Microsoft 365 remains one of the most widely used productivity suites in the enterprise world, but its popularity also makes it a prime target for cybercriminals. Among the latest threats, HTTP client attacks have emerged as a sophisticated method for bypassing security measures, including multi-factor authentication (MFA). These attacks exploit legitimate HTTP client tools to gain unauthorized access, making them particularly dangerous for businesses relying on Microsoft 365.
Understanding HTTP Client Attacks
HTTP client attacks involve cybercriminals using tools like cURL, Postman, or custom scripts to mimic legitimate API requests to Microsoft 365 services. Unlike traditional phishing attacks, these methods often bypass MFA by leveraging stolen session tokens or exploiting misconfigured OAuth applications. Attackers typically gain initial access through:
- Phishing emails that trick users into revealing credentials
- Malware infections that harvest session cookies
- OAuth app consent phishing, where users unknowingly grant permissions to malicious apps
Once inside, attackers use HTTP clients to interact with Microsoft 365 APIs, exfiltrating data or moving laterally within the network.
Why HTTP Client Attacks Are Effective
- Bypassing MFA: Since these attacks often use stolen session tokens, MFA becomes ineffective once the token is compromised.
- Blending In: HTTP requests from tools like cURL appear as legitimate traffic, making detection difficult.
- API Abuse: Microsoft 365’s extensive API ecosystem provides multiple entry points for attackers.
How to Defend Against HTTP Client Attacks
1. Strengthen Conditional Access Policies
Microsoft’s Conditional Access (CA) policies can help mitigate risks by:
- Enforcing device compliance checks
- Restricting access from unfamiliar locations
- Requiring managed devices for sensitive data access
2. Monitor and Restrict OAuth Applications
- Audit third-party apps with excessive permissions
- Disable legacy authentication protocols (e.g., IMAP, SMTP)
- Use Microsoft Defender for Office 365 to detect suspicious app behavior
3. Implement Advanced Threat Protection
- Enable Unified Audit Log (UAL) to track API requests
- Deploy Microsoft Defender for Identity to detect token theft
- Use Azure AD Identity Protection for risk-based sign-in policies
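The signals named above (HTTP client user agents that blend in, successful sign-ins without MFA, one source address touching several accounts) can be turned into a simple triage rule over sign-in records. The following is an added example and not code from the article; the records and their field names are constructed to roughly resemble Entra ID sign-in log entries, and the list of tool user-agent prefixes is an assumption to be tuned per tenant.

```python
import json
import re

# Constructed sample sign-in records (not real telemetry). Field names are an
# assumption modelled loosely on Entra ID sign-in logs; adapt to your export.
SAMPLE_SIGNINS = [
    {"user": "alice@contoso.example", "userAgent": "Mozilla/5.0 (Windows NT 10.0) Edg/120.0",
     "app": "Office 365 Exchange Online", "result": "success",
     "mfa": "multiFactorAuthentication", "ip": "203.0.113.10"},
    {"user": "alice@contoso.example", "userAgent": "python-requests/2.31.0",
     "app": "Microsoft Graph", "result": "success",
     "mfa": "singleFactorAuthentication", "ip": "198.51.100.7"},
    {"user": "bob@contoso.example", "userAgent": "curl/8.4.0",
     "app": "Office 365 Exchange Online", "result": "failure",
     "mfa": "singleFactorAuthentication", "ip": "198.51.100.7"},
    {"user": "carol@contoso.example", "userAgent": "PostmanRuntime/7.36.0",
     "app": "Microsoft Graph", "result": "success",
     "mfa": "singleFactorAuthentication", "ip": "192.0.2.44"},
]

# User-agent prefixes of common HTTP client tools (assumed list; extend as needed).
HTTP_CLIENT_UA = re.compile(
    r"^(curl|python-requests|PostmanRuntime|Go-http-client|okhttp|axios|node-fetch)/", re.I)

def classify(record):
    """Return 'high', 'medium' or None for one sign-in record.
    high: HTTP client tool signed in successfully without MFA (token replay pattern).
    medium: any other sign-in from an HTTP client tool, worth a look but lower priority."""
    if not HTTP_CLIENT_UA.match(record.get("userAgent", "")):
        return None
    if record.get("result") == "success" and record.get("mfa") != "multiFactorAuthentication":
        return "high"
    return "medium"

def triage(records):
    """Group flagged sign-ins by severity as (user, tool, source ip, app) tuples."""
    findings = {"high": [], "medium": []}
    for r in records:
        sev = classify(r)
        if sev:
            findings[sev].append((r["user"], r["userAgent"].split("/")[0], r["ip"], r["app"]))
    return findings

def shared_source_ips(records):
    """Source IPs from which HTTP client tools touched more than one account."""
    users_by_ip = {}
    for r in records:
        if classify(r):
            users_by_ip.setdefault(r["ip"], set()).add(r["user"])
    return sorted(ip for ip, users in users_by_ip.items() if len(users) > 1)

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_SIGNINS), indent=2))
    print("shared source IPs:", shared_source_ips(SAMPLE_SIGNINS))
```

Run against a real export, the same two functions surface the accounts to re-verify first and the source addresses to block in Conditional Access.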
4. Educate Users on Phishing Risks
- Train employees to recognize OAuth consent phishing
- Encourage reporting of suspicious emails
- Simulate phishing attacks to test awareness
Microsoft’s Ongoing Security Enhancements
Microsoft has introduced several features to combat HTTP client attacks, including:
- Continuous Access Evaluation (CAE): Revokes sessions in real time if risks are detected
- Token Binding: Prevents stolen tokens from being used on unauthorized devices
- Tenant Restrictions: Limits which apps can access corporate data
Conclusion
HTTP client attacks represent a growing threat to Microsoft 365 environments, exploiting legitimate tools to bypass security controls. By implementing Conditional Access, monitoring OAuth apps, and leveraging advanced threat protection, organizations can significantly reduce their risk. Staying informed and proactive is key to defending against these evolving cyber threats.