Hackers Innovate To Attack Microsoft 365 Accounts

Recent research warns that Microsoft 365 accounts are being targeted by hackers using a high-speed brute force password attack methodology. Microsoft 365 is seeing a spike in users being caught out by a new type of email phishing attack.

Increasingly, hackers have been using Hypertext Transfer Protocol (HTTP) client tools for sophisticated account takeover attacks on Microsoft 365 environments. The attack begins with a user being sent a perfectly innocent-looking email containing a link.

Clicking the link allows hackers to gain access to the user's M365 account and data.

HTTP is the foundation of the World Wide Web, and is used to load webpages using hypertext links. HTTP is an application layer protocol designed to transfer information between networked devices and runs on top of other layers of the network protocol stack. 

Over 80% of Microsoft 365 users have been targeted at least once by such attacks, highlighting the evolving tactics of threat actors.

HTTP client tools are software applications or libraries that enable users to send HTTP requests and receive responses from web servers. These tools allow for customisation of request methods (e.g., GET, POST, PUT, DELETE), headers, and payloads, making them versatile for both legitimate and malicious purposes.

In 2018, Proofpoint researchers identified a widespread campaign using an uncommon OkHttp client version (‘okhttp/3.2.0’) to target Microsoft 365 environments. They found that this campaign, which has lasted for nearly four years, focused on high-value targets such as C-level executives and privileged users.

The attackers operated a user enumeration method to identify valid email addresses before executing other threat vectors like spear phishing and password spraying.

Since 2018, HTTP clients have remained a staple in account takeover (ATO) attacks, but by March 2024 a broader range of HTTP clients had appeared. A recent campaign using the Axios HTTP client successfully compromised over 40% of targeted user accounts.

Axios, when paired with Adversary-in-the-Middle (AiTM) platforms like Evilginx, enables credential, MFA token, and session token theft. Email-borne phishing threats enable credential theft by leveraging reverse proxy toolkits that can steal MFA tokens, which in turn enable account takeover through the use of stolen credentials with tools like Axios to target mailbox rules, exfiltrate data, and create OAuth applications. Once access is gained, sensitive data is stolen, access permissions are modified, and secure sharing links are created for future unauthorised access.

In addition to Axios, threat actors have diversified their approach by employing other HTTP clients. 

  • Node Fetch, which simplifies the transition from native HTTP to the Fetch API in Node.js, has been used to automate attacks on a large scale, logging over 13 million login attempts with an average of 66,000 malicious attempts daily despite its lack of Axios-like interception capabilities.
  • In August 2024, Proofpoint observed that attackers began using Go Resty in attacks, a trend that, although it ceased by October, highlighted the evolving nature of the tools used by threat actors.

To strengthen defences, it is recommended to monitor user agents, combining the observed data with additional indicators and threat intelligence so that detections are more focused than a user-agent match on its own.
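As an added example (not from the article or from Proofpoint), the following Python sketch shows that recommendation in practice: it parses constructed sign-in records, flags user agents of the HTTP client libraries named above, and raises severity only when the same source IP also shows spray-like or failure-plus-success behaviour. The log format and the user-agent strings are assumptions.

```python
import re
from collections import defaultdict
# User-agent prefixes of the HTTP client libraries the article names (assumed forms).
CLIENT_UA_PREFIXES = ("okhttp/", "axios/", "node-fetch", "go-resty/")
# Constructed sign-in records (not real telemetry): time, source IP, account, result, UA.
SAMPLE_LOG = """\
2024-03-01T08:00:01Z 203.0.113.5 alice@example.com Failure axios/1.6.2
2024-03-01T08:00:02Z 203.0.113.5 bob@example.com Failure axios/1.6.2
2024-03-01T08:00:03Z 203.0.113.5 carol@example.com Failure axios/1.6.2
2024-03-01T08:00:04Z 203.0.113.5 dave@example.com Success axios/1.6.2
2024-03-01T08:05:00Z 198.51.100.7 erin@example.com Failure Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2024-03-01T08:05:10Z 198.51.100.7 erin@example.com Success Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2024-03-01T08:06:00Z 192.0.2.9 frank@example.com Success okhttp/3.2.0
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (Success|Failure) (.+)$")

def parse_events(text):
    """Parse the space-separated log text into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(dict(zip(("ts", "ip", "user", "result", "ua"), m.groups())))
    return events

def is_client_library_ua(ua):
    """True when the user agent belongs to one of the scripted HTTP client libraries."""
    return ua.lower().startswith(CLIENT_UA_PREFIXES)

def detect(events, spray_threshold=3):
    """One alert per source IP that signed in with a client-library user agent; the UA alone
    is a weak signal, so severity rises only when a second indicator from the same IP is present."""
    by_ip = defaultdict(list)
    for e in events:
        if is_client_library_ua(e["ua"]):
            by_ip[e["ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        users = {e["user"] for e in evs}
        failures = sum(e["result"] == "Failure" for e in evs)
        hits = sorted(e["user"] for e in evs if e["result"] == "Success")
        reasons = ["client-library user agent: " + evs[0]["ua"]]
        if len(users) >= spray_threshold:  # many distinct accounts from one IP: spray-like
            reasons.append(f"{len(users)} distinct accounts from one IP")
        if failures and hits:  # failed attempts alongside a success: possible takeover
            reasons.append("both failures and a success from one IP: " + ", ".join(hits))
        severity = "high" if len(reasons) >= 2 else "medium"
        alerts.append({"ip": ip, "severity": severity, "reasons": reasons, "accounts": sorted(users)})
    return sorted(alerts, key=lambda a: a["ip"])
```

In a real deployment the prefix list would be fed from threat intelligence and the thresholds tuned against the tenant's baseline, since some legitimate automation also uses these libraries.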

Sources: Proofpoint | Cloudflare | Microsoft | Cybersecurity News | Forbes | Computer Link | Rubrik
