Microsoft 365 frustrations these last few weeks?

Have you been increasingly frustrated with 365's degraded performance, outages, and skyrocketing Graph API Health Service Incident notifications?  You are not imagining it.  There is a reason for this: threat actors have been carrying out Layer 7 DDoS attacks on the corporate giant's infrastructure.  

The group responsible for it, according to threat researchers and now finally Microsoft admitting it, is a group called "Anonymous Sudan", otherwise known as Storm-1359.  These DDoS attacks are usually very basic in nature; all one needs is access to a botnet, or other resources in the cloud.   These resources can be coordinated to blast a ton of HTTP requests against the targets of their choice. This is nothing new, and it is the most common type of attack used to disrupt or bring down websites and services on the internet.
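From the defender's side, the thing that distinguishes an application-layer flood from a backend outage is the request rate: the "anomalous spike in HTTP traffic" Microsoft eventually cited. The following added example (mine, not from the original post or from Microsoft) is a sliding-window counter over constructed access-log lines that flags such a spike and reports how many distinct client addresses produced it, which separates one noisy client from a distributed flood.

```python
import re
from collections import deque
from datetime import datetime

# Common Log Format: client, ident, user, [timestamp], "request", status, bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (timestamp, client_ip, request) or None for an unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], TS_FMT), m["ip"], m["req"]

def detect_flood(lines, window_s=5, threshold=25):
    """Sliding-window request counter over chronologically ordered log lines.

    Emits one alert per window once more than `threshold` requests fall inside
    the last `window_s` seconds. Each alert records the number of distinct
    client addresses: a single abusive client is easy to block, while many
    low-rate sources is the pattern a botnet-driven Layer 7 flood produces.
    """
    window = deque()          # (timestamp, ip) pairs inside the current window
    alerts, last_alert = [], None
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, _ = parsed
        window.append((ts, ip))
        while (ts - window[0][0]).total_seconds() > window_s:
            window.popleft()
        if len(window) > threshold and (
                last_alert is None or (ts - last_alert).total_seconds() > window_s):
            alerts.append({"at": ts, "requests": len(window),
                           "clients": len({w[1] for w in window})})
            last_alert = ts
    return alerts

def constructed_log():
    """Constructed sample: 10 s of light traffic from 3 hosts, then a 2 s burst from 30 hosts."""
    fmt = '%s - - [08/Jun/2023:10:00:%02d +0000] "GET /%s HTTP/1.1" 200 512'
    lines = [fmt % ("198.51.100.%d" % (i % 3 + 1), i, "") for i in range(10)]
    lines += [fmt % ("203.0.113.%d" % (n % 30 + 1), 10 + n // 30, "login") for n in range(60)]
    return lines

if __name__ == "__main__":
    for a in detect_flood(constructed_log()):
        print("%s: %d requests in window from %d clients" % (a["at"], a["requests"], a["clients"]))
```

The thresholds are placeholders; in practice they are set from the service's own baseline, and a high distinct-client count at alert time is the cue to rate-limit or challenge at the edge rather than block individual addresses.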

Anonymous Sudan is certainly reveling in the attention; it does not take a lot of skill to perform these attacks in most cases.  That being said, these layer 7 attacks are considered by some to be a bit more complex.  You can look at their Telegram channel, where they are getting their rocks off selectively targeting different business and government institutions.  See for yourself.  https://t.me/s/AnonymousSudan

Now, there are a few concerning points to make specifically about the Microsoft attack.  

  1. We knew from the beginning it wasn't just another botched update on their backend, which commonly happens and which they then have to roll back.  Even my own research correlating Microsoft's own Graph API health status response times coincided with Sudan's boastful posts online.
  2. Microsoft immediately tried to shift the blame and make excuses in the beginning, essentially covering up the real reason, then finally came out and admitted at first that it was due to an "anomalous spike in HTTP traffic", and only recently got around to specifically mentioning the group and the type of attacks.  
  3. Microsoft has responded in their blog posts and multiple posts online with how users should "remediate and protect their resources inside the 365/Azure ecosystem", while not even pointing out the fact that their own infrastructure was affected by this, almost as if to shift blame, muddy any culpability and deflect any embarrassment.  They finally and specifically stated it was a Layer 7 DDoS, which is the application layer of the OSI model.  Pssst... Microsoft.... the application layer?  Whose application is it? Again, they try to shift the liability onto the user by stating things they can do to help protect against this.  You cannot protect things when their own admin portals and infrastructure are inaccessible or non-responsive.
  4. Lastly, the disturbing trend is that these outages and service interruptions are increasing in frequency.  Not just due to these types of attacks, but for many other reasons, most of the time Microsoft-inflicted on themselves.  So how is it that the world's most popular email and server VM hosting platform, which boasts its incredible resiliency against DDoS attacks, even has this problem to begin with?  I think MS needs to give Cloudflare a call; they might know a thing or two about DDoS protection.

We are talking about an enormous company, with enormous resources and, you would think, a collectively massive amount of skill and talent.  So how can their network even be fazed by this?  It's bad enough Microsoft is constantly changing its code, its features, and the location of said features in the admin portals.  How many "Got it" popups and "This feature is now located here" popups are you driven mad with every time you log in?  This goes not just for end users, but for the IT admins and MSPs constantly administering this platform on behalf of their users.  It has become a recurring joke around the office lately.

This concerns me the most, as it's no secret they have the biggest market share by far when it comes to enterprise email hosting services, among other things.  The entire MSP community for the last few years has been constantly busy migrating users off on-prem Exchange to 365 Exchange. It's the future, they say; Microsoft obviously wants this, and the entire industry has been heading this way for some time.  

We have given full control and TRUST of such a vital part of every business and institution on earth to big tech.  No matter what the sales and marketing says, these are real problems that are not only not going away, but accelerating.  There is nothing users, help desks or MSPs can do to improve or fix it.  We just have to say to the customer or user: welp, just another Microsoft outage, sorry, you will just have to wait it out.  Now that's fine when it's a rare occurrence; things happen. But when it's becoming more and more common, it just makes everybody frustrated, and it breaks and erodes any remaining trust we have in big tech to handle that part of our IT infrastructure.  

If you ask me, if people are going to trust a company like Microsoft to take care of their core messaging and communications infrastructure, the least it can do is be transparent, and not blow smoke up our asses to save face! It might be bad for business in the short term, but I can assure you most people want the direct truth, up front, not to be kept in the dark only to find out the real reason later.  

I have struggled with this paradigm shift for the past 5 years or so, and even wrote another musing article months ago on my thoughts on the cloud in general, and how it's not as marvelous as it's portrayed.  These things, and the way they are handled, continue to erode our confidence and trust in these companies, which is another reason I am a huge Open Source advocate.  

So in closing, I would simply say what I have in the past.  Think hard and plan which services or parts of your stack make the most sense to host in the cloud, and which ones are best on-prem.  Think about the pros and cons and do the research on the platforms and vendors in which you and your customers will be placing great trust for stability and security.  After all, you will be entrusting them with some of your most critical and important technology assets and messaging/communication systems, so choose wisely.

Till next time.

Dan