Hackers Using HTTP Client Tools To Takeover Microsoft 365 Accounts


Hackers have increasingly been using HTTP client tools to orchestrate sophisticated account takeover attacks on Microsoft 365 environments.

A staggering 78% of Microsoft 365 tenants have been targeted at least once by such attacks, highlighting the evolving tactics of threat actors.

HTTP client tools are software applications or libraries that enable users to send HTTP requests and receive responses from web servers.


These tools allow for customization of request methods (e.g., GET, POST, PUT, DELETE), headers, and payloads, making them versatile for both legitimate and malicious purposes.

In February 2018, Proofpoint researchers identified a widespread campaign using an uncommon OkHttp client version (‘okhttp/3.2.0’) to target Microsoft 365 environments.

Researchers at Proofpoint noted that this campaign, which lasted nearly four years, focused on high-value targets such as C-level executives and privileged users.

The attackers leveraged user enumeration methods to identify valid email addresses before executing other threat vectors like spear phishing and password spraying.

Since 2018, HTTP clients have remained a staple in account takeover (ATO) attacks. Early 2024 saw OkHttp variants dominate, but by March 2024, a broader range of HTTP clients gained traction.

Notably, a recent campaign using the Axios HTTP client achieved a high success rate, compromising 43% of targeted user accounts. Axios, when paired with Adversary-in-the-Middle (AiTM) platforms like Evilginx, enables credential, MFA token, and session token theft.

Attack Chain

Email-borne phishing enables credential theft through reverse proxy toolkits that also capture MFA tokens. The stolen credentials are then used with tools like Axios to take over the account: manipulating mailbox rules, exfiltrating data, and creating OAuth applications.

Once access is gained, sensitive data is stolen, access permissions are modified, and secure sharing links are created for future unauthorized access.

In addition to Axios, threat actors have diversified their approach by employing other HTTP clients.

For example, Node Fetch, which simplifies the transition from Node.js's native HTTP module to the Fetch API, has been used to automate attacks at large scale: Proofpoint logged more than 13 million login attempts, averaging 66,000 malicious attempts per day, even though Node Fetch lacks Axios-style request interception capabilities.


Similarly, in August 2024, Proofpoint observed attackers using Go Resty, a Go HTTP/REST client, in brute-force attacks. The trend had ceased by October, but it highlighted how quickly the tooling used by threat actors evolves.

To improve detection, it is recommended to monitor user agents, combining the observed data with additional indicators and threat intelligence to produce more accurate detections.

Additionally, enhancing security through the implementation of multi-factor authentication (MFA) for all users is crucial, and regularly updating all software, including HTTP clients, helps ensure that systems remain protected against the latest vulnerabilities.

Indicators of Compromise

Key HTTP client versions used in these attacks include:

  • OkHttp: Versions like okhttp/3.14.7, okhttp/3.14.9, okhttp/4.11.0, and okhttp/4.12.0.
  • Python Requests: Versions such as python-requests/2.27.1 to python-requests/2.32.3.
  • Axios: Versions like axios/0.21.1, axios/0.21.4, axios/1.4.0, and axios/1.7.5.
  • Node Fetch: Used for password spraying attacks.
  • Go Resty: Version go-resty/2.14.0.
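As an added example (not from the article or from Proofpoint), the detection approach recommended above applied to constructed Entra ID-style sign-in records: flag sign-ins whose User-Agent belongs to one of the HTTP client families listed, then correlate failures per source IP to surface password spraying and list successful library logins for review. The node-fetch User-Agent prefix and the three-account spraying threshold are assumptions.

```python
"""Flag Microsoft 365 sign-in records whose User-Agent is a bare HTTP client
library and correlate them with password-spray behaviour per source IP.
The records below are constructed for this example; field names mirror
Entra ID sign-in logs (userPrincipalName, ipAddress, userAgent, status)."""
import json
import re
from collections import defaultdict

# Client families named in the article; the version is captured but not matched
# on, so new releases still hit. The node-fetch UA prefix is an assumption.
CLIENT_UA = re.compile(r"^(okhttp|python-requests|axios|node-fetch|go-resty)/(\S+)", re.I)

SAMPLE_LOG = """
{"userPrincipalName":"cfo@example.com","ipAddress":"203.0.113.10","userAgent":"axios/1.7.5","status":"success"}
{"userPrincipalName":"alice@example.com","ipAddress":"198.51.100.7","userAgent":"python-requests/2.32.3","status":"failure"}
{"userPrincipalName":"bob@example.com","ipAddress":"198.51.100.7","userAgent":"python-requests/2.32.3","status":"failure"}
{"userPrincipalName":"carol@example.com","ipAddress":"198.51.100.7","userAgent":"python-requests/2.32.3","status":"failure"}
{"userPrincipalName":"dave@example.com","ipAddress":"192.0.2.5","userAgent":"Mozilla/5.0 (Windows NT 10.0) Chrome/122.0","status":"success"}
{"userPrincipalName":"erin@example.com","ipAddress":"192.0.2.9","userAgent":"okhttp/3.14.9","status":"failure"}
"""

def parse_log(text):
    """One JSON object per line, blank lines skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def client_hits(records):
    """(upn, ip, client, version, status) for every sign-in made with a library UA."""
    hits = []
    for r in records:
        m = CLIENT_UA.match(r["userAgent"])
        if m:
            hits.append((r["userPrincipalName"], r["ipAddress"], m.group(1).lower(), m.group(2), r["status"]))
    return hits

def spraying_ips(hits, min_users=3):
    """Source IPs whose library-UA logins failed against >= min_users distinct accounts."""
    failed = defaultdict(set)
    for upn, ip, _, _, status in hits:
        if status == "failure":
            failed[ip].add(upn)
    return sorted(ip for ip, users in failed.items() if len(users) >= min_users)

def successful_client_logins(hits):
    """Successful library-UA sign-ins: review these for new mailbox rules or OAuth apps."""
    return [(upn, ip, f"{client}/{ver}") for upn, ip, client, ver, status in hits if status == "success"]

if __name__ == "__main__":
    hits = client_hits(parse_log(SAMPLE_LOG))
    print("spraying IPs:", spraying_ips(hits))
    print("successful library logins to review:", successful_client_logins(hits))
```

A browser User-Agent alone is not exculpatory and a library User-Agent alone is not malicious (legitimate automation uses them too), which is why the successful-login list is meant for review alongside other signals rather than for automatic blocking.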
