HTTP Client Tools Exploitation for Account Takeover Attacks

Jan. 30, 2025, 2:03 p.m.

Description

This analysis reveals a growing trend of attackers repurposing legitimate HTTP client tools to compromise Microsoft 365 environments. The report highlights two main attack campaigns: one using the Axios client, with a 43% success rate in compromising user accounts, and another using the Node Fetch client for large-scale brute-force attacks. The Axios campaign primarily targets executives and high-value users across various industries, while the Node Fetch campaign focuses on educational institutions. The analysis also notes a brief shift to the Go Resty client before a return to Node Fetch. These evolving tactics demonstrate the adaptability of threat actors in exploiting HTTP clients for account takeover attacks.

Date

  • Created: Jan. 30, 2025, 12:55 p.m.
  • Published: Jan. 30, 2025, 12:55 p.m.
  • Modified: Jan. 30, 2025, 2:03 p.m.

Indicators

  • c.65a9b4549d87a.digital
  • nc.667af91ca5068.digital
  • www.https-65a916cbc80e5.org
  • https://www.https-65a916cbc80e5.org/auth
  • https://c.65a9b4549d87a.digital/auth
  • https://nc.667af91ca5068.digital/auth

Attack Patterns

  • T1114.003
  • T1586
  • T1110
  • T1136
  • T1557
  • T1114
  • T1098
  • T1584
  • T1078

Additional Information

  • Construction
  • Technology
  • Healthcare
  • Transportation
  • Education
  • Finance
  • Canada
  • United States of America
  • Russian Federation