SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Microsoft 365 users face rising threat from Axios attacks

Today

Research conducted by Proofpoint has revealed that 78% of Microsoft 365 users have been subjected to account takeover attempts using a distinct HTTP client.

HTTP client tools are employed by attackers to execute brute force attacks, which traditionally have low success rates. However, a recent campaign involving the HTTP client Axios had a significantly higher success rate, compromising 43% of targeted user accounts. Researchers at Proofpoint have highlighted this campaign's use of a high-velocity, distributed access approach via the Node Fetch client.

HTTP client tools are used to send and receive HTTP requests and responses from web servers, facilitating user operations like crafting requests, customising headers, and inspecting server responses. Attackers have increasingly repurposed legitimate HTTP client tools to compromise Microsoft 365 environments, utilising strategies such as Adversary-in-the-Middle (AitM) techniques and brute force methods.

Since February 2018, Proofpoint has observed the evolution of these attacks through tools such as the OkHttp client and Axios, revealing sophisticated attack chains that go beyond initial brute force methods. These strategies have evolved over time, initially using user enumeration to validate email addresses before proceeding with phishing and password spraying attacks.

By 2021, earlier attack methods involving OkHttp had declined significantly, indicating changing tactics among threat actors. More recently, from early 2024, a wider variety of HTTP clients have been utilised in attacks. Brute force attempts have still persisted, with 78% of organisations experiencing an account takeover attempt in the latter half of 2024.

The Axios client, a promise-based HTTP client, supports request and response interception and transformation, which facilitates unauthorised access when combined with AitM platforms such as Evilginx. Attacks using Axios have overcome modern security measures, including multi-factor authentication, achieving an average monthly success rate of 38%.

Proofpoint's analysis shows that campaigns using Axios predominantly operate during standard business hours, targeting specific roles such as executives and financial officers. By late 2024, over 51% of targeted organisations were affected, compromising 43% of targeted user accounts.

Separately, Node Fetch has been used in crude brute force campaigns, primarily focused on password spraying and employing extensive operational infrastructure to avoid detection. As of June 2024, these attacks have involved over 13 million login attempts across more than 3,000 organisations, mainly within the education sector.

Node Fetch-based campaigns exhibited considerable volume fluctuations from June to December 2024, averaging 66,000 attempts daily, though only 2% of targeted organisations were impacted.

The diversity in attack tools has continued with the August 2024 emergence of attacks involving Go Resty, which appeared linked to Node Fetch operations. However, attacks using Go Resty ceased by October 2024, although Node Fetch attacks persist.
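As an added example, not code from Proofpoint or from this article, the following Python routine shows one way a defender can surface the activity described above in Microsoft 365 sign-in logs: it flags sign-ins whose user agent is the default string sent by the HTTP client libraries named here (Axios, Node Fetch, Go Resty, OkHttp) and reports source addresses that tried many distinct accounts, the password-spraying pattern attributed to the Node Fetch campaigns. The log line format, the sample events and the user-agent prefixes are assumptions (the prefixes are the libraries' defaults and an operator can change them), so treat the output as a triage lead, not a verdict.

```python
import re
from collections import defaultdict

# Default User-Agent prefixes of the client libraries named in the article
# (assumed library defaults; versions vary, and the value is client-controlled,
# so this is a triage signal rather than proof).
SCRIPTED_CLIENT_PREFIXES = ("axios/", "node-fetch", "go-resty", "okhttp/")

# Constructed sample sign-in events, not real data:
# <user> <source IP> <SUCCESS|FAIL> <user agent>
SAMPLE_LOG = """\
alice@example.com 203.0.113.10 FAIL axios/1.6.2
bob@example.com 203.0.113.10 FAIL axios/1.6.2
carol@example.com 203.0.113.10 FAIL axios/1.6.2
dave@example.com 203.0.113.10 SUCCESS axios/1.6.2
erin@example.com 198.51.100.7 FAIL node-fetch/1.0 (+https://github.com/bitinn/node-fetch)
erin@example.com 198.51.100.7 SUCCESS Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0
frank@example.com 192.0.2.55 SUCCESS Mozilla/5.0 (Macintosh) Safari/605.1.15
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (SUCCESS|FAIL) (.+)$")


def parse_log(text):
    """Parse the assumed log format into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"user": m.group(1), "ip": m.group(2),
                           "result": m.group(3), "ua": m.group(4)})
    return events


def is_scripted_client(ua):
    """True when the user agent is one of the library defaults listed above."""
    return ua.lower().startswith(SCRIPTED_CLIENT_PREFIXES)


def find_spray_sources(events, min_users=3):
    """Source IPs that used a scripted client against >= min_users distinct accounts."""
    users_by_ip = defaultdict(set)
    for e in events:
        if is_scripted_client(e["ua"]):
            users_by_ip[e["ip"]].add(e["user"])
    return {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) >= min_users}


def find_candidate_takeovers(events):
    """Successful sign-ins made with a scripted client: review these first."""
    return sorted({(e["user"], e["ip"]) for e in events
                   if e["result"] == "SUCCESS" and is_scripted_client(e["ua"])})
```

In a real deployment the same logic runs over exported Entra ID sign-in logs, with the user-agent list tuned to the clients your organisation legitimately uses for automation.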

Proofpoint researchers predict that attackers will continue to adapt their techniques, switching between different HTTP client tools to exploit new technological advantages and improve evasion capabilities. This evolution reflects a broader pattern of consistent innovation among cybercriminals to enhance the efficiency of attacks while minimising exposure.
