Cybercriminals are increasingly using legitimate HTTP client tools to carry out account takeover (ATO) attacks against Microsoft 365 environments.

According to recent research, 78% of Microsoft 365 tenants encountered at least one ATO attempt involving a distinct HTTP client tool in 2024. This represents a 7% increase in such attacks compared to the previous half-year period.

Evolution of HTTP-Based Attacks

Researchers have observed a growing trend of attackers repurposing readily available HTTP client tools, originally built for web development and automation, for malicious ends. These tools are now used for brute-force attacks and adversary-in-the-middle (AiTM) techniques.

In 2018, malicious actors used an uncommon OkHttp client version (okhttp/3.2.0) in a persistent campaign that spanned nearly four years. By 2021, the attack peaked at tens of thousands of monthly incidents, although it later declined. As of early 2024, newer HTTP clients, such as python-requests and Axios, have gained prominence.


Axios HTTP Client High Success Rates

A particularly effective recent strategy involves the Axios HTTP client combined with AiTM techniques to circumvent multi-factor authentication (MFA). Axios-based attacks have a reported 43% success rate, substantially higher than conventional brute-force methods.

Key Attack Steps

  • Credential theft: Utilizes email phishing and reverse proxy tools.
  • Account takeover: Employs stolen credentials and MFA tokens.
  • Post-compromise actions: Modifies mailbox rules, exfiltrates data, and registers OAuth applications for ongoing access.

Node Fetch and Large-Scale Brute-Force Attacks

Another attack method uses the Node Fetch client to run large-scale password-spraying attacks. Since June 2024, this campaign has generated over 13 million login attempts, averaging around 66,000 per day. Despite its scale, the success rate remains low, at approximately 2%.

These attacks predominantly target student accounts in the education sector, which often have relatively weak security controls. As of mid-2024, over 3,000 organizations and 178,000 user accounts have been targeted.
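As an added example (not from the article or the research it reports), the following Python runs a simple defender's check over constructed Microsoft 365 sign-in events: it recognises the HTTP client user agents named above, measures password-spray breadth per source IP (the Node Fetch pattern), and lists successful sign-ins made through a library client (the Axios AiTM pattern, where credentials and MFA token are valid and failure counters never fire). The field names and all sample events are assumptions.

```python
import re
from collections import defaultdict

# Default User-Agent prefixes of the HTTP client libraries named in the article.
# Sign-in logs carry the client's self-reported User-Agent string.
HTTP_CLIENT_RE = re.compile(r"^(okhttp|python-requests|axios|node-fetch)/", re.IGNORECASE)

# Constructed sample sign-in events, loosely modelled on Entra ID sign-in log
# fields. The field names are assumptions, not the real log schema.
SAMPLE_EVENTS = [
    {"user": "alice@example.edu", "ua": "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)", "ip": "203.0.113.5", "ok": False},
    {"user": "bob@example.edu",   "ua": "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)", "ip": "203.0.113.5", "ok": False},
    {"user": "carol@example.edu", "ua": "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)", "ip": "203.0.113.5", "ok": False},
    {"user": "dave@example.edu",  "ua": "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)", "ip": "203.0.113.5", "ok": False},
    {"user": "erin@example.edu",  "ua": "axios/1.6.2", "ip": "198.51.100.7", "ok": True},
    {"user": "frank@example.edu", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0", "ip": "192.0.2.10", "ok": False},
    {"user": "frank@example.edu", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0", "ip": "192.0.2.10", "ok": True},
    {"user": "grace@example.edu", "ua": "python-requests/2.31.0", "ip": "203.0.113.9", "ok": False},
]


def is_http_client(user_agent):
    """True when the User-Agent belongs to one of the scripted HTTP clients above."""
    return bool(HTTP_CLIENT_RE.match(user_agent))


def spray_candidates(events, min_users=3):
    """Source IPs whose failed HTTP-client sign-ins span many distinct accounts.

    A password spray tries one or a few passwords against many users, so the
    signal is breadth (distinct users per source), not depth (attempts per user).
    Returns {ip: sorted list of targeted users} for sources at or above min_users.
    """
    users_by_ip = defaultdict(set)
    for e in events:
        if not e["ok"] and is_http_client(e["ua"]):
            users_by_ip[e["ip"]].add(e["user"])
    return {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) >= min_users}


def successful_client_logins(events):
    """Successful sign-ins made through a scripted HTTP client.

    In the AiTM case the stolen credentials and MFA token are valid, so the
    anomaly is an ordinary user account authenticating with a library
    User-Agent such as axios/. Returns (user, client, ip) tuples for review.
    """
    return [(e["user"], e["ua"].split("/", 1)[0].lower(), e["ip"])
            for e in events if e["ok"] and is_http_client(e["ua"])]


if __name__ == "__main__":
    print("spray candidates:", spray_candidates(SAMPLE_EVENTS))
    print("client successes:", successful_client_logins(SAMPLE_EVENTS))
```

Browser sign-ins (the Mozilla/ entries) and a single python-requests failure fall below the thresholds, so only the four-user node-fetch source and the axios success are surfaced.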
