Introduction
Recent research from the cybersecurity firm Proofpoint reveals a startling picture of Microsoft's ecosystem: approximately 78% of Microsoft 365 users have been targeted by account takeover (ATO) attempts. The scale of these attacks underscores the growing sophistication and persistence of adversaries seeking access to sensitive organizational and personal data.
Background and Context
Microsoft 365 is one of the most widely used productivity suites globally, central to enterprise communications, data storage, and collaboration. However, its popularity also makes it an attractive target for cybercriminals. Account takeover attacks — where attackers gain unauthorized access to user accounts — expose millions to data breaches, ransomware, and internal network compromises.
Traditionally, brute force and credential stuffing attacks relied on simple automated attempts to guess passwords. However, Proofpoint's research reveals a new trend: attackers weaponizing legitimate HTTP client tools, such as Axios, Node Fetch, and Go Resty, to orchestrate highly effective brute force and password spraying campaigns against Microsoft 365 accounts.
Technical Analysis: Weaponization of HTTP Client Tools
- Axios: A promise-based HTTP client popular among developers due to its flexibility. Attackers exploit Axios’s ability to intercept and modify traffic, making it a powerful tool to bypass multi-factor authentication (MFA) protections when combined with adversary-in-the-middle platforms like Evilginx.
- Node Fetch: Used extensively in high-volume brute force attempts, some campaigns generate up to 66,000 login attempts daily in targeted sectors.
- Go Resty: A Go HTTP client linked to the Node Fetch operations. It was used only briefly in 2024 before fading from observed activity, but its appearance shows how quickly adversarial tooling changes.
These attackers conduct distributed, high-velocity attack campaigns focusing on high-value targets such as executives and finance officers, predominantly during standard business hours. The success rates are alarmingly high—with Axios-based campaigns achieving about a 43% success rate in breaching accounts, despite MFA protections.
Implications and Impact
The findings raise serious concerns about the effectiveness of current security protocols, especially for enterprises relying on Microsoft 365:
- Data Breaches: Unauthorized account access risks intellectual property theft, exposure of sensitive communications, and data exfiltration.
- Operational Disruptions: Compromised accounts can serve as gateways for lateral movement within corporate networks, causing widespread compromise.
- MFA Bypass: The campaigns reveal potential weaknesses in MFA configurations, especially when combined with sophisticated attack vectors leveraging HTTP clients and adversary-in-the-middle techniques.
- Need for Proactive Defense: Organizations must reconsider their defense-in-depth strategies, focusing on vigilant monitoring, continuous security training, and advanced detection mechanisms.
Recommended Security Measures
- Implement and Audit Multi-Factor Authentication (MFA): While MFA remains critical, organizations should continuously verify its proper deployment and complement it with additional layers, such as conditional access policies.
- Monitor Authentication Logs: Look for anomalies such as volume spikes, failures spread across many accounts from a single source, unusual IP addresses, and unexpected authentication protocols or user-agent strings that indicate device code authentication or scripted HTTP clients.
- Limit Use of Device Code Authentication: Attackers exploit this feature through socially engineered phishing campaigns. Conditional access policies can restrict or prohibit its use where feasible.
- Educate End Users: Continuous security awareness training is vital, especially to recognize phishing and social engineering tactics used to harvest credentials or device codes.
- Use Advanced Threat Protection: Deploy solutions capable of detecting adversary-in-the-middle attacks, brute force attempts, and abnormal client behaviors associated with Axios or similar tools.
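As an added illustration of the log-monitoring recommendation above (example code written for this page, not Proofpoint's or Microsoft's own tooling), the following Python triage routine runs over constructed sign-in records whose field names are modelled on the Microsoft Graph sign-in log schema (userPrincipalName, ipAddress, userAgent, authenticationProtocol, and a flattened status error code). It flags HTTP-client-library user agents, device code sign-ins, and source IPs that fail against several distinct accounts, the signature of password spraying. The threshold value and the sample records are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records (not real log data). "errorCode" stands in for the
# nested status.errorCode field; 0 is a successful sign-in, 50126 a bad password.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "cfo@example.com", "ipAddress": "203.0.113.7",
     "userAgent": "axios/1.6.2", "authenticationProtocol": "none", "errorCode": 50126},
    {"userPrincipalName": "ceo@example.com", "ipAddress": "203.0.113.7",
     "userAgent": "axios/1.6.2", "authenticationProtocol": "none", "errorCode": 50126},
    {"userPrincipalName": "treasurer@example.com", "ipAddress": "203.0.113.7",
     "userAgent": "axios/1.6.2", "authenticationProtocol": "none", "errorCode": 0},
    {"userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.4",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0) Edg/120.0", "authenticationProtocol": "none", "errorCode": 0},
    {"userPrincipalName": "bob@example.com", "ipAddress": "192.0.2.9",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0) Edg/120.0", "authenticationProtocol": "deviceCode", "errorCode": 0},
    {"userPrincipalName": "carol@example.com", "ipAddress": "198.51.100.4",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0) Edg/120.0", "authenticationProtocol": "none", "errorCode": 50126},
    {"userPrincipalName": "dave@example.com", "ipAddress": "203.0.113.7",
     "userAgent": "node-fetch/1.0", "authenticationProtocol": "none", "errorCode": 50126},
]

# User-agent substrings of the HTTP client libraries named in the research.
CLIENT_LIBRARY_RE = re.compile(r"\b(axios|node-fetch|go-resty|resty)\b", re.IGNORECASE)


def flag_signin(record):
    """Per-record indicators: scripted HTTP client or device code flow."""
    reasons = []
    if CLIENT_LIBRARY_RE.search(record.get("userAgent", "")):
        reasons.append("http-client-library")
    if record.get("authenticationProtocol") == "deviceCode":
        reasons.append("device-code-flow")
    return reasons


def find_spraying_sources(records, min_users=3):
    """Map source IP -> number of distinct accounts it failed against, for IPs
    at or above min_users (assumed threshold; tune to the tenant's baseline)."""
    targeted = defaultdict(set)
    for r in records:
        if r["errorCode"] != 0:
            targeted[r["ipAddress"]].add(r["userPrincipalName"])
    return {ip: len(users) for ip, users in targeted.items() if len(users) >= min_users}


def triage(records, min_users=3):
    """Return (user, ip, reasons) for every record with at least one indicator.
    A successful sign-in from a spraying IP is included: that is the takeover."""
    spraying = find_spraying_sources(records, min_users)
    findings = []
    for r in records:
        reasons = flag_signin(r)
        if r["ipAddress"] in spraying:
            reasons.append("password-spray-source")
        if reasons:
            findings.append((r["userPrincipalName"], r["ipAddress"], reasons))
    return findings
```

Fed to a SIEM rule, the same logic would run over the tenant's real sign-in export rather than the embedded sample.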
Conclusion
This recent research highlights that 78% of Microsoft 365 users have faced account takeover attempts leveraging sophisticated, emerging attack techniques that exploit legitimate HTTP client tools. The threat landscape continues to evolve rapidly, necessitating a comprehensive, agile, and multi-layered defense approach. Microsoft 365 users and administrators must remain vigilant, adopt robust security postures, and keep abreast of threat intelligence to safeguard valuable digital assets.