Axios Abuse and Salty 2FA Kits Fuel Advanced Microsoft 365 Phishing Attacks

"Threat actors are abusing HTTP client tools like Axios in conjunction with Microsoft's Direct Send feature to form a 'highly efficient attack pipeline' in recent phishing campaigns, according to new findings from ReliaQuest. 'Axios user agent activity surged 241% from June to August 2025, dwarfing the 85% growth of all other flagged user agents combined,' the cybersecurity company said in a report shared with The Hacker News. 'Out of 32 flagged user agents observed in this timeframe, Axios accounted for 24.44% of all activity.'"
"The abuse of Axios was previously flagged by Proofpoint in January 2025, detailing campaigns utilizing HTTP clients to send HTTP requests and receive HTTP responses from web servers to conduct account takeover (ATO) attacks on Microsoft 365 environments. ReliaQuest told The Hacker News that there is no evidence to suggest these activities are related, adding that the tool is regularly exploited alongside popular phishing kits. 'The usefulness of Axios means it is almost certainly being adopted by all types of threat actors regardless of sophistication levels or motivation,' the company added."
Axios user-agent activity surged 241% from June to August 2025 and accounted for 24.44% of flagged user-agent activity during that period. Proofpoint previously flagged Axios abuse in January 2025 tied to HTTP-client-facilitated account takeover attacks against Microsoft 365. ReliaQuest found no evidence linking the observed campaigns to those earlier cases and noted Axios is commonly exploited alongside phishing kits. Attackers pair Axios with Microsoft 365 Direct Send to spoof trusted users, bypass secure gateways, and deliver malicious emails, achieving about a 70% success rate in observed campaigns. Initial targets included executives and managers in finance, health care, and manufacturing before expanding to all users.
Read at The Hacker News