In recent times, there has been a concerning trend of cybercriminals using legitimate HTTP client tools to carry out account takeover attacks on Microsoft 365 environments. According to the latest findings from Proofpoint, a staggering 78% of Microsoft 365 tenants have experienced at least one account takeover attempt in 2024 utilizing a unique HTTP client. This marks a significant 7% increase in attacks compared to the previous six months, indicating a growing threat in this area.
Researchers at Proofpoint have noted a disturbing pattern of attackers repurposing commonly available HTTP client tools for nefarious purposes. Originally intended for web development and automation, these tools are now being exploited for brute-force attacks and adversary-in-the-middle (AiTM) techniques. This evolution in attack methods has been observed over the years, with attackers continuously adapting their tactics to bypass security measures.
A notable example of this trend is the use of the Axios HTTP client, which has shown remarkable success in bypassing multi-factor authentication (MFA) through AiTM techniques. These attacks have a success rate of 43%, significantly higher than traditional brute-force methods. The attackers follow a series of steps including credential theft through email phishing and reverse proxy tools, account takeover using stolen credentials and MFA tokens, and post-compromise actions like modifying mailbox rules, data exfiltration, and setting up OAuth applications for persistent access.
Another concerning campaign involves the Node Fetch client being used for large-scale brute-force password spraying attacks. Since June 2024, this method has seen over 13 million login attempts, averaging 66,000 per day. Although the success rate is relatively low at just 2%, the sheer scale of the attacks is cause for alarm. Educational institutions have been particularly targeted, with over 3,000 organizations and 178,000 user accounts being impacted since mid-2024.
In August 2024, researchers at Proofpoint noticed a shift towards Go Resty, a Go-based HTTP client, indicating a continuous adaptation by cybercriminals. While this method had limited success and was discontinued by October, it highlights the ever-evolving nature of cyber threats and the need for organizations to stay vigilant.
As HTTP clients offer a level of automation and flexibility, it is expected that attackers will continue to refine their tactics to maximize their impact and avoid detection. Organizations are urged to enhance their monitoring of HTTP client activity and implement stronger authentication mechanisms to safeguard against these emerging threats. By staying proactive and investing in robust cybersecurity measures, businesses can better protect their sensitive data and prevent unauthorized access to their systems.
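As an added illustration of the monitoring the article recommends (example code written for this page, not Proofpoint's tooling or anything from the article), the Python below scans constructed, simplified sign-in records for the three HTTP client families named above (Axios, Node Fetch, Go Resty) and for the password-spray pattern described in the Node Fetch campaign: one source address, many distinct accounts, almost all failures. It also separates out successful sign-ins from scripted clients, which are the ones to triage first because a success from such a client is what an AiTM session replay or a lucky spray looks like in the logs. The record layout, the user-agent substrings and the thresholds are assumptions to tune against a real tenant's sign-in logs; the sample records are constructed and use documentation IP ranges.

```python
from collections import defaultdict
from typing import NamedTuple, Optional


class SignIn(NamedTuple):
    """Simplified sign-in record (assumed layout, not a real Entra ID schema)."""
    timestamp: str
    user: str
    source_ip: str
    user_agent: str
    result: str  # "success" or "failure"


# Substring markers for the HTTP client families named in the article.
# Exact User-Agent strings vary by library version, so these are an assumption
# to be tuned against the user agents actually seen in your own sign-in logs.
HTTP_CLIENT_MARKERS = {
    "axios": "axios",
    "node-fetch": "node-fetch",
    "go-resty": "go-resty",
}

# Constructed sample records: a spray from one address via node-fetch (six
# failures, one success), one axios success, one go-resty failure, and
# ordinary browser sign-ins that should not be flagged.
SAMPLE_SIGNINS = [
    SignIn("2024-09-01T02:00:01Z", "alice", "203.0.113.10", "node-fetch/1.0", "failure"),
    SignIn("2024-09-01T02:00:02Z", "bob", "203.0.113.10", "node-fetch/1.0", "failure"),
    SignIn("2024-09-01T02:00:03Z", "carol", "203.0.113.10", "node-fetch/1.0", "failure"),
    SignIn("2024-09-01T02:00:04Z", "dave", "203.0.113.10", "node-fetch/1.0", "failure"),
    SignIn("2024-09-01T02:00:05Z", "erin", "203.0.113.10", "node-fetch/1.0", "failure"),
    SignIn("2024-09-01T02:00:06Z", "frank", "203.0.113.10", "node-fetch/1.0", "failure"),
    SignIn("2024-09-01T02:00:07Z", "grace", "203.0.113.10", "node-fetch/1.0", "success"),
    SignIn("2024-09-01T03:15:00Z", "alice", "198.51.100.7", "axios/1.6.0", "success"),
    SignIn("2024-09-01T04:10:00Z", "carol", "203.0.113.50", "go-resty/2.7.0", "failure"),
    SignIn("2024-09-01T08:00:00Z", "alice", "192.0.2.25",
           "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0", "success"),
    SignIn("2024-09-01T08:05:00Z", "bob", "192.0.2.25",
           "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0", "failure"),
]


def classify_client(user_agent: str) -> Optional[str]:
    """Return the scripted HTTP client family for a user agent, or None for others."""
    ua = user_agent.lower()
    for family, marker in HTTP_CLIENT_MARKERS.items():
        if marker in ua:
            return family
    return None


def flag_http_client_signins(records):
    """All sign-ins made with a scripted HTTP client: (user, ip, family, result)."""
    flagged = []
    for r in records:
        family = classify_client(r.user_agent)
        if family is not None:
            flagged.append((r.user, r.source_ip, family, r.result))
    return flagged


def successful_scripted_signins(records):
    """Highest-priority subset: scripted client AND the sign-in succeeded."""
    return [(u, ip, fam) for (u, ip, fam, res) in flag_http_client_signins(records)
            if res == "success"]


def detect_password_spray(records, min_accounts=5, min_failure_ratio=0.8):
    """Per source IP: many distinct accounts with a high failure ratio is a spray.

    Thresholds are assumptions; a real tenant would also window by time."""
    by_ip = defaultdict(lambda: {"accounts": set(), "attempts": 0, "failures": 0})
    for r in records:
        stats = by_ip[r.source_ip]
        stats["accounts"].add(r.user)
        stats["attempts"] += 1
        if r.result == "failure":
            stats["failures"] += 1
    hits = {}
    for ip, stats in by_ip.items():
        ratio = stats["failures"] / stats["attempts"]
        if len(stats["accounts"]) >= min_accounts and ratio >= min_failure_ratio:
            hits[ip] = {"accounts": len(stats["accounts"]),
                        "attempts": stats["attempts"],
                        "failures": stats["failures"],
                        "failure_ratio": round(ratio, 2)}
    return hits


if __name__ == "__main__":
    for entry in flag_http_client_signins(SAMPLE_SIGNINS):
        print("scripted client sign-in:", entry)
    for entry in successful_scripted_signins(SAMPLE_SIGNINS):
        print("TRIAGE FIRST (scripted client succeeded):", entry)
    for ip, stats in detect_password_spray(SAMPLE_SIGNINS).items():
        print("password spray candidate:", ip, stats)
```

On the sample data the browser sign-ins from 192.0.2.25 are left alone, the spray address is caught by its account spread rather than by any single failed login, and the two successful scripted sign-ins (the Axios session and the one account the spray got into) surface as the items to investigate for mailbox-rule changes and newly consented OAuth applications.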