Attackers Increase Use of HTTP Clients for Account Takeovers


Cybercriminals have been observed increasingly leveraging legitimate HTTP client tools to execute account takeover (ATO) attacks on Microsoft 365 environments.

Recent findings from Proofpoint reveal that 78% of Microsoft 365 tenants faced at least one ATO attempt in 2024 utilizing a distinct HTTP client. This marks a 7% rise in such attacks compared to the previous six months.

Evolution of HTTP-Based Attacks

Proofpoint researchers have observed a long-term trend of attackers repurposing widely available HTTP client tools to execute malicious activities. These tools, originally designed for web development and automation, are now being used for brute-force attacks and adversary-in-the-middle (AiTM) techniques.

In 2018, attackers used an uncommon OkHttp client version (okhttp/3.2.0) in a sustained campaign lasting nearly four years. By 2021, this method peaked at tens of thousands of monthly attacks before declining. Since early 2024, newer HTTP clients, such as python-requests and Axios, have become more prominent.


Axios HTTP Client High Success Rates

One of the most effective recent attack methods involves the Axios HTTP client, which integrates AiTM techniques to bypass multi-factor authentication (MFA). Axios-based attacks have a success rate of 43% – significantly higher than traditional brute-force attempts.

Key attack steps include:

  • Credential theft via email phishing and reverse proxy tools
  • Account takeover using stolen credentials and MFA tokens
  • Post-compromise actions such as modifying mailbox rules, exfiltrating data and registering OAuth applications for persistent access

Node Fetch and Large-Scale Brute-Force Attacks

Another campaign employs the Node Fetch client to conduct brute-force password spraying attacks. Since June 2024, this method has generated over 13 million login attempts, averaging 66,000 a day. Despite its scale, the success rate remains low at just 2%.

Attackers primarily target student accounts in the education sector, exploiting their relatively weaker security. Over 3000 organizations and 178,000 user accounts have been targeted since mid-2024.

Emerging Trends and Future Threats

In August 2024, Proofpoint researchers detected a shift towards Go Resty, a Go-based HTTP client. While this method saw limited success and ceased by October, it indicates ongoing adaptation by cybercriminals.

With HTTP clients offering automation and flexibility, attackers will likely continue evolving their tactics to maximize effectiveness and evade detection. Organizations are advised to enhance monitoring of HTTP client activity and employ stronger authentication mechanisms to mitigate these threats.
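The monitoring the article recommends can start with the sign-in User-Agent, since each campaign above is identified by the HTTP client it was sent through. The following is an added example, not Proofpoint's code or tooling; the sign-in events and the exact User-Agent string formats are constructed assumptions, and the script flags both scripted-client sign-ins and the low-and-wide failure pattern of a password spray.

```python
from collections import defaultdict

# Substrings identifying the HTTP client libraries named in the article.
# The precise User-Agent formats are assumptions, not taken from the page.
HTTP_CLIENT_MARKERS = ("okhttp/", "python-requests/", "axios/", "node-fetch", "go-resty/")

# Constructed sample of Microsoft 365 sign-in events (not real log data).
# Fields: timestamp, user, source IP, User-Agent, result
SAMPLE_SIGNINS = [
    ("2024-06-01T08:00:01Z", "alice@example.edu", "203.0.113.5", "node-fetch", "failure"),
    ("2024-06-01T08:00:02Z", "bob@example.edu", "203.0.113.5", "node-fetch", "failure"),
    ("2024-06-01T08:00:03Z", "carol@example.edu", "203.0.113.5", "node-fetch", "failure"),
    ("2024-06-01T08:00:04Z", "dave@example.edu", "203.0.113.5", "node-fetch", "failure"),
    ("2024-06-01T08:00:05Z", "erin@example.edu", "203.0.113.5", "node-fetch", "success"),
    ("2024-06-01T09:15:00Z", "frank@example.com", "198.51.100.7", "axios/1.6.0", "success"),
    ("2024-06-01T09:20:00Z", "grace@example.com", "192.0.2.44", "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0", "success"),
    ("2024-06-01T09:21:00Z", "grace@example.com", "192.0.2.44", "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0", "failure"),
]

def is_http_client_agent(user_agent):
    """True when the User-Agent belongs to one of the scripted HTTP clients."""
    ua = user_agent.lower()
    return any(marker in ua for marker in HTTP_CLIENT_MARKERS)

def flag_http_client_signins(events):
    """Return (user, ip, user_agent, result) for every sign-in made with a scripted
    HTTP client. Successful ones come first: they may be completed takeovers."""
    hits = [(user, ip, ua, result) for _, user, ip, ua, result in events if is_http_client_agent(ua)]
    return sorted(hits, key=lambda h: h[3] != "success")

def detect_password_spray(events, min_distinct_users=3):
    """Map each source IP that failed against at least min_distinct_users distinct
    accounts to that count: the wide, shallow pattern of a password spray."""
    failed_users = defaultdict(set)
    for _, user, ip, _ua, result in events:
        if result == "failure":
            failed_users[ip].add(user)
    return {ip: len(users) for ip, users in failed_users.items() if len(users) >= min_distinct_users}

if __name__ == "__main__":
    for hit in flag_http_client_signins(SAMPLE_SIGNINS):
        print("scripted HTTP client sign-in:", hit)
    for ip, n in detect_password_spray(SAMPLE_SIGNINS).items():
        print(f"possible password spray from {ip}: {n} distinct accounts failed")
```

In production the same logic would run over Entra ID sign-in log exports rather than the embedded sample, with the marker list tuned to the clients actually seen in the tenant.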


