Nearly 10-hour Azure outage caused by DDoS attack, says Microsoft

Microsoft reported that a distributed denial-of-service (DDoS) attack was the initial trigger of a recent, nearly 10-hour Azure outage that led to intermittent errors, timeouts and latency spikes on many of its services, and that a configuration error in its own DDoS defenses "amplified" the attack.

In a July 30 mitigation statement, Microsoft said the services impacted included Azure App Services, Application Insights, Azure IoT Central, Azure Log Search Alerts, Azure Policy, as well as the Azure portal itself and a “subset” of Microsoft 365 and Microsoft Purview services.

As of 1 p.m. Eastern on July 31, it was still not clear how many businesses were affected, which ones they were, or what the real impact of the outage was.

Microsoft said once it understood the nature of the event, it implemented networking configuration changes to support its DDoS protection efforts and performed failovers to alternate networking paths to offer relief. The company’s initial network configuration changes successfully mitigated a majority of the impact by 14:10 UTC on July 30. Microsoft also tweeted that it applied mitigations and was “rerouting user requests to provide relief.”

“Microsoft's stumble here is a wake-up call for the whole industry,” said Adam Gavish, co-founder and CEO at DoControl. “When a tech giant can get knocked offline by a DDoS attack, it shows just how critical robust, well-tested defenses are. The irony is that their own protection mechanisms amplified the attack's impact. It's like having a fancy security system that accidentally locks you out of your own house. This highlights the complexity of modern cloud environments and the need for rigorous testing of security measures.”

David Higgins, senior director of the Field Technology Office at CyberArk, explained that when these Azure services stop responding, all login requests and applications stop working, creating widespread outages. Higgins pointed out that if any of the affected customers were running customer-facing applications during this attack, for example, it’s very likely that those applications went offline.

“This isn’t the first time a DDoS attack has hit Microsoft services,” said Higgins. “In June last year, the company confirmed that a hacktivist group had caused an outage. So, it could be a hacktivist group again, perhaps seeking to show how reliant organizations worldwide are on their IT services from Microsoft and in general. Following the recent global outage from the CrowdStrike update, service disruption is clearly on the world radar.”
