Cybercriminals are increasingly leveraging legitimate HTTP client tools to facilitate account takeover (ATO) attacks on Microsoft 365 environments. Enterprise security company Proofpoint said it observed campaigns using HTTP clients Axios and Node Fetch to send HTTP requests and receive HTTP responses from web servers with the goal of conducting ATO attacks. "Originally sourced from public repositories like GitHub, these tools are increasingly used in attacks like Adversary-in-the-Middle (AitM) and brute force techniques, leading to numerous account takeover (ATO) incidents," security researcher Anna Akselevich said. The use of HTTP client tools for brute-force attacks has been a long-observed trend since at least February 2018, with successive iterations employing variants of OkHttp clients to target Microsoft 365 environments at least until early 2024. But by March 2024, Proofpoint said it began to observe a wide range of HTTP clients gaining traction, with the attacks scaling a new high such that 78% of Microsoft 365 tenants were targeted at least once by an ATO attempt by the second half of last year. "In May 2024, these attacks peaked, leveraging millions of hijacked residential IPs to target cloud accounts," Akselevich said. The volume and diversity of these attack attempts is evidenced by the emergence of HTTP clients such as Axios, Go Resty, Node Fetch, and Python Requests, with those combining precision targeting with AitM techniques achieving a higher compromise…Read More