In a stark reminder of the ever-changing landscape of cybersecurity, new research from Proofpoint exposes a worrying trend for Microsoft 365 users. It turns out, 78% of these users have been targeted by account takeover attempts. At the heart of these new-age attacks is a group of seemingly benign tools—HTTP clients like Axios—that are being weaponized in brute force campaigns, with some attacks boasting a daunting 43% success rate.
A Closer Look at the Attack Vectors
The Role of HTTP Client Tools
At their core, HTTP client tools are designed to make web requests by constructing HTTP requests, customizing headers, and processing server responses. Traditionally, these tools have been integral for legitimate data exchanges over the web. However, they have now become double-edged swords in the wrong hands. Attackers have repurposed tools such as Axios and Node Fetch to carry out sophisticated brute force attacks and password spraying campaigns against Microsoft 365 accounts.
- Axios: Known for its promise-based architecture, Axios offers capabilities that extend far beyond simple HTTP requests. Its flexibility allows attackers to intercept and transform traffic, making it a favored tool for sophisticated intrusions. When combined with Adversary-in-the-Middle (AitM) platforms like Evilginx, Axios-based attacks have been shown to bypass even robust multi-factor authentication (MFA) measures.
- Node Fetch: While Axios gets much of the spotlight, Node Fetch isn’t far behind. Used in large-scale brute force campaigns, Node Fetch has been implicated in generating enormous volumes of login attempts, averaging 66,000 daily in some sectors. Although its success rate may be lower compared to Axios, its sheer volume poses a significant threat.
- Go Resty: This client briefly emerged on the cyber-attack scene linked to Node Fetch operations. Although its use dwindled rapidly by October 2024, its brief foray underscores the evolving tactics of cybercriminals.
The Sophistication Behind the Success
What makes these attacks particularly troublesome is not just the volume but also the operational sophistication behind them. Researchers from Proofpoint observed that the Axios client was not merely an off-the-shelf tool—it was being employed as part of a broader, highly coordinated campaign featuring:
- Distributed and High-Velocity Attacks: The campaigns involve multiple sources using varied HTTP clients in a distributed manner, thereby minimizing the chance of detection by traditional security systems.
- Targeted Operations: The attackers appear to operate predominantly during standard business hours, homing in on high-value targets such as executives and financial officers. This level of targeting makes these threats more damaging as they focus on critical roles with access to sensitive organizational data.
- Bypassing Modern Security Measures: Despite the implementation of advanced security features such as MFA, Axios attacks have managed to secure unauthorized access with an average monthly success rate of 38%. This raises questions about the evolving efficacy of our current security protocols.
What Does This Mean for Windows and Microsoft 365 Users?
For Windows users who rely on Microsoft 365 for daily productivity, these findings are a wake-up call. As enterprises and individuals alike enhance their cybersecurity postures, it’s clear that conventional defenses are being challenged by attackers who continuously adapt their methods.
Key Takeaways for Mitigation:
- Enhanced Monitoring and Detection: Organizations need to increase scrutiny of login patterns. Abrupt changes in access behaviors, especially during business hours, should raise immediate alerts.
- Layered Security Approaches: No single security measure is foolproof. Pairing MFA with additional verification steps, such as behavioral analytics and context-based authentication, can help reduce the risk of account takeovers.
- User Awareness and Training: Given that attackers first enumerate valid user accounts and then proceed with targeted phishing and password spraying, educating staff on recognizing suspicious activity is critical.
- Regular Security Audits: Frequent reviews and updates of security protocols—including examining the tools and methods used by adversaries—are vital in keeping defenses robust and relevant.
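To make the monitoring point concrete, and to show how the distributed, high-velocity pattern described under "The Sophistication Behind the Success" looks in data, here is an added example that is not code from the article, Proofpoint or SecurityBrief. It runs over a constructed, simplified JSON-lines sign-in log (the field names are an assumption, not the real Entra ID schema) and flags one source failing against many accounts, one account hit from many sources, and successful sign-ins whose User-Agent names a scripting HTTP client such as Axios or Node Fetch.

```python
"""Flag password-spray patterns in a simplified Microsoft 365 sign-in log.

Added example, not from the article. Fields ("ts", "user", "ip", "ua", "ok")
are assumed; map them onto your real sign-in export before use.
"""
import json
from collections import defaultdict

# HTTP client tools named in the reporting; matched case-insensitively
# as substrings of the User-Agent string.
SUSPECT_CLIENTS = ("axios", "node-fetch", "go-resty")

# Constructed sample events (not real data). 203.0.113.10 sprays three
# accounts and finally gets into the CFO mailbox with Axios; 198.51.100.7
# joins in with Node Fetch; 192.0.2.5 is a normal browser sign-in.
SAMPLE_LOG = """
{"ts": "2025-02-03T09:01:00Z", "user": "alice@example.com", "ip": "203.0.113.10", "ua": "axios/1.6.2", "ok": false}
{"ts": "2025-02-03T09:01:02Z", "user": "bob@example.com", "ip": "203.0.113.10", "ua": "axios/1.6.2", "ok": false}
{"ts": "2025-02-03T09:01:04Z", "user": "cfo@example.com", "ip": "203.0.113.10", "ua": "axios/1.6.2", "ok": false}
{"ts": "2025-02-03T09:01:06Z", "user": "cfo@example.com", "ip": "203.0.113.10", "ua": "axios/1.6.2", "ok": true}
{"ts": "2025-02-03T09:02:00Z", "user": "cfo@example.com", "ip": "198.51.100.7", "ua": "node-fetch/2.6.1", "ok": false}
{"ts": "2025-02-03T09:02:01Z", "user": "dave@example.com", "ip": "198.51.100.7", "ua": "node-fetch/2.6.1", "ok": false}
{"ts": "2025-02-03T09:05:00Z", "user": "alice@example.com", "ip": "192.0.2.5", "ua": "Mozilla/5.0 (Windows NT 10.0)", "ok": true}
"""


def parse_events(text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_spray_sources(events, min_users=3):
    """Return {ip: sorted users} for sources with failures against >= min_users accounts."""
    failed = defaultdict(set)
    for e in events:
        if not e["ok"]:
            failed[e["ip"]].add(e["user"])
    return {ip: sorted(users) for ip, users in failed.items() if len(users) >= min_users}


def find_distributed_targets(events, min_ips=2):
    """Return {user: sorted ips} for accounts failed against from >= min_ips sources."""
    failed = defaultdict(set)
    for e in events:
        if not e["ok"]:
            failed[e["user"]].add(e["ip"])
    return {user: sorted(ips) for user, ips in failed.items() if len(ips) >= min_ips}


def find_scripted_successes(events):
    """Successful sign-ins from a scripting HTTP client: review as likely takeovers."""
    return [e for e in events
            if e["ok"] and any(c in e["ua"].lower() for c in SUSPECT_CLIENTS)]
```

Thresholds are deliberately low for the sample; on a real tenant tune them against the baseline of failed sign-ins per source and per account, and correlate the scripted-success hits with the business-hours timing the article describes.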
Broader Implications in Today’s Digital Economy
This evolving threat is a microcosm of a larger trend in cybersecurity. The tools and techniques that cybercriminals employ are getting more sophisticated, often turning everyday software components into potent instruments of intrusion. In an ecosystem where cloud security and endpoint protection are constantly in flux, the lines between conventional and unconventional threats blur.
Windows users and IT administrators must therefore think like both defenders and attackers. Understanding not only the technical intricacies of HTTP clients but also the strategic purpose behind these attacks can empower organizations to build more resilient defenses.
Final Thoughts
The Proofpoint study shines a spotlight on the emerging dangers that lurk even in the tools originally designed to enhance our digital experiences. As cyber adversaries refine their tactics to exploit every possible vulnerability—from Node Fetch to Axios—staying ahead of the curve becomes a relentless game of cat and mouse.
For Microsoft 365 users, the lesson is clear: Continuous vigilance, a proactive approach to security updates, and a willingness to adapt are the best defenses in a world where innovation in attack methods is the norm rather than the exception.
We invite you to share your thoughts and experiences on similar threats—how are you safeguarding your digital space against such evolving cyber risks?
Source: SecurityBrief Australia https://securitybrief.com.au/story/microsoft-365-users-face-rising-threat-from-axios-attacks/