FastHTTP bruteforce attack: more than 50% of organizations targeted

Yesterday we conducted research among users of the Sentinel add-on for Attic M365. We investigated the impact of a large-scale bruteforce attack targeting Microsoft 365, using FastHTTP.

It turns out that since January 7, more than half of the investigated organizations have been targeted by this attack. In none of the cases did the attackers manage to compromise an account, but the attack did lead to locked accounts and therefore potential disruption for the affected employees.

We will inform affected customers through an individual ticket in their name.

Background

Our investigation was prompted by an article on Bleeping Computer that followed research by Speartip: https://www.speartip.com/fasthttp-used-in-new-bruteforce-campaign/

What is FastHTTP?

This is open-source software with no malicious purpose of its own. It is designed to speed up HTTP traffic, but that same property makes it useful to attackers who want to send a very high volume of requests to an authentication API such as Entra ID's in a short time.

What is a bruteforce attack?

In a bruteforce attack, an attacker cracks a password by sheer volume rather than cleverness: by simply trying a long list of character and number combinations, the correct combination will eventually come up.

How does this work with Microsoft 365?

The Entra ID API is reachable from anywhere on the internet and requires authentication. By directing a bruteforce attack at that API, an attacker learns that a guessed password is correct the moment authentication succeeds, and can then take over the account.

Impact for you

Given that the attack reached more than half of all organizations, there is a good chance that you were targeted as well. And it cannot be ruled out that similar attacks will be carried out more frequently.

Account lockouts (21%)

When someone enters a wrong password multiple times, their account gets locked. The consequence of a bruteforce attack can already be quite disruptive for individual employees in that sense. Speartip reports that this was the result in 21% of bruteforce attempts.

Account takeover (10%)

And if the bruteforce does succeed — meaning the attacker actually obtains the correct password — it is possible that the account in question gets taken over. Speartip has observed this in roughly 10% of cases, though we cannot corroborate that figure from our own research.

MFA fatigue (10%)

When MFA is enabled, a correct password guess triggers an MFA prompt to the user instead of an immediate login. The user may get tired or irritated by the speed and volume of prompts and eventually accept one, which is exactly what the attacker hopes for. Microsoft has implemented various measures to prevent this, but at the very least it will be annoying for employees.

What to do?

If you want Attic's help against these kinds of attacks, you need the Sentinel add-on for our Microsoft 365 service. You can obtain it through the Azure Marketplace.

Within that service, you need to add Sign-in Logs as a data source. This incurs some additional storage costs at Microsoft, but those are minor and well worth it for investigating malicious login attempts after the fact.

If you want to investigate on your own, follow these steps:

1. Log in to entra.microsoft.com
2. Go to Users > Sign-in Logs
3. Apply the following filter: Client app = "Other Clients"

This may produce false positives, but the User Agent field under Basic Information can be used for confirmation: the user agent will contain "fasthttp".
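The same check can be run offline against exported sign-in log records. The script below is an added example (not Speartip's script and not part of Attic's service): it reads newline-delimited JSON in the shape of Microsoft Graph `signIn` records (`userPrincipalName`, `clientAppUsed`, `userAgent`, `ipAddress`, `status.errorCode`), keeps only entries with client app "Other clients" and a user agent containing "fasthttp", and summarizes per user how many attempts failed, whether the account was locked, and whether any attempt succeeded. The sample records embedded in it are constructed for this example; the error codes 50126 (invalid username or password) and 50053 (account locked) are standard Entra ID sign-in error codes.

```python
import json
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample sign-in log lines (JSON per line) in the shape of exported
# Entra ID sign-in records. Names, addresses and timestamps are made up.
SAMPLE_SIGNIN_LOG = """
{"createdDateTime": "2025-01-08T09:00:01Z", "userPrincipalName": "alice@example.com", "clientAppUsed": "Other clients", "userAgent": "fasthttp", "ipAddress": "203.0.113.10", "status": {"errorCode": 50126}}
{"createdDateTime": "2025-01-08T09:00:02Z", "userPrincipalName": "alice@example.com", "clientAppUsed": "Other clients", "userAgent": "fasthttp", "ipAddress": "203.0.113.11", "status": {"errorCode": 50126}}
{"createdDateTime": "2025-01-08T09:00:03Z", "userPrincipalName": "alice@example.com", "clientAppUsed": "Other clients", "userAgent": "fasthttp", "ipAddress": "203.0.113.11", "status": {"errorCode": 50053}}
{"createdDateTime": "2025-01-08T09:00:04Z", "userPrincipalName": "bob@example.com", "clientAppUsed": "Other clients", "userAgent": "fasthttp", "ipAddress": "203.0.113.12", "status": {"errorCode": 50126}}
{"createdDateTime": "2025-01-08T09:00:05Z", "userPrincipalName": "carol@example.com", "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 Chrome/120.0", "ipAddress": "198.51.100.5", "status": {"errorCode": 50126}}
{"createdDateTime": "2025-01-08T09:00:06Z", "userPrincipalName": "dave@example.com", "clientAppUsed": "Other clients", "userAgent": "fasthttp", "ipAddress": "203.0.113.13", "status": {"errorCode": 0}}
"""

# Standard Entra ID sign-in error codes used below.
ERR_BAD_PASSWORD = 50126   # AADSTS50126: invalid username or password
ERR_LOCKED_OUT = 50053     # AADSTS50053: account locked after repeated failures
SUCCESS = 0


@dataclass
class UserSummary:
    """Per-user aggregate of sign-in attempts that matched the fasthttp filter."""
    failed: int = 0
    locked: bool = False
    succeeded: bool = False
    source_ips: set = field(default_factory=set)


def is_fasthttp_signin(record: dict) -> bool:
    """Mirror the portal filter: client app 'Other clients' plus a fasthttp user agent.
    Comparisons are case-insensitive because the portal and Graph spell the
    client app value differently ('Other Clients' vs 'Other clients')."""
    client_app = (record.get("clientAppUsed") or "").lower()
    user_agent = (record.get("userAgent") or "").lower()
    return client_app == "other clients" and "fasthttp" in user_agent


def summarize(log_text: str) -> dict:
    """Aggregate matching attempts per userPrincipalName."""
    summary: dict = defaultdict(UserSummary)
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        if not is_fasthttp_signin(record):
            continue
        user = summary[record["userPrincipalName"]]
        code = (record.get("status") or {}).get("errorCode", SUCCESS)
        if code == SUCCESS:
            user.succeeded = True          # correct password guessed: follow up immediately
        else:
            user.failed += 1
            if code == ERR_LOCKED_OUT:
                user.locked = True         # the disruption case described above
        user.source_ips.add(record.get("ipAddress"))
    return dict(summary)


def accounts_needing_attention(summary: dict) -> list:
    """Users to triage first: any successful fasthttp sign-in, then lockouts."""
    return sorted(
        upn for upn, s in summary.items() if s.succeeded or s.locked
    )


if __name__ == "__main__":
    result = summarize(SAMPLE_SIGNIN_LOG)
    for upn, s in sorted(result.items()):
        print(f"{upn}: failed={s.failed} locked={s.locked} "
              f"succeeded={s.succeeded} ips={sorted(s.source_ips)}")
    print("triage first:", accounts_needing_attention(result))
```

The browser sign-in for carol is dropped by the filter even though it failed, which is the point of combining the client-app filter with the user-agent check rather than alerting on every failed login. A successful attempt from the fasthttp client (dave in the sample) is the account-takeover case and should be handled before the lockouts.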

Speartip has also created a PowerShell script to inspect audit logs for fasthttp: https://www.speartip.com/fasthttp-used-in-new-bruteforce-campaign/
