Evolution of ATO Attacks: Cybercriminals Use Legitimate HTTP Clients to Target Microsoft 365

2025-02-05

As cybercriminals become more sophisticated, they are increasingly utilizing legitimate tools to bypass traditional security mechanisms and execute more effective attacks. One of the most alarming trends in the cybersecurity landscape today is the rise in account takeover (ATO) attacks targeting Microsoft 365 environments. Hackers are leveraging popular HTTP client tools like Axios and Node Fetch, which were originally designed for legitimate purposes, to send malicious HTTP requests and bypass security measures.

In this article, we dive into the growing threat posed by these tools, their role in ATO attacks, and how organizations can protect themselves against such evolving threats.

In recent years, the tactics used by cybercriminals have evolved significantly. A growing number of attacks now leverage legitimate HTTP client tools such as Axios and Node Fetch to facilitate account takeover (ATO) campaigns. Initially sourced from public repositories like GitHub, these tools are now increasingly used in attacks like Adversary-in-the-Middle (AitM) and brute-force attacks, contributing to a surge in ATO incidents targeting Microsoft 365 environments.

The use of HTTP client tools for brute-force attacks has been observed since February 2018, with client variants such as OkHttp used to target Microsoft 365 accounts. By March 2024, however, the scale of these attacks had reached new heights, and by the second half of the year 78% of Microsoft 365 tenants had faced at least one ATO attempt. The attacks peaked in May 2024, when millions of hijacked residential IPs were used to target cloud accounts.

The variety of HTTP clients used by attackers has also increased, with tools like Axios, Go Resty, Node Fetch, and Python Requests now being employed to carry out more targeted and efficient attacks. Axios, in particular, when paired with platforms like Evilginx, has been used to steal credentials and bypass multi-factor authentication (MFA) protections. These attacks have primarily targeted high-value individuals in sectors such as finance, healthcare, transportation, and IT, resulting in significant account compromises.

Between June and November 2024, over 51% of the targeted organizations experienced successful compromises, affecting 43% of the targeted user accounts. Additionally, a large-scale password spraying campaign using Node Fetch and Go Resty has resulted in millions of login attempts, primarily targeting education sector accounts, which are often less protected. These accounts are typically exploited for subsequent attacks or sold to other threat actors.

What Undercode Says:

The shift in how cybercriminals conduct ATO attacks, using legitimate tools such as Axios and Node Fetch, is concerning because it signals a new era of sophistication in hacking strategies. Traditionally, security defenses focused on detecting unusual traffic patterns or blocking known malicious tools. However, the use of legitimate, widely available tools makes these attacks harder to distinguish from normal traffic, presenting a significant challenge for defenders.
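The two preceding passages (the Node Fetch / Go Resty password-spraying campaign, and the point that library-driven traffic blends in with normal sign-ins) are both about the same defensive question: what in a sign-in log still separates this traffic from a user at a browser? The following Python is an added example, not code from the article or from the Proofpoint research it summarises. It runs over a small set of constructed sign-in events (not real data) and uses two signals: the default User-Agent prefixes these HTTP libraries send unless overridden (axios/, node-fetch, go-resty/, python-requests/, okhttp/; these are the libraries' documented defaults, not values from the article), and the spray shape of one source IP touching many distinct accounts with mostly failures. Threshold values are assumptions chosen for the sample.

```python
import re
from collections import defaultdict
from typing import NamedTuple


class SignIn(NamedTuple):
    """One sign-in event; field set mirrors what an Entra ID sign-in log exports."""
    timestamp: str
    source_ip: str
    user: str
    result: str       # "Success" or "Failure"
    user_agent: str


# Constructed sample events (RFC 5737 documentation IPs, example.* domains).
NF_UA = "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/124.0 Safari/537.36"
SAMPLE_SIGNINS = [
    # One source cycling through many accounts, one guess each: a spray pattern.
    SignIn("2024-06-01T08:00:01Z", "203.0.113.10", "alice@example.edu", "Failure", NF_UA),
    SignIn("2024-06-01T08:00:02Z", "203.0.113.10", "bob@example.edu", "Failure", NF_UA),
    SignIn("2024-06-01T08:00:03Z", "203.0.113.10", "carol@example.edu", "Failure", NF_UA),
    SignIn("2024-06-01T08:00:04Z", "203.0.113.10", "dave@example.edu", "Failure", NF_UA),
    SignIn("2024-06-01T08:00:05Z", "203.0.113.10", "erin@example.edu", "Failure", NF_UA),
    SignIn("2024-06-01T08:00:06Z", "203.0.113.10", "frank@example.edu", "Success", NF_UA),
    # A successful sign-in to a high-value mailbox from a library client, not a browser.
    SignIn("2024-06-01T09:12:44Z", "198.51.100.7", "cfo@example.com", "Success", "axios/1.6.7"),
    # Ordinary browser activity: a mistyped password followed by success.
    SignIn("2024-06-01T09:30:00Z", "192.0.2.5", "grace@example.com", "Failure", BROWSER_UA),
    SignIn("2024-06-01T09:30:20Z", "192.0.2.5", "grace@example.com", "Success", BROWSER_UA),
]

# Default User-Agent prefixes of the client libraries named in the report.
CLIENT_UA_PATTERNS = {
    "axios": re.compile(r"^axios/", re.I),
    "node-fetch": re.compile(r"^node-fetch", re.I),
    "go-resty": re.compile(r"^go-resty/", re.I),
    "python-requests": re.compile(r"^python-requests/", re.I),
    "okhttp": re.compile(r"^okhttp/", re.I),
}


def classify_user_agent(user_agent):
    """Return the library name if the UA is a known HTTP client library, else None."""
    for name, pattern in CLIENT_UA_PATTERNS.items():
        if pattern.search(user_agent):
            return name
    return None


def find_spray_sources(events, min_users=5, min_failure_ratio=0.8):
    """Flag source IPs that touched many distinct accounts with a high failure rate.

    Returns {ip: summary}; thresholds are assumptions tuned for the sample above.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "failures": 0, "clients": set()})
    for e in events:
        s = per_ip[e.source_ip]
        s["users"].add(e.user)
        s["attempts"] += 1
        if e.result == "Failure":
            s["failures"] += 1
        client = classify_user_agent(e.user_agent)
        if client:
            s["clients"].add(client)
    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio >= min_failure_ratio:
            flagged[ip] = {
                "distinct_users": len(s["users"]),
                "attempts": s["attempts"],
                "failure_ratio": round(ratio, 2),
                "clients": sorted(s["clients"]),
            }
    return flagged


def library_client_successes(events):
    """Successful sign-ins whose User-Agent is a scripting library rather than a browser or Office app."""
    return [
        (e.user, e.source_ip, classify_user_agent(e.user_agent))
        for e in events
        if e.result == "Success" and classify_user_agent(e.user_agent)
    ]


if __name__ == "__main__":
    for ip, summary in find_spray_sources(SAMPLE_SIGNINS).items():
        print(f"spray source {ip}: {summary}")
    for user, ip, client in library_client_successes(SAMPLE_SIGNINS):
        print(f"successful sign-in by {user} from {ip} using {client}")
```

Both signals are triage inputs, not block rules: legitimate automation (a script calling Microsoft Graph with python-requests) also presents a library User-Agent, and because the header is client-controlled its absence proves nothing. The spray heuristic is the more robust of the two, since it keys on the shape of the attempts rather than on what the client claims to be.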

The growing complexity of these attacks is due to their use of Adversary-in-the-Middle (AitM) techniques, which involve intercepting and manipulating communications between users and web servers. AitM attacks are especially dangerous because they can bypass many common security measures, including multi-factor authentication (MFA). Tools like Axios can seamlessly integrate with these techniques, making it easier for attackers to steal credentials and MFA codes without raising suspicion.

Furthermore, the continued evolution of attack methods reflects the adaptability of threat actors. As defenders adapt to one method of attack, cybercriminals quickly switch to new tools and techniques, staying one step ahead. This makes it critical for organizations to adopt proactive, adaptive security measures that can detect and respond to emerging threats in real time.

Another worrying aspect of these attacks is the impact on high-value targets, particularly executives and key personnel within organizations. The data stolen from these individuals can be highly valuable, often containing sensitive information that can be weaponized in various ways. In many cases, these attacks have been coupled with the creation of new mailbox rules to hide evidence of malicious activity, further complicating the detection and mitigation process.
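The mailbox rules mentioned above leave a record: Exchange Online writes each rule creation or change to the unified audit log as a New-InboxRule or Set-InboxRule operation with the cmdlet parameters attached. The following Python is an added example, not code from the article, that scores such records for the traits of an evidence-hiding rule (deleting or marking messages read, moving them to rarely viewed folders such as RSS Feeds, forwarding outside, filtering on words like "password" or "invoice", and throwaway rule names). The parameter names are the real New-InboxRule parameters; the three audit records are constructed and the record layout is a simplified approximation of the log format, as are the weights and threshold.

```python
import json

# Constructed audit records (not real data) in a simplified New-InboxRule log shape.
SAMPLE_AUDIT_RECORDS = [
    json.dumps({
        "CreationTime": "2024-06-01T09:15:02",
        "Operation": "New-InboxRule",
        "UserId": "cfo@example.com",
        "ClientIP": "198.51.100.7",
        "Parameters": [
            {"Name": "Name", "Value": "."},
            {"Name": "SubjectOrBodyContainsWords", "Value": "password;invoice;wire"},
            {"Name": "DeleteMessage", "Value": "True"},
            {"Name": "MarkAsRead", "Value": "True"},
            {"Name": "StopProcessingRules", "Value": "True"},
        ],
    }),
    json.dumps({  # benign housekeeping rule
        "CreationTime": "2024-06-01T10:02:11",
        "Operation": "New-InboxRule",
        "UserId": "grace@example.com",
        "ClientIP": "192.0.2.5",
        "Parameters": [
            {"Name": "Name", "Value": "Newsletters"},
            {"Name": "FromAddressContainsWords", "Value": "news@vendor.example"},
            {"Name": "MoveToFolder", "Value": "Newsletters"},
        ],
    }),
    json.dumps({  # quieter variant: security notices diverted to an unread-but-ignored folder
        "CreationTime": "2024-06-01T11:40:37",
        "Operation": "Set-InboxRule",
        "UserId": "hr@example.com",
        "ClientIP": "203.0.113.10",
        "Parameters": [
            {"Name": "Name", "Value": "Alerts"},
            {"Name": "SubjectContainsWords", "Value": "security;suspicious sign-in"},
            {"Name": "MoveToFolder", "Value": "RSS Feeds"},
            {"Name": "MarkAsRead", "Value": "True"},
        ],
    }),
]

RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
HIDING_ACTIONS = ("DeleteMessage", "MarkAsRead")            # tuple: deterministic reason order
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "deleted items",
                  "junk email", "conversation history"}
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
WORD_CONDITIONS = ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords")
SENSITIVE_WORDS = {"password", "invoice", "wire", "payment", "phish", "hacked",
                   "security", "suspicious", "mfa"}


def score_inbox_rule(record):
    """Return (score, reasons) for one audit record; 0 for non-rule operations."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return 0, []
    params = {p["Name"]: p["Value"] for p in record.get("Parameters", [])}
    score, reasons = 0, []
    name = params.get("Name", "")
    if not name.strip(". ") or len(name) <= 2:      # ".", "..", "a": names chosen to be overlooked
        score += 1
        reasons.append(f"throwaway rule name {name!r}")
    for action in HIDING_ACTIONS:
        if params.get(action, "").lower() == "true":
            score += 2
            reasons.append(f"{action} set")
    folder = params.get("MoveToFolder", "")
    if folder.lower() in HIDING_FOLDERS:
        score += 2
        reasons.append(f"moves mail to {folder!r}")
    for fwd in FORWARDING_PARAMS:
        if fwd in params:
            score += 2
            reasons.append(f"{fwd} -> {params[fwd]}")
    words = []
    for cond in WORD_CONDITIONS:
        words += [w.strip().lower() for w in params.get(cond, "").split(";") if w.strip()]
    hits = sorted(SENSITIVE_WORDS & set(words))
    if hits:
        score += 2
        reasons.append(f"filters on sensitive words {hits}")
    if score and params.get("StopProcessingRules", "").lower() == "true":
        score += 1
        reasons.append("StopProcessingRules set")
    return score, reasons


def triage_inbox_rules(lines, threshold=3):
    """Parse JSON audit lines and return the rules scoring at or above the threshold."""
    findings = []
    for line in lines:
        rec = json.loads(line)
        score, reasons = score_inbox_rule(rec)
        if score >= threshold:
            findings.append({"user": rec["UserId"], "client_ip": rec.get("ClientIP"),
                             "time": rec.get("CreationTime"), "score": score, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_inbox_rules(SAMPLE_AUDIT_RECORDS):
        print(f"{f['time']} {f['user']} from {f['client_ip']} score={f['score']}: {'; '.join(f['reasons'])}")
```

Correlating the ClientIP on a flagged rule with the sign-in that preceded it (the same source as a library-client or spray sign-in) is what turns a single noisy alert into an account-takeover case; reviewing the rule's creation time against the user's normal working hours is a cheap second check.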

Organizations must also be aware of the broader consequences of these attacks. With large-scale campaigns targeting user accounts, especially within the education sector, there is an increased risk of credential theft and misuse. These compromised accounts can be used as stepping stones for future attacks, often through phishing campaigns or by selling credentials to other malicious actors.

In conclusion, the rise of legitimate HTTP client tools being used for malicious purposes highlights a growing threat landscape. Organizations need to adopt a more comprehensive security strategy that includes continuous monitoring, adaptive defense mechanisms, and user education. By staying informed and proactive, organizations can better mitigate the risks posed by these evolving threats.

References:

Reported By: https://thehackernews.com/2025/02/cybercriminals-use-axios-and-node-fetch.html
https://www.linkedin.com
Wikipedia: https://www.wikipedia.org
Undercode AI: https://ai.undercodetesting.com

Image Source:

OpenAI: https://craiyon.com
Undercode AI DI v2: https://ai.undercode.help