ChannelLife New Zealand - Industry insider news for technology resellers

Cyber threats to Microsoft 365 via HTTP client tools surge

Yesterday

Proofpoint, a cybersecurity vendor, has released new findings indicating that 78% of Microsoft 365 tenants were targeted by account takeover attempts using distinct HTTP client tools.

HTTP client tools, which facilitate interactions with web servers, are being increasingly repurposed by attackers to execute Adversary-in-the-Middle (AitM) and brute force techniques, resulting in substantial account takeover incidents. Notably, a recent campaign using the Axios HTTP client achieved a high success rate, compromising 43% of targeted user accounts.

Earlier Proofpoint research had already highlighted threat actors using legitimate HTTP client tools, including ones emulating XMLHttpRequest and Node.js HTTP requests, in attacks on Microsoft 365 environments. Taken from public repositories such as GitHub, these tools have since been adapted to malicious ends.

Historical data shows that in 2018 a significant campaign used an uncommon version of the OkHttp client to attack Microsoft 365 environments, focusing on high-value targets. It often relied on credentials stolen in earlier breaches, such as the 2016 LinkedIn leak. A tactical shift followed in late 2021, when the methodology moved to high-volume login attempts aimed predominantly at non-existent accounts.

By early 2024 a broader range of HTTP clients was in use, including newer additions such as 'python-request', and account takeover attempts involving these tools rose by a notable 7% compared with the previous period. Proofpoint also found that, although most brute force attacks have low success rates, specific campaigns using the Axios client successfully bypassed multifactor authentication (MFA).

The Axios client, a promise-based HTTP client for Node.js and browsers, supports sophisticated operations that attackers use for credential theft and MFA token interception. This makes it particularly effective when used alongside AitM platforms such as Evilginx.

Proofpoint's findings show that the Axios-based campaign targeted roles with access to sensitive resources across industries including transportation, healthcare, and finance. The attacks used tactics like creating new mailbox rules to facilitate data exfiltration and exploiting OAuth applications for unauthorised persistent access, impacting over 51% of organisations and 43% of user accounts from June to November 2024.

Additionally, analysis identified a parallel campaign involving node-fetch, noted for how simply it can be automated for large-scale operations. Unlike Axios, node-fetch does not support interception, but it is efficient at orchestrating brute force attacks. Since June 2024 this campaign has logged significant volumes of login attempts, though with a lower success rate, affecting only 2% of targeted organisations.

Node-fetch attacks predominantly hit the education sector, where less-protected accounts offer fertile ground for spam campaigns or resale to other cybercriminals. Researchers tracked over 178,000 user accounts targeted across more than 3,000 organisations.

In August 2024, a shift was observed as the Go Resty client appeared in a new wave of attacks, sharing infrastructure with the node-fetch campaigns. While Go Resty showed potential advantages, like higher success rates, these attacks ceased by October 2024 while node-fetch-based operations continued.
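For defenders, the common thread across the Axios, node-fetch, Go Resty and python-requests campaigns described above is that each library announces itself in the User-Agent header of the sign-in request unless the operator overrides it. The following is an added example, not code from the article or from Proofpoint, that runs two checks over constructed sign-in events in a simplified JSON-lines shape: it flags any authentication whose User-Agent is a scripting HTTP client (a success from such a client is the highest-priority finding, consistent with session or token replay after an AitM phish), and it surfaces the node-fetch style pattern of one source IP failing against many distinct users. The User-Agent prefixes are representative defaults and should be treated as assumptions to be tuned against a real tenant's logs; the post-compromise signals the article mentions (new mailbox rules, OAuth application consents) live in the audit log and are not covered here.

```python
"""Flag Microsoft 365-style sign-in events from scripting HTTP clients and
surface high-volume, low-success spraying from a single source IP.
Added example using constructed data; not Proofpoint's or Microsoft's code."""
import json
import re
from collections import defaultdict

# Representative default User-Agent prefixes of the libraries named in the
# article (assumed patterns, not strings taken from the article).
CLIENT_UA_PATTERNS = {
    "axios": re.compile(r"^axios/\d"),
    "node-fetch": re.compile(r"^node-fetch"),
    "go-resty": re.compile(r"^go-resty/\d"),
    "python-requests": re.compile(r"^python-requests/\d"),
    "okhttp": re.compile(r"^okhttp/\d"),
}

# Constructed sign-in events (not real tenant data): one browser sign-in, a
# six-user spray from 198.51.100.7 mixing node-fetch and Go Resty, one Axios
# success and one python-requests failure.
SAMPLE_LOG = """\
{"ts": "2024-09-01T08:00:01Z", "user": "alice@example.test", "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36", "result": "success"}
{"ts": "2024-09-01T08:00:05Z", "user": "u1@example.test", "ip": "198.51.100.7", "ua": "node-fetch", "result": "failure"}
{"ts": "2024-09-01T08:00:06Z", "user": "u2@example.test", "ip": "198.51.100.7", "ua": "node-fetch", "result": "failure"}
{"ts": "2024-09-01T08:00:07Z", "user": "u3@example.test", "ip": "198.51.100.7", "ua": "node-fetch", "result": "failure"}
{"ts": "2024-09-01T08:00:08Z", "user": "u4@example.test", "ip": "198.51.100.7", "ua": "node-fetch", "result": "failure"}
{"ts": "2024-09-01T08:00:09Z", "user": "u5@example.test", "ip": "198.51.100.7", "ua": "go-resty/2.14.0 (https://github.com/go-resty/resty)", "result": "failure"}
{"ts": "2024-09-01T08:00:10Z", "user": "u6@example.test", "ip": "198.51.100.7", "ua": "node-fetch", "result": "failure"}
{"ts": "2024-09-01T08:01:00Z", "user": "carol@example.test", "ip": "192.0.2.44", "ua": "axios/1.7.2", "result": "success"}
{"ts": "2024-09-01T08:02:00Z", "user": "dave@example.test", "ip": "192.0.2.9", "ua": "python-requests/2.32.3", "result": "failure"}
"""


def classify_user_agent(ua: str):
    """Return the library name if the User-Agent looks like a scripting HTTP
    client, otherwise None (browsers and mail clients fall through)."""
    for name, pattern in CLIENT_UA_PATTERNS.items():
        if pattern.search(ua):
            return name
    return None


def parse_events(text: str):
    """Parse JSON-lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def analyze(events, spray_users: int = 5):
    """Return all scripted-client sign-ins, the subset that succeeded, and the
    source IPs that tried at least `spray_users` distinct accounts."""
    scripted = []
    by_ip = defaultdict(lambda: {"users": set(), "failures": 0, "clients": set()})
    for ev in events:
        client = classify_user_agent(ev["ua"])
        if client is None:
            continue
        scripted.append({**ev, "client": client})
        bucket = by_ip[ev["ip"]]
        bucket["users"].add(ev["user"])
        bucket["clients"].add(client)
        if ev["result"] != "success":
            bucket["failures"] += 1
    spray_sources = {
        ip: {"users": len(b["users"]), "failures": b["failures"],
             "clients": sorted(b["clients"])}
        for ip, b in by_ip.items()
        if len(b["users"]) >= spray_users
    }
    return {
        "scripted_sign_ins": scripted,
        "scripted_successes": [e for e in scripted if e["result"] == "success"],
        "spray_sources": spray_sources,
    }


if __name__ == "__main__":
    report = analyze(parse_events(SAMPLE_LOG))
    for ev in report["scripted_successes"]:
        print(f"HIGH  {ev['ts']} {ev['user']} from {ev['ip']} via {ev['client']}")
    for ip, info in report["spray_sources"].items():
        print(f"SPRAY {ip}: {info['users']} users, {info['failures']} failures, "
              f"clients={','.join(info['clients'])}")
    print(f"{len(report['scripted_sign_ins'])} scripted-client sign-ins total")
```

The spray check deliberately groups by source IP rather than by client name, because the article notes that the Go Resty wave shared infrastructure with node-fetch; a rule keyed on a single User-Agent would split that activity into two weaker signals. Reviewing the scripted successes first is the practical priority: a non-browser client that completed authentication is where mailbox-rule and OAuth-consent follow-up is most likely.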

Proofpoint cautions that the dynamic evolution of HTTP client tools in account takeover attacks is likely to persist, as threat actors continue to refine and alternate their tools and methods to improve efficiency and evade detection.
