Microsoft confirms DDoS attack disrupted cloud services

Microsoft was hit by a DDoS attack on Tuesday that disrupted an array of cloud services for Azure and Microsoft 365.

In an Azure status history update on Tuesday, Microsoft confirmed that outages some customers experienced were the result of a DDoS attack that flooded Azure Front Door (AFD) and Azure Content Delivery Network (CDN) components. Microsoft said an investigation is ongoing, and customers should expect a preliminary post-incident review within 72 hours.

The list of affected services included Azure App services, application insights, Azure IoT Central, Azure Log Search Alerts, Azure Policy, the Azure portal and a subset of Microsoft 365 services. Tuesday's attack occurred one year after Microsoft was hit by a Layer 7 layer attack that also caused Azure outages.

"While the initial trigger event was a Distributed Denial-of-Service (DDoS) attack, which activated our DDoS protection mechanisms, initial investigations suggest that an error in the implementation of our defenses amplified the impact of the attack rather than mitigating it," Microsoft wrote in the Azure status history update.

Though it's unclear how many users suffered disruptions, the DDoS attack affected customers globally. Microsoft said it responded by implementing networking configuration changes that mitigated a "majority of the impact." However, the tech giant had to update its mitigation strategy for continued outages.

"Some downstream services took longer to recover, depending on how they were configured to use AFD and/or CDN," the update read.

Microsoft confirmed it fully mitigated the issues Tuesday night. The company plans to publish a final post incident review within 14 days.

Last year, vendors and infosec experts warned of a rise in massive, highly disruptive DDoS attacks that required new mitigation strategies. Another part of the danger is that both cybercriminals and nation state actors can conduct damaging DDoS attacks.

Microsoft did not respond to requests for comment at press time.

Steve Winterfeld, advisory CISO at Akamai, told TechTarget Editorial that DDoS attacks grow in scale and speed every year due to attackers' easy access to a range of botnets and tools as a service. He referred to Akamai's latest "State of the Internet" report, published Tuesday, which examined application and API attacks during the past 18 months. The report showed that high-tech companies were among the top three targeted verticals by Layer 7 DDoS attacks.

"Additionally, as motivations shift from criminal to political, larger companies -- like major banks -- with strong brand recognition are most likely to be targeted, as attackers aim to create the appearance of widespread disruption and impact trust in these industries," Winterfeld said. "However, they are also the most likely enterprises to have strong mitigations in place, so they often suffer lower impacts from even record-setting attacks. It is crucial for organizations of all sizes to validate that their systems -- web-facing, infrastructure or DNS -- are protected from the latest attack techniques and volume."

Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.