With dead-time dump, Microsoft revealed DDoS as cause of recent cloud outages

In the murky world of political and corporate spin, announcing bad news on Friday afternoon – a time when few media outlets are watching, and audiences are at a low ebb – is called "taking out the trash." And that’s what Microsoft appears to have done last Friday.

A post that went live while almost no-one was looking reveals that early June outages of its 365 services and Azure Cloud portal were caused by a distributed denial of service (DDoS) attack.

At the time of the outages, the software behemoth wrote on Twitter that its boffins were "reviewing our networking systems and recent updates in an effort to identify the underlying root cause of the issue." Redmond later reported it had detected an "anomaly with increased request rates" that damaged Azure services.

Responsibility for the outages – which saw multiple Microsoft 365 services become unstable on June 6 – was claimed by a group called Anonymous Sudan.

The Associated Press reported that in response to its inquiries about the cause of the outage, Microsoft admitted that Anonymous Sudan and DDoS orchestrated by the group were the cause of the outages.

The post that the AP claims is Microsoft's admission of succumbing to Anonymous Sudan doesn't mention the source of the DDoS – but does state: "Beginning in early June 2023, Microsoft identified surges in traffic against some services that temporarily impacted availability. Microsoft promptly opened an investigation and subsequently began tracking ongoing DDoS activity by the threat actor that Microsoft tracks as Storm-1359."

"This recent DDoS activity targeted layer 7 rather than layer 3 or 4. Microsoft hardened layer 7 protections including tuning Azure Web Application Firewall (WAF) to better protect customers from the impact of similar DDoS attacks," the post states.

That "tuning" could be the "reviewing our networking systems and recent updates" referred to in the June 6 tweet.

• Microsoft keeps quiet amid talk of possible DDoS attack against Azure
• Microsoft’s Azure mishap betrays an industry blind to a big problem
• Microsoft breaks geolocation, locking users out of Azure and M365
• Microsoft admits Azure Resource Manager failed after code change

Microsoft hasn't linked "Storm-1359" to Anonymous Sudan, but says the gang "has access to a collection of botnets and tools that could enable the threat actor to launch DDoS attacks from multiple cloud services and open proxy infrastructures. It has suggested the group "appears to be focused on disruption and publicity."

Successfully attacking Microsoft 365 achieved both of those objectives handily.

By posting the blog entry about its recent outages on the Friday before a long weekend – and not linking Storm-1359 to an attacker – Microsoft appears to have tried to minimize the publicity around this attack.

Whoever did the DDoS deed, one fact is clear: Microsoft’s signature cloud services were disrupted and degraded by a determined attacker. That's a nasty outcome for a tech giant that claims stellar security prowess, and advocates for its customers to go cloud-first because it excels at the arts of cloudy resilience.

Microsoft users can at least take heart that the Windows giant has found "no evidence that customer data has been accessed or compromised."

This time. ®