Bluesky Confirms Sophisticated DDoS Attack Behind Persistent App and Website Outages

Bluesky, the decentralized social network, has publicly confirmed that a sophisticated Bluesky DDoS attack is the root cause of the ongoing service interruptions that have plagued its platform since mid-April. Chief operating officer Rose Wang initially attributed the problems to a cyberattack, and the company later clarified that a Distributed Denial-of-Service (DDoS) assault began on April 15 at around 8:40 p.m. ET. This revelation has left many users frustrated as intermittent outages continue to disrupt feeds, notifications, and search functions.

As of Friday, the platform is still struggling to fully restore normal operations. The company posted on its official Bluesky account that the attack is “impacting our operations, with users experiencing intermittent interruptions in service for their feeds, notifications, threads, and search.” However, Bluesky has assured users that there is no evidence of unauthorized access to private data. For those seeking updates, the status.bsky.app page has been unreliable, often failing to load itself.

What Is a DDoS Attack and How Does It Affect Bluesky?

A Distributed Denial-of-Service (DDoS) attack involves flooding an app or website with massive amounts of junk traffic, effectively overloading servers and knocking them offline. This type of cyberattack does not involve breaching internal systems or stealing data, but it can be highly disruptive. In Bluesky’s case, the attack has caused the site and app to load slowly at times or display error messages like “This feed is currently receiving high traffic and is temporarily unavailable. Please try again later. Message from server: Rate Limit Exceeded.”

Popular feeds such as Discover and the official Bluesky Team feed are particularly affected, even when users’ personal feeds remain functional. Additionally, attempting to view a user’s profile often results in an error, forcing repeated refreshes. Bluesky protocol engineer Bryan Newbold noted the severity early on, posting around 3:46 a.m. ET on Wednesday, “oof, our services are getting hit pretty hard tonight.”

Impact on Users and the Broader Decentralized Ecosystem

The Bluesky outage has not only frustrated regular users but also sparked a notable shift within the decentralized social network ecosystem. Communities like Blacksky, which run their own infrastructure on the underlying AT Protocol, have remained functional. Blacksky’s team reported a “significant spike” in migration requests from Bluesky users over the past 12 hours, as alternatives like Eurosky and other ATmosphere founders promoted their services. This demonstrates how a major Bluesky DDoS attack can accelerate user movement within the decentralized web.

For many users, the intermittent nature of the outages adds to the frustration. One moment the app loads, albeit slowly; the next, it displays error messages. The company has not provided a definitive timeline for a fix, though it promised an update by 1 p.m. ET on Friday. Meanwhile, the status page itself has been unreliable, with a typo visible in one message: “investigating an incident with service in one of our reginos [sic].” This suggests the team is operating under significant pressure.

Bluesky’s Response and Mitigation Efforts

Bluesky’s team worked through the night to mitigate the attack, but it intensified throughout the day. The company has been transparent about the cause, but the lack of a rapid resolution has tested user patience. As of now, the best advice for users is to check Bluesky’s status page for updates, though it may not always be accessible. For those considering alternatives, the decentralized nature of the AT Protocol means other services like Blacksky remain operational, offering a temporary refuge.

This incident highlights the vulnerabilities even in modern, decentralized platforms. While DDoS attacks are not new, their sophistication continues to evolve. Bluesky’s experience serves as a reminder of the importance of robust cybersecurity measures and backup infrastructure. For more on how social media platforms handle cyber threats, read our guide on securing your social media accounts.

What’s Next for Bluesky?

Building on the current situation, Bluesky must prioritize restoring full service and preventing future attacks. The company has not indicated whether it will implement additional protections, but the incident underscores the need for scalable defenses. As users explore alternatives, Bluesky’s ability to recover quickly will be crucial for retaining its community. The decentralized social network model offers resilience, but as this Bluesky DDoS attack shows, no platform is immune to disruption.

In the meantime, affected users can follow alternative decentralized platforms that are still functioning. The team at Bluesky continues to work on mitigation, and we will update this story as more information becomes available.

FISA Section 702 Nears Expiry: Lawmakers Clash Over Americans’ Privacy vs. Surveillance Powers

A critical U.S. surveillance law, known as FISA Section 702, is set to expire next week, throwing Congress into a fierce debate over national security and the privacy rights of Americans. This law has long allowed intelligence agencies like the NSA and FBI to collect overseas communications without warrants—but it also sweeps up data on countless U.S. citizens.

As the April 20 deadline looms, a bipartisan group of lawmakers is pushing for major reforms to end warrantless surveillance of Americans. Meanwhile, the Trump administration and some Republicans want a simple extension without changes. The outcome will shape how the government monitors communications for years to come.

What Is FISA Section 702 and Why Does It Matter?

FISA Section 702 permits U.S. intelligence agencies to intercept foreign communications flowing through American networks. However, this bulk collection inevitably captures emails, phone logs, and other data from Americans who communicate with people overseas—all without a search warrant.

Privacy advocates argue that this practice violates the Fourth Amendment, which protects against unreasonable searches. The American Civil Liberties Union and other groups have long condemned the program as an overreach that infringes on civil liberties.

Lawmakers Divided Over Reauthorization and Reforms

On one side, the White House and some House Republicans favor a clean reauthorization of FISA Section 702, arguing it is essential for counterterrorism and foreign intelligence. President Trump recently signaled support for extending the law without amendments.

On the other side, a bipartisan coalition led by Senators Ron Wyden and Mike Lee introduced the Government Surveillance Reform Act. This bill aims to close the controversial “backdoor search” loophole, which allows agencies to search Americans’ communications without a warrant. It also seeks to ban the government from buying location data from data brokers—a practice FBI Director Kash Patel confirmed in a March hearing.

“Many lawmakers aren’t aware that multiple administrations have relied on a secret interpretation of Section 702 that directly affects Americans’ privacy,” Wyden warned. He has urged the government to declassify this information.

Representative Thomas Massie echoed these concerns after reviewing classified FISA documents, stating he would vote against reauthorization. “The Constitution requires I vote No,” he posted on X.

What Happens If FISA Section 702 Expires?

Even if the law expires on April 20, surveillance may not stop immediately. A legal quirk allows the Foreign Intelligence Surveillance Court to certify the government’s practices annually, effectively extending surveillance until March 2027 unless Congress actively intervenes.

Additionally, the government operates under Executive Order 12333, a secret presidential directive that governs much of the surveillance outside the U.S. and also captures Americans’ communications. This means privacy protections remain fragile regardless of Section 702’s fate.

Privacy Reforms Gain Momentum Amid Tech Advances

The debate comes as technology makes surveillance easier than ever. App developers collect vast amounts of location data, selling it to brokers who then supply governments. Both Republicans and Democrats reportedly want to close this loophole, which also complicates negotiations with AI companies like Anthropic and OpenAI.

Privacy groups including the Electronic Privacy Information Center and the Project on Government Oversight support the reform bill. However, its passage remains uncertain as Congress faces a tight deadline.

For more on how surveillance laws impact your digital life, check out our guide on protecting your privacy online. To understand the history of FISA, read our explainer on the Foreign Intelligence Surveillance Act.

In the end, the fight over FISA Section 702 is a battle between security and liberty. As lawmakers debate, Americans must ask: How much privacy are we willing to trade for safety?

Mailbox Rule Abuse: The Stealthy Post-Compromise Threat in Microsoft 365

Imagine an attacker quietly controlling your email inbox—deleting security alerts, forwarding sensitive messages, and hiding all traces of their activity. This is not a far-fetched scenario. Security researchers have uncovered a significant rise in mailbox rule abuse within Microsoft 365 environments, where cybercriminals leverage native email features to maintain access, exfiltrate data, and manipulate communications after compromising an account.

According to findings from Proofpoint, approximately 10% of breached accounts in Q4 2025 had malicious mailbox rules created within seconds of initial access. These rules often use minimal or nonsensical names, making them easy to overlook. They are designed to delete emails or move them into rarely monitored folders like Archive or RSS Subscriptions, allowing attackers to operate under the radar.

How Attackers Exploit Microsoft 365 Mailbox Rules

Mailbox rules provide attackers with a powerful combination of automation and stealth. Once inside an account, they can silently control email flow while avoiding detection. By suppressing or redirecting messages, attackers reshape what victims see in their inbox, allowing fraudulent activity to continue unnoticed.

Common attacker objectives include:

• Forwarding sensitive emails to external accounts for data theft
• Hiding security alerts, password resets, and suspicious activity
• Intercepting and manipulating ongoing email conversations
• Maintaining access even after password changes

In practice, these tactics enable attackers to impersonate victims, hijack communication threads, and influence business transactions without triggering traditional security alerts. This form of mailbox rule abuse is particularly dangerous because it leverages legitimate functionality, making it hard for standard defenses to detect.

Real-World Impact and Persistence Risks

Several scenarios illustrate how mailbox rule abuse plays out in real attacks. In one case observed by Proofpoint, attackers targeted payroll processes by launching internal phishing emails from a compromised account, while rules were created to hide replies and warnings. This ensured the activity remained largely invisible to the victim.

In another example, attackers combined mailbox rules with third-party email services and domain spoofing to intercept vendor communications and insert fraudulent payment requests into existing threads. These tactics are classic signs of business email compromise (BEC) attacks, which continue to plague organizations worldwide.

University environments have also been affected. Attackers frequently deploy blanket rules that delete or hide all incoming messages, isolating the mailbox and enabling large-scale spam campaigns without user awareness. One of the most concerning aspects is persistence: malicious forwarding and suppression rules can remain active even after credentials are reset, allowing continued data exposure.

Building on this, researchers note that automation tools now enable attackers to deploy these rules across multiple accounts at scale, turning a simple feature into a powerful and difficult-to-detect attack method. This means that even organizations with robust security measures can fall victim to mailbox rule abuse if they do not monitor for such activity.

Defending Against Mailbox Rule Abuse

To defend against similar threats, Proofpoint suggests that organizations disable external auto-forwarding, enforce strong access controls including multi-factor authentication (MFA), and closely monitor OAuth activity. Ensuring rapid response by removing malicious rules, revoking sessions, and auditing account activity is also recommended.

For more insights on protecting your organization, check out our guide on business email compromise prevention and learn about Microsoft 365 security best practices.

In conclusion, mailbox rule abuse represents a stealthy post-compromise threat that every organization using Microsoft 365 should take seriously. By understanding how attackers exploit these features and implementing proactive defenses, you can reduce the risk of data breaches and financial losses.