According to Microsoft, Storm-1359 targeted Layer 7 of the OSI model (the Application layer) rather than the more commonly targeted Layer 4 (Transport) or Layer 3 (Network). As of this article, there is no evidence of any data theft or other indications of compromise on the services. It is not uncommon for an attacker to use a service disruption attack to hide more invasive operations, so the lack of any additional IOCs could indicate that disruption was the goal of the group in this instance. That does not mean the group’s tactics will not change in the future, though.
Storm-1359, like many disruption campaigns, appears to use a network of bots and compromised VPS (Virtual Private Server) systems combined with open proxies. Nothing all that crazy in the world of DDoS campaigns, making it an easy assumption for Microsoft to make at this stage. The types of attack used in this campaign were HTTP(S) Flood, Cache Bypass, and Slowloris. Each of these attack types aims to overload the capacity of the servers hosting the service via a different mechanism. HTTP(S) Flood attacks send a massive number of TLS/SSL handshake requests along with other HTTP(S) traffic to overload compute resources. Cache Bypass forces the server to ignore cached content and send the data directly from the origin server, again trying to exhaust compute resources. Slowloris tries to exhaust memory by requesting something from the server/service and then either ignoring the response or accepting it so slowly that it forces the server to keep the request in memory longer than needed.
DDoS attacks can be complicated to protect against when Layer 3 or 4 is the target. It often becomes an arms race of resources and how quickly your equipment can identify and discard bad traffic. With a Layer 7 attack the same applies, just from a different angle. Properly configured Web Application Firewalls (with a decent reserve of compute power) can identify and limit incoming attacks like the ones used by Storm-1359. Rate limiting HTTP/HTTPS requests, botnet protections, and geofencing are all examples of good practices to limit the impact of this type of attack. For those that do not have internal infrastructure (all cloud-based), most cloud services have a WAF option available. There are also several third-party WAF resources available that can protect against DDoS and other front-door attacks.
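To make the "identify" half of that concrete, here is an added example (not from Microsoft or any WAF product) of the per-client signals that separate the three attack types described above, run over constructed request records. The record fields, thresholds, and sample addresses are assumptions for illustration; real WAF or access logs will name these fields differently.

```python
from collections import defaultdict, deque, namedtuple

# Assumed log fields; secs = how long the connection stayed open.
Req = namedtuple("Req", "ts ip path query secs")

def flood_clients(reqs, window=10, limit=20):
    """Clients sending more than `limit` requests inside any `window`-second span."""
    recent, flagged = defaultdict(deque), set()
    for r in sorted(reqs, key=lambda r: r.ts):
        q = recent[r.ip]
        q.append(r.ts)
        while q[0] <= r.ts - window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > limit:
            flagged.add(r.ip)
    return flagged

def cache_bypass_clients(reqs, min_hits=10, unique_ratio=0.9):
    """Clients hitting one path with a near-unique query string every time,
    which defeats a cache keyed on the full URL."""
    hits, queries = defaultdict(int), defaultdict(set)
    for r in reqs:
        hits[r.ip, r.path] += 1
        queries[r.ip, r.path].add(r.query)
    return {ip for (ip, path), n in hits.items()
            if n >= min_hits and len(queries[ip, path]) / n >= unique_ratio}

def slow_clients(reqs, max_secs=30, min_conns=5):
    """Clients holding at least `min_conns` connections open longer than `max_secs`."""
    slow = defaultdict(int)
    for r in reqs:
        if r.secs > max_secs:
            slow[r.ip] += 1
    return {ip for ip, n in slow.items() if n >= min_conns}

# Constructed sample traffic (documentation-range addresses, not real data).
SAMPLE = (
    [Req(i * 0.1, "198.51.100.7", "/login", "", 0.2) for i in range(50)]      # flood
    + [Req(i * 2.0, "203.0.113.9", "/report", f"r={i * 7919}", 0.3)
       for i in range(12)]                                                    # cache bypass
    + [Req(i * 5.0, "192.0.2.44", "/", "", 120.0) for i in range(6)]          # Slowloris-like
    + [Req(i * 3.0, "192.0.2.10", "/", "", 0.1) for i in range(15)]           # normal client
)

if __name__ == "__main__":
    print("flood:", flood_clients(SAMPLE))
    print("cache bypass:", cache_bypass_clients(SAMPLE))
    print("slow:", slow_clients(SAMPLE))
```

Because the campaign described here spreads traffic across bots and open proxies, per-IP thresholds like these are a starting signal to feed rate limiting, not a complete defense.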
Stay Safe out there.