Microsoft said a DDoS attack was the initial cause of the disruption, but its own defences amplified the attack instead of mitigating it.
Microsoft is at the centre of another IT disruption this week, as thousands of customers worldwide were unable to connect to some of its services.
The disruption lasted for several hours yesterday (30 July) and primarily affected Microsoft Azure services, along with a “subset” of Microsoft 365 and Microsoft Purview, according to the company.
The outage comes just weeks after Microsoft systems around the world crashed, after Crowdstrike released a software update that caused a ‘blue screen of death’ for various systems. But it appears this latest problem was the result of malicious activity instead of a faulty update.
What caused the outage?
Microsoft said the disruption began when an “unexpected usage spike” resulted in Azure components performing below acceptable thresholds, which led to a series of errors, timeouts and latency spikes. The company attributed this initial activity to a distributed Denial-of-Service (DDoS) attack.
A DDoS attack is an attempt to make an online service unavailable by overwhelming it with high volumes of data from multiple sources. There are a few ways to do this, but a common method employed by attackers is to use multiple compromised computer systems to direct the attack traffic.
Multiple reports from last year suggest the scale, intensity and tactics behind DDoS attacks are growing rapidly. France suffered a wave of DDoS attacks earlier this year, with the presumed goal of disrupting multiple government websites.
It is unclear who was behind the DDoS attack, but this was only one half of the issue based on an initial investigation. Microsoft said that its DDoS protection mechanisms were activated but then “an error in the implementation of our defences amplified the impact of the attack rather than mitigating it”.
Microsoft has been connected to various high-profile cyberattacks in recent years and has been criticised for its security practices. A recent report claimed the massive breach of US government emails last year was preventable and that a “cascade” of avoidable errors on Microsoft’s part allowed the intrusion to succeed.
Response from experts
Multiple cybersecurity experts have weighed in on the disruption and Microsoft’s investigation. David Higgins, a senior director of CyberArk’s field technology office, said many organisations are reliant on Microsoft’s cloud services.
“By targeting an organisation as large and as heavily used as Microsoft with a DDoS attack, widespread disruption could have been the only expected outcome,” Higgins said. “However, Microsoft have admitted that a misconfiguration in their security settings actually amplified the impact of this attack, so perhaps the attackers themselves were also a little surprised at how wide this disruption went.
“This doesn’t necessarily show that there are serious security flaws in Microsoft’s software. It does highlight some key points though – it’s a strong reminder that implementing security isn’t enough and organisations should take proactive steps to constantly test their own defences.”
While the disruption did not last as long as the notorious Crowdstrike outage, Stephen Robinson, a senior threat intelligence analyst at WithSecure, noted that many online services rely on Microsoft.
“One of the affected Microsoft services, Entra, is used to allow people to log on to services and websites and without it, users are not able to log on,” Robinson said. “As such, while this outage only lasted for a short time and affected a subset of services, the impact was still noticeable to many people.”
Time for a new cloud strategy?
The latest outage – and the massive Crowdstrike outage – have prompted some IT experts to note the issues of relying on a small number of vendors. For example, estimates suggest Microsoft and Crowdstrike took roughly 55pc of the world’s security software sales last year.
Matthew Hodgson, the CEO and co-founder of encrypted messaging platform Element, said the latest Microsoft outage “underscores the critical vulnerabilities inherent in centralised cloud infrastructures”.
“This incident, following closely on the heels of the CrowdStrike-related disruption, highlights the risks associated with overreliance on single points of failure,” Hodgson said. “Decentralised architectures, by distributing data and operations across multiple independent nodes run by different vendors, offer a more resilient and secure alternative.
“Such systems can significantly mitigate the impact of large-scale outages and cyberattacks, safeguarding critical services and protecting businesses from substantial financial losses.”
Find out how emerging tech trends are transforming tomorrow with our new podcast, Future Human: The Series. Listen now on Spotify, on Apple or wherever you get your podcasts.