Cybercriminals are increasingly leveraging legitimate HTTP client tools to orchestrate large-scale account takeover (ATO) attacks on Microsoft 365 environments, putting businesses at significant risk.
Growing Trend: HTTP Client Tools in Cyberattacks
According to enterprise security firm Proofpoint, attackers have been deploying HTTP clients such as Axios and Node Fetch to initiate and execute ATO attacks by sending and receiving HTTP requests. These tools, originally sourced from public repositories like GitHub, are now being exploited for advanced cyberattack techniques, including Adversary-in-the-Middle (AitM) and brute force tactics.
"These HTTP clients have become instrumental in modern cyber threats, particularly in account takeover incidents where attackers compromise login credentials," security researcher Anna Akselevich stated.
Evolution of HTTP Client-Based Brute-Force Attacks
The use of HTTP clients for brute-force attacks has been documented since at least February 2018. Initially, threat actors relied on OkHttp clients to target Microsoft 365, but by early 2024, attackers diversified their toolkit. By March 2024, Proofpoint observed a surge in HTTP client usage, with nearly 78% of Microsoft 365 tenants targeted at least once in an ATO attempt.
Massive Surge in Attacks
In May 2024, the attacks reached a peak, with cybercriminals leveraging millions of hijacked residential IPs to infiltrate cloud accounts. The scale of these attacks is reflected in the increasing reliance on HTTP clients such as Axios, Go Resty, Node Fetch, and Python Requests. These tools, combined with AitM tactics, significantly improved compromise rates.
Axios, a popular HTTP client for Node.js and browsers, has been weaponized alongside AitM phishing frameworks like Evilginx to intercept credentials and multi-factor authentication (MFA) codes.
Tactics for Concealment and Persistence
Once inside a compromised environment, cybercriminals:
Set up new mailbox rules to hide traces of their activity.
Exfiltrate sensitive data from high-value targets.
Register new OAuth applications with excessive permissions to maintain persistent access.
Executives, financial officers, account managers, and operational staff across industries such as transportation, construction, finance, IT, and healthcare have been prime targets. Over 51% of targeted organizations suffered successful breaches between June and November 2024, leading to the compromise of 43% of targeted user accounts.
Massive Password Spraying Campaign Using Go Resty and Node Fetch
Proofpoint also uncovered a large-scale password spraying operation utilizing Node Fetch and Go Resty, registering no fewer than 13 million login attempts since June 9, 2024—averaging 66,000 attacks per day. While the success rate remained low, it still impacted 2% of targeted entities.
To date, over 178,000 targeted user accounts across 3,000 organizations have been identified. The majority of these compromised accounts belong to the education sector, particularly student accounts, which often have weaker security protections and are valuable for further cybercriminal operations.
Constant Evolution of Attack Strategies
"Threat actors continuously adapt their attack strategies by switching between different HTTP client tools, optimizing their methods to evade detection," Akselevich noted.
Because these tools provide a streamlined way to drive APIs and issue HTTP requests at scale, cybersecurity professionals must stay ahead by implementing robust defense mechanisms. Organizations should prioritize:
Strengthening MFA enforcement to mitigate credential theft.
Monitoring for suspicious OAuth app registrations to detect unauthorized access.
Enhancing cloud security postures to identify and block malicious HTTP request patterns.
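The two detection recommendations above (watching for suspicious OAuth app registrations and for malicious HTTP request patterns), together with the post-compromise behaviours described earlier (mailbox rules that hide activity), can be turned into concrete log-review logic. The following is an added example written for this article; it is not code from Proofpoint or Microsoft. It runs over constructed records whose field names loosely follow the Entra ID sign-in log and the Microsoft 365 Unified Audit Log, but the exact schema, the threshold values, the folder names treated as "hiding" folders, and the User-Agent markers are all assumptions to be tuned against a real tenant's data.

```python
"""Detection logic over constructed Microsoft 365 sign-in and audit records.

Added example, not code from Proofpoint or Microsoft. Field names loosely follow
the Entra ID sign-in log and Unified Audit Log schemas but are assumptions here
(real inbox-rule parameters arrive as Name/Value pairs, flattened to a dict below);
all sample records are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# User-Agent substrings typical of the library HTTP clients named in the article.
HTTP_CLIENT_UA_MARKERS = ("axios", "node-fetch", "go-resty", "python-requests", "okhttp")

# Spray thresholds are assumptions; tune them to the tenant's baseline.
SPRAY_MIN_DISTINCT_USERS = 5
SPRAY_WINDOW = timedelta(minutes=30)

# Destination folders that effectively hide mail from the mailbox owner (assumption).
HIDING_FOLDERS = {"RSS Feeds", "RSS Subscriptions", "Deleted Items", "Archive", "Junk Email"}


def is_http_client_ua(user_agent):
    """True when the User-Agent names a library HTTP client rather than a browser."""
    ua = user_agent.lower()
    return any(marker in ua for marker in HTTP_CLIENT_UA_MARKERS)


def detect_password_spray(signins, min_users=SPRAY_MIN_DISTINCT_USERS, window=SPRAY_WINDOW):
    """Flag source IPs whose failed sign-ins touch many distinct accounts within `window`.

    Spraying is many accounts with few attempts each, so the grouping key is the
    source IP, not the account (per-account lockout already covers the latter).
    """
    failed_by_ip = defaultdict(list)
    for rec in signins:
        if rec["errorCode"] != 0:
            failed_by_ip[rec["ipAddress"]].append(rec)

    findings = []
    for ip, recs in failed_by_ip.items():
        recs.sort(key=lambda r: r["createdDateTime"])
        best, start = 0, 0
        for end in range(len(recs)):
            # Advance the window start until the span [start, end] fits within `window`.
            while recs[end]["createdDateTime"] - recs[start]["createdDateTime"] > window:
                start += 1
            users = {r["userPrincipalName"] for r in recs[start:end + 1]}
            best = max(best, len(users))
        if best >= min_users:
            agents = {r["userAgent"] for r in recs}
            findings.append({
                "ipAddress": ip,
                "distinctUsers": best,
                "failedAttempts": len(recs),
                "httpClientUA": any(is_http_client_ua(a) for a in agents),
            })
    return findings


def detect_persistence(audit_events):
    """Flag post-compromise persistence: inbox rules that hide mail, and new OAuth consents."""
    findings = []
    for ev in audit_events:
        op, params = ev["Operation"], ev.get("Parameters", {})
        if op in ("New-InboxRule", "Set-InboxRule"):
            hides = (params.get("DeleteMessage") == "True"
                     or params.get("MarkAsRead") == "True"
                     or params.get("MoveToFolder") in HIDING_FOLDERS)
            if hides:
                findings.append({"type": "hiding_inbox_rule", "user": ev["UserId"],
                                 "rule": params.get("Name")})
        elif op == "Consent to application.":
            # Every new consent is worth review; mail/file scopes deserve the most attention.
            findings.append({"type": "oauth_consent", "user": ev["UserId"],
                             "app": ev.get("AppDisplayName"), "permissions": ev.get("Permissions", [])})
    return findings


# --- Constructed sample data (TEST-NET addresses and example.com accounts) ---
def _ts(s):
    return datetime.fromisoformat(s)

SAMPLE_SIGNINS = [
    {"createdDateTime": _ts(f"2024-06-10T08:{i:02d}:00"), "userPrincipalName": f"user{i}@example.com",
     "ipAddress": "203.0.113.10", "userAgent": "axios/1.6.8", "errorCode": 50126}
    for i in range(6)  # one failed attempt each against six different accounts
] + [
    {"createdDateTime": _ts("2024-06-10T08:03:00"), "userPrincipalName": "alice@example.com",
     "ipAddress": "198.51.100.7", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "errorCode": 50126},
    {"createdDateTime": _ts("2024-06-10T08:04:00"), "userPrincipalName": "alice@example.com",
     "ipAddress": "198.51.100.7", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "errorCode": 0},
]

SAMPLE_AUDIT = [
    {"Operation": "New-InboxRule", "UserId": "alice@example.com",
     "Parameters": {"Name": "sync", "MoveToFolder": "RSS Feeds", "MarkAsRead": "True"}},
    {"Operation": "New-InboxRule", "UserId": "bob@example.com",
     "Parameters": {"Name": "Projects", "MoveToFolder": "Projects"}},
    {"Operation": "Consent to application.", "UserId": "alice@example.com",
     "AppDisplayName": "Mail Sync Helper", "Permissions": ["Mail.ReadWrite", "offline_access"]},
]

if __name__ == "__main__":
    for f in detect_password_spray(SAMPLE_SIGNINS) + detect_persistence(SAMPLE_AUDIT):
        print(f)
```

On the sample data the spray detector reports the single library-client source that failed against six accounts in five minutes and ignores the user who mistyped a password once from a browser, while the persistence detector reports the RSS-Feeds rule and the new application consent but not the ordinary "Projects" rule. Keying the spray check on the source IP is deliberate: the campaigns described above rotate through hijacked residential IPs, so a real deployment would also aggregate by User-Agent or ASN to catch a spray spread thinly across many addresses.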
With cybercriminals refining their techniques, proactive cybersecurity measures are critical in safeguarding Microsoft 365 environments from ATO attacks.