Microsoft has confirmed that a recent global Microsoft 365 outage was caused by a targeted distributed denial-of-service (DDoS) cyber attack.
The outage, which lasted nearly 10 hours, saw users unable to access several crucial Microsoft services, including Microsoft 365 products such as Office, Outlook and Azure. It also impacted Xbox services, with servers on the video game Minecraft being unavailable for several hours.
Other websites were affected too, with UK banking giant NatWest apologising to customers whom it said had been unable to access some of its webpages, andOxford United Football Club posted to X to confirm the issue was preventing online members from accessing online ticketing and club shop services.
The incident started at approximately 11:45 am UTC and was resolved at 19:43pm, according to Microsoft’s Azure status history page.
The tech giant said the “initial trigger event” was a DDoS attack, which sees adversaries flood services with traffic to bring them to a standstill.
In an update posted to its Azure status website, it describes an “unexpected usage spike” which resulted in Azure Front Door and Azure Content Delivery Network components “performing below acceptable thresholds, leading to intermittent errors, timeout and latency spikes.”
The issue has since been resolved, Microsoft said. But it confirmed its initial investigations had found that an error in the rollout of its defences to prevent the attack had “amplified the impact of the attack rather than mitigating it.”
The outage was only solved when the firm made “network configuration changes ” to relieve and eventually help solve the issue.
Cyber Attack Caused by Misconfiguration
The cyber attack comes less than two weeks after a major IT outage knocked global infrastructure offline due to a flawed software update from cybersecurity firm CrowdStrike that affected Microsoft devices.
Like in that attack, it appears the attack was caused by the very software that was designed to defend against DDoS attacks. Most firms have protection in place to prevent DDoS from having an impact.
In Microsoft’s case, the initial DDoS attack had activated the firm’s DDoS protection mechanisms, but an error in the implementation of defences “amplified the impact of the attack rather than mitigating it,” Microsoft admits.
“It appears that the outage was caused by DDoS attack—despite the fact Microsoft had protections in place, says Sean Wright, head of application security at Featurespace.
“Similarly to the CrowdStrike issue a few weeks ago, it appears that an error occurred in the software that was used to protect against DDoS attacks,” Wright says.
Stephen Robinson, Senior Threat Intelligence Analyst at WithSecure, said: "Modern online services are built on stacked layers of dependencies, and in a significant proportion of service stacks you will find Microsoft services,”
Microsoft was the target of a Distributed Denial of Service (DDoS) attack, where attackers send requests from many different computers to a specific service to overload it and stop it from working for legitimate users.
One of the affected Microsoft services, Entra, is used to allow people to log on to services and websites, and without it, users are not able to log in.
“As such, while this outage only lasted for a short time and affected a subset of services, the impact was still noticeable to many people."
“Unsurprising”
The CrowdStrike incident had already created bad optics for Microsoft, so the timing of this DDoS outage is yet another to the tech giant.
Microsoft knows this and has communicated clearly throughout the outage, saying it will publish a Preliminary Post Incident Review within approximately 72 hours, to share more details on what happened and how it responded.
"It's not unsurprising to see that Microsoft has been subject to a denial-of-service attack, I imagine this is a frequent event for them,” said Adam Pilton, senior cybersecurity consultant at Cybersmart.”
“What is surprising is that it was successful. Microsoft has confirmed they do have DDoS protection in place which is what we would expect however the protection they did have in place was misconfigured which ended up amplifying the attack.
This has been fixed and Microsoft have said they will be publishing an incident review within 72 hours sharing greater detail on what has happened.
“The fact this misconfiguration happened and was in effect exploited is concerning and understanding how Microsoft allowed this to happen will be crucial in ensuring that businesses can maintain confidence in them,” Pilton added.