Cybercriminals Leverage HTTP Client Tools For Microsoft 365 Account Takeovers

Cybercriminals are increasingly exploiting legitimate HTTP client tools to conduct account takeover (ATO) attacks against Microsoft 365 environments. These attacks, which use widely available tools originally intended for web development, highlight a growing trend of cyber adversaries adapting and evolving their attack methods to compromise cloud-based accounts.

Rise of HTTP Client Tools in Cyber Attacks

According to cybersecurity firm Proofpoint, attackers are utilizing HTTP client libraries like Axios and Node Fetch to send and receive HTTP requests from web servers, thereby facilitating ATO attempts.

"Originally sourced from public repositories like GitHub, these tools are increasingly used in attacks like Adversary-in-the-Middle (AitM) and brute-force techniques, leading to numerous account takeover (ATO) incidents," said security researcher Anna Akselevich.

This marks a significant shift in attack strategies, as cybercriminals leverage web development tools for malicious purposes.

A Long-Standing Trend with New Tactics

Brute-force attacks using HTTP clients have been observed since at least February 2018, initially employing OkHttp clients. However, between early and mid-2024, Proofpoint observed a wider range of HTTP clients being used, marking a substantial rise in the scale and frequency of ATO attempts.

By March 2024, HTTP client-based attacks had reached new heights, with 78% of Microsoft 365 tenants targeted at least once. The peak of these attacks occurred in May 2024, when cybercriminals leveraged millions of hijacked residential IP addresses to bypass traditional security measures and attempt large-scale cloud account compromises.

Key Tools and Their Role in ATO Attacks

Among the most frequently used HTTP clients in these attacks are:

• Axios – A widely-used tool for Node.js and browsers, which can be combined with Adversary-in-the-Middle (AitM) platforms like Evilginx to intercept and steal login credentials, including multi-factor authentication (MFA) codes.

• Go Resty – An HTTP client for Go-based applications, often seen in large-scale password spraying campaigns.

• Node Fetch – Frequently used alongside Go Resty in automated attacks against Microsoft 365 users.

• Python Requests – A commonly used HTTP library that allows attackers to send customized login attempts and exploit API vulnerabilities.

Proofpoint found that attackers combining precision targeting with AitM techniques achieved a higher success rate, particularly in executive and financial sectors.

High-Value Targets and Impact

Cybercriminals leveraging Axios have primarily focused on high-value individuals such as:

• Executives and C-suite personnel

• Financial officers

• Account managers

• Operational staff in critical industries (transportation, finance, IT, healthcare, and construction)

Between June and November 2024, these attacks successfully compromised 43% of targeted accounts, impacting 51% of targeted organizations.

Additionally, attackers have been observed setting up new mailbox rules to hide malicious activities, steal sensitive data, and even register new OAuth applications with excessive permission scopes—allowing for persistent remote access to compromised accounts.

Large-Scale Password Spraying Campaigns

Proofpoint also detected a massive password spraying campaign utilizing Node Fetch and Go Resty clients. This campaign involved:

• 13 million login attempts recorded since June 9, 2024

• An average of 66,000 malicious attempts per day

• A success rate of 2%, affecting 3,000 organizations and 178,000 targeted user accounts

A significant portion of these attacks targeted educational institutions, particularly student accounts, which are often less protected and can be weaponized for further campaigns or sold to other cybercriminal groups.

Evolving Attack Strategies and Future Threats

"Threat actors' tools for ATO attacks have greatly evolved, with various HTTP client tools used for exploiting APIs and making HTTP requests," Akselevich warned.

Attackers continue to refine their techniques by:

• Switching between different HTTP client tools to evade detection

• Adapting attack methods based on new security measures

• Exploiting emerging web technologies to improve efficiency and effectiveness

Given this trend, security experts predict that HTTP client-based brute-force and AitM attacks will persist, posing an ongoing threat to cloud-based platforms like Microsoft 365.

Mitigation Strategies and Best Practices

To protect against these evolving threats, organizations should:

• Monitor for unusual API traffic from HTTP client tools like Axios, Node Fetch, and Go Resty.

• Implement robust multi-factor authentication (MFA) to reduce the risk of credential theft.

• Limit access to API endpoints and authentication services to trusted IP ranges.

• Regularly audit OAuth applications and mailbox rules for signs of unauthorized access.

• Deploy behavioral analytics and anomaly detection to spot suspicious login attempts.

By staying proactive and implementing strong security measures, enterprises can mitigate the risk of ATO attacks and ensure better protection for their Microsoft 365 environments.