
Ethical Hacking News

Axios Abuses: The Rise of Highly Efficient Phishing Campaigns Leveraging Microsoft Direct Send


A new phishing campaign has emerged, leveraging Axios abuse and Microsoft Direct Send to conduct highly efficient account takeover attacks on Microsoft 365 environments, with a reported success rate of 70%.

  • Axios, a popular HTTP client tool, has seen a 241% surge in use since June 2025, dwarfing other flagged user agents.
  • The abuse of Axios is attributed to its efficiency in conducting account takeover (ATO) attacks on Microsoft 365 environments.
  • Axios is being used with Direct Send to spoof trusted users and distribute email messages, achieving a 70% success rate in recent campaigns.
  • The attack chain involves intercepting, modifying, and replaying HTTP requests to capture session tokens or MFA codes, bypassing security measures.
  • Organizations are advised to secure Direct Send, configure anti-spoofing policies, train employees to recognize phishing emails, and block suspicious domains to mitigate the risk.



Axios, a popular HTTP client tool, has been found to be abused by threat actors in recent phishing campaigns. According to new findings from ReliaQuest, the use of Axios has surged 241% since June 2025, dwarfing the 85% growth of all other flagged user agents combined. This surge in activity is attributed to the high efficiency of Axios in conducting account takeover (ATO) attacks on Microsoft 365 environments.

The abuse of Axios was previously flagged by Proofpoint in January 2025, detailing campaigns utilizing HTTP clients to send HTTP requests and receive HTTP responses from web servers to conduct ATO attacks on Microsoft 365 environments. However, the recent findings suggest that the threat actors are now using a legitimate feature in Microsoft 365 called Direct Send to spoof trusted users and distribute email messages.

By amplifying Axios abuse through Microsoft Direct Send, the attackers aim to weaponize a trusted delivery method so that their messages slip past secure email gateways and land in users' inboxes. Indeed, attacks that paired Axios with Direct Send have been found to achieve a 70% success rate in recent campaigns, surging past non-Axios campaigns with "unparalleled efficiency."

The campaign observed by ReliaQuest is said to have commenced in July 2025, initially singling out executives and managers in the finance, health care, and manufacturing sectors, before expanding its focus to target all users. The attack chain involves the use of Axios to intercept, modify, and replay HTTP requests, thereby making it possible to capture session tokens or multi-factor authentication (MFA) codes in real time, or to exploit SAS tokens in Azure authentication workflows to gain access to sensitive resources.

"Attackers use this blind spot to bypass MFA, hijack session tokens, and automate phishing workflows," ReliaQuest said. "The customizability offered by Axios lets attackers tailor their activity to further mimic legitimate workflows."

The email messages use compensation-themed lures to trick recipients into opening PDF documents containing malicious QR codes, which, when scanned, direct users to fake login pages mimicking Microsoft Outlook to facilitate credential theft. As an extra layer of defense evasion, some of these pages are hosted on Google Firebase infrastructure to capitalize on the reputation of the app development platform.

Besides lowering the technical barrier for sophisticated attacks, Axios's prevalence in enterprise and developer setups also means that it offers attackers a way to blend in with regular traffic and fly under the radar. To mitigate the risk posed by this threat, organizations are advised to secure Direct Send and disable it if not required, configure appropriate anti-spoofing policies on email gateways, train employees to recognize phishing emails, and block suspicious domains.
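As an added example (not code from ReliaQuest or this article), the following detection logic shows how a defender could surface the scripted Axios user agent the report highlights in exported Microsoft 365 sign-in records, separating successful sign-ins (ATO candidates) from failures. The record shape and field names are assumptions, and the log lines are constructed.

```python
import json
import re
from collections import Counter

# Constructed sample records, loosely shaped like Entra ID sign-in log entries
# (field names are assumptions; real exports carry many more attributes).
SAMPLE_SIGNIN_LOG = """\
{"createdDateTime": "2025-08-01T08:02:11Z", "userPrincipalName": "cfo@example.test", "ipAddress": "203.0.113.10", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/128.0", "status": {"errorCode": 0}}
{"createdDateTime": "2025-08-01T08:05:43Z", "userPrincipalName": "cfo@example.test", "ipAddress": "198.51.100.7", "userAgent": "axios/1.7.2", "status": {"errorCode": 0}}
{"createdDateTime": "2025-08-01T08:06:01Z", "userPrincipalName": "ap-clerk@example.test", "ipAddress": "198.51.100.7", "userAgent": "axios/1.7.2", "status": {"errorCode": 50126}}
{"createdDateTime": "2025-08-01T09:12:30Z", "userPrincipalName": "svc-sync@example.test", "ipAddress": "192.0.2.44", "userAgent": "python-requests/2.32.3", "status": {"errorCode": 0}}
"""

# User-agent families that identify scripted HTTP clients rather than browsers.
SCRIPTED_CLIENT_UA = re.compile(r"^(axios|python-requests|node-fetch|got|curl|okhttp)/", re.IGNORECASE)


def parse_signins(text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def client_family(user_agent):
    """Return the scripted-client family name (e.g. 'axios'), or None for browser agents."""
    m = SCRIPTED_CLIENT_UA.match(user_agent or "")
    return m.group(1).lower() if m else None


def flag_scripted_signins(records, families=("axios",)):
    """Return sign-ins whose user agent belongs to a watched scripted-client family.
    Successful ones (errorCode 0) are the ATO candidates; failures still help to
    spot password spraying or stuffing from the same source IP."""
    hits = []
    for r in records:
        fam = client_family(r.get("userAgent"))
        if fam in families:
            hits.append({
                "time": r["createdDateTime"],
                "user": r["userPrincipalName"],
                "ip": r["ipAddress"],
                "family": fam,
                "success": r.get("status", {}).get("errorCode", -1) == 0,
            })
    return hits


def family_counts(records):
    """Per-family sign-in counts; compare two time windows to spot a surge like the one reported."""
    return Counter(f for f in (client_family(r.get("userAgent")) for r in records) if f)


if __name__ == "__main__":
    recs = parse_signins(SAMPLE_SIGNIN_LOG)
    for hit in flag_scripted_signins(recs):
        print(hit)
    print(family_counts(recs))
```

Service accounts that legitimately use scripted clients (like the python-requests entry above) should be allow-listed by user and source IP rather than by user agent alone, since the agent string is attacker-controlled.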

"Axios amplifies the impact of phishing campaigns by bridging the gap between initial access and full-scale exploitation. Its ability to manipulate authentication workflows and replay HTTP requests allows attackers to weaponize stolen credentials in ways that are both scalable and precise," ReliaQuest said.

This development comes as Mimecast detailed a large-scale credential harvesting campaign targeting hospitality industry professionals by impersonating the trusted hotel management platforms Expedia Partner Central and Cloudbeds in emails that claim to be guest booking confirmations and partner central notifications. This credential harvesting operation leverages the routine nature of hotel booking communications, employing urgent, business-critical subject lines designed to prompt immediate action from hotel managers and staff.

The findings also follow the discovery of an ongoing campaign that has employed a nascent phishing-as-a-service (PhaaS) offering called Salty 2FA to steal Microsoft login credentials and sidestep MFA by simulating six different methods: SMS authentication, authenticator apps, phone calls, push notifications, backup codes, and hardware tokens.

The attack chain is notable for leveraging services like Aha[.]io to stage initial landing pages that masquerade as OneDrive sharing notifications to deceive email recipients and trick them into clicking on fake links that redirect to credential harvesting pages, but not before completing a Cloudflare Turnstile verification check to filter out automated security tools and sandboxes.

These findings illustrate how phishing attacks have matured into enterprise-grade operations, utilizing advanced evasion tactics and convincing MFA simulations, while exploiting trusted platforms and mimicking corporate portals to make it harder to distinguish between real and fraudulent activity.

"The phishing kit implements dynamic branding functionality to enhance social engineering effectiveness," Ontinue said. "Technical analysis reveals the malicious infrastructure maintains a corporate theme database that automatically customizes fraudulent login interfaces based on victim email domains."

"Salty2FA demonstrates how cybercriminals now approach infrastructure with the same methodical planning that enterprises use for their own systems. What makes this particularly concerning is how these techniques blur the line between legitimate and malicious traffic," Ontinue added.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Axios-Abuses-The-Rise-of-Highly-Efficient-Phishing-Campaigns-Leveraging-Microsoft-Direct-Send-ehn.shtml

  • https://thehackernews.com/2025/09/axios-abuse-and-salty-2fa-kits-fuel.html


  • Published: Tue Sep 9 10:03:59 2025 by llama3.2 3B Q4_K_M
© Ethical Hacking News. All rights reserved.