
A sophisticated cyber attack campaign targeting Microsoft 365 accounts worldwide has been uncovered by SpearTip security researchers. The attacks, which began on January 6, 2024, abuse the FastHTTP Go library to launch high-speed brute-force password attempts against the Azure Active Directory Graph API.
Attack Methodology
The threat actors leverage FastHTTP, a high-performance HTTP library for Go, to automate unauthorized login attempts. The attacks target Azure Active Directory endpoints through two primary methods:
– Password brute-forcing
– MFA Fatigue attacks through repeated authentication challenges
Geographic Distribution and Success Rate
– 65% of malicious traffic originates from Brazil
– Additional attacks from Turkey, Argentina, Uzbekistan, Pakistan, and Iraq
– Attack outcomes:
* 41.5% Failed attempts
* 21% Account lockouts
* 17.7% Policy violations
* 10% MFA-protected
* 9.7% Successful account compromises
Detection and Mitigation
Administrators can detect attacks by:
1. Using SpearTip’s PowerShell script to check for the FastHTTP user agent string
2. Monitoring Azure portal sign-in logs for suspicious “Other Clients” activity
Recommended Security Measures:
– Immediate session termination and credential reset upon detection
– Review and removal of unauthorized MFA devices
– Implementation of robust access policies
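As an added example (not SpearTip’s script, which this article does not reproduce), the Python below runs the user-agent check from detection step 1 over constructed sign-in records and groups the results per account, so the response steps above (session termination, credential reset, MFA device review) can be targeted at the right users. The field names and result codes follow the Entra ID / Azure AD sign-in log schema but are assumptions to verify against your own tenant’s export.

```python
import json
from collections import defaultdict

# Constructed sign-in records (JSON, one per line) shaped like an Entra ID /
# Azure AD sign-in log export. Users, IPs and outcomes are invented for this example.
SAMPLE_LOG = """
{"userPrincipalName":"alice@example.com","ipAddress":"203.0.113.10","userAgent":"fasthttp","appDisplayName":"Other Clients","status":{"errorCode":50126}}
{"userPrincipalName":"alice@example.com","ipAddress":"203.0.113.10","userAgent":"fasthttp","appDisplayName":"Other Clients","status":{"errorCode":50126}}
{"userPrincipalName":"alice@example.com","ipAddress":"203.0.113.11","userAgent":"fasthttp","appDisplayName":"Other Clients","status":{"errorCode":50126}}
{"userPrincipalName":"alice@example.com","ipAddress":"203.0.113.11","userAgent":"fasthttp","appDisplayName":"Other Clients","status":{"errorCode":0}}
{"userPrincipalName":"bob@example.com","ipAddress":"198.51.100.7","userAgent":"fasthttp","appDisplayName":"Other Clients","status":{"errorCode":500121}}
{"userPrincipalName":"bob@example.com","ipAddress":"198.51.100.7","userAgent":"fasthttp","appDisplayName":"Other Clients","status":{"errorCode":500121}}
{"userPrincipalName":"carol@example.com","ipAddress":"192.0.2.5","userAgent":"Mozilla/5.0 (Windows NT 10.0) Edge/120","appDisplayName":"Office 365","status":{"errorCode":0}}
"""

FASTHTTP_MARKER = "fasthttp"  # the Go fasthttp client's default User-Agent contains this token
# Assumed Entra sign-in errorCode values; verify against your tenant's export before relying on them.
OUTCOME_FIELD = {0: "succeeded", 50126: "failed", 50053: "locked", 500121: "mfa_challenges"}

def parse_log(text):
    """Parse one JSON record per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def is_fasthttp(record):
    """True when the sign-in came from a fasthttp-based client (case-insensitive match)."""
    return FASTHTTP_MARKER in (record.get("userAgent") or "").lower()

def summarize_fasthttp_activity(records):
    """Per-account counts of fasthttp sign-ins, classified by result code, plus source IPs."""
    summary = defaultdict(lambda: {"attempts": 0, "succeeded": 0, "failed": 0, "locked": 0,
                                   "mfa_challenges": 0, "other": 0, "sources": set()})
    for rec in records:
        if not is_fasthttp(rec):
            continue
        acct = summary[rec["userPrincipalName"]]
        acct["attempts"] += 1
        acct["sources"].add(rec.get("ipAddress"))
        code = rec.get("status", {}).get("errorCode")
        acct[OUTCOME_FIELD.get(code, "other")] += 1  # unknown codes are kept, not dropped
    return dict(summary)

def accounts_to_reset(summary):
    """Accounts a fasthttp client actually signed into: revoke sessions and reset credentials."""
    return sorted(u for u, a in summary.items() if a["succeeded"] > 0)

def mfa_fatigue_candidates(summary, threshold=2):
    """Accounts that received at least `threshold` MFA challenges from fasthttp clients."""
    return sorted(u for u, a in summary.items() if a["mfa_challenges"] >= threshold)
```

Point `parse_log` at an exported sign-in log instead of `SAMPLE_LOG` to run it against real data; accounts returned by `accounts_to_reset` are also the ones whose registered MFA devices should be reviewed.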
The campaign’s 10% success rate poses a significant threat to organizational security, potentially leading to data breaches and service disruptions.