FastHTTP Botnet: Large-Scale Microsoft 365 Password Spraying Campaign

Incident Report for Rapid Response Status Page

Resolved

Dear Customers,

Following our recent update regarding the FastHTTP Botnet: Large-Scale Microsoft 365 Password Spraying Campaign, we have conducted threat hunting across all customers. Relevant hits that require your attention will be mentioned in the AXON report.

The following queries can be used by your security teams to gain relevant visibility and to conduct threat hunting for this campaign:

1. Hunting Query - Suspicious login attempts made using FastHTTP user agent (Azure Sign-in Logs) - This query can be found on AXON's GitHub.
- Link: https://github.com/axon-git/rapid-response/blob/main/fasthttp_bruteforce_campaign/fasthttp_bruteforce_passwordspray_campaigns_azure_signin.sql

2. Hunting Query - Suspicious login attempts made using FastHTTP user agent (M365 audit logs) - This query can be found on AXON's GitHub.
- Link: https://github.com/axon-git/rapid-response/blob/main/fasthttp_bruteforce_campaign/fasthttp_bruteforce_passwordspray_campaigns_m365.sql

3. Custom Detector Recommendation - Configuration suggestions by our team to create a detector for this campaign can be found in the AXON report.
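As an added example (not one of AXON's published queries), the logic behind the hunting queries above written in Python over constructed sign-in records: flag the FastHTTP user agent, flag non-interactive sign-ins over basic-auth capable legacy protocols, and flag the spray pattern of many accounts failing from one source IP. Field names follow the Entra ID sign-in log schema; the sample records, error codes and thresholds are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Legacy protocols (partial list) that accept basic authentication; browser and modern app sign-ins are excluded.
LEGACY_CLIENT_APPS = {"Other clients", "IMAP4", "POP3", "SMTP", "Authenticated SMTP", "Exchange ActiveSync"}

# Constructed sample records shaped like Entra ID sign-in log entries (Graph signIn field names); not real data.
SAMPLE_SIGNINS = json.loads("""[
 {"createdDateTime":"2025-03-01T02:00:01Z","userPrincipalName":"alice@example.com","ipAddress":"203.0.113.10","userAgent":"fasthttp","clientAppUsed":"Other clients","isInteractive":false,"status":{"errorCode":50126}},
 {"createdDateTime":"2025-03-01T02:00:05Z","userPrincipalName":"bob@example.com","ipAddress":"203.0.113.10","userAgent":"fasthttp","clientAppUsed":"Other clients","isInteractive":false,"status":{"errorCode":50126}},
 {"createdDateTime":"2025-03-01T02:00:09Z","userPrincipalName":"carol@example.com","ipAddress":"203.0.113.10","userAgent":"fasthttp","clientAppUsed":"IMAP4","isInteractive":false,"status":{"errorCode":50053}},
 {"createdDateTime":"2025-03-01T02:00:12Z","userPrincipalName":"dave@example.com","ipAddress":"203.0.113.10","userAgent":"fasthttp","clientAppUsed":"Other clients","isInteractive":false,"status":{"errorCode":50126}},
 {"createdDateTime":"2025-03-01T02:00:15Z","userPrincipalName":"erin@example.com","ipAddress":"203.0.113.10","userAgent":"fasthttp","clientAppUsed":"Other clients","isInteractive":false,"status":{"errorCode":0}},
 {"createdDateTime":"2025-03-01T09:15:00Z","userPrincipalName":"alice@example.com","ipAddress":"198.51.100.7","userAgent":"Mozilla/5.0 (Windows NT 10.0) Chrome/122.0","clientAppUsed":"Browser","isInteractive":true,"status":{"errorCode":50126}},
 {"createdDateTime":"2025-03-01T09:16:00Z","userPrincipalName":"alice@example.com","ipAddress":"198.51.100.7","userAgent":"Mozilla/5.0 (Windows NT 10.0) Chrome/122.0","clientAppUsed":"Browser","isInteractive":true,"status":{"errorCode":0}}
]""")

def is_fasthttp(rec):
    # The fasthttp client library sends the literal string "fasthttp" as its default User-Agent.
    return "fasthttp" in (rec.get("userAgent") or "").lower()

def is_legacy_noninteractive(rec):
    # Non-interactive sign-in over a basic-auth capable protocol: the path this campaign abuses.
    return not rec.get("isInteractive", True) and rec.get("clientAppUsed") in LEGACY_CLIENT_APPS

def find_spray_sources(records, min_users=4, window=timedelta(minutes=30)):
    """Per source IP, flag when failed sign-ins inside `window` span at least `min_users` distinct accounts
    (many accounts, few tries each), then enrich the hit with the other campaign markers and any successes."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ipAddress"]].append((datetime.fromisoformat(r["createdDateTime"].replace("Z", "+00:00")), r))
    findings = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])
        failed = [(t, r) for t, r in events if r["status"]["errorCode"] != 0]
        start = 0
        for end, (t_end, _) in enumerate(failed):
            while t_end - failed[start][0] > window:  # slide the window forward past old failures
                start += 1
            users = {r["userPrincipalName"] for _, r in failed[start:end + 1]}
            if len(users) >= min_users:
                hit = findings.setdefault(ip, {"users": set(), "fasthttp": False, "legacy": False, "successes": set()})
                hit["users"] |= users
        if ip in findings:  # a success from a spraying IP is the hit that needs immediate attention
            for _, r in events:
                findings[ip]["fasthttp"] |= is_fasthttp(r)
                findings[ip]["legacy"] |= is_legacy_noninteractive(r)
                if r["status"]["errorCode"] == 0:
                    findings[ip]["successes"].add(r["userPrincipalName"])
    return findings
```

On the sample data only 203.0.113.10 is flagged: four accounts failed within seconds over legacy protocols with the fasthttp user agent, and a fifth account then authenticated successfully from the same source.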

In addition, full AXON reports were published for team AXON customers.
In those reports, you can also find the comprehensive updated deliverables list (threat hunting queries, IOCs, relevant hits if any exist, and the custom detector recommendation).

The team is still tracking the campaign and will publish an update if needed.
If you have any questions, please do not hesitate to reach out to us.

Sincerely,
Team AXON.
Posted Mar 03, 2025 - 16:08 UTC

Investigating

Dear Customers,

Team AXON is aware of an ongoing password spraying campaign leveraging the FastHTTP library to target Entra ID and Microsoft 365. In this campaign, the threat actor operates a botnet of over 130,000 compromised devices, exploiting non-interactive sign-ins via basic authentication.

FastHTTP is a high-performance HTTP server and client library for the Go programming language, designed to handle HTTP requests more efficiently than Go’s standard net/http package.

The campaign poses significant risks to systems that rely on default or weak authentication methods, highlighting the importance of robust password policies and MFA. Our team has initiated a targeted investigation to identify potential IOCs related to this campaign. If any critical findings are discovered that require immediate attention, we will promptly inform you.

An AXON report detailing our findings, mitigation strategies, and recommended actions will be shared with all AXON customers following the conclusion of our Rapid Response efforts.

If you have any questions or concerns, please do not hesitate to contact us.

Sincerely,
Team AXON
Posted Mar 03, 2025 - 06:59 UTC
This incident affected: Rapid Response.