Saturday, February 8, 2025
Homecyber securityCybercriminals Exploiting HTTP Client Tools to Hijack Microsoft 365 Accounts

Cybercriminals Exploiting HTTP Client Tools to Hijack Microsoft 365 Accounts

Published on

SIEM as a Service

Follow Us on Google News

A recent report by Proofpoint has revealed an alarming trend of cybercriminals exploiting HTTP client tools to target Microsoft 365 accounts.

These tools, originally designed for legitimate use, are now being repurposed for large-scale account takeover (ATO) attacks, employing tactics such as brute force login attempts and Adversary-in-the-Middle (AiTM) techniques.

With a growing reliance on HTTP clients like Axios and Node Fetch, these campaigns have demonstrated significant success rates, posing a critical threat to organizations globally.

High Success Rate of Axios in AiTM Attacks

One of the most concerning findings involves the Axios HTTP client, a popular tool for crafting HTTP requests in Node.js and browsers.

By integrating this client with reverse proxy platforms like Evilginx, attackers have successfully bypassed multifactor authentication (MFA) mechanisms, enabling account takeovers with an average success rate of 38%.

These attacks typically begin with phishing emails designed to steal credentials and MFA tokens.

Once compromised, attackers exploit Axios for precise targeting of Microsoft 365 login portals, and post-compromise actions include modifying mailbox rules, exfiltrating sensitive data, and creating malicious OAuth applications to maintain persistent access.

Analysis shows that these campaigns are well organized, focusing on high-value targets such as executives and financial officers.

Between June and November 2024, the Axios-based operation impacted 43% of targeted user accounts, successfully breaching over half of the organizations it targeted.

The Role of Node Fetch in Brute Force Campaigns

In parallel, attackers are using Node Fetch, an HTTP library for Node.js, to conduct brute force attacks.

Unlike Axios, Node Fetch is primarily employed for password spraying, leveraging its simplicity for large-scale automation.

Between June and December 2024, Proofpoint documented over 13 million login attempts using Node Fetch, averaging 66,000 unauthorized attempts daily.

Attackers rotated IP addresses frequently and targeted educational institutions, exploiting less-protected accounts to fuel spam campaigns or sell stolen credentials.

Despite the high attack volume, Node Fetch-based campaigns showed a lower success rate, impacting only 2% of targeted organizations.

However, the sheer scale of these attacks highlights the evolving threat landscape and the persistent efforts of cybercriminals to exploit HTTP client tools.

The adoption of HTTP clients like Axios and Node Fetch underscores a broader shift in attack methodologies.

With the ability to intercept, transform, and automate HTTP traffic, these tools provide attackers with potent capabilities to bypass traditional security measures.

The Proofpoint report also noted a recent but short-lived use of Go Resty, a Go-based HTTP client, indicating continuous adaptation in the tools and techniques deployed.

Organizations are advised to strengthen their defenses against such threats by implementing robust detection mechanisms, monitoring for malicious use of HTTP clients, and enhancing MFA configurations to resist AiTM techniques.

As attackers continue to refine their approaches, proactive measures and updated threat intelligence are crucial to mitigating the risks posed by these evolving attacks.

This growing reliance on repurposed HTTP clients signals the need for heightened vigilance and investment in cybersecurity solutions to combat emerging account takeover strategies.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

Autonomous LLMs Reshaping Pen Testing: Real-World AD Breaches and the Future of Cybersecurity

Large Language Models (LLMs) are transforming penetration testing (pen testing), leveraging their advanced reasoning...

Securing GAI-Driven Semantic Communications: A Novel Defense Against Backdoor Attacks

Semantic communication systems, powered by Generative AI (GAI), are transforming the way information is...

Cybercriminals Target IIS Servers to Spread BadIIS Malware

A recent wave of cyberattacks has revealed the exploitation of Microsoft Internet Information Services...

Hackers Leveraging Image & Video Attachments to Deliver Malware

Cybercriminals are increasingly exploiting image and video files to deliver malware, leveraging advanced techniques...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Autonomous LLMs Reshaping Pen Testing: Real-World AD Breaches and the Future of Cybersecurity

Large Language Models (LLMs) are transforming penetration testing (pen testing), leveraging their advanced reasoning...

Securing GAI-Driven Semantic Communications: A Novel Defense Against Backdoor Attacks

Semantic communication systems, powered by Generative AI (GAI), are transforming the way information is...

Cybercriminals Target IIS Servers to Spread BadIIS Malware

A recent wave of cyberattacks has revealed the exploitation of Microsoft Internet Information Services...