
Digital safety starts here for both commercial and personal Use...

Defend Your Business Against the Latest WNY Cyber Threats. We offer Safe, Secure and Affordable Solutions for your Business and Personal Networks and Devices.



WNYCyber is there to help you to choose the best service providers in Western New York... We DO NOT provide the services ourselves, as we are Internet Programmers who have to deal daily with Cyber Threats... (Ugghhh)... So we know what it's like and what it takes to protect OUR and OUR CUSTOMERS' DATA... We built this Website to help steer you to those that can give you the best service at realistic and non-inflated prices. We do not charge or collect any fees.

Cybercriminals Use Go Resty and Node Fetch in 13 Million Password Spraying Attempts

Summary:
Cybercriminals are increasingly leveraging legitimate HTTP client tools, such as Axios and Node Fetch, to facilitate account takeover (ATO) attacks on Microsoft 365 environments. According to enterprise security company Proofpoint, these tools, often sourced from public repositories like GitHub, are being repurposed for sophisticated attack techniques, including Adversary-in-the-Middle (AitM) and brute-force tactics. This shift has led to a surge in ATO incidents, posing a growing threat to organizations relying on cloud-based authentication. The trend of using HTTP client tools for brute-force attacks has been observed since at least February 2018, with early campaigns relying on OkHttp clients to target Microsoft 365 environments. By early 2024, this tactic had evolved, with a wider range of HTTP clients being utilized in attacks. Proofpoint reported that by March 2024, 78% of Microsoft 365 tenants had been targeted by at least one ATO attempt, highlighting the widespread nature of these campaigns. The attacks reached a peak in May 2024, leveraging millions of hijacked residential IPs to conduct large-scale credential theft and authentication bypass efforts.

The emergence of HTTP clients such as Axios, Go Resty, Node Fetch, and Python Requests has facilitated more targeted and effective intrusions, particularly when combined with AitM techniques. These tools allow attackers to bypass multi-factor authentication (MFA) defenses by intercepting authentication tokens in real time. Axios, specifically designed for Node.js and browsers, has been observed in campaigns leveraging Evilginx, an AitM platform, to steal credentials and session cookies, granting attackers persistent access to compromised accounts. Once inside a network, cybercriminals establish persistence by setting up new mailbox rules to hide their activities, exfiltrating sensitive data, and registering malicious OAuth applications with excessive permission scopes. This approach enables long-term access to compromised environments, allowing threat actors to maintain control over affected accounts even after password resets or MFA reconfigurations. The Axios campaign primarily targeted high-value individuals such as executives, financial officers, account managers, and operational staff across multiple industries, including transportation, construction, finance, IT, and healthcare. Between June and November 2024, over 51% of targeted organizations were successfully compromised, impacting 43% of affected user accounts.

Security Officer Comments:
In parallel, a large-scale password spraying campaign using Node Fetch and Go Resty clients has been detected, recording at least 13 million login attempts since June 9, 2024. On average, these campaigns generated over 66,000 malicious login attempts per day. While the overall success rate of these brute-force efforts remained low, affecting only 2% of targeted entities, the scale of the operation underscores its potential impact. The education sector, particularly student user accounts, was disproportionately affected, as these accounts often lack strong security controls. Compromised student accounts could then be repurposed for further malicious campaigns or sold on underground forums to other threat actors.


Suggested Corrections:
Proofpoint warns that cybercriminals are continuously refining their methods, leveraging an ever-evolving array of HTTP client tools to exploit APIs and manipulate authentication mechanisms. These tools offer significant advantages in scalability and automation, making ATO attacks more efficient and harder to detect. Given this trend, attackers are expected to continue shifting tactics, adopting new HTTP client tools, and refining their techniques to stay ahead of security defenses. Proofpoint recommends combining the user agents observed in these campaigns with additional confidence boosters, indicators and threat intel to inform accurate detections, rather than alerting on a user agent alone.
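The following is an added detection sketch, written for this page and not Proofpoint's or the original article's code, that ties together the two behaviours described above: sign-ins carrying the default User-Agent of the HTTP client libraries named in the article (Axios, Go Resty, Node Fetch, Python Requests), and the password-spraying pattern of one source IP failing against many distinct accounts in a short window. The sign-in records are constructed sample data with assumed field names (`ts`, `user`, `ip`, `ua`, `status`), not real telemetry, and the User-Agent substrings are the libraries' well-known defaults, which an attacker can override, so a match is treated as a low-confidence signal that only boosts a behavioural alert.

```python
"""Detection sketch for HTTP-client-driven ATO activity (added example).

Two signals are derived from constructed sign-in records:
  1. User-Agent matches the default UA prefix of an HTTP client library
     named in the article -- a weak indicator on its own;
  2. password-spray behaviour: one source IP producing failed sign-ins
     against many distinct accounts inside a short window.
A spray alert is marked high-confidence when both signals coincide.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Assumption: these libraries still send their default User-Agent headers.
# Attackers can trivially change them, so never alert on this alone.
HTTP_CLIENT_UA = re.compile(r"\b(axios|go-resty|node-fetch|python-requests)\b", re.I)

SPRAY_WINDOW = timedelta(minutes=10)   # tunable
SPRAY_MIN_ACCOUNTS = 5                 # distinct accounts per IP per window, tunable

# Constructed sample sign-in records (field names are assumptions).
SAMPLE_SIGNINS = [
    {"ts": "2024-06-09T10:00:01", "user": "alice@example.test",    "ip": "203.0.113.5",  "ua": "Mozilla/5.0 (Windows NT 10.0) Edge/120", "status": "success"},
    {"ts": "2024-06-09T10:00:05", "user": "student1@example.test", "ip": "198.51.100.7", "ua": "node-fetch",             "status": "failure"},
    {"ts": "2024-06-09T10:00:09", "user": "student2@example.test", "ip": "198.51.100.7", "ua": "node-fetch",             "status": "failure"},
    {"ts": "2024-06-09T10:00:14", "user": "student3@example.test", "ip": "198.51.100.7", "ua": "go-resty/2.11.0",        "status": "failure"},
    {"ts": "2024-06-09T10:00:20", "user": "student4@example.test", "ip": "198.51.100.7", "ua": "go-resty/2.11.0",        "status": "failure"},
    {"ts": "2024-06-09T10:00:27", "user": "student5@example.test", "ip": "198.51.100.7", "ua": "node-fetch",             "status": "failure"},
    {"ts": "2024-06-09T10:00:33", "user": "student6@example.test", "ip": "198.51.100.7", "ua": "node-fetch",             "status": "failure"},
    {"ts": "2024-06-09T10:01:00", "user": "carol@example.test",    "ip": "192.0.2.9",    "ua": "Mozilla/5.0 (Macintosh) Safari/605", "status": "failure"},
    {"ts": "2024-06-09T10:01:30", "user": "carol@example.test",    "ip": "192.0.2.9",    "ua": "Mozilla/5.0 (Macintosh) Safari/605", "status": "failure"},
    {"ts": "2024-06-09T10:02:00", "user": "carol@example.test",    "ip": "192.0.2.9",    "ua": "Mozilla/5.0 (Macintosh) Safari/605", "status": "success"},
    {"ts": "2024-06-09T10:05:00", "user": "svc-report@example.test", "ip": "203.0.113.40", "ua": "python-requests/2.31.0", "status": "success"},
]


def parse_ts(value):
    """Parse the ISO-8601 timestamp used in the sample records."""
    return datetime.fromisoformat(value)


def flag_http_client_uas(records):
    """Return every record whose User-Agent matches a known HTTP client default.

    Expect legitimate hits too (automation/service accounts), which is why
    this list is an enrichment source, not an alert by itself.
    """
    return [r for r in records if HTTP_CLIENT_UA.search(r["ua"])]


def detect_spray(records, window=SPRAY_WINDOW, min_accounts=SPRAY_MIN_ACCOUNTS):
    """Find source IPs that fail sign-ins against many distinct accounts in a window.

    One alert per IP; the alert reports all accounts seen inside the first
    window that crossed the threshold and whether any of those attempts
    carried an HTTP-client User-Agent (confidence booster).
    """
    failures = defaultdict(list)
    for r in records:
        if r["status"] == "failure":
            failures[r["ip"]].append(r)

    alerts = []
    for ip, events in failures.items():
        events.sort(key=lambda r: r["ts"])          # ISO timestamps sort lexically
        for i, first in enumerate(events):
            t0 = parse_ts(first["ts"])
            in_window = [r for r in events[i:] if parse_ts(r["ts"]) - t0 <= window]
            accounts = {r["user"] for r in in_window}
            if len(accounts) >= min_accounts:
                ua_hit = any(HTTP_CLIENT_UA.search(r["ua"]) for r in in_window)
                alerts.append({
                    "ip": ip,
                    "accounts": sorted(accounts),
                    "window_start": in_window[0]["ts"],
                    "window_end": in_window[-1]["ts"],
                    "http_client_ua": ua_hit,
                    "confidence": "high" if ua_hit else "medium",
                })
                break
    return alerts


if __name__ == "__main__":
    for r in flag_http_client_uas(SAMPLE_SIGNINS):
        print(f"[ua-indicator] {r['ts']} {r['ip']} {r['user']} ua={r['ua']}")
    for a in detect_spray(SAMPLE_SIGNINS):
        print(f"[spray:{a['confidence']}] {a['ip']} hit {len(a['accounts'])} accounts "
              f"between {a['window_start']} and {a['window_end']}")
```

Run against the sample data, the single spraying IP is reported as a high-confidence alert because its failed attempts also carry `node-fetch` and `go-resty` user agents, while the lone `python-requests` service account sign-in and the user who mistyped a password twice produce no spray alert. The thresholds are starting points to tune against your own baseline of distinct accounts per IP; residential-proxy traffic, as the article notes, spreads attempts over many IPs, so the same logic is worth running keyed on other stable attributes as well.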

https://www.proofpoint.com/us/blog/...t-tools-exploitation-account-takeover-attacks

Link(s):
https://thehackernews.com/2025/02/cybercriminals-use-axios-and-node-fetch.html