Summary: Cybercriminals are increasingly utilizing legitimate HTTP clients like Axios and Node Fetch to execute account takeover (ATO) attacks on Microsoft 365 environments, demonstrating a worrying trend in the evolving tactics of threat actors. Proofpoint reports significant increases in such attacks, with a wide range of HTTP clients targeting organizations, especially in finance, IT, and education sectors. These sophisticated methods allow for efficient exploitation of vulnerabilities, indicating a shift toward more advanced techniques in the ATO landscape.
Affected: Microsoft 365 environments, various organizations across transportation, construction, finance, IT, healthcare, and education sectors
Keypoints:
- Cybercriminals are leveraging legitimate HTTP client tools, such as Axios and Node Fetch, to conduct ATO attacks.
- In the first half of 2024, 78% of Microsoft 365 tenants faced at least one ATO attempt, with attacks peaking in May 2024.
- Over 51% of targeted organizations reported successful impacts, primarily among high-value personnel and education sector accounts.
- A password spraying campaign recorded over 13 million login attempts since June 2024, with a success rate of only 2%.
- Threat actors are adapting their techniques continuously, suggesting an ongoing evolution in strategies to enhance attack effectiveness.
Source: https://thehackernews.com/2025/02/cybercriminals-use-axios-and-node-fetch.html
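
A triage sketch for the activity summarized above, added here as an illustration and not taken from the article or from Proofpoint: it groups sign-in records whose User-Agent starts with the default Axios or Node Fetch string by client and source IP, and marks groups that touch many accounts. The record field names, the sample data and the `spray_accounts` threshold are assumptions.

```python
import re
from collections import defaultdict

# Default User-Agent prefixes of the two HTTP clients named in the summary.
# The header is client-controlled, so a match is a triage signal, not proof.
CLIENT_UA = re.compile(r"^(axios|node-fetch)\b", re.IGNORECASE)

# Constructed sample sign-in records; field names are assumptions,
# not the schema of any real Microsoft 365 log export.
SAMPLE_SIGNINS = [
    {"user": "alice@example.com", "ip": "198.51.100.7", "ua": "axios/1.7.2", "ok": False},
    {"user": "bob@example.com", "ip": "198.51.100.7", "ua": "axios/1.7.2", "ok": False},
    {"user": "carol@example.com", "ip": "198.51.100.7", "ua": "axios/1.7.2", "ok": True},
    {"user": "dave@example.com", "ip": "198.51.100.7", "ua": "axios/1.7.2", "ok": False},
    {"user": "alice@example.com", "ip": "203.0.113.9",
     "ua": "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)", "ok": False},
    {"user": "erin@example.com", "ip": "192.0.2.10",
     "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "ok": True},
]

def summarize(signins, spray_accounts=3):
    """Group HTTP-client sign-ins by (client, source IP) and flag wide targeting."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "hit": set()})
    for rec in signins:
        match = CLIENT_UA.match(rec["ua"])
        if not match:
            continue  # ordinary browser or other client: out of scope here
        group = stats[(match.group(1).lower(), rec["ip"])]
        group["attempts"] += 1
        group["users"].add(rec["user"])
        if rec["ok"]:
            group["hit"].add(rec["user"])
    report = []
    for (client, ip), group in sorted(stats.items()):
        report.append({
            "client": client,
            "ip": ip,
            "attempts": group["attempts"],
            "accounts": len(group["users"]),
            # One source trying many distinct accounts is the spraying pattern.
            "spray": len(group["users"]) >= spray_accounts,
            # Successful logins from these clients are the accounts to review first.
            "compromised": sorted(group["hit"]),
        })
    return report

if __name__ == "__main__":
    for row in summarize(SAMPLE_SIGNINS):
        print(row)
```

Accounts listed under `compromised` are the ones to prioritize for session revocation and credential reset.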