HTTP client tools used to compromise Microsoft 365 environments with 78% of tenants targeted in 2024
Analysis Summary
# Tool/Technique: Repurposed HTTP Clients (Axios, python-request, Node Fetch, Go Resty)
## Overview
Cybercriminals are increasingly leveraging legitimate, widely available HTTP client libraries and tools, originally designed for web development and automation, to execute large-scale account takeover (ATO) attacks against services like Microsoft 365. This trend allows attackers to blend malicious automation traffic with legitimate network communication, increasing evasion.
## Technical Details
- Type: Tool/Technique (Repurposed legitimate software libraries)
- Platform: Not explicitly stated; the targets are cloud services (Microsoft 365), so the attack tooling runs on attacker-controlled infrastructure and interacts with the service's web and authentication interfaces.
- Capabilities: Execution of brute-force, password spraying, and Adversary-in-the-Middle (AiTM) relay attacks to steal credentials and Multi-Factor Authentication (MFA) tokens.
- First Seen: Trend noted over several years, with specific clients gaining prominence in 2024 (e.g., Axios, python-request).
## MITRE ATT&CK Mapping
The core activity is credential abuse and the generation of authentication traffic with common HTTP libraries, which maps to the following tactics and techniques:
- **TA0006 - Credential Access**
  - T1110 - Brute Force
    - T1110.003 - Password Spraying
- **TA0001 - Initial Access**
  - T1566 - Phishing
    - T1566.001 - Spearphishing Attachment (implied via phishing leading to credential theft)
  - T1550 - Use Alternate Authentication Material
    - T1550.003 - Web Session Cookie (used in the AiTM context)
- **TA0011 - Command and Control**
  - T1071 - Application Layer Protocol
    - T1071.001 - Web Protocols (use of HTTP/S for communication and session hijacking)
## Functionality
### Core Capabilities
- **Credential Theft:** Used in conjunction with phishing (often assisted by reverse proxy tools) to capture credentials.
- **Brute-Force/Password Spraying:** Used by tools like Node Fetch to rapidly attempt numerous logins against user accounts (e.g., over 13 million attempts observed using Node Fetch since June 2024).
- **MFA Bypass (AiTM):** Axios leveraged with AiTM techniques allows attackers to relay valid authentication sessions, including bypassing MFA checks by capturing session tokens.
### Advanced Features
- **AiTM Integration (Axios):** Successfully integrates Adversary-in-the-Middle techniques to maintain session fidelity and steal active sessions, leading to high success rates (43% reported for Axios-based attacks).
- **Post-Compromise Persistence:** Once access is gained, attackers use the capabilities to configure mailbox rules, exfiltrate data, and register OAuth applications for sustained access.
- **Historical Use:** Older clients like OkHttp (okhttp/3.2.0) were used extensively in sustained campaigns spanning nearly four years (starting around 2018).
## Indicators of Compromise
*Note: No specific file hashes, registry keys, or network indicators for the tooling itself were provided, only the names of the libraries being abused.*
- File Hashes: [Not provided]
- File Names: [Varies based on the attacker's script wrapping the client]
- Registry Keys: [Not provided]
- Network Indicators: [Attacks target Microsoft 365 authentication endpoints]
- Behavioral Indicators: High volume of atypical login attempts originating from automated processes masquerading as legitimate HTTP client traffic; rapid session authentication via AiTM relay methods.
## Associated Threat Actors
- [Not explicitly named; Proofpoint researchers observe patterns indicating that various financially motivated or state-sponsored groups are evolving their ATO strategies.]
## Detection Methods
- [Signature-based detection] Not effective against standard libraries unless modified binaries are used.
- [Behavioral detection] Focus should be on monitoring high-volume login failures (password spraying) or anomalous session establishment (AiTM traffic patterns).
- [YARA rules if available] [Not provided]
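The behavioral detection described above, as an added example that is not part of the report: a small detector over constructed Microsoft 365-style sign-in records that groups failed sign-ins by source IP and User-Agent and flags sources that fail against many distinct accounts with only a few attempts each (spraying), tagging the automation clients the report names. Field names, thresholds and the sample records are assumptions.

```python
"""Password-spray detector over constructed sign-in records (added example).

Groups failed sign-ins by (ip, user_agent) and flags a source when it fails
against many distinct accounts with few attempts per account, the spray
pattern, as opposed to a single-account brute force or a user mistyping a
password. Field names and thresholds are assumptions, not a vendor schema.
"""
from collections import defaultdict

# Client families named in the report; matched case-insensitively against the UA.
AUTOMATION_CLIENTS = ("axios", "python-requests", "node-fetch", "go-resty", "okhttp")

def is_automation_client(user_agent: str) -> bool:
    """True when the User-Agent belongs to one of the repurposed HTTP clients."""
    ua = user_agent.lower()
    return any(name in ua for name in AUTOMATION_CLIENTS)

def detect_password_spray(events, min_users=5, max_per_user=2):
    """Return one alert per (ip, user_agent) source showing a spray pattern.

    events: iterable of dicts with keys ip, user_agent, user, status
            (status "failure" marks a rejected sign-in).
    Flag a source when it fails against >= min_users distinct accounts and
    no single account is tried more than max_per_user times.
    """
    failures = defaultdict(lambda: defaultdict(int))   # (ip, ua) -> user -> count
    for e in events:
        if e["status"] == "failure":
            failures[(e["ip"], e["user_agent"])][e["user"]] += 1
    alerts = []
    for (ip, ua), per_user in failures.items():
        if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
            alerts.append({
                "ip": ip, "user_agent": ua,
                "targeted_accounts": len(per_user),
                "automation_client": is_automation_client(ua),
            })
    return alerts

# Constructed sample: one spraying source using axios, plus one legitimate user
# who fails three times from a browser and then succeeds (must not be flagged).
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0) Edge/120"
SAMPLE_EVENTS = (
    [{"ip": "203.0.113.10", "user_agent": "axios/1.6.0",
      "user": f"user{i}@example.edu", "status": "failure"} for i in range(8)]
    + [{"ip": "198.51.100.7", "user_agent": BROWSER_UA,
        "user": "alice@example.edu", "status": "failure"}] * 3
    + [{"ip": "198.51.100.7", "user_agent": BROWSER_UA,
        "user": "alice@example.edu", "status": "success"}]
)

if __name__ == "__main__":
    for alert in detect_password_spray(SAMPLE_EVENTS):
        print(alert)
```

Run against real sign-in exports, the thresholds should be tuned to the tenant's baseline, and a session established immediately after a flagged failure burst is worth correlating with the AiTM pattern described above.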
## Mitigation Strategies
- Enhance monitoring of authentication logs and HTTP client traffic patterns.
- Employ strong authentication mechanisms, prioritizing phishing-resistant MFA methods over session-based MFA where possible, to counteract AiTM techniques.
- Harden security specifically for the education sector, which has been identified as a high-volume target for password spraying using Node Fetch.
## Related Tools/Techniques
- OkHttp client (older campaign)
- Tycoon 2FA Phishing Kit (mentioned in related articles, often used to facilitate the initial credential harvest)
- Greatness Phishing Tool (mentioned in related articles)