Microsoft has confirmed that the disruption of its Microsoft 365 services and Azure portal earlier this month was caused by a layer 7 (application-layer) DDoS attack against the company.
The company attributes the attacks to a threat actor it tracks as Storm-1359, also known as Anonymous Sudan, a recently emerged hacktivist group that the article characterises as pro-Kremlin.
Unlike volumetric (layer 3/4) floods, layer 7 attacks target the HTTP(S) request path itself, so they need far less bandwidth and are harder to tell apart from legitimate traffic. The attackers are said to have launched several types of layer 7 DDoS attacks:
HTTP(S) flood attack – aims to exhaust system resources with a high volume of SSL/TLS handshakes and HTTP(S) request processing. The attacker sends a very large number (in the millions) of HTTP(S) requests, well distributed across the globe from many different source IPs, so that the application backend runs out of compute resources (CPU and memory). The wide distribution of sources is what makes simple per-IP rate limiting ineffective on its own.
Cache bypass – attempts to get past the CDN layer and overload the origin servers. The attacker sends a series of requests for generated URLs (typically carrying random query strings or path segments) that the frontend cannot serve from cached content, forcing it to forward every request to the origin.
Slowloris – in the variant described by Microsoft, the client opens a connection to a web server, requests a resource (e.g., an image), and then fails to acknowledge the download (or accepts it slowly). This forces the web server to keep the connection open and the requested resource in memory. Strictly speaking, classic Slowloris holds connections open by sending request headers slowly and never completing the request, and the slow-read behaviour described here is a related variant; in both cases the aim is to tie up the server's limited pool of concurrent connections or worker threads rather than its bandwidth.
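As an added example (not Microsoft's code or anything from its blog post), the script below shows how the first two patterns above show up in ordinary web-server access logs: a per-IP request rate and a "fresh query string on nearly every request" ratio flag a single cache-busting client, while a per-second fleet view catches a flood that is spread across many source IPs, each of which stays under any per-IP limit. The log lines are constructed, the combined log format is assumed, and the thresholds are illustrative assumptions rather than tuned values.

```python
"""Added example (not Microsoft's code): flag the HTTP(S) flood and cache-bypass
patterns in combined-format access logs. Log lines are constructed and the
thresholds are illustrative assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Assumption: logs are in the nginx/Apache "combined" format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    parts = urlsplit(rec["target"])
    rec["path"], rec["query"] = parts.path, parts.query
    return rec


def analyse(lines, per_ip_rps=20.0, fleet_rps=100.0, min_sources=20,
            bypass_ratio=0.8, min_requests=10):
    """Classify sources and the fleet as a whole.

    Returns (verdicts, fleet): verdicts maps source IP to a set drawn from
    {"http_flood", "cache_bypass"}; fleet reports the busiest one-second
    bucket and flags a distributed flood when that bucket exceeds fleet_rps
    across at least min_sources distinct IPs, i.e. when per-IP limits alone
    would not catch it. All thresholds are illustrative assumptions.
    """
    by_ip = defaultdict(list)
    buckets = defaultdict(list)  # one-second bucket -> list of source IPs seen in it
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        by_ip[rec["ip"]].append(rec)
        buckets[rec["ts"].replace(microsecond=0)].append(rec["ip"])

    verdicts = {}
    for ip, recs in by_ip.items():
        labels = set()
        if len(recs) >= min_requests:
            ts = sorted(r["ts"] for r in recs)
            span = max((ts[-1] - ts[0]).total_seconds(), 1.0)  # 1 s floor for bursts
            if len(recs) / span > per_ip_rps:
                labels.add("http_flood")
            # Cache bypass: nearly every request carries a never-before-seen
            # query string, so a CDN keyed on the full URL forwards all of them.
            unique = len({(r["path"], r["query"]) for r in recs if r["query"]})
            if unique / len(recs) >= bypass_ratio:
                labels.add("cache_bypass")
        verdicts[ip] = labels

    _, peak_ips = max(buckets.items(), key=lambda kv: len(kv[1]), default=(None, []))
    fleet = {
        "peak_rps": len(peak_ips),
        "peak_sources": len(set(peak_ips)),
        "distributed_flood": len(peak_ips) > fleet_rps and len(set(peak_ips)) >= min_sources,
    }
    return verdicts, fleet


def constructed_log():
    """Constructed sample: a normal browser, one cache-busting client and a
    40-host flood in which every host stays under the per-IP limit."""
    t0 = datetime(2023, 6, 7, 14, 0, 0, tzinfo=timezone.utc)

    def line(ip, t, target):
        return f'{ip} - - [{t.strftime(TS_FMT)}] "GET {target} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'

    lines = []
    for i, p in enumerate(["/", "/css/app.css", "/js/app.js", "/img/logo.png", "/about"]):
        lines.append(line("198.51.100.7", t0 + timedelta(seconds=5 * i), p))
    for i in range(30):  # 30 requests in 2 s, every URL carries a fresh query string
        lines.append(line("203.0.113.5", t0 + timedelta(seconds=i // 15), f"/img/hero.jpg?cb={i:04x}"))
    for h in range(40):  # 120 requests in the same second from 40 different IPs
        for _ in range(3):
            lines.append(line(f"192.0.2.{h + 1}", t0, "/api/search"))
    return lines


if __name__ == "__main__":
    verdicts, fleet = analyse(constructed_log())
    for ip, labels in sorted(verdicts.items()):
        if labels:
            print(ip, sorted(labels))
    print(fleet)
```

Run against the constructed sample, only the cache-busting client is labelled per IP, while the 40-host flood is invisible per source and surfaces only in the fleet bucket; in practice the per-IP thresholds would be tuned per endpoint and the fleet view fed from every edge node, not one log file.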
According to Microsoft’s blog post, the group likely used multiple virtual private servers (VPS) together with rented cloud infrastructure, open proxies, and DDoS tools. Redmond says it has no evidence that customer data was accessed or compromised.