Global brute-force attacks target Microsoft 365 accounts using FastHTTP Go library

A coordinated cyberattack targeting Microsoft 365 accounts worldwide has been detected, utilizing the FastHTTP Go library to launch high-speed brute-force password attacks. The campaign, which was discovered on January 13, 2025, is primarily aimed at the Azure Active Directory Graph API, according to incident response firm SpearTip.

The SpearTip Security Operations Center (SOC) reports that the attackers are using the FastHTTP framework, a high-performance HTTP server and client library in the Go programming language, to efficiently execute their brute-force attacks. FastHTTP is known for its ability to handle large volumes of HTTP requests with improved throughput and lower latency, making it an ideal tool for scaling attack efforts under high load.

Researchers from SpearTip have found that the brute-force attempts have resulted in account takeovers approximately 10% of the time. The attackers are using a combination of brute-force login attempts and attempts to bypass multi-factor authentication (MFA).

Analysis of the attack traffic showed that 65% of the malicious requests are originating from Brazil, with attackers using a wide array of Autonomous System Numbers (ASNs) and IP addresses to obscure their activities. Other countries contributing to the attack traffic include Turkey, Argentina, Uzbekistan, Pakistan, and Iraq, each accounting for roughly 2–3% of the total observed traffic.

The widespread distribution of attack traffic suggests that the threat actors are likely using a botnet or leveraging compromised systems in multiple regions to carry out the attacks.
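The following triage example is added here and is not code from SpearTip or the original article. It scans exported sign-in records for the FastHTTP client and ranks the affected accounts by outcome, so that successful sign-ins and guessed passwords are handled first. The record field names and sample data are constructed, and it assumes the client kept the library's default `fasthttp` User-Agent string.

```python
import json
from collections import defaultdict

# Constructed sample records. Field names are assumed (modelled on a sign-in
# log export); IP addresses come from documentation ranges.
SAMPLE_LOG = """
{"userPrincipalName":"alice@example.com","userAgent":"fasthttp","ipAddress":"203.0.113.10","country":"BR","errorCode":50126}
{"userPrincipalName":"alice@example.com","userAgent":"fasthttp","ipAddress":"198.51.100.7","country":"TR","errorCode":50126}
{"userPrincipalName":"alice@example.com","userAgent":"fasthttp","ipAddress":"203.0.113.44","country":"BR","errorCode":0}
{"userPrincipalName":"bob@example.com","userAgent":"fasthttp","ipAddress":"192.0.2.5","country":"AR","errorCode":50053}
{"userPrincipalName":"bob@example.com","userAgent":"Mozilla/5.0 (Windows NT 10.0)","ipAddress":"192.0.2.200","country":"US","errorCode":0}
{"userPrincipalName":"dave@example.com","userAgent":"fasthttp","ipAddress":"203.0.113.90","country":"BR","errorCode":50076}
{"userPrincipalName":"carol@example.com","userAgent":"Mozilla/5.0 (Macintosh)","ipAddress":"192.0.2.201","country":"US","errorCode":50126}
"""

MARKER = "fasthttp"             # assumption: client kept the library's default User-Agent
MFA_CHALLENGE = {50074, 50076}  # Entra error codes: password accepted, MFA still required

def triage(log_text, marker=MARKER):
    """Summarise, per account, the sign-ins whose User-Agent contains the marker."""
    accounts = defaultdict(lambda: {"failed": 0, "mfa_challenged": 0,
                                    "succeeded": 0, "ips": set(), "countries": set()})
    for line in filter(None, map(str.strip, log_text.splitlines())):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the triage
        if marker not in str(rec.get("userAgent", "")).lower():
            continue
        acct = accounts[str(rec.get("userPrincipalName", "")).lower()]
        code = rec.get("errorCode")  # 0 means the sign-in succeeded
        outcome = ("succeeded" if code == 0
                   else "mfa_challenged" if code in MFA_CHALLENGE else "failed")
        acct[outcome] += 1
        acct["ips"].add(rec.get("ipAddress"))
        acct["countries"].add(rec.get("country"))
    return dict(accounts)

def priority(summary):
    """Successful sign-ins first, then accounts whose password was accepted, then the rest."""
    def rank(item):
        s = item[1]
        return (0 if s["succeeded"] else 1 if s["mfa_challenged"] else 2, item[0])
    return [upn for upn, _ in sorted(summary.items(), key=rank)]

if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    for upn in priority(summary):
        print(upn, summary[upn])
```

An account in the `mfa_challenged` group still needs a password reset: the challenge shows the guessed password was correct even though the sign-in did not complete.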

