Cybercriminals are increasingly using legitimate HTTP client tools to launch account takeover ( ATO ) attacks on Microsoft 365 environments.
Enterprise security company Proofpoint said it observed campaigns using the HTTP clients Axios and Node Fetch to send HTTP requests and receive HTTP responses from web servers, with the goal of carrying out ATO attacks.
"Originally sourced from public repositories like GitHub, these tools are increasingly used in attacks like Adversary-in-the-Middle (AitM) and brute force techniques, leading to numerous account takeover (ATO) incidents," security researcher Anna Akselevich said.
The use of HTTP client tools for brute-force attacks is a long-standing pattern observed since at least February 2018, with successive iterations employing variants of OkHttp clients to target Microsoft 365 environments until at least early 2024.
By March 2024, however, Proofpoint said it began to observe a wider range of HTTP clients gaining traction, with the attacks reaching a new high: 78% of Microsoft 365 tenants had been targeted by an ATO attempt by the second quarter of last year.
"In May 2024, these attacks peaked, leveraging thousands of hijacked residential IPs to target cloud accounts," Akselevich said.
The volume and variety of these attempts is reflected in the rise of HTTP clients like Axios, Go Resty, Node Fetch, and Python Requests, with some campaigns combining precision targeting with AitM techniques.
Axios, per Proofpoint, is designed for Node.js and browsers and can be paired with AitM platforms like Evilginx to enable the theft of credentials and multi-factor authentication (MFA) codes.
The threat actors have also been observed setting up new mailbox rules to conceal evidence of malicious activity, stealing sensitive data, and even registering a new OAuth application with excessive permission scopes to establish persistent remote access to the compromised environment.
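The two persistence tricks just described, evidence-hiding inbox rules and over-scoped OAuth consents, leave traces in the tenant's audit log. The following is an added example, not code from Proofpoint or from the article, showing how a responder might triage such records. The record layout (`Operation`, `UserId`, `Parameters`, `Permissions`) is a simplified assumption rather than the exact Unified Audit Log schema, and the sample records are constructed.

```python
"""Triage Microsoft 365 audit records for evidence-hiding inbox rules and
OAuth app consents with broad scopes. Record layout is a simplified
assumption, not the exact Unified Audit Log schema."""
import json

# Constructed sample records (assumption: not real tenant data).
SAMPLE_AUDIT_LINES = [
    json.dumps({"Operation": "New-InboxRule", "UserId": "cfo@example.com",
                "Parameters": {"Name": ".", "SubjectContainsWords": "invoice;wire;payment",
                               "DeleteMessage": True, "MarkAsRead": True}}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "ops@example.com",
                "Parameters": {"Name": "Vendor newsletters", "From": "news@vendor.example",
                               "MoveToFolder": "Newsletters"}}),
    json.dumps({"Operation": "Consent to application.", "UserId": "cfo@example.com",
                "AppDisplayName": "Mail Sync Helper",
                "Permissions": "Mail.ReadWrite Mail.Send offline_access User.Read"}),
    json.dumps({"Operation": "Consent to application.", "UserId": "hr@example.com",
                "AppDisplayName": "Calendar Widget", "Permissions": "Calendars.Read User.Read"}),
]

# Rule actions that make mail disappear from the owner's view.
HIDING_ACTIONS = {"DeleteMessage", "MarkAsRead", "MoveToFolder"}
# Folders attackers commonly redirect mail into so the victim never sees it.
HIDING_FOLDERS = {"RSS Subscriptions", "RSS Feeds", "Archive", "Junk Email",
                  "Conversation History", "Deleted Items"}
# Subject keywords typical of fraud-driven rules (finance, security warnings).
SUSPECT_WORDS = {"invoice", "payment", "wire", "bank", "password", "hacked", "phish"}
# Graph scopes that grant standing access to mail, files or the directory;
# offline_access yields a refresh token, i.e. persistent access.
HIGH_RISK_SCOPES = {"Mail.ReadWrite", "Mail.Send", "Mail.Read", "MailboxSettings.ReadWrite",
                    "Files.ReadWrite.All", "Directory.ReadWrite.All",
                    "Directory.AccessAsUser.All", "offline_access"}


def inbox_rule_findings(params: dict) -> list[str]:
    """Return reasons an inbox rule looks like evidence-hiding; empty list if benign."""
    reasons = []
    name = params.get("Name", "")
    if len(name.strip(" .,_-")) == 0:   # names like "." keep the rule inconspicuous in the UI
        reasons.append("unnamed/symbol-only rule")
    actions = HIDING_ACTIONS & {k for k, v in params.items() if v}
    folder = params.get("MoveToFolder", "")
    if actions and folder in HIDING_FOLDERS:
        reasons.append(f"moves mail to {folder}")
    if "DeleteMessage" in actions:
        reasons.append("deletes matching mail")
    words = {w.strip().lower() for w in params.get("SubjectContainsWords", "").split(";") if w}
    hits = words & SUSPECT_WORDS
    if hits and actions:
        reasons.append("targets " + ", ".join(sorted(hits)))
    return reasons


def risky_consent_scopes(permissions: str) -> list[str]:
    """Return the high-risk scopes granted in an app consent, sorted."""
    return sorted(set(permissions.split()) & HIGH_RISK_SCOPES)


def triage(lines) -> list[dict]:
    """Run both checks over JSON audit lines; one finding per suspicious record."""
    findings = []
    for line in lines:
        rec = json.loads(line)
        op = rec.get("Operation", "")
        if op == "New-InboxRule":
            reasons = inbox_rule_findings(rec.get("Parameters", {}))
            if reasons:
                findings.append({"user": rec["UserId"], "type": "inbox_rule", "reasons": reasons})
        elif op.startswith("Consent to application"):
            scopes = risky_consent_scopes(rec.get("Permissions", ""))
            if scopes:
                findings.append({"user": rec["UserId"], "type": "oauth_consent",
                                 "app": rec.get("AppDisplayName"), "reasons": scopes})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_AUDIT_LINES):
        print(finding)
```

On the sample, the CFO's dot-named rule that deletes finance-related mail and the "Mail Sync Helper" consent with Mail.ReadWrite, Mail.Send and offline_access are flagged; the vendor newsletter rule and the read-only calendar app are not. In a real deployment the keyword and folder lists should be tuned to the tenant, and an unnamed rule alone is a weak signal that is best combined with the rule's actions.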
The Axios campaign is said to have primarily singled out high-value targets like executives, financial officers, account managers, and operational staff across transportation, construction, finance, IT, and healthcare verticals.
Over 51% of the targeted organizations were assessed to have been successfully compromised between June and November 2024, affecting 43% of the targeted user accounts.
The cybersecurity firm also reported a large-scale password spraying campaign using the Node Fetch and Go Resty clients, which has recorded more than 13 million login attempts since June 9, 2024, averaging more than 66,000 malicious attempts per day. The success rate, however, remained low, affecting only 2% of targeted entities. That shape is typical of spraying: a handful of passwords tried against many accounts keeps each account below lockout thresholds while the total volume stays high.
More than 178,000 targeted user accounts across 3,000 different organizations have been identified to date, the majority of them in the education sector and particularly student accounts, which are likely to be less well protected and can be used for other campaigns or sold to other threat actors.
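The spraying pattern above (many accounts, few attempts each, a low success rate, all from scripted HTTP clients) is detectable from sign-in logs. The following is an added example, not code from Proofpoint or from the article, that keys on the default User-Agent strings these libraries send and flags both the spraying sources and the accounts where a failure was followed by a success. The log field names (`ts`, `user`, `ip`, `ua`, `success`) are a simplified assumption rather than the exact Entra ID sign-in schema, and the sample events are constructed.

```python
"""Detect password spraying and follow-on compromise in sign-in logs, keyed on
the HTTP client libraries named in the report. Field names are a simplified
assumption, not the exact Entra ID sign-in log schema."""
import json
import re
from collections import defaultdict

# Default User-Agent fragments these libraries send. OkHttp is included because
# the report names it as the earlier-generation client.
LIBRARY_UA = re.compile(r"\b(axios|node-fetch|go-resty|python-requests|okhttp)\b", re.I)

# Constructed sample sign-ins (assumption: not real tenant data). One IP tries a
# password against four accounts from axios and gets into one of them; a browser
# login from another IP is ordinary traffic.
SAMPLE_SIGNINS = [
    {"ts": "2024-06-09T01:00:00Z", "user": "alice@example.edu", "ip": "203.0.113.10",
     "ua": "axios/1.6.7", "success": False},
    {"ts": "2024-06-09T01:00:03Z", "user": "bob@example.edu", "ip": "203.0.113.10",
     "ua": "axios/1.6.7", "success": False},
    {"ts": "2024-06-09T01:00:06Z", "user": "carol@example.edu", "ip": "203.0.113.10",
     "ua": "axios/1.6.7", "success": False},
    {"ts": "2024-06-09T01:00:09Z", "user": "dave@example.edu", "ip": "203.0.113.10",
     "ua": "axios/1.6.7", "success": False},
    {"ts": "2024-06-09T01:07:30Z", "user": "dave@example.edu", "ip": "203.0.113.10",
     "ua": "axios/1.6.7", "success": True},
    {"ts": "2024-06-09T01:02:00Z", "user": "erin@example.edu", "ip": "198.51.100.7",
     "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/124.0", "success": True},
]
SAMPLE_LINES = [json.dumps(r) for r in SAMPLE_SIGNINS]


def is_library_client(user_agent: str) -> bool:
    """True when the User-Agent is one of the scripted HTTP clients, not a browser."""
    return bool(LIBRARY_UA.search(user_agent or ""))


def detect_spraying(lines, min_distinct_users: int = 3) -> dict:
    """Map source IP -> sorted distinct accounts it failed against from a library
    client. Many users per IP with few attempts each is the spraying shape; the
    threshold is a tunable assumption."""
    users_by_ip = defaultdict(set)
    for line in lines:
        rec = json.loads(line)
        if not rec["success"] and is_library_client(rec["ua"]):
            users_by_ip[rec["ip"]].add(rec["user"])
    return {ip: sorted(users) for ip, users in users_by_ip.items()
            if len(users) >= min_distinct_users}


def detect_compromise(lines) -> list:
    """Accounts with a library-client failure followed in time by a library-client
    success from the same IP: the small set behind the report's 2% success rate."""
    events = sorted((json.loads(line) for line in lines), key=lambda r: r["ts"])
    failed = set()   # (user, ip) pairs that have already seen a failure
    hits = []
    for rec in events:
        if not is_library_client(rec["ua"]):
            continue
        key = (rec["user"], rec["ip"])
        if rec["success"]:
            if key in failed and rec["user"] not in hits:
                hits.append(rec["user"])
        else:
            failed.add(key)
    return hits


if __name__ == "__main__":
    print("spraying sources:", detect_spraying(SAMPLE_LINES))
    print("likely compromised:", detect_compromise(SAMPLE_LINES))
```

The User-Agent match is the cheap first filter, not the whole detection: attackers can set any User-Agent, so the per-IP breadth and the failure-then-success sequence carry the weight. Because the report describes hijacked residential IPs, the per-IP grouping should also be run per ASN or per subnet when the spray is spread across a proxy pool.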
The tools used by attackers to launch ATO attacks have greatly evolved, according to Akselevich, with a variety of HTTP client tools now used to exploit APIs and make HTTP requests. "These tools offer distinct advantages, making attacks more efficient."
Given this trend, attackers are likely to keep switching between HTTP client tools, adapting their tactics to leverage new technologies and evade detection, reflecting a broader pattern of constant evolution to enhance their effectiveness and minimize exposure.