Cybercriminals are using ordinary HTTP client libraries to run large-scale account takeover (ATO) attacks against Microsoft 365. The libraries themselves are neither vulnerable nor malicious; they are general-purpose open-source tools for sending HTTP requests from scripts, and attackers use them to automate credential testing and session replay at a scale that manual phishing cannot reach, posing a significant threat to organizations worldwide.
Key Takeaways
Cybercriminals are using HTTP client tools like Axios and Node Fetch for account takeover attacks.
Campaigns that combined Axios with Adversary-in-the-Middle (AiTM) phishing kits compromised roughly 38% of the user accounts they targeted, including accounts protected by multifactor authentication (MFA).
Node Fetch is mostly seen in password-spraying (brute-force) campaigns; more than 13 million login attempts using it were recorded in the second half of 2024.
Organizations are urged to enhance their security measures to combat these evolving threats.
The Rise of HTTP Client Exploitation
Recent reports describe a surge in attacks that rely on HTTP client libraries, in particular Axios and Node Fetch. Because these libraries are scriptable, attackers can automate and pace large volumes of requests against Microsoft 365 sign-in endpoints, whether to test credentials or to reuse stolen sessions.
Axios: A Tool for Account Takeover
Axios, a widely used promise-based HTTP client for Node.js and browsers, has been identified as the tooling behind many of the MFA-bypassing takeovers. Attackers pair it with reverse-proxy phishing kits such as Evilginx: the proxy sits between the victim and the real Microsoft login page, captures the credentials and the authenticated session cookie as the victim completes MFA, and the stolen session is then used by Axios-based scripts to access the account without a fresh MFA prompt.
Success Rate: On average, about 38% of the accounts targeted by these campaigns were compromised.
Attack Methodology: The attacks begin with phishing emails that lead victims to the AiTM proxy, which captures credentials and the post-MFA session token. Once inside the mailbox, attackers typically create inbox rules (for example, to delete or hide security alerts and replies), exfiltrate sensitive data, and register malicious OAuth applications so that their access no longer depends on the stolen password or session.
Node Fetch: The Brute Force Approach
Cybercriminals are also using Node Fetch, a Node.js implementation of the browser fetch() API, for credential brute forcing. Its simplicity and easy scripting make it convenient for password spraying: trying one or a few common passwords against many accounts, which keeps the failure count per account low and stays under lockout thresholds.
Attack Volume: Between June and December 2024, over 13 million login attempts were recorded using Node Fetch, averaging 66,000 unauthorized attempts daily.
Targeted Sectors: Education is the most frequent target; accounts there are often less well protected, and compromised ones are used to send spam or are resold.
Success Rate: Despite the volume, Node Fetch campaigns succeed far less often, compromising accounts in only about 2% of targeted organizations.
Evolving Threat Landscape
The use of HTTP client libraries like Axios and Node Fetch marks a clear shift in attacker tooling. The same request-level control that makes these libraries useful to developers (setting arbitrary headers, transforming requests and responses, retrying and pacing calls) lets an attacker automate credential testing and session replay against Microsoft 365 and blend in with ordinary API traffic.
Recent Trends: The report also notes a short-lived use of Go Resty, an HTTP client library for Go, a reminder that the choice of library is incidental and that attackers switch tooling freely, so detections keyed to one user-agent string age quickly.
Recommendations for Organizations
To combat these emerging threats, organizations are advised to implement robust security measures, including:
Enhanced Detection Mechanisms: Monitor sign-in logs for the default User-Agent strings of scripted HTTP clients (for example axios/<version> or node-fetch/...), for a single source IP failing against many distinct accounts in a short window, and for successful sign-ins from an IP that was just spraying. Treat a user-agent match as a lead rather than proof: the header is attacker-controlled and trivially changed.
Strengthened MFA Configurations: Prefer phishing-resistant methods such as FIDO2 security keys, passkeys or certificate-based authentication, which bind the credential to the genuine login origin so an AiTM proxy cannot capture a usable session; where those are not yet deployed, use Conditional Access policies that require a compliant or managed device and restrict sign-ins from unfamiliar locations.
Regular Security Audits: Review mailbox inbox rules, OAuth application consents and newly registered applications, since these are the persistence mechanisms observed after a takeover; check for unexpected MFA method registrations; and verify that the policies above actually apply to every user, including shared and service accounts.
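The detection points above, together with the Node Fetch password-spray pattern described earlier, as an added worked example that is not code from the original article or from the report's authors: a small Python script that runs over constructed Entra ID sign-in events (simplified JSON using the real log's field names, with IP addresses from documentation ranges; none of it is real data). It flags sign-ins carrying the default User-Agent strings of Axios, node-fetch and Go Resty, identifies spraying sources (one IP failing against many distinct accounts within a sliding window), and lists accounts that then signed in successfully from a spraying IP. The User-Agent prefixes are the libraries' defaults and 50126 is Entra's invalid-credentials result code; the 30-minute window and the five-account threshold are assumed starting values, not figures from the report.

```python
"""Flag scripted-HTTP-client sign-ins and password spraying in Microsoft 365 sign-in logs."""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Default User-Agent prefixes of the libraries named in the report. Axios sends
# "axios/<version>", node-fetch v2 sends "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)"
# and Go Resty sends "go-resty/<version> (https://github.com/go-resty/resty)". The header is
# attacker-controlled, so a match is a lead and a miss proves nothing.
HTTP_CLIENT_UA_PREFIXES = ("axios/", "node-fetch", "go-resty/")

INVALID_CREDENTIALS = 50126  # Entra ID result code AADSTS50126: invalid username or password
NODE_FETCH_UA = "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)"
AXIOS_UA = "axios/1.7.2"
CHROME_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/128.0.0.0 Safari/537.36"


def _ev(ts, upn, ip, ua, code):
    """Build one sign-in event using the Entra ID sign-in log field names."""
    return {"createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip,
            "userAgent": ua, "status": {"errorCode": code}}


# Constructed sample data (not real logs). 203.0.113.10 sprays six accounts with
# node-fetch and then lands one; 198.51.100.7 signs in once with an Axios user agent
# and no prior failures (the shape of a replayed AiTM session); 192.0.2.5 is a real
# user who mistypes a password twice in a browser.
SAMPLE_EVENTS = [
    _ev("2024-09-03T02:10:05Z", "alice@example.edu", "203.0.113.10", NODE_FETCH_UA, INVALID_CREDENTIALS),
    _ev("2024-09-03T02:11:40Z", "bob@example.edu", "203.0.113.10", NODE_FETCH_UA, INVALID_CREDENTIALS),
    _ev("2024-09-03T02:13:12Z", "carol@example.edu", "203.0.113.10", NODE_FETCH_UA, INVALID_CREDENTIALS),
    _ev("2024-09-03T02:14:50Z", "dave@example.edu", "203.0.113.10", NODE_FETCH_UA, INVALID_CREDENTIALS),
    _ev("2024-09-03T02:16:30Z", "erin@example.edu", "203.0.113.10", NODE_FETCH_UA, INVALID_CREDENTIALS),
    _ev("2024-09-03T02:18:02Z", "frank@example.edu", "203.0.113.10", NODE_FETCH_UA, INVALID_CREDENTIALS),
    _ev("2024-09-03T02:19:45Z", "frank@example.edu", "203.0.113.10", NODE_FETCH_UA, 0),
    _ev("2024-09-03T09:41:10Z", "grace@example.edu", "198.51.100.7", AXIOS_UA, 0),
    _ev("2024-09-03T08:02:00Z", "harry@example.edu", "192.0.2.5", CHROME_UA, INVALID_CREDENTIALS),
    _ev("2024-09-03T08:02:30Z", "harry@example.edu", "192.0.2.5", CHROME_UA, INVALID_CREDENTIALS),
    _ev("2024-09-03T08:03:05Z", "harry@example.edu", "192.0.2.5", CHROME_UA, 0),
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def is_http_client_ua(user_agent):
    """True when the User-Agent is the default string of a scripted HTTP client library."""
    return user_agent.lower().startswith(HTTP_CLIENT_UA_PREFIXES)


def library_signins(events, successful_only=False):
    """Sign-in events (failed or successful) whose User-Agent belongs to an HTTP client library."""
    hits = []
    for e in events:
        if not is_http_client_ua(e["userAgent"]):
            continue
        if successful_only and e["status"]["errorCode"] != 0:
            continue
        hits.append(e)
    return hits


def detect_password_spray(events, window=timedelta(minutes=30), min_distinct_users=5):
    """Source IPs that failed against >= min_distinct_users distinct accounts within `window`.

    Sliding window over each IP's failed sign-ins in time order; returns {ip: set of targeted users}.
    Per-account lockout never fires on a spray, so the signal has to be per source, not per user.
    """
    failures_by_ip = defaultdict(list)
    for e in events:
        if e["status"]["errorCode"] == INVALID_CREDENTIALS:
            failures_by_ip[e["ipAddress"]].append((parse_ts(e["createdDateTime"]), e["userPrincipalName"]))
    flagged = {}
    for ip, attempts in failures_by_ip.items():
        attempts.sort()
        in_window, users = deque(), Counter()
        for ts, user in attempts:
            in_window.append((ts, user))
            users[user] += 1
            while ts - in_window[0][0] > window:  # drop attempts that fell out of the window
                _, old_user = in_window.popleft()
                users[old_user] -= 1
                if users[old_user] == 0:
                    del users[old_user]
            if len(users) >= min_distinct_users:
                flagged.setdefault(ip, set()).update(users)
    return flagged


def successes_from_flagged_ips(events, flagged):
    """Accounts that signed in successfully from a spraying IP: treat as likely compromised."""
    return sorted({e["userPrincipalName"] for e in events
                   if e["ipAddress"] in flagged and e["status"]["errorCode"] == 0})


if __name__ == "__main__":
    for e in library_signins(SAMPLE_EVENTS):
        print("library UA:", e["ipAddress"], e["userPrincipalName"], e["status"]["errorCode"])
    spray = detect_password_spray(SAMPLE_EVENTS)
    print("spraying sources:", {ip: sorted(u) for ip, u in spray.items()})
    print("likely compromised:", successes_from_flagged_ips(SAMPLE_EVENTS, spray))
```

The user-agent check catches both the spraying IP and the single Axios sign-in, but only the sliding-window logic separates the spray from a real user retrying a mistyped password, and only the last step turns "this IP was spraying" into "this account needs its sessions revoked". On a production tenant the same three queries map onto the SigninLogs table (UserAgent, IPAddress, UserPrincipalName, ResultType), with the window and threshold tuned to the tenant's baseline.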
As attackers swap one library for another, detections keyed to a single user-agent string age quickly; the durable controls are phishing-resistant MFA, behaviour-based detection of spraying and session replay, and prompt review of the inbox rules and OAuth applications that follow a takeover. The growing reliance on repurposed HTTP clients underscores the need for sustained vigilance and investment in these defences rather than in one-off indicator matching.
Sources
CybersecurityNews (article title not captured).
Cybercriminals Exploiting HTTP Client Tools to Hijack Microsoft 365 Accounts, GBHackers News.