Full Report
Cybercriminals are increasingly leveraging legitimate HTTP client tools to facilitate account takeover (ATO) attacks on Microsoft 365 environments. Enterprise security company Proofpoint said it observed campaigns using HTTP clients Axios and Node Fetch to send HTTP requests and receive HTTP responses from web servers with the goal of conducting ATO attacks. "Originally sourced from public
Analysis Summary
# Tool/Technique: Go Resty, Node Fetch, Axios, Python Requests (HTTP Clients for ATO)
## Overview
Legitimate HTTP client libraries such as Go Resty, Node Fetch, Axios, and Python Requests are increasingly being used by cybercriminals to run high-volume password spraying and Account Takeover (ATO) attempts against Microsoft 365 environments. The libraries simply send HTTP requests and receive responses, which lets attackers automate the login flow, often in conjunction with Adversary-in-the-Middle (AitM) platforms such as Evilginx to bypass MFA.
## Technical Details
- Type: Attack Tool (Legitimate utility leveraged maliciously)
- Platform: Multi-platform (Depending on the specific library: Go ecosystem, Node.js/JavaScript, Python)
- Capabilities: Automating HTTP interactions for credential stuffing/spraying, supporting interactions with AitM infrastructure.
- First Seen: Use of HTTP clients for M365 targeting observed since at least Feb 2018 (with iterations using OkHttp clients); recent diversity including Axios, Go Resty, Node Fetch observed prominently starting around March 2024.
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1110 - Brute Force
- T1110.003 - Password Guessing
- TA0006 - Credential Access
- T1555 - Credentials from Password Stores & Files (Implied context of credential theft leading to ATO)
- TA0011 - Command and Control
- T1071.001 - Application Layer Protocol: Web Protocols (Used for C2 communication/login attempts)
## Functionality
### Core Capabilities
- **Password Spraying/Brute Force:** Used to rapidly test a large volume of credentials against Microsoft 365 login endpoints.
- **HTTP Request Automation:** Provides reliable methods for sending HTTP requests (POST/GET) and parsing responses generated during the authentication flow.
- **AitM Integration:** Axios is specifically noted as being paired with AitM platforms (like Evilginx) to successfully steal session tokens and MFA codes.
### Advanced Features
- **MFA Bypass:** When combined with AitM techniques, these clients facilitate the capture of stolen credentials and valid multi-factor authentication tokens.
- **Persistence Establishment:** Post-compromise, threat actors used the access they obtained to set up new mailbox rules and register new OAuth applications with excessive permissions, giving them persistent access.
## Indicators of Compromise
- File Hashes: Not specified in the article.
- File Names: Not specified, as these are standard libraries/tools being executed.
- Registry Keys: Not applicable/specified for the tool execution itself.
- Network Indicators: Targeting **Microsoft 365** login endpoints. Attacks heavily leveraged **hijacked residential IPs**.
- Behavioral Indicators: High volume of failed/successful login attempts originating from unusual residential IPs against M365 authentication endpoints. The creation of anomalous **mailbox rules** or **OAuth application registrations** post-compromise.
## Associated Threat Actors
- Unspecified cybercriminals/threat actors conducting ATO campaigns against Microsoft 365. (The activity was documented by Proofpoint; no named group is attributed.)
## Detection Methods
- Signature-based detection: Difficult, as these are legitimate, open-source tools. Detection relies on recognizing patterns of abuse.
- Behavioral detection: Monitoring for high-rate, automated login attempts against M365 originating from large pools of previously unused or residential IPs. Detection of anomalous post-login activity, such as unauthorized creation of forwarding rules or new OAuth apps.
- YARA rules: Not specified.
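As an added example (not code from the Proofpoint report or the article), the behavioral detection above written as a small triage script over sign-in records: it flags a source IP whose failed logins spread across many distinct accounts within a short window (the password-spraying shape), treats a later success from that same IP as a probable ATO, and separately notes IPs whose User-Agent carries the default strings of the client libraries named on this page. The log format and sample events are constructed; the User-Agent check assumes the operator left the library default in place and is a weak signal on its own.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Default User-Agent prefixes of the clients discussed here (assumption: default not overridden).
CLIENT_UA = re.compile(r"^(axios|node-fetch|go-resty|python-requests)/", re.I)

def parse_line(line):
    """Constructed format: '<ISO timestamp> <user> <source ip> <Success|Failure> <user-agent>'."""
    ts, user, ip, status, ua = line.split(" ", 4)
    return {"ts": datetime.fromisoformat(ts), "user": user, "ip": ip, "status": status, "ua": ua}

def spraying_ips(events, window=timedelta(minutes=10), min_users=5):
    """Return {ip: distinct_users} for IPs whose failures hit >= min_users accounts inside `window`.
    Spraying is a few passwords across many accounts, so distinct users per IP is the signal;
    per-user lockout thresholds never trip on it."""
    fails = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["status"] == "Failure":
            fails[e["ip"]].append(e)
    flagged = {}
    for ip, evs in fails.items():
        start, best = 0, 0
        for end, e in enumerate(evs):
            while e["ts"] - evs[start]["ts"] > window:  # slide the window start forward
                start += 1
            best = max(best, len({x["user"] for x in evs[start:end + 1]}))
        if best >= min_users:
            flagged[ip] = best
    return flagged

def triage(lines):
    events = [parse_line(l) for l in lines]
    spray = spraying_ips(events)
    # Highest priority: a Success from an IP that was spraying, i.e. a probable account takeover.
    ato = sorted({(e["user"], e["ip"]) for e in events
                  if e["status"] == "Success" and e["ip"] in spray})
    tooling = sorted({e["ip"] for e in events if CLIENT_UA.match(e["ua"])})
    return {"spraying": spray, "probable_ato": ato, "client_library_ips": tooling}

# Constructed sample: one IP walks five accounts and then lands on a sixth;
# a normal user fails once and then succeeds from a browser.
SAMPLE = [
    "2024-03-04T09:00:00 alice@example.com 203.0.113.10 Failure axios/1.6.7",
    "2024-03-04T09:00:02 bob@example.com 203.0.113.10 Failure axios/1.6.7",
    "2024-03-04T09:00:04 carol@example.com 203.0.113.10 Failure axios/1.6.7",
    "2024-03-04T09:00:06 dave@example.com 203.0.113.10 Failure axios/1.6.7",
    "2024-03-04T09:00:08 erin@example.com 203.0.113.10 Failure axios/1.6.7",
    "2024-03-04T09:00:10 frank@example.com 203.0.113.10 Success axios/1.6.7",
    "2024-03-04T09:01:00 grace@example.com 198.51.100.7 Failure Mozilla/5.0 (Windows NT 10.0)",
    "2024-03-04T09:01:30 grace@example.com 198.51.100.7 Success Mozilla/5.0 (Windows NT 10.0)",
]
```

Against real Entra ID sign-in logs the same logic applies to the IP, user, status and user-agent fields; tune `window` and `min_users` to the tenant's normal failure rate.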
## Mitigation Strategies
- Prevention: Implement robust Conditional Access policies in Azure AD/Microsoft 365.
- Hardening recommendations: Require strong MFA enforcement for all users, especially high-value targets (executives, financial officers). Monitor and alert on registration of new, unexpected OAuth applications. Review and restrict permissions granted to newly registered applications.
## Related Tools/Techniques
- OkHttp clients (Previous iterations of similar attacks, observed until early 2024).
- Evilginx (AitM framework often paired with these HTTP clients).
- Python Requests (Also mentioned as an emerging client used in these attacks).