Global brute-force attacks target Microsoft 365 accounts using FastHTTP Go library

A coordinated cyberattack targeting Microsoft 365 accounts worldwide has been detected, utilizing the FastHTTP Go library to launch high-speed brute-force password attacks. The campaign, which was discovered on January 13, 2025, is primarily aimed at the Azure Active Directory Graph API, according to incident response firm SpearTip.

The SpearTip Security Operations Center (SOC) reports that the attackers are using FastHTTP, a high-performance HTTP server and client library for the Go programming language, to run their brute-force attacks efficiently. FastHTTP is known for handling large volumes of HTTP requests with improved throughput and lower latency, which lets the attackers scale their attempts under high load.

Researchers from SpearTip have found that the brute-force attempts have resulted in account takeovers approximately 10% of the time. The attackers are using a combination of brute-force login attempts and attempts to bypass multi-factor authentication (MFA).

Analysis of the attack traffic showed that 65% of the malicious requests originate from Brazil, with the attackers using a wide array of Autonomous System Numbers (ASNs) and IP addresses to obscure their activity. Other countries contributing to the attack traffic include Turkey, Argentina, Uzbekistan, Pakistan, and Iraq, each accounting for roughly 2–3% of the total observed traffic.

The widespread distribution of attack traffic suggests that the threat actors are likely using a botnet or leveraging compromised systems in multiple regions to carry out the attacks.
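For defenders reviewing their own tenant, the following added example (not from SpearTip or the original article) shows one way to triage exported sign-in records for this activity. It assumes the attacking client leaves the library's default `fasthttp` User-Agent in place; the record field names and `result` values are hypothetical, and the sample records are constructed.

```python
from collections import Counter, defaultdict

# Constructed sample records, not real telemetry. Field names and "result"
# values are a hypothetical flattening of a tenant's sign-in log export.
SAMPLE_SIGNINS = [
    {"time": "2025-01-13T08:00:01Z", "user": "alice@example.com",
     "user_agent": "fasthttp", "country": "BR", "result": "bad_password"},
    {"time": "2025-01-13T08:00:02Z", "user": "alice@example.com",
     "user_agent": "fasthttp", "country": "TR", "result": "bad_password"},
    {"time": "2025-01-13T08:00:03Z", "user": "alice@example.com",
     "user_agent": "fasthttp", "country": "BR", "result": "success"},
    {"time": "2025-01-13T08:00:04Z", "user": "bob@example.com",
     "user_agent": "fasthttp", "country": "BR", "result": "mfa_required"},
    {"time": "2025-01-13T08:00:05Z", "user": "carol@example.com",
     "user_agent": "FastHTTP", "country": "AR", "result": "bad_password"},
    {"time": "2025-01-13T08:00:06Z", "user": "dave@example.com",
     "user_agent": "Mozilla/5.0", "country": "US", "result": "success"},
]


def triage(signins, ua_marker="fasthttp"):
    """Group sign-ins whose User-Agent contains ua_marker by outcome."""
    results = defaultdict(Counter)   # user -> Counter of result values
    countries = Counter()            # source country -> request count
    for rec in signins:
        if ua_marker not in rec.get("user_agent", "").lower():
            continue  # ordinary client, out of scope for this hunt
        results[rec["user"]][rec["result"]] += 1
        countries[rec["country"]] += 1
    report = {"taken_over": [], "password_known": [], "targeted_only": []}
    for user, seen in sorted(results.items()):
        if seen["success"]:
            # Full sign-in succeeded: revoke sessions, reset, review activity.
            report["taken_over"].append(user)
        elif seen["mfa_required"]:
            # Password was guessed but MFA held: reset the password anyway.
            report["password_known"].append(user)
        else:
            # Failures only: keep monitoring.
            report["targeted_only"].append(user)
    report["countries"] = dict(countries)
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_SIGNINS).items():
        print(f"{key}: {value}")
```

Accounts in the `password_known` bucket matter as much as confirmed takeovers: the password is valid, so only MFA stands between the attacker and the mailbox.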
