Cyber Incident Victim: Microsoft Azure
Date: Jul 2024
Location: United States of America
Summary
A global outage impacted multiple Microsoft services and third-party platforms relying on Azure infrastructure, caused by a Distributed Denial-of-Service (DDoS) attack targeting Azure Front Door. An error in defensive implementations amplified the attack's effects instead of containing it, leading to widespread connectivity failures, timeouts, and latency spikes across services including Azure App Services, the Azure portal, Microsoft 365 applications, Intune, Entra, and dependent systems like banking portals, utility websites, and court services. Mitigation involved network configuration adjustments and regional failovers, resolving core issues within several hours, though downstream services experienced prolonged recovery times based on their integration with affected components. The company acknowledged the incident stemmed from defensive failures and apologized for the disruption.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On 30 July 2024, between 11:45 UTC and 19:43 UTC, Microsoft Azure experienced a global service disruption affecting multiple cloud services and dependent applications. The incident originated from a Distributed Denial-of-Service (DDoS) attack targeting Azure infrastructure, which triggered automated defense mechanisms in Azure Front Door (AFD) and Azure Content Delivery Network (CDN). An implementation error in these defenses unexpectedly amplified the attack’s impact instead of containing it, causing performance degradation across critical components. Affected Azure services included App Services, Application Insights, IoT Central, Log Search Alerts, Azure Policy, and the Azure portal itself. Microsoft 365 services (including Outlook and Office), Microsoft Purview, Entra, and Intune also experienced connectivity issues. The networking bottleneck led to intermittent errors, timeouts, and latency spikes for a subset of customers worldwide. Initial detection occurred at 11:45 UTC when customer impact began, prompting Microsoft’s engineering teams to launch an investigation.

Microsoft’s response involved implementing network configuration changes to support DDoS mitigation and executing failovers to alternative networking paths. By 14:10 UTC, these initial measures resolved the majority of impact, though some customers continued reporting suboptimal availability. A revised mitigation approach was deployed regionally starting at 18:00 UTC, first in Asia Pacific and Europe, then expanded to the Americas after validation. Core failure rates normalized to pre-incident levels by 19:43 UTC, with full mitigation declared at 20:48 UTC after sustained monitoring. Downstream services dependent on AFD/CDN experienced prolonged recovery times based on their individual configurations. Third-party impacts included Cambridge Water’s account and payment systems, HM Courts and Tribunals Service’s online platforms, NatWest banking webpages, and FC Twente’s ticketing system and mobile app. Microsoft publicly acknowledged the outage via service status updates and social media, apologizing for the disruption while attributing the event to a cyber-attack and defensive failure. The company committed to publishing preliminary incident analysis within 72 hours and a final Post Incident Review within 14 days.
