Summary: A sophisticated cyber campaign has been identified that uses the fasthttp library as its HTTP client to conduct brute-force login attempts and spam multi-factor authentication (MFA) requests against Azure Active Directory (Entra ID) environments. The campaign, which began showing signs on January 6, 2025, is driven primarily by malicious traffic from Brazil and aims to overwhelm security mechanisms to gain unauthorized access to user accounts. SpearTip recommends monitoring Entra ID sign-in logs and taking immediate action if compromised accounts are confirmed.
Threat Actor: Unknown | unknown
Victim: Azure Active Directory | Azure Active Directory
Key points:
- Attackers are using the fasthttp library for brute-force login attempts and MFA spamming.
- 65% of malicious traffic originates from Brazil, with additional contributions from Turkey, Argentina, Uzbekistan, Pakistan, and Iraq.
- Recommendations include monitoring Entra ID sign-in logs for the fasthttp user agent string and taking immediate action if accounts are confirmed compromised.
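A defender-side triage routine for the monitoring recommendation above, added here as an example and not part of the SpearTip report. It runs over constructed sign-in entries shaped after the Entra ID sign-in log schema (the userAgent, status.errorCode and location.countryOrRegion fields); the error code meanings (0 success, 50126 invalid credentials, 500121 MFA challenge not satisfied) and the per-user threshold are assumptions made for the illustration.

```python
from collections import defaultdict
def signin(upn, user_agent, country, error_code):
    """Build a minimal Entra ID sign-in log entry using the schema's field names."""
    return {"userPrincipalName": upn, "userAgent": user_agent,
            "location": {"countryOrRegion": country}, "status": {"errorCode": error_code}}

# Constructed sample entries, not real data. Assumed codes: errorCode 0 = success,
# 50126 = invalid credentials, 500121 = MFA challenge issued but not satisfied.
SAMPLE_SIGNIN_LOGS = [
    signin("alice@example.com", "fasthttp", "BR", 50126),
    signin("alice@example.com", "fasthttp", "BR", 50126),
    signin("alice@example.com", "fasthttp", "TR", 50126),
    signin("bob@example.com", "fasthttp", "BR", 500121),
    signin("bob@example.com", "fasthttp", "BR", 500121),
    signin("bob@example.com", "fasthttp", "BR", 500121),
    signin("dave@example.com", "fasthttp", "AR", 0),
    signin("carol@example.com", "Mozilla/5.0 (Windows NT 10.0) Edge/120", "US", 0),
]

def is_fasthttp_ua(user_agent):
    """Match the fasthttp user agent string the report says to hunt for."""
    return "fasthttp" in (user_agent or "").lower()

def triage_fasthttp_signins(entries, threshold=3):
    """Group fasthttp-UA sign-ins per user and assign each account a verdict."""
    per_user = defaultdict(lambda: {"failed": 0, "mfa_pending": 0, "success": 0, "countries": set()})
    for e in entries:
        if not is_fasthttp_ua(e.get("userAgent")):
            continue  # ordinary browser/client traffic is out of scope for this hunt
        u = per_user[e["userPrincipalName"]]
        code = e.get("status", {}).get("errorCode")
        if code == 0:
            u["success"] += 1
        elif code == 500121:
            u["mfa_pending"] += 1
        else:
            u["failed"] += 1
        u["countries"].add(e.get("location", {}).get("countryOrRegion", "??"))
    findings = {}
    for upn, u in per_user.items():
        if u["success"]:
            verdict = "compromised"   # automation UA got in: revoke sessions, reset credentials
        elif u["mfa_pending"] >= threshold:
            verdict = "mfa_spam"      # password already known; user is being prompt-bombed
        elif u["failed"] >= threshold:
            verdict = "brute_force"
        else:
            verdict = "suspicious_ua"
        findings[upn] = {**u, "countries": sorted(u["countries"]), "verdict": verdict}
    return findings
```

The countries set per account is kept so that the geographic spread noted in the report (Brazil plus Turkey, Argentina and others) is visible per target rather than only in aggregate.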