Hackers Using HTTP Client Tools to Takeover Microsoft 365 Accounts

In a concerning development, cybercriminals are increasingly leveraging legitimate HTTP client tools to infiltrate Microsoft 365 accounts, according to a recent report by Proofpoint.

These tools, originally designed for legitimate purposes like data retrieval and API testing, are being repurposed in sophisticated account takeover (ATO) campaigns.

Threat actors are deploying strategies such as brute-force attacks and Adversary-in-the-Middle (AiTM) techniques, leading to substantial security breaches across organizations worldwide.

Preferred Tools for Precision and Scale

Proofpoint researchers have highlighted two dominant tools, Axios and Node Fetch, that are being weaponized.

Axios, a promise-based HTTP client for Node.js, has been found to facilitate high-success AiTM attacks by intercepting multifactor authentication (MFA) tokens.

In a recent campaign, Axios was used to compromise 43% of targeted accounts by combining phishing with advanced reverse proxy techniques to extract credentials and session tokens.

Targeted attacks using Axios also employ tactics like mailbox rule creation, data exfiltration, and OAuth app registration to establish long-term control over compromised accounts.

[Figure: Volume of cloud attacks targeting user accounts using Axios clients (JUN – DEC 2024).]

In contrast, Node Fetch is employed for large-scale brute-force attacks, such as password spraying.

Its lightweight nature allows attackers to automate massive login attempts, often using hijacked residential IP addresses to evade detection mechanisms.

Between June and December 2024, Proofpoint recorded over 13 million malicious login attempts involving Node Fetch, impacting approximately 2% of targeted organizations.

Evolving Threat Landscape

While earlier campaigns relied heavily on tools like the OkHttp HTTP client, attackers have diversified their arsenal to include newer options such as Go Resty and Python Requests.

This shift allows threat actors to bypass detection systems and adapt to modern security measures.

In 2024 alone, 78% of Microsoft 365 tenants experienced at least one ATO attempt involving HTTP clients, with high-value roles like C-level executives and financial officers being prime targets.

The repercussions of these attacks are far-reaching. Beyond unauthorized account access, attackers exploit compromised accounts to manipulate financial transactions, steal sensitive data, and distribute malware.

Educational institutions, IT firms, and healthcare organizations are among the sectors most affected, with attackers prioritizing accounts that provide access to valuable resources.

As threat actors continue to refine their tactics, Proofpoint recommends heightened vigilance and proactive defenses.

Organizations should augment their security measures by monitoring for HTTP client-specific user agents and other indicators of compromise.

Advanced behavioral analysis, in conjunction with robust MFA and zero-trust architectures, is essential to mitigate the rising tide of HTTP client-based ATO campaigns.
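One way to act on the user-agent monitoring recommendation above, as an added example that is not from the Proofpoint report or this article: a small Python scan over constructed sign-in records that flags the default user agents of the libraries named in the report, separates the successful (AiTM-style) sign-ins from the failed ones, and groups failures by source IP to surface password spraying. The JSON field names and the user-agent pattern list are assumptions.

```python
import json
import re
from collections import defaultdict

# Default User-Agent fragments sent by the HTTP client libraries the report names
# (axios, node-fetch, OkHttp, go-resty, python-requests). The list is an assumption
# to be tuned against real tenant sign-in logs, where legitimate automation may match.
CLIENT_UA = re.compile(r"axios|node-fetch|okhttp|go-resty|python-requests", re.I)

# Constructed sample sign-in events (not real data) in a simplified JSON-lines shape
# loosely modelled on Entra ID sign-in logs: one event per line.
SAMPLE_SIGNIN_LOG = """\
{"user": "cfo@example.com", "ip": "203.0.113.10", "ua": "axios/1.6.7", "status": "success"}
{"user": "alice@example.com", "ip": "198.51.100.7", "ua": "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)", "status": "failure"}
{"user": "bob@example.com", "ip": "198.51.100.7", "ua": "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)", "status": "failure"}
{"user": "carol@example.com", "ip": "198.51.100.7", "ua": "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)", "status": "failure"}
{"user": "dave@example.com", "ip": "192.0.2.5", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0", "status": "success"}
{"user": "erin@example.com", "ip": "192.0.2.9", "ua": "python-requests/2.31.0", "status": "failure"}
"""

def parse_events(text):
    """Parse JSON-lines sign-in records, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events

def client_signins(events):
    """Events whose User-Agent matches one of the known HTTP client libraries."""
    return [e for e in events if CLIENT_UA.search(e.get("ua", ""))]

def successful_client_signins(events):
    """Highest-priority alerts: a library UA that actually got in (session token replay)."""
    return [e["user"] for e in client_signins(events) if e.get("status") == "success"]

def spraying_sources(events, min_users=3):
    """Source IPs using a library UA that failed against >= min_users distinct accounts."""
    failed = defaultdict(set)
    for e in client_signins(events):
        if e.get("status") == "failure":
            failed[e["ip"]].add(e["user"])
    return {ip: sorted(users) for ip, users in failed.items() if len(users) >= min_users}
```

A single failed sign-in from a library user agent (erin's python-requests line) is not reported as spraying at the default threshold, so the output stays focused on the one-IP-many-accounts pattern the report describes.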

This escalating trend serves as a stark reminder of the adaptability of cyber adversaries and the critical need for organizations to remain agile in their cybersecurity strategies.

Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
