Advanced Microsoft 365-targeted brute-force attacks enabled by FastHTTP

BleepingComputer reports that Microsoft 365 accounts worldwide have been subjected to accelerated brute-force password attacks that abuse the FastHTTP server and client library, nearly 10% of which were successful. The HTTP requests created using FastHTTP have all been used for brute-force and multi-factor authentication fatigue attacks against Azure Active Directory endpoints, with Brazil accounting for most of the malicious traffic, followed by Turkey, Argentina, Uzbekistan, and Pakistan, according to an analysis from incident response firm SpearTip. While most attacks were unsuccessful, particularly due to authentication failures, locked accounts, and access policy violations, threat actors abusing FastHTTP were successful 9.7% of the time.

Such an elevated risk of Microsoft 365 account hijacking through FastHTTP abuse should prompt admins to immediately assess potential compromise. Aside from using a PowerShell script, admins could also manually verify the user agent through Microsoft Entra ID within the Azure portal, said SpearTip, which also recommended immediately expiring user sessions and resetting account credentials upon the discovery of any malicious activity.
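An added example (not SpearTip's script and not part of the original report) of the user-agent check described above, run over an exported Entra ID sign-in log. It assumes the tool leaves the FastHTTP library's default `fasthttp` User-Agent in place and that the export uses Microsoft Graph `signIn` field names; the sample records and the `classify`, `triage` and `needs_response` helpers are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample records (not real data), using the field names of a
# Microsoft Graph signIn object as exported from Entra ID sign-in logs.
SAMPLE_EXPORT = json.dumps([
    {"userPrincipalName": "alice@example.com", "userAgent": "fasthttp",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 50126}},
    {"userPrincipalName": "alice@example.com", "userAgent": "fasthttp",
     "ipAddress": "203.0.113.11", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "userAgent": "FastHTTP",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 50053}},
    {"userPrincipalName": "carol@example.com", "userAgent": "fasthttp",
     "ipAddress": "198.51.100.8", "status": {"errorCode": 500121}},
    {"userPrincipalName": "dave@example.com", "userAgent": "fasthttp",
     "ipAddress": "198.51.100.9", "status": {"errorCode": 53003}},
    {"userPrincipalName": "erin@example.com", "userAgent": "Mozilla/5.0",
     "ipAddress": "192.0.2.44", "status": {"errorCode": 0}},
    {"userPrincipalName": "frank@example.com", "userAgent": None,
     "ipAddress": "192.0.2.45", "status": {"errorCode": 50126}},
])

# AADSTS codes returned when MFA is required or fails: the password was accepted first.
PASSWORD_OK_MFA_PENDING = {50074, 50076, 500121}
OUTCOMES = {0: "success", 50126: "bad_password", 50053: "locked", 53003: "conditional_access"}

def classify(code):
    if code in PASSWORD_OK_MFA_PENDING:
        return "mfa_interrupted"
    return OUTCOMES.get(code, "other_failure")

def triage(export_json, needle="fasthttp"):
    """Group sign-ins whose user agent contains `needle` by account and outcome."""
    report = defaultdict(lambda: defaultdict(int))
    for rec in json.loads(export_json):
        agent = (rec.get("userAgent") or "").lower()  # user agent may be null
        if needle in agent:
            code = (rec.get("status") or {}).get("errorCode", -1)
            report[rec.get("userPrincipalName", "unknown")][classify(code)] += 1
    return {user: dict(counts) for user, counts in report.items()}

def needs_response(report):
    """Accounts whose password was accepted: expire sessions and reset credentials first."""
    urgent = {"success", "mfa_interrupted"}
    return sorted(u for u, c in report.items() if urgent & c.keys())

if __name__ == "__main__":
    print(needs_response(triage(SAMPLE_EXPORT)))
```

An `mfa_interrupted` result matters as much as a success here: it means the password is already known to the attacker and only the MFA prompt stood in the way.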
