Microsoft Accounts Compromised

Microsoft

January 16, 2025

Analysts discovered threat actors leveraging the Fasthttp Go library to gain unauthorized access to Microsoft 365 accounts through high-speed brute-force login attempts and MFA fatigue as recently as January 6. Fasthttp is a high-performance HTTP server and client library designed for more efficient HTTP request handling, resulting in lower latency under high load. These attacks specifically target the Azure Active Directory Graph API, achieving a success rate of approximately 10 percent for account takeovers. Retirement of the Azure AD Graph API for new and existing service applications began in September 2024, and the API will be fully retired as of July.

Analysis indicates that 65 percent of malicious traffic geolocated to Brazil, leveraging a diverse range of ASN providers and IP addresses. Other source countries include Turkey, Argentina, Uzbekistan, Pakistan, and Iraq, each contributing approximately two to three percent of the observed traffic. Of the observed attempts, 41.5 percent failed, 21 percent led to account lockouts, 17.7 percent were stopped by policy settings, and 10 percent were prevented by MFA; the remaining 9.7 percent successfully authenticated and required immediate action.

In light of these developments, SpearTip developed a PowerShell script designed to help administrators identify such attacks by monitoring for the Fasthttp user agent in audit logs. Additionally, the SpearTip bulletin provides a detailed list of ASN providers, recommendations, and indicators of compromise.
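The detection described above, as an added example that is not SpearTip's script: Python that reads an exported Entra ID sign-in log, flags entries whose user agent identifies the fasthttp client, and buckets them by outcome so successful authentications surface first. The log shape (userPrincipalName, userAgent, ipAddress, status.errorCode) is assumed from the Graph signIn resource, and the sample entries are constructed.

```python
import json
from collections import Counter

# Documented Entra ID sign-in error codes, mapped to the outcome buckets the
# bulletin reports (success, lockout, policy block, MFA stop, plain failure).
OUTCOME_BY_CODE = {
    0: "success",
    50053: "lockout",             # account locked after repeated bad passwords
    53003: "policy",              # blocked by Conditional Access
    50074: "mfa", 50076: "mfa",   # strong auth required / MFA challenge failed
}

def is_fasthttp(entry):
    """True when the sign-in's user agent string identifies the fasthttp client."""
    return "fasthttp" in (entry.get("userAgent") or "").lower()

def classify(entry):
    """Map a sign-in entry's errorCode to an outcome bucket (default: failed)."""
    code = (entry.get("status") or {}).get("errorCode")
    return OUTCOME_BY_CODE.get(code, "failed")

def triage(entries):
    """Return (outcome counts, sorted UPNs with a successful fasthttp sign-in)."""
    hits = [e for e in entries if is_fasthttp(e)]
    counts = Counter(classify(e) for e in hits)
    compromised = sorted({e["userPrincipalName"] for e in hits
                          if classify(e) == "success"})
    return counts, compromised

def triage_json(text):
    """Convenience wrapper for a JSON-array export of sign-in entries."""
    return triage(json.loads(text))

# Constructed sample in the assumed shape of a Graph signIn export.
SAMPLE_LOG = json.dumps([
    {"userPrincipalName": "alice@example.com", "userAgent": "fasthttp",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 50126}},
    {"userPrincipalName": "alice@example.com", "userAgent": "fasthttp",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 50053}},
    {"userPrincipalName": "bob@example.com", "userAgent": "fasthttp",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 50076}},
    {"userPrincipalName": "carol@example.com", "userAgent": "fasthttp",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},
    {"userPrincipalName": "dave@example.com", "userAgent": "Mozilla/5.0 (Windows NT 10.0)",
     "ipAddress": "192.0.2.5", "status": {"errorCode": 0}},
])

if __name__ == "__main__":
    counts, compromised = triage_json(SAMPLE_LOG)
    print(dict(counts))   # {'failed': 1, 'lockout': 1, 'mfa': 1, 'success': 1}
    print(compromised)    # ['carol@example.com']
```

Any account listed in the compromised output should go straight into the session-expiry and credential-reset steps below; the failed and lockout buckets still identify targeted users worth watching.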

Recommendation

  • If investigations reveal successful authentication:
    • Follow your established incident response procedures.
    • Expire user sessions and reset affected user credentials immediately.
    • Remove and re-add MFA devices as needed to ensure unauthorized additions are removed.
    • Monitor for unauthorized changes in user settings or permissions.
  • Report cyber incidents to the FBI’s IC3 and the NJCCIC.