Detecting ‘fasthttp’ bruteforce attacks on Entra ID
In this blog post, I will explain how to detect brute force attacks using Kusto Query Language (KQL) in Microsoft Defender. I will provide a detailed KQL query to help identify suspicious login attempts that may indicate a brute force attack.
On January 13th, 2025, the SpearTip Security Operations Center, in collaboration with the Managed SaaS Alerts team, identified an emerging threat leveraging the fasthttp library. The fasthttp framework is being used to gain unauthorized access to accounts through brute-force login attempts and spamming MFA requests. The majority of the traffic associated with this threat originates from Brazil, with other source countries including Turkey, Argentina, Uzbekistan, Pakistan, and Iraq [1].
To detect fasthttp brute force attacks, we can use the Azure Active Directory Sign-in logs. The following KQL query is designed to identify failed login attempts using the fasthttp user agent. This query will help you detect potential brute force attacks by summarizing the failed login attempts and providing an overview of the IP addresses and countries involved.
```kql
// Define the time range for the query
let startTime = ago(7d);
let endTime = now();
// Define the threshold for failed login attempts
let failedAttemptsThreshold = 1;
// Filter the AADSignInEventsBeta table for fasthttp brute force attacks
AADSignInEventsBeta
| where Timestamp between (startTime .. endTime)
| where UserAgent == "fasthttp"
// ErrorCode is an integer column; 0 means the sign-in succeeded
| where ErrorCode != 0
| summarize
    FailedAttempts = count(),
    // distinct IP/country pairs used against the account
    IPAddresses = make_set(pack("IPAddress", IPAddress, "Country", Country)),
    // latest password-change time recorded for the account
    LastPasswordChange = max(LastPasswordChangeTimestamp)
    by AccountDisplayName
| where FailedAttempts >= failedAttemptsThreshold
| project
    AccountDisplayName,
    FailedAttempts,
    IPAddresses,
    LastPasswordChange
| order by AccountDisplayName desc
```
- Time Range: The query looks at the last 7 days of sign-in events.
- Threshold: It considers an account suspicious if it has 1 or more failed login attempts.
- Filtering: The query filters the AADSignInEventsBeta table for events where the UserAgent is fasthttp and the ErrorCode indicates a failed login (any value other than 0).
- Aggregation: It counts the number of failed login attempts per user, creates a set of objects containing the IP address and country used for those attempts, and retrieves the last password change timestamp.
- Projection: The query selects the account display name, the number of failed attempts, the set of IP addresses and countries, and the last password change timestamp.
- Ordering: The results are sorted by the account display name in descending order.
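To make the query's aggregation semantics concrete, the following is an added Python reimplementation of the same detection run over constructed sign-in rows; it is example code, not part of the original post or of Defender itself. It assumes only the AADSignInEventsBeta column names the query uses and, as an extension beyond the query, also counts successful fasthttp sign-ins per flagged account, since a success following failures is the case a responder most wants surfaced.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample rows with the AADSignInEventsBeta columns the query uses
# (made-up telemetry using RFC 5737 documentation IP ranges, not real events).
NOW = datetime(2025, 1, 14, 12, 0, tzinfo=timezone.utc)
PW_CHANGE = NOW - timedelta(days=90)

def event(account, ua, error_code, ip, country, hours_ago):
    return {"Timestamp": NOW - timedelta(hours=hours_ago), "AccountDisplayName": account,
            "UserAgent": ua, "ErrorCode": error_code, "IPAddress": ip, "Country": country,
            "LastPasswordChangeTimestamp": PW_CHANGE}

SAMPLE_EVENTS = [
    event("alice", "fasthttp", 50126, "203.0.113.10", "BR", 2),    # bad password
    event("alice", "fasthttp", 50126, "203.0.113.10", "BR", 1),    # same IP again (deduplicated)
    event("alice", "fasthttp", 50053, "198.51.100.7", "TR", 3),    # account locked out
    event("alice", "fasthttp", 0, "198.51.100.7", "TR", 0.5),      # success after the failures
    event("bob", "Mozilla/5.0", 50126, "192.0.2.5", "US", 1),      # other user agent: ignored
    event("carol", "fasthttp", 50126, "203.0.113.99", "AR", 240),  # 10 days ago: outside window
    event("dave", "fasthttp", 50126, "203.0.113.20", "PK", 5),
]

def detect_fasthttp_bruteforce(events, now=NOW, lookback_days=7, threshold=1):
    """Mirror the KQL: time window -> UserAgent filter -> per-account summary -> threshold -> order."""
    start = now - timedelta(days=lookback_days)
    per_account = defaultdict(lambda: {"FailedAttempts": 0, "SuccessfulAttempts": 0,
                                       "IPAddresses": set(), "LastPasswordChange": None})
    for e in events:
        if not (start <= e["Timestamp"] <= now) or e["UserAgent"] != "fasthttp":
            continue
        acct = per_account[e["AccountDisplayName"]]
        if e["ErrorCode"] != 0:                # the KQL keeps only these rows
            acct["FailedAttempts"] += 1
            acct["IPAddresses"].add((e["IPAddress"], e["Country"]))  # make_set semantics
            lpc = e["LastPasswordChangeTimestamp"]
            if acct["LastPasswordChange"] is None or lpc > acct["LastPasswordChange"]:
                acct["LastPasswordChange"] = lpc                      # max() semantics
        else:
            acct["SuccessfulAttempts"] += 1    # extension: a success from the same UA is the worse case
    rows = [{"AccountDisplayName": name, **{**v, "IPAddresses": sorted(v["IPAddresses"])}}
            for name, v in per_account.items() if v["FailedAttempts"] >= threshold]
    return sorted(rows, key=lambda r: r["AccountDisplayName"], reverse=True)

if __name__ == "__main__":
    for row in detect_fasthttp_bruteforce(SAMPLE_EVENTS):
        print(row)
```

Raising `threshold` drops single-failure accounts such as dave while keeping alice, whose three failures are followed by a success.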
Detecting fasthttp brute force attacks is crucial for maintaining the security of your Azure Active Directory accounts. By using the provided KQL query, you can identify and summarize failed login attempts, providing an overview of the IP addresses and countries involved. This information can help you take appropriate action to mitigate the threat and protect your accounts from unauthorized access.