Security researchers at SpearTip have uncovered a sophisticated large-scale brute force attack campaign targeting Microsoft 365 users, achieving an unprecedented 9.7% success rate in account compromises. The attack leverages the high-performance FastHTTP library written in Go to launch rapid-fire attacks against Azure Active Directory Graph API, representing a significant evolution in threat actors’ capabilities.
Technical Analysis of the Attack Vector
The attackers use FastHTTP, a high-performance HTTP client library for Go, to fire off large numbers of concurrent connection attempts with minimal latency. That throughput lets them outpace traditional rate limiting and detection mechanisms while targeting Azure Active Directory endpoints and multi-factor authentication systems at scale.
Attack Distribution and Success Metrics
The investigation reveals that 65% of malicious traffic originates from Brazil, utilizing a distributed network of providers and IP addresses. Secondary attack vectors have been identified from Turkey, Argentina, Uzbekistan, Pakistan, and Iraq. The campaign’s effectiveness is particularly concerning, with detailed metrics showing:
- 41.5% – Failed login attempts
- 21% – Account lockouts by security systems
- 17.7% – Access policy violations
- 10% – MFA challenges
- 9.7% – Successful account compromises
Detection and Mitigation Strategies
Security administrators should implement immediate detection measures by monitoring authentication logs for FastHTTP user agent signatures. SpearTip has released a specialized PowerShell script to automate this detection process. Upon identifying potential compromise indicators, organizations should:
- Terminate all active user sessions immediately
- Force credential resets across affected accounts
- Conduct comprehensive MFA device audits
- Remove unauthorized devices from trusted device lists
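The following script is an added example, not SpearTip's PowerShell script or any Microsoft tooling. It shows how the detection step (look for the fasthttp user-agent signature in sign-in logs) and the triage step (identify which accounts need session revocation, credential resets and an MFA device audit) can be scripted over an exported sign-in log. The sample export is constructed, the field layout assumes the Microsoft Graph signIn resource shape, and the mapping from Entra ID error codes to the report's outcome buckets is an assumption to verify against your own exports.

```python
"""Triage Microsoft 365 sign-in logs for the fasthttp user-agent signature.

Added example; not SpearTip's script. Reads an exported JSON array of
sign-in records, keeps those whose user agent carries the fasthttp
signature, buckets them into the outcome categories the report uses, and
lists accounts that need session revocation and credential resets.
"""
import json
from collections import Counter

# Constructed sample export (not real tenant data). Field names follow the
# Microsoft Graph signIn resource; treat that layout as an assumption and
# adjust to whatever your export tool produces.
SAMPLE_EXPORT = json.dumps([
    {"createdDateTime": "2025-01-10T02:14:07Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.10", "userAgent": "fasthttp",
     "location": {"countryOrRegion": "BR"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2025-01-10T02:14:08Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "203.0.113.10", "userAgent": "fasthttp",
     "location": {"countryOrRegion": "BR"}, "status": {"errorCode": 50126}},
    {"createdDateTime": "2025-01-10T02:14:09Z", "userPrincipalName": "carol@example.com",
     "ipAddress": "198.51.100.7", "userAgent": "FastHTTP/1.0",
     "location": {"countryOrRegion": "TR"}, "status": {"errorCode": 50053}},
    {"createdDateTime": "2025-01-10T02:14:10Z", "userPrincipalName": "dave@example.com",
     "ipAddress": "203.0.113.11", "userAgent": "fasthttp",
     "location": {"countryOrRegion": "BR"}, "status": {"errorCode": 50074}},
    {"createdDateTime": "2025-01-10T02:14:11Z", "userPrincipalName": "erin@example.com",
     "ipAddress": "192.0.2.44", "userAgent": "fasthttp",
     "location": {"countryOrRegion": "AR"}, "status": {"errorCode": 53003}},
    {"createdDateTime": "2025-01-10T08:30:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "192.0.2.200",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
])

# Entra ID sign-in error codes mapped to the outcome buckets in the report.
# This list is an assumption based on commonly documented AADSTS codes;
# confirm it against your own exports before relying on it.
OUTCOME_BY_CODE = {
    0: "success",
    50126: "failed_login",        # invalid username or password
    50053: "account_lockout",     # account locked after repeated failures
    53003: "policy_violation",    # blocked by Conditional Access
    50074: "mfa_challenge",       # strong authentication required
    50076: "mfa_challenge",       # MFA required for this sign-in
}


def is_fasthttp(user_agent):
    """True when the user agent carries the fasthttp signature (case-insensitive)."""
    return "fasthttp" in (user_agent or "").lower()


def classify(record):
    """Bucket one sign-in record by its status code; unknown codes become 'other'."""
    code = record.get("status", {}).get("errorCode")
    return OUTCOME_BY_CODE.get(code, "other")


def triage(export_json):
    """Return outcome counts, source countries and compromised accounts for fasthttp sign-ins."""
    records = json.loads(export_json)
    suspicious = [r for r in records if is_fasthttp(r.get("userAgent"))]
    outcomes = Counter(classify(r) for r in suspicious)
    countries = Counter(r.get("location", {}).get("countryOrRegion", "?") for r in suspicious)
    # Accounts with a *successful* fasthttp sign-in are the ones needing session
    # revocation, a credential reset and a review of registered MFA devices.
    compromised = sorted({r["userPrincipalName"] for r in suspicious if classify(r) == "success"})
    source_ips = sorted({r["ipAddress"] for r in suspicious})
    return {
        "total_fasthttp": len(suspicious),
        "outcomes": dict(outcomes),
        "countries": dict(countries),
        "compromised_accounts": compromised,
        "source_ips": source_ips,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_EXPORT)
    print(f"fasthttp sign-ins: {result['total_fasthttp']}")
    for bucket, n in sorted(result["outcomes"].items()):
        print(f"  {bucket:16s} {n}")
    print("source countries:", result["countries"])
    print("source IPs:", ", ".join(result["source_ips"]))
    for upn in result["compromised_accounts"]:
        print(f"ACTION: revoke sessions, reset credentials, audit MFA devices for {upn}")
```

Matching on the substring rather than the exact string catches both the library's bare default user agent and variants that append a version, and the "other" bucket keeps unexpected status codes visible instead of silently dropping them. Only successful sign-ins drive the response actions; failed, locked-out, policy-blocked and MFA-challenged attempts still matter as evidence of the campaign's source IPs and countries, which the output lists separately.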
The severity of this campaign calls for immediate action from organizations running Microsoft 365: enforce complex password policies, require multi-factor authentication, and keep continuous security monitoring in place. Conditional access policies and regular review of authentication patterns help detect and block unauthorized access attempts. The way these attacks keep evolving underlines the need for a proactive security stance in protecting cloud-based infrastructure.