Microsoft 365 password attack warning as high-speed hackers strike

16 Jan 25

As Microsoft users recover from news that three Windows zero-day vulnerabilities have been actively exploited and that Russian cyber espionage attacks against Windows users have increased, there is more bad news for Microsoft 365 account holders. Newly published research has warned that Microsoft 365 accounts have been targeted by hackers using a high-speed brute-force password attack methodology. Here’s what you need to know.


Microsoft 365 account passwords targeted in high-speed FastHTTP attacks

An emerging hacking campaign that uses the high-performance FastHTTP server and client library for the Go programming language was identified by researchers from the SpearTip Security Operations Center on January 13. The researchers said it appears that the FastHTTP framework “is being used to gain unauthorized access to accounts through brute-force login attempts and spam multi-factor authentication requests.” Data analyzed from a large set of Microsoft 365 tenants, SpearTip researchers Djurre Hoeksema, James Rigdon and Benjamin Jones said, showed that FastHTTP “was first observed as a user agent on January 6, 2025.” The researchers confirmed that all observed attempts targeted the Azure Active Directory Graph API. Hacker traffic originated mainly from Brazil, accounting for 65% of the total, with the remainder coming from Argentina, Iraq, Pakistan, Turkey and Uzbekistan.

The discovery that hackers are using the FastHTTP Go library to perform high-speed brute-force password attacks against Microsoft 365 accounts is “a stark reminder of the evolving tactics used by cybercriminals,” said Roei Sherman, field chief technology officer at Mitiga. “This alarming trend underscores the urgency for organizations to enhance their cybersecurity protocols and adopt stronger safeguards.” FastHTTP offers a distinct advantage to attackers, Sherman warned, “intending to compromise accounts through brute force methods by rapidly iterating through multiple password combinations.” As the report states, these persistent attacks are not only widespread, but also capable of bypassing traditional layers of security, often leading to successful account takeovers.

Mitigating the Risk of FastHTTP Brute-Force Attacks on Microsoft 365 Accounts

SpearTip researchers said it is possible to quickly check for potential indicators of compromise from the FastHTTP brute-force attack by reviewing Entra ID login logs through the Azure Portal.

  • Sign in to the Azure Portal.
  • Navigate to Microsoft Entra ID → Users → Login Logs.
  • Apply the filter client application: “Other clients”.
  • While this filter may return false positives, review the “User Agent” field under Basic Information in each log entry to confirm that the user agent is “fasthttp”.
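The same review can be run over an exported copy of the sign-in logs. The Python below is an added example, not code from SpearTip or Microsoft: it assumes a JSON export whose field names follow the Microsoft Graph signIn resource, treats `status.errorCode` 0 as a successful sign-in, and uses constructed sample records with placeholder users and IP addresses.

```python
import json
from collections import defaultdict

# Constructed sample export; field names follow the Microsoft Graph signIn
# resource (assumed export shape). Users and IPs are documentation placeholders.
SAMPLE_LOG = json.dumps([
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10",
     "clientAppUsed": "Other clients", "userAgent": "fasthttp",
     "status": {"errorCode": 50126}, "location": {"countryOrRegion": "BR"}},
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10",
     "clientAppUsed": "Other clients", "userAgent": "fasthttp",
     "status": {"errorCode": 50126}, "location": {"countryOrRegion": "BR"}},
    {"userPrincipalName": "Alice@example.com", "ipAddress": "198.51.100.7",
     "clientAppUsed": "Other clients", "userAgent": "fasthttp",
     "status": {"errorCode": 0}, "location": {"countryOrRegion": "AR"}},
    {"userPrincipalName": "bob@example.com", "ipAddress": "203.0.113.10",
     "clientAppUsed": "Other clients", "userAgent": "fasthttp",
     "status": {"errorCode": 50053}, "location": {"countryOrRegion": "BR"}},
    # "Other clients" false positive: same filter bucket, different user agent.
    {"userPrincipalName": "bob@example.com", "ipAddress": "192.0.2.44",
     "clientAppUsed": "Other clients", "userAgent": "python-requests/2.31.0",
     "status": {"errorCode": 0}, "location": {"countryOrRegion": "US"}},
])

def summarize_fasthttp(raw_json):
    """Group sign-ins whose user agent contains 'fasthttp' by targeted account."""
    summary = defaultdict(lambda: {"attempts": 0, "failed": 0,
                                   "succeeded": 0, "countries": set()})
    for rec in json.loads(raw_json):
        if "fasthttp" not in (rec.get("userAgent") or "").lower():
            continue  # the user agent, not the client-app filter, confirms a match
        entry = summary[(rec.get("userPrincipalName") or "<unknown>").lower()]
        entry["attempts"] += 1
        # errorCode 0 means the sign-in succeeded; anything else is a failure.
        if (rec.get("status") or {}).get("errorCode") == 0:
            entry["succeeded"] += 1
        else:
            entry["failed"] += 1
        country = (rec.get("location") or {}).get("countryOrRegion")
        if country:
            entry["countries"].add(country)
    return dict(summary)

def accounts_to_investigate(summary):
    """Accounts with a successful fasthttp sign-in, most-targeted first."""
    hits = [user for user, e in summary.items() if e["succeeded"] > 0]
    return sorted(hits, key=lambda user: -summary[user]["attempts"])

if __name__ == "__main__":
    result = summarize_fasthttp(SAMPLE_LOG)
    print(result, accounts_to_investigate(result))
```

Any account returned by `accounts_to_investigate` had at least one successful sign-in with the fasthttp user agent and should be treated as a likely compromise until reviewed.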

Sherman, meanwhile, said that for those using Microsoft 365, some mitigating precautions included:

  • Adopt multi-factor authentication.
  • Strengthen password policies.
  • Monitor login activity.
  • Educate employees.
  • Use account lockout policies.

I’ve reached out to Go and Microsoft for a statement about FastHTTP brute force Microsoft 365 password attacks.
