Microsoft Azure Outage Caused by DDoS Attack
The attack occurred less than two weeks after the global IT outage caused by a CrowdStrike update.
A distributed denial-of-service (DDoS) attack was behind Tuesday’s Microsoft Azure cloud services outage.
That’s according to an alert from Microsoft. Impacted Microsoft Azure services included Azure App Services, Application Insights, Azure IoT Central, Azure Log Search Alerts, Azure Policy, as well as the Azure portal itself, and a subset of Microsoft 365 and Microsoft Purview services.
The DDoS attack and outage occurred less than two weeks after the global IT outage that impacted 8.5 million Windows devices due to a CrowdStrike update.
In a DDoS attack, a threat actor floods a server with internet traffic to prevent users from accessing connected online services and sites.
“An unexpected usage spike resulted in Azure Front Door (AFD) and Azure Content Delivery Network (CDN) components performing below acceptable thresholds, leading to intermittent errors, timeout and latency spikes,” Microsoft said. “While the initial trigger event was a DDoS attack, which activated our DDoS protection mechanisms, initial investigations suggest that an error in the implementation of our defenses amplified the impact of the attack rather than mitigating it.”
Status of Microsoft Azure DDoS Attack
The Microsoft Azure outage lasted about eight hours, and failure rates returned to pre-incident levels by midafternoon Eastern time, according to Microsoft.
“Our team will be completing an internal retrospective to understand the incident in more detail,” it said. “We will publish a preliminary post incident review (PIR) within approximately 72 hours, to share more details on what happened and how we responded.”
David Higgins, senior director of CyberArk’s field technology office, said this isn’t the first time a DDoS attack has hit Microsoft services.
“In June of last year, the company confirmed that a hacktivist group had caused an outage,” he said. “So, it could be a hacktivist group again, perhaps seeking to show how reliant organizations worldwide are on their IT services from Microsoft and in general. Following the recent global outage from the CrowdStrike update, service disruption is clearly on the world radar. But DDoS attacks have also been employed by cybercriminals and nation-state attackers. Their motives would be very different, but at this stage, there is not enough information available to state what type of actor this could have been.”
For an attacker targeting an organization as large and as heavily used as Microsoft with a DDoS attack, there could have been only one expected outcome, Higgins said.
“However, Microsoft has admitted that a misconfiguration in their security settings amplified the impact of this attack, so it’s possible the attackers themselves were also a little surprised at how wide this disruption went,” he said.