Introduction:
In recent incidents, attackers have been targeting Microsoft 365 accounts with a fast-paced, highly automated method. Starting on January 6, 2025, cybercriminals began using “FastHTTP”, a high-performance HTTP client library, to carry out large-scale automated password-guessing attacks. Because the library can issue login attempts at very high speed, it poses a serious threat to organizations that rely on Microsoft 365 for email and collaboration. Let us break this down in simple terms.
The Attack:
- Attackers used the “FastHTTP” software library to automate a huge number of login attempts against Microsoft 365 accounts. Because it works at high speed with minimal delay between requests, it is well suited to this kind of attack.
- The attacks were traced to source addresses in regions such as Brazil, Turkey, and Argentina.
- Credential Stuffing: Attackers reuse usernames and passwords leaked in previous data breaches to try logging into Microsoft 365 accounts.
- Password Spraying: Instead of trying many passwords against one account (which would trigger a lockout), attackers try a small set of common passwords across many accounts.
- These attacks target the Azure Active Directory API (now Microsoft Entra ID), the identity system that handles logins to Microsoft 365.
- Even accounts protected by Multi-Factor Authentication (MFA), a second layer of security where users approve logins via their phone or email, are not completely safe.
- Attackers exploit a technique called MFA fatigue: they send repeated login requests, flooding the user with approval notifications. A user who mistakenly approves one of them hands the attacker access.
- 10% Success Rate: About 1 in 10 attempts successfully takes over the targeted account.
- 21% Lockouts: Some attacks trigger account lockouts due to too many failed login attempts.
- 41.5% Failure Rate: These attempts fail outright.
- Once attackers gain access, they can:
  - Steal sensitive data (data exfiltration).
  - Use the account to send fraudulent emails as part of business email compromise (BEC) schemes.
  - Move deeper into the organization’s network to reach more systems and data (lateral movement).
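The three patterns described above (password spraying, the resulting lockouts, and MFA fatigue) each leave a distinct footprint in the Entra ID sign-in log. The following Python script is an added example for this article, not code from the original post or from Microsoft; it runs over a handful of constructed sign-in records whose field names mirror the Entra ID sign-in log schema (userPrincipalName, ipAddress, createdDateTime, status.errorCode) and uses three documented Entra error codes: 50126 (invalid username or password), 50053 (account locked), and 500121 (strong authentication request failed or denied). The detection thresholds and windows are assumptions to be tuned per tenant.

```python
"""Flag password-spray, lockout and MFA-fatigue patterns in Entra ID sign-in
records. Added example for this article; records and thresholds are
constructed/assumed, error codes are documented Entra ID codes."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds: tune to the tenant's normal traffic.
SPRAY_MIN_USERS = 5                      # distinct accounts hit from one IP
SPRAY_WINDOW = timedelta(minutes=5)
MFA_FATIGUE_MIN_PROMPTS = 5              # failed/denied MFA pushes per user
MFA_FATIGUE_WINDOW = timedelta(minutes=10)

ERR_BAD_PASSWORD = 50126                 # invalid username or password
ERR_LOCKED_OUT = 50053                   # account locked
ERR_MFA_FAILED = 500121                  # strong authentication failed/denied


def _ts(rec):
    """Parse the ISO-8601 createdDateTime field (Z suffix) to a datetime."""
    return datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))


def _max_in_window(events, window, key):
    """Slide a time window over sorted (time, value) pairs and return the
    largest count of `key(values)` seen inside any single window."""
    events.sort()
    best, start = 0, 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1
        best = max(best, key(v for _, v in events[start:end + 1]))
    return best


def detect_password_spray(records):
    """One source IP, few failures per account, many distinct accounts:
    the spray signature that stays under per-account lockout limits."""
    by_ip = defaultdict(list)
    for r in records:
        if r["status"]["errorCode"] == ERR_BAD_PASSWORD:
            by_ip[r["ipAddress"]].append((_ts(r), r["userPrincipalName"]))
    alerts = {}
    for ip, events in by_ip.items():
        n = _max_in_window(events, SPRAY_WINDOW, lambda vs: len(set(vs)))
        if n >= SPRAY_MIN_USERS:
            alerts[ip] = n
    return alerts


def detect_mfa_fatigue(records):
    """Many failed or denied MFA challenges against one account in a short
    window: the push-bombing pattern that precedes an accidental approval."""
    by_user = defaultdict(list)
    for r in records:
        if r["status"]["errorCode"] == ERR_MFA_FAILED:
            by_user[r["userPrincipalName"]].append((_ts(r), 1))
    alerts = {}
    for user, events in by_user.items():
        n = _max_in_window(events, MFA_FATIGUE_WINDOW, lambda vs: sum(vs))
        if n >= MFA_FATIGUE_MIN_PROMPTS:
            alerts[user] = n
    return alerts


def count_lockouts(records):
    """Lockout events per account; a burst across many accounts is the
    collateral damage of a spray that tripped the lockout threshold."""
    counts = defaultdict(int)
    for r in records:
        if r["status"]["errorCode"] == ERR_LOCKED_OUT:
            counts[r["userPrincipalName"]] += 1
    return dict(counts)


def _rec(ts, user, ip, code):
    return {"createdDateTime": ts, "userPrincipalName": user,
            "ipAddress": ip, "status": {"errorCode": code}}


_T = "2025-01-06T10:%02d:%02dZ"
# Constructed sample log (documentation IP ranges, example.com accounts).
SAMPLE_RECORDS = (
    # spray: one IP, six accounts, one bad password each, inside one minute
    [_rec(_T % (0, 10 * i), f"user{i}@example.com", "203.0.113.10",
          ERR_BAD_PASSWORD) for i in range(6)]
    # two lockouts on one of the sprayed accounts
    + [_rec(_T % (1, 30), "user3@example.com", "203.0.113.10", ERR_LOCKED_OUT),
       _rec(_T % (2, 0), "user3@example.com", "203.0.113.10", ERR_LOCKED_OUT)]
    # benign: a single typo from an office address, should not alert
    + [_rec(_T % (3, 0), "user9@example.com", "198.51.100.7", ERR_BAD_PASSWORD)]
    # MFA fatigue: six failed pushes against one account in under 3 minutes
    + [_rec(_T % (5 + i // 2, 30 * (i % 2)), "user0@example.com",
            "203.0.113.10", ERR_MFA_FAILED) for i in range(6)]
)

if __name__ == "__main__":
    print("spray sources :", detect_password_spray(SAMPLE_RECORDS))
    print("lockouts      :", count_lockouts(SAMPLE_RECORDS))
    print("mfa fatigue   :", detect_mfa_fatigue(SAMPLE_RECORDS))
```

In production the same three functions would be fed the JSON exported from the Entra ID sign-in logs (or the equivalent Sentinel table) rather than the constructed list, and the spray alert is the one to act on first: a single source hitting many accounts with a handful of failures each is low-volume per account and will not show up in per-user lockout reports on its own.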
It is critical for organizations to strengthen their defenses, educate users about MFA fatigue, and adopt measures such as conditional access policies to protect against these threats.
Information security specialist, currently working as a risk infrastructure specialist and investigator.
15 years of experience in risk and control processes, security audit support, business continuity design and support, workgroup management, and information security standards.