Attackers Exploit Axios for Automated Phishing Attacks

ReliaQuest observed a 241% surge in activity using the Axios user agent between June and August 2025, with campaigns pairing Axios and Microsoft Direct Send achieving up to a 70% credential-theft success rate and broadening from high-profile targets to everyday users. The report highlights abuse of Axios for automating phishing, MFA/session token interception, and API exploitation—often delivered via QR-coded phishing and short-lived domains like .es and Firebase links—calling for tightened Direct Send controls and enhanced detection. #Axios #DirectSend

Keypoints

  • Axios user-agent activity surged 241% from June to August 2025, representing 24.44% of flagged user-agent activity and making it ten times more common than any other flagged user agent.
  • Campaigns combining Axios with Microsoft Direct Send achieved a 70% success rate in recent incidents and a 58% overall success rate over three months versus 9.3% for non-Axios campaigns.
  • Attackers used Axios to automate phishing workflows that capture session tokens, MFA codes, and exploit SAS tokens (Azure), enabling account takeovers and API access.
  • Phishing delivery frequently used QR codes embedded in PDFs and short-lived .es domains or Firebase-hosted links to bypass email defenses and reputation filters.
  • Direct Send is trusted by many email security tools, allowing attacker-sent messages to bypass reputation-based filtering when paired with Axios automation.
  • ReliaQuest recommends disabling or securing Direct Send, enforcing anti-spoofing (SPF/DKIM/DMARC), blocking uncommon TLDs, user training, and deploying updated detection/playbooks.
  • Recommended incident playbooks include blocking malicious CIDR ranges (e.g., 185.168.208.0/24), resetting passwords, and disabling compromised accounts to contain Axios/Direct Send abuse.

MITRE Techniques

  • [T1078] Valid Accounts – Attackers stole credentials and used them for account takeover, described as “70% of incidents leveraging Axios and Direct Send resulted in credentials being stolen successfully.”
  • [T1110] Brute Force – Automated credential harvesting and subsequent automated cracking/brute forcing are implied by “automation-driven brute forcing and credential harvesting” used after compromises.
  • [T1113] Screen Capture – QR-code-driven phishing and PDF attachments were used to capture user interaction and credentials, referenced as “malicious QR codes embedded into PDF attachments” leading victims to phishing portals.
  • [T1556] Modify Authentication Process – Axios was used to intercept and replay authentication tokens and MFA codes: “…Axios let attackers exploit the data they captured… used Axios to capture session tokens or MFA codes through sophisticated phishing workflows.”
  • [T1476] Download from Cloud Storage Object – Attackers used Firebase-hosted apps and short-lived hosted links to host phishing content, noted as “Firebase-hosted apps that ride on Google’s trusted reputation to bypass defenses.”
  • [T1190] Exploit Public-Facing Application – Axios automated API interactions and exploited SAS token workflows in Azure: “Axios requests leveraged the Shared Access Signature (SAS:BeginAuth) mechanism to manipulate or hijack tokens…”
  • [T1071] Application Layer Protocol – Abuse of Direct Send to deliver phishing emails via trusted Microsoft delivery channels is described: “Direct Send is a Microsoft feature… phishing emails sent via Direct Send can bypass these defenses.”

Indicators of Compromise

  • [IP Address] Direct Send/attacker infrastructure – 185.168.208[.]63, 185.168.208[.]61 (and other addresses in 185.168.208[.]0/24 observed)
  • [IP Address] Additional infrastructure – 178.130.47[.]216 (context: observed in campaign infrastructure)
  • [Domain] Phishing redirect/landing domains – ywnlzl.dwqewi[.]es, ooox.hrcbods[.]es (used as short deceptive .es domains redirecting to fake Outlook login portals)
  • [Domain] Additional disposable phishing domains – cpewyx[.]es, ogyhr[.]es (and bsfff[.]es observed)
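The detection and containment recommendations above (flag the Axios user agent, block the 185.168.208.0/24 range, watch for short-lived .es domains and Firebase-hosted links) can be turned into a simple log triage rule. The following is an added example written for this summary, not code from ReliaQuest or from the report; the log line format, the sample entries, and the Firebase hosting suffixes (`.web.app`, `.firebaseapp.com`) are assumptions, while the IPs, CIDR and domains come from the indicators listed on this page with the defanging brackets removed.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample log lines in an assumed gateway/proxy format:
#   ts=<time> src=<ip> ua="<user-agent>" sender=<address> url=<link>
# None of these lines are taken from the report.
SAMPLE_LOGS = [
    'ts=2025-08-01T10:00:00Z src=185.168.208.63 ua="axios/1.6.0" sender=it@corp.example url=https://ywnlzl.dwqewi.es/login',
    'ts=2025-08-01T10:01:00Z src=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0)" sender=alice@corp.example url=https://intranet.corp.example/doc',
    'ts=2025-08-01T10:02:00Z src=178.130.47.216 ua="axios/0.27.2" sender=hr@corp.example url=https://example-app.web.app/verify',
    'ts=2025-08-01T10:03:00Z src=198.51.100.7 ua="curl/8.4.0" sender=bob@corp.example url=https://ogyhr.es/',
    'ts=2025-08-01T10:04:00Z src=192.0.2.44 ua="Mozilla/5.0 (X11; Linux)" sender=carol@corp.example url=https://qzxv-mail.es/',
]

# Indicators from this page (defanged "[.]" replaced with "." for matching).
BLOCKED_CIDRS = [ipaddress.ip_network("185.168.208.0/24")]
BLOCKED_IPS = {"178.130.47.216"}
BLOCKED_DOMAINS = {
    "ywnlzl.dwqewi.es", "ooox.hrcbods.es", "cpewyx.es", "ogyhr.es", "bsfff.es",
}
# The report singles out short-lived .es domains; an organisation would extend
# this with whatever TLDs are unusual for its own traffic.
UNCOMMON_TLDS = {"es"}
# Assumed Firebase Hosting suffixes (not listed on the page).
FIREBASE_SUFFIXES = (".web.app", ".firebaseapp.com")

LINE_RE = re.compile(
    r'src=(?P<src>\S+) ua="(?P<ua>[^"]*)" sender=(?P<sender>\S+) url=(?P<url>\S+)'
)


def parse_line(line):
    """Extract the fields we triage on; return None for lines in another format."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return the list of reasons this entry should be flagged (empty if clean)."""
    reasons = []
    if "axios" in entry["ua"].lower():
        reasons.append("axios-user-agent")
    try:
        src = ipaddress.ip_address(entry["src"])
        if any(src in net for net in BLOCKED_CIDRS):
            reasons.append("blocked-cidr")
    except ValueError:
        pass  # unparsable source address: still evaluate the other indicators
    if entry["src"] in BLOCKED_IPS:
        reasons.append("blocked-ip")
    host = (urlparse(entry["url"]).hostname or "").lower()
    if host in BLOCKED_DOMAINS:
        reasons.append("known-phishing-domain")
    elif host.rsplit(".", 1)[-1] in UNCOMMON_TLDS:
        reasons.append("uncommon-tld")
    if host.endswith(FIREBASE_SUFFIXES):
        reasons.append("firebase-hosted-link")
    return reasons


def scan(lines):
    """Return [(src, reasons)] for every parsable line that triggered a rule."""
    flagged = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            flagged.append((entry["src"], reasons))
    return flagged


def axios_share(lines):
    """Fraction of flagged entries carrying the Axios user agent, the same kind
    of ratio the report uses when it says Axios made up 24.44% of flagged
    user-agent activity."""
    flagged = scan(lines)
    if not flagged:
        return 0.0
    hits = sum(1 for _, reasons in flagged if "axios-user-agent" in reasons)
    return hits / len(flagged)


if __name__ == "__main__":
    for src, reasons in scan(SAMPLE_LOGS):
        print(f"{src:16} {', '.join(reasons)}")
    print(f"Axios share of flagged entries: {axios_share(SAMPLE_LOGS):.0%}")
```

Each flagged line carries every reason that matched, so an analyst can see at a glance whether a hit is a bare user-agent match (worth a closer look, since legitimate automation also uses Axios) or a user-agent match combined with known infrastructure or a known landing domain (worth the password reset and account disable the playbook calls for).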

Read more: https://reliaquest.com/blog/threat-spotlight-attackers-exploit-axios-for-automated-phishing/