Hackers use FastHTTP in new high-speed Microsoft 365 password attacks

Threat actors are utilizing the FastHTTP Go library to launch high-speed brute-force password attacks targeting Microsoft 365 accounts globally.

The campaign was recently discovered by incident response firm SpearTip, who said the attacks began on January 6, 2024, targeting the Azure Active Directory Graph API.

The researchers warn that the brute-force attacks have to successful account takeovers 10% of the time.

Abusing FastHTTP for takeovers

FastHTTP is a high-performance HTTP server and client library for the Go programming language, optimized for handling HTTP requests with improved throughput, low latency, and high efficiency even when used with numerous concurrent connections.

In this campaign, it is leveraged to create HTTP requests to automate attempts at unauthorized logins.

SpearTip says all requests target the Azure Active Directory endpoints to either brute-force passwords or repeatedly send multi-factor authentication (MFA) challenges to overwhelm targets in MFA Fatigue attacks.

SpearTip reports that 65% of the malicious traffic originates from Brazil, leveraging a broad range of ASN providers and IP addresses, followed by Turkey, Argentina, Uzbekistan, Pakistan, and Iraq.

The researchers say that 41.5% of the attacks fail, 21% lead to account lockouts imposed by protection mechanisms, 17.7% are rejected due to access policy violations (geographic or device compliance), and 10% were protected by MFA.

This leaves 9.7% of cases where the threat actors successfully authenticate to the target account, a notably high success rate.

Detect and defend

Microsoft 365 account takeovers can lead to confidential data exposure, intellectual property theft, service downtime, and other negative outcomes.

SpearTip has shared a PowerShell script administrators can use to check for the presence of the FastHTTP user agent in audit logs, indicating they were targeted by this operation.

Admins can also manually check for the user agent by logging in to the Azure portal, navigating to Microsoft Entra ID → Users → Sign-in Logs, and applying the filter Client app: “Other Clients.”

If any signs of malicious activity are uncovered, administrators are advised to expire user sessions and reset all account credentials immediately, review the enlisted MFA devices, and remove unauthorized additions.

A full list of the indicators of compromise associated with the campaign can be found in the bottom section of SpearTip’s report.