of high-speed brute-force password attacks targeting Microsoft 365 accounts globally. These attacks, which began on January 6, 2024, use the FastHTTP Go library to automate unauthorized login attempts at high volume, posing a significant threat to organizations worldwide. This article covers the mechanics of these attacks, their impact, and the measures organizations can take to defend against them.

1. Threat actors are using the FastHTTP Go library to launch high-speed brute-force attacks on Microsoft 365 accounts.
2. The attacks target the Azure Active Directory Graph API, with a 10% success rate in account takeovers.
3. FastHTTP is a high-performance HTTP server and client library optimized for handling numerous concurrent connections.
4. The campaign involves creating HTTP requests to automate unauthorized login attempts and overwhelm targets with MFA Fatigue attacks.
5. 65% of the malicious traffic originates from Brazil, followed by Turkey, Argentina, Uzbekistan, Pakistan, and Iraq.
6. 41.5% of the attacks fail, 21% lead to account lockouts, 17.7% are rejected due to policy violations, and 10% are protected by MFA.
7. 9.7% of cases result in successful authentication by threat actors.
8. Microsoft 365 account takeovers can lead to data exposure, intellectual property theft, and service downtime.
9. SpearTip provides a PowerShell script to detect the FastHTTP user agent in audit logs.
10. Admins can manually check for the user agent in the Azure portal and apply filters to identify malicious activity.
11. Immediate actions include expiring user sessions, resetting credentials, and reviewing MFA devices.
12. Indicators of compromise are listed in SpearTip’s report.

What Undercode Says:

The utilization of the FastHTTP Go library in these brute-force attacks represents a significant escalation in the tactics employed by cybercriminals. The library’s ability to handle numerous concurrent connections with high efficiency makes it an ideal tool for launching rapid and relentless attacks. This campaign underscores the importance of robust cybersecurity measures, particularly for organizations relying on Microsoft 365 for their operations.

Analysis:

1. Speed and Efficiency: The FastHTTP

2. Geographic Distribution: The concentration of malicious traffic from Brazil and other countries suggests a coordinated effort by threat actors in these regions. The use of a broad range of ASN providers and IP addresses complicates detection and mitigation efforts.

3. Success Rate: A 9.7% success rate is alarmingly high for brute-force attacks. This indicates that many organizations may still be using weak or reused passwords, despite the availability of stronger authentication methods.

4. MFA Fatigue Attacks: The repeated sending of MFA challenges to overwhelm targets is a concerning trend. This tactic exploits human psychology, as users may eventually approve a request to stop the incessant notifications, inadvertently granting access to attackers.

5. Detection and Response: SpearTip’s PowerShell script and manual detection methods provide valuable tools for identifying and responding to these attacks. However, organizations must also focus on proactive measures, such as enforcing strong password policies and educating users about the risks of MFA Fatigue.

6. Immediate Actions: The recommended actions, such as expiring user sessions and resetting credentials, are crucial for mitigating the impact of successful attacks. Regularly reviewing MFA devices and removing unauthorized additions can further enhance security.

7. Indicators of Compromise: The inclusion of a full list of indicators of compromise in SpearTip’s report is a valuable resource for organizations. By monitoring for these indicators, organizations can detect and respond to attacks more effectively.
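As an added detection example for points 5 and 6 above (this is not SpearTip's PowerShell script and not code from the report): the user-agent check run offline over constructed audit records shaped like Microsoft 365 Unified Audit Log sign-in events, flagging the fasthttp client and surfacing the accounts it eventually authenticated as, which are the ones whose sessions and credentials need immediate attention. The record layout, field names and sample values are assumptions modelled on that log format.

```python
import json
from collections import defaultdict

# Constructed sample records (not from the SpearTip report), shaped like the
# AuditData JSON of Microsoft 365 Unified Audit Log sign-in events. The
# "UserAgent" extended property is where the client's user agent is recorded;
# "fasthttp" is the Go library's default User-Agent string.
SAMPLE_AUDIT_DATA = [
    '{"Operation":"UserLoginFailed","ResultStatus":"Failed","UserId":"alice@example.com","ClientIP":"203.0.113.10","ExtendedProperties":[{"Name":"UserAgent","Value":"fasthttp"}]}',
    '{"Operation":"UserLoginFailed","ResultStatus":"Failed","UserId":"alice@example.com","ClientIP":"203.0.113.11","ExtendedProperties":[{"Name":"UserAgent","Value":"fasthttp"}]}',
    '{"Operation":"UserLoginFailed","ResultStatus":"Failed","UserId":"bob@example.com","ClientIP":"198.51.100.7","ExtendedProperties":[{"Name":"UserAgent","Value":"fasthttp"}]}',
    '{"Operation":"UserLoggedIn","ResultStatus":"Success","UserId":"bob@example.com","ClientIP":"198.51.100.7","ExtendedProperties":[{"Name":"UserAgent","Value":"fasthttp"}]}',
    '{"Operation":"UserLoggedIn","ResultStatus":"Success","UserId":"carol@example.com","ClientIP":"192.0.2.5","ExtendedProperties":[{"Name":"UserAgent","Value":"Mozilla/5.0 (Windows NT 10.0; Win64; x64)"}]}',
]

def user_agent(record):
    """Return the UserAgent extended property of a parsed AuditData record."""
    for prop in record.get("ExtendedProperties", []):
        if prop.get("Name") == "UserAgent":
            return prop.get("Value", "")
    return ""

def is_fasthttp(record):
    """Flag sign-in events whose client identifies itself as fasthttp."""
    return "fasthttp" in user_agent(record).lower()

def summarize(audit_lines):
    """Per-user counts of fasthttp-driven failed and successful sign-ins, plus source IPs."""
    per_user = defaultdict(lambda: {"failed": 0, "success": 0, "ips": set()})
    for line in audit_lines:
        record = json.loads(line)
        if not is_fasthttp(record):
            continue  # ordinary browser/client traffic is left alone
        stats = per_user[record["UserId"]]
        if record.get("Operation") == "UserLoggedIn" and record.get("ResultStatus") == "Success":
            stats["success"] += 1
        else:
            stats["failed"] += 1
        stats["ips"].add(record.get("ClientIP", ""))
    return dict(per_user)

def likely_takeovers(summary):
    """Users the fasthttp client actually authenticated as: expire their
    sessions, reset credentials and review registered MFA devices first."""
    return sorted(user for user, s in summary.items() if s["success"] > 0)

if __name__ == "__main__":
    summary = summarize(SAMPLE_AUDIT_DATA)
    for user, s in sorted(summary.items()):
        print(f"{user}: failed={s['failed']} success={s['success']} ips={sorted(s['ips'])}")
    print("likely takeovers:", likely_takeovers(summary))
```

Accounts that only show failures still matter (lockouts and MFA Fatigue pressure), but the successful ones are where the page's immediate actions apply first.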

Conclusion:

The use of the FastHTTP Go library in brute-force attacks on Microsoft 365 accounts highlights the evolving nature of cyber threats. Organizations must remain vigilant and adopt a multi-layered approach to cybersecurity, combining strong authentication methods, user education, and proactive detection and response strategies. By staying informed and prepared, organizations can better defend against these sophisticated attacks and protect their sensitive data and intellectual property.

References:

Reported By: Bleepingcomputer.com