
Recent findings from Proofpoint reveal a significant surge in cybercriminals utilizing legitimate HTTP client tools to execute account takeover (ATO) attacks targeting Microsoft 365 environments. The attacks primarily employ tools like Axios and Node Fetch to conduct sophisticated HTTP-based operations.
Key Developments:
– 78% of Microsoft 365 tenants experienced at least one ATO attempt in late 2023
– Attack peak occurred in May 2024, utilizing millions of hijacked residential IPs
– Popular tools include Axios, Go Resty, Node Fetch, and Python Requests
The Axios Campaign:
– Targeted high-value individuals across transportation, construction, finance, IT, and healthcare sectors
– 51% of targeted organizations compromised between June and November 2024
– 43% of targeted user accounts successfully breached
– Attackers established mailbox rules and OAuth applications for persistent access
Large-Scale Password Spraying:
– 13 million login attempts recorded since June 2024
– Average of 66,000 daily malicious attempts
– Affected 178,000 user accounts across 3,000 organizations
– Education sector particularly vulnerable, with student accounts being primary targets
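As an added example (not from the Proofpoint report), the check below tags sign-ins whose User-Agent is one of the bare HTTP client libraries named above and groups failed sign-ins by source IP to surface the spraying pattern; the sign-in records are constructed and the default User-Agent prefixes are an assumption about each library's stock behaviour, not values taken from the report.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed default User-Agent prefixes of the HTTP client libraries named in the
# report (not strings quoted from it). Interactive browsers never send these.
HTTP_CLIENT_UA = re.compile(r"^(axios|node-fetch|go-resty|python-requests)/", re.I)

# Constructed sample of Microsoft 365 sign-in records (not real log data).
# Fields: timestamp, client IP, user, User-Agent, result.
SAMPLE_SIGNINS = [
    ("2024-06-03T09:00:01Z", "203.0.113.7",  "a.lee@example.edu",   "axios/1.6.7",            "failure"),
    ("2024-06-03T09:00:04Z", "203.0.113.7",  "b.kim@example.edu",   "axios/1.6.7",            "failure"),
    ("2024-06-03T09:00:09Z", "203.0.113.7",  "c.ng@example.edu",    "axios/1.6.7",            "failure"),
    ("2024-06-03T09:00:15Z", "203.0.113.7",  "d.ortiz@example.edu", "axios/1.6.7",            "success"),
    ("2024-06-03T09:01:30Z", "198.51.100.4", "e.rao@example.edu",   "python-requests/2.31.0", "failure"),
    ("2024-06-03T09:02:00Z", "192.0.2.55",   "a.lee@example.edu",   "Mozilla/5.0 (Windows NT 10.0)", "success"),
]

def parse(record):
    ts, ip, user, ua, result = record
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "ip": ip,
            "user": user, "ua": ua, "result": result}

def flag_http_client_signins(records):
    """Return sign-ins whose User-Agent is a bare HTTP client library."""
    return [r for r in map(parse, records) if HTTP_CLIENT_UA.match(r["ua"])]

def detect_password_spray(records, window=timedelta(minutes=10), min_users=3):
    """One source IP failing against >= min_users distinct accounts inside
    `window` is treated as spraying. For each such IP, also list accounts
    that later signed in successfully from it (candidate compromises)."""
    by_ip = defaultdict(list)
    for r in map(parse, records):
        by_ip[r["ip"]].append(r)
    hits = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda r: r["ts"])
        failed = [r for r in events if r["result"] == "failure"]
        for i, first in enumerate(failed):
            in_window = [r for r in failed[i:] if r["ts"] - first["ts"] <= window]
            users = {r["user"] for r in in_window}
            if len(users) >= min_users:
                succeeded = sorted(r["user"] for r in events
                                   if r["result"] == "success" and r["ts"] >= first["ts"])
                hits[ip] = {"sprayed": sorted(users), "succeeded": succeeded}
                break
    return hits
```

Accounts listed under "succeeded" for a spraying IP are the ones to review for new mailbox rules and consented OAuth applications.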
The evolution of these attacks demonstrates increasing sophistication in cybercriminal tactics, with threat actors continuously adapting their methods to enhance effectiveness and evade detection. The combination of precision targeting and Adversary-in-the-Middle (AitM) techniques has proven particularly successful in compromising cloud-based accounts.