January 15, 2025
Cyber Security

FastHTTP Tool Powers Blazing-Fast Microsoft 365 Password Hacks

Threat actors are exploiting the FastHTTP Go library to execute high-speed brute-force password attacks on Microsoft 365 accounts worldwide.

Affan Ahmad, Senior Technical Writer

Threat actors are exploiting the FastHTTP Go library to execute high-speed brute-force password attacks on Microsoft 365 accounts worldwide. The campaign, discovered by incident response firm SpearTip, began on January 6, 2025, targeting the Azure Active Directory Graph API.

Alarming Success Rates in Account Takeovers

According to researchers, these brute-force attacks have achieved a 10% success rate in compromising accounts, highlighting the sophistication and effectiveness of the campaign.

Exploiting FastHTTP for Unauthorized Access

FastHTTP, a high-performance HTTP server and client library for the Go programming language, is designed for handling HTTP requests with exceptional throughput, low latency, and efficiency. In this campaign, it is weaponized to:

  • Automate unauthorized login attempts via brute-force attacks.
  • Send repeated multi-factor authentication (MFA) challenges, overwhelming targets in MFA Fatigue attacks.

Geographic Origin of Malicious Traffic

SpearTip’s analysis indicates that 65% of the malicious traffic originates from Brazil, using a wide range of ASN providers and IP addresses. Other notable sources include Turkey, Argentina, Uzbekistan, Pakistan, and Iraq.

Attack Outcomes

The outcomes of these attacks, as reported by researchers, are:

  • 41.5%: Failed attempts.
  • 21%: Account lockouts triggered by protection mechanisms.
  • 17.7%: Rejected due to access policy violations (e.g., geographic or device compliance).
  • 10%: Successfully blocked by MFA protections.
  • 9.7%: Successful account takeovers—a concerningly high success rate.

Impact of Account Takeovers

Compromised Microsoft 365 accounts can result in severe repercussions, such as:

  • Exposure of confidential data.
  • Intellectual property theft.
  • Service downtime.
  • Broader security breaches.

Detection and Defense Measures

To mitigate the impact of these attacks, SpearTip recommends the following steps:

  1. Audit Logs for FastHTTP User Agent: Use a PowerShell script or manually inspect audit logs for evidence of the FastHTTP user agent.
     • Navigate to the Azure portal.
     • Go to Microsoft Entra ID → Users → Sign-in Logs.
     • Apply the filter: Client app: “Other Clients.”
  2. Respond to Malicious Activity:
     • Expire active user sessions.
     • Reset all account credentials.
     • Review and remove unauthorized MFA devices.

By implementing these measures, administrators can safeguard Microsoft 365 accounts against this ongoing threat campaign.
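The audit step above can also be run offline against a sign-in log export. The following Python code is an added example, not SpearTip's script or code from the original article; it assumes a JSON export whose records carry the Microsoft Graph sign-in fields `userAgent`, `userPrincipalName`, `ipAddress` and `status.errorCode`, and the sample records and function names are constructed for illustration.

```python
import json
from collections import Counter

# Constructed sample records shaped like a sign-in log JSON export (not real data).
SAMPLE_EXPORT = json.dumps([
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10",
     "userAgent": "fasthttp", "status": {"errorCode": 50126}},
    {"userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.7",
     "userAgent": "fasthttp", "status": {"errorCode": 50126}},
    {"userPrincipalName": "Alice@example.com", "ipAddress": "198.51.100.7",
     "userAgent": "fasthttp", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "ipAddress": "203.0.113.10",
     "userAgent": "FastHTTP", "status": {"errorCode": 50053}},
    {"userPrincipalName": "carol@example.com", "ipAddress": "203.0.113.44",
     "userAgent": "fasthttp", "status": {"errorCode": 50076}},
    {"userPrincipalName": "dave@example.com", "ipAddress": "192.0.2.5",
     "userAgent": "Mozilla/5.0", "status": {"errorCode": 0}},
    {"userPrincipalName": "erin@example.com", "ipAddress": "192.0.2.9",
     "userAgent": None, "status": {"errorCode": 50126}},
])

# Entra ID sign-in error codes mapped onto the outcome buckets the article lists.
OUTCOMES = {0: "success", 50126: "failed", 50053: "lockout",
            53003: "policy_block", 50076: "mfa_block"}

def triage_fasthttp(export_json, needle="fasthttp"):
    """Group sign-ins whose user agent contains `needle` by targeted account."""
    report = {}
    for rec in json.loads(export_json):
        ua = (rec.get("userAgent") or "").lower()  # tolerate null or missing agent
        if needle not in ua:
            continue
        user = (rec.get("userPrincipalName") or "unknown").lower()
        code = (rec.get("status") or {}).get("errorCode")
        entry = report.setdefault(user, {"outcomes": Counter(), "ips": set()})
        entry["outcomes"][OUTCOMES.get(code, "other_failure")] += 1
        entry["ips"].add(rec.get("ipAddress"))
    return report

def needs_response(report):
    """Accounts whose password the attacker holds: signed in, or stopped only at MFA."""
    return sorted(u for u, e in report.items()
                  if e["outcomes"]["success"] or e["outcomes"]["mfa_block"])

if __name__ == "__main__":
    rep = triage_fasthttp(SAMPLE_EXPORT)
    print({u: dict(e["outcomes"]) for u, e in rep.items()}, needs_response(rep))
```

Accounts returned by `needs_response` are the ones to take through the session expiry, credential reset and MFA device review listed above; an MFA-blocked attempt is included because the MFA prompt is only reached after the password was accepted.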
