
Threat Report: fasthttp Used in New Bruteforce Campaign

Threat Overview

SpearTip has published a report detailing a new brute-force campaign leveraging the fasthttp library to gain unauthorized access to accounts. The campaign targets Azure Active Directory Graph API, resulting in a high volume of authentication failures, account lockouts, and conditional access violations.

Campaign Details

* Target: Azure Active Directory Graph API

* Duration: Ongoing since January 6th, 2025

* Origin: Significant traffic from Brazil

* fasthttp User Agent: Observed in Entra ID sign-in logs under “Other Clients”

Recommendations

Based on the threat report, the following recommendations are made to mitigate the risks associated with this campaign:

* Monitor Entra ID sign-in logs for the fasthttp user agent.

* Upon investigation of successful authentications or failed MFA/conditional access cases where credentials were correct, take these actions:

1. Expire user sessions.

2. Reset user credentials.

3. Review MFA devices associated with potentially compromised users.

* Further investigate ASN providers and IP addresses listed in the report for potential affiliation with the campaign.
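
The triage described in the recommendations above, as an added example that is not part of the SpearTip report: it filters exported Entra ID sign-in records for the fasthttp user agent and separates plain failures from users whose credentials were accepted. The record layout follows the Microsoft Graph signIn object, the sample records are constructed, and the set of AADSTS codes treated as "credentials correct" is an assumption to check against Microsoft's error-code reference.

```python
import json
from collections import defaultdict

# Assumption: AADSTS codes meaning the password was accepted but MFA or
# conditional access stopped the sign-in. Verify before relying on this set.
CREDS_VALID_BUT_BLOCKED = {50074, 50076, 50079, 500121, 53003}

# Constructed sample records shaped like Graph signIn objects (fields trimmed);
# users and IP addresses are documentation placeholders.
SAMPLE_SIGNINS = json.loads("""[
 {"userPrincipalName": "alice@example.com", "userAgent": "fasthttp", "ipAddress": "203.0.113.10", "status": {"errorCode": 50126}},
 {"userPrincipalName": "alice@example.com", "userAgent": "fasthttp", "ipAddress": "203.0.113.11", "status": {"errorCode": 50126}},
 {"userPrincipalName": "bob@example.com", "userAgent": "fasthttp", "ipAddress": "203.0.113.10", "status": {"errorCode": 50126}},
 {"userPrincipalName": "bob@example.com", "userAgent": "fasthttp", "ipAddress": "203.0.113.12", "status": {"errorCode": 0}},
 {"userPrincipalName": "carol@example.com", "userAgent": "fasthttp", "ipAddress": "198.51.100.7", "status": {"errorCode": 53003}},
 {"userPrincipalName": "dave@example.com", "userAgent": "Mozilla/5.0", "ipAddress": "192.0.2.44", "status": {"errorCode": 0}}
]""")


def triage(records, needle="fasthttp"):
    """Summarise sign-ins whose user agent contains `needle`, per user."""
    users = defaultdict(lambda: {"failed": 0, "success": 0, "creds_valid": 0, "ips": set()})
    for rec in records:
        if needle not in (rec.get("userAgent") or "").lower():
            continue  # not the campaign's client
        code = (rec.get("status") or {}).get("errorCode")
        entry = users[rec.get("userPrincipalName", "<unknown>")]
        entry["ips"].add(rec.get("ipAddress"))
        if code == 0:
            entry["success"] += 1        # successful authentication
        elif code in CREDS_VALID_BUT_BLOCKED:
            entry["creds_valid"] += 1    # password correct, MFA/CA blocked it
        else:
            entry["failed"] += 1         # any other code, or no code at all
    return dict(users)


def needs_response(summary):
    """Users to act on: expire sessions, reset credentials, review MFA devices."""
    return sorted(u for u, s in summary.items() if s["success"] or s["creds_valid"])


if __name__ == "__main__":
    summary = triage(SAMPLE_SIGNINS)
    for user in needs_response(summary):
        print(user, summary[user])
```
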

External References

Full report can be accessed via:

https://www.speartip.com/fasthttp-used-in-new-bruteforce-campaign/


Copyright © 2025 ESSGroup
