Hackers Innovate To Attack Microsoft 365 Accounts
Recent research warns that Microsoft 365 accounts are being targeted by hackers using a high-speed brute force password attack methodology. Microsoft 365 is seeing a spike in users being caught out by a new type of email phishing attack.
Increasingly, hackers have been using Hypertext Transfer Protocol (HTTP) client tools for sophisticated account takeover attacks on Microsoft 365 environments. The attack begins with a user being sent a perfectly innocent looking email containing a link.
Clicking the link allows hackers to gains access to their M365 account and data.
HTTP is the foundation of the World Wide Web, and is used to load webpages using hypertext links. HTTP is an application layer protocol designed to transfer information between networked devices and runs on top of other layers of the network protocol stack.
Over 80% of Microsoft 365 users have been targeted at least once by such attacks, highlighting the evolving tactics of threat actors.
HTTP client tools are software applications or libraries that enable users to send HTTP requests and receive responses from web servers. These tools allow for customisation of request methods (e.g., GET, POST, PUT, DELETE), headers, and payloads, making them versatile for both legitimate and malicious purposes.
In 2018, Proofpoint researchers identified a widespread campaign using an uncommon OkHttp client version (‘okhttp/3.2.0’) to target Microsoft 365 environments. They found that this campaign, which has lasted for nearly four years, focused on high-value targets such as C-level executives and privileged users.
The attackers operated a user enumeration method to identify valid email addresses before executing other threat vectors like spear phishing and password spraying.
Since 2018, HTTP clients have remained a staple in account takeover (ATO) attacks, but by March 2024, a broader range of HTTP clients have appeared. A recent campaign using the Axios HTTP client achieved sucessfully compromised over 40% of targeted user accounts.
Axios, when paired with Adversary-in-the-Middle (AiTM) platforms like Evilginx, enables credential, MFA token, and session token theft. Email-borne phishing threats enable credential theft by leveraging reverse proxy toolkits that can steal MFA tokens, which in turn enable account takeover through the use of stolen credentials with tools like Axios to target mailbox rules, exfiltrate data, and create OAuth applications. Once access is gained, sensitive data is stolen, access permissions are modified, and secure sharing links are created for future unauthorised access.
In addition to Axios, threat actors have diversified their approach by employing other HTTP clients.
- Node Fetch, which simplifies the transition from native HTTP to the Fetch API in Node.js, has been used to automate attacks on a large scale, logging over 13 million login attempts with an average of 66,000 malicious attempts daily despite its lack of Axios-like interception capabilities.
- In August 2024, Proofpoint observed that attackers began using Go Resty in attacks, a trend that, although it ceased by October, highlighted the evolving nature of the tools used by threat actors.
To strengthen security measures, it is recommended to monitor user agents by combining observed data with additional indicators and threat intelligence for more focused detections.
Proofpoint | Cloudflare | Microsoft | Cybersecurity News | Forbes | Computer Link |
Image: surface
You Might Also Read:
Microsoft Exchange Exploited By ‘Cuba’
If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.
- Individual £5 per month or £50 per year. Sign Up
- Multi-User, Corporate & Library Accounts Available on Request
- Inquiries: Contact Cyber Security Intelligence
Cyber Security Intelligence: Captured Organised & Accessible
