Microsoft confirms that June Outlook outages were the result of a DDoS attack
In early June, Outlook users began complaining en masse that the service was unreachable during peak hours. According to an article in The Associated Press, the outages were the result of a DDoS attack. Microsoft has since confirmed the attack in a blog post, which also gives some details of it and recommendations for protecting against this kind of attack.
Here's What We Know
The blog post does not say whether Microsoft brought the situation under control or whether the attack simply stopped on its own. However, the official Microsoft 365 Status account on Twitter reported the outage on 5 June and then reported it recurring later that day. The situation appears to have been finally resolved the following morning.
An AP article mentions that a spokesperson (apparently from Microsoft) confirmed that the attack was carried out by a group called Anonymous Sudan, which has been active since at least January. According to the article, the group claimed that their attack lasted for about an hour and a half before being stopped.
We continue to observe stable service health since we've applied our various preemptive mitigations and we will closely monitor the service should there be a recurrence.
- Microsoft 365 Status (@MSFT365Status) 7 June 2023
According to former National Security Agency hacker Jake Williams, quoted by AP: "there's no way to assess the impact unless Microsoft provides that information." He added that he was not aware of Outlook having been affected this way before.
In 2021, Microsoft mitigated one of the largest DDoS attacks ever recorded: it lasted over 10 minutes and peaked at 2.4 terabits per second (Tbps). In 2022, Microsoft reported a still larger one that peaked at 3.47 Tbps. It is not known how large the traffic peaks were during the attack in June.
According to Microsoft, the DDoS targeted OSI layer seven, the application layer (not the network layer, which is layer three): the layer at which applications such as an email client exchange requests and data with the service. Because a layer 7 flood consists of what look like ordinary HTTP requests, it is measured in requests per second rather than in bandwidth, and it can exhaust a service's application resources at traffic volumes far below the Tbps figures above, which is one reason the two kinds of attack are not directly comparable. Microsoft attributes the attack to a group it tracks as Storm-1359, which it says used botnets and tooling to launch the attack from "multiple cloud services and open proxy infrastructures", with disruption and publicity as the main goal; its post accordingly recommends layer 7 protection, such as a web application firewall in front of the service.
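As an added illustration of what an attack launched from "multiple cloud services and open proxy infrastructures" looks like in a server's own logs (example code written for this page, not Microsoft's or The Verge's), the following Python script parses constructed access-log lines and contrasts a classic per-source rate limit with an aggregate per-endpoint view. The log lines, the `/owa/auth/logon` path, the address ranges and all thresholds are assumptions chosen for illustration. It goes slightly beyond the article by showing why per-IP limits alone miss a flood that is spread thinly across hundreds of sources, while a per-endpoint rate combined with a distinct-source count catches it.

```python
"""Spotting a distributed layer-7 HTTP flood in web-server access logs.

Added example, not code from Microsoft or The Verge. The log lines below are
constructed, and the path /owa/auth/logon, the address ranges and all
thresholds are assumptions chosen for illustration.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Apache/Nginx "combined" log format; only the fields the detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return {ip, t (epoch seconds), path, status}, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "t": int(ts.timestamp()),
            "path": m["path"], "status": int(m["status"])}


def build_sample_log():
    """Constructed sample covering 10 seconds of traffic.

    Five legitimate users each make one request per second to /mail/inbox.
    300 distinct sources (two documentation /24s standing in for rented cloud
    hosts and open proxies) each make only two requests, all to one login path.
    """
    stamp = "[05/Jun/2023:14:00:{:02d} +0000]"
    lines = []
    for sec in range(10):
        for u in range(5):
            lines.append(f'198.51.100.{u + 1} - - {stamp.format(sec)} '
                         f'"GET /mail/inbox HTTP/1.1" 200 512')
    flood_ips = ([str(h) for h in ipaddress.ip_network("203.0.113.0/24").hosts()][:200]
                 + [str(h) for h in ipaddress.ip_network("192.0.2.0/24").hosts()][:100])
    for i, ip in enumerate(flood_ips):
        for sec in (i % 10, (i + 5) % 10):
            lines.append(f'{ip} - - {stamp.format(sec)} '
                         f'"POST /owa/auth/logon HTTP/1.1" 401 0')
    return lines


def peak_window_count(timestamps, window_s):
    """Largest number of events falling inside any window_s-second sliding window."""
    ts = sorted(timestamps)
    best = lo = 0
    for hi, t in enumerate(ts):
        while ts[lo] <= t - window_s:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def flag_by_ip(entries, window_s=10, max_requests=20):
    """Classic per-source rate limit: sources exceeding max_requests in any window."""
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e["t"])
    return sorted(ip for ip, ts in by_ip.items()
                  if peak_window_count(ts, window_s) > max_requests)


def flag_by_path(entries, window_s=10, rps_threshold=20.0, min_sources=50):
    """Aggregate view: endpoints whose total request rate spikes while the requests
    come from many distinct sources, the signature of a flood spread across
    many cloud hosts and open proxies rather than a few noisy clients."""
    by_path, sources = defaultdict(list), defaultdict(set)
    for e in entries:
        by_path[e["path"]].append(e["t"])
        sources[e["path"]].add(e["ip"])
    flagged = {}
    for path, ts in by_path.items():
        rps = peak_window_count(ts, window_s) / window_s
        if rps > rps_threshold and len(sources[path]) >= min_sources:
            flagged[path] = {"peak_rps": rps, "distinct_sources": len(sources[path])}
    return flagged


if __name__ == "__main__":
    entries = [e for e in map(parse_line, build_sample_log()) if e]
    print("per-IP limit flags:", flag_by_ip(entries))   # [] : every source stays under the limit
    print("per-path flags:", flag_by_path(entries))     # /owa/auth/logon: 60 rps from 300 sources
```

Run stand-alone, the per-IP check flags nothing, because no single source ever exceeds two requests, while the per-path check reports the login endpoint at 60 requests per second from 300 distinct sources; the legitimate `/mail/inbox` traffic stays below both thresholds. The `distinct_sources` floor is what separates a genuine traffic surge from one busy client, and the same aggregation can be keyed by autonomous system or proxy range once the source addresses are enriched.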
Source: The Verge