Hackers Used HTTP Client Tools to Hijack Microsoft 365 Accounts


In today’s increasingly digital landscape, cybersecurity has become a top priority for organizations around the globe. Among the myriad of threats facing businesses, account takeover (ATO) attacks are particularly concerning, especially when targeting widely used platforms like Microsoft 365. Recently, cybercriminals have refined their tactics by leveraging HTTP client tools—software applications and libraries that facilitate sending HTTP requests and receiving responses from web servers—to orchestrate these sophisticated attacks. In this comprehensive blog post, we will explore the methods employed by hackers, examine notable attack campaigns, and discuss robust strategies to help safeguard your Microsoft 365 environment.

The Rise of Account Takeover Attacks on Microsoft 365

Microsoft 365 is a critical tool for organizations hosting sensitive emails, documents, and communication channels. Unfortunately, its widespread adoption has also made it a lucrative target for threat actors. Recent studies indicate that ATO attacks target a staggering 78% of Microsoft 365 tenants at least once. This high percentage underscores not only the frequency but also the evolving sophistication of these attacks.

Account takeover attacks typically involve the unauthorized access and control of user accounts, enabling cybercriminals to steal sensitive information, escalate privileges, or use the compromised accounts as footholds for further malicious activities. The innovative use of HTTP client tools in these attacks has allowed hackers to mimic legitimate traffic while executing a wide range of operations with high levels of customization.

The Role of HTTP Client Tools in Cyber Attacks

HTTP client tools are integral components in both legitimate and malicious operations. They are designed to facilitate the interaction between a client and a web server, allowing users to send HTTP requests—such as GET, POST, PUT, and DELETE—and receive corresponding responses. These tools offer cybercriminals a versatile platform to craft custom requests that bypass traditional security mechanisms.

By manipulating request headers, methods, and payloads, attackers can impersonate legitimate users, probe for vulnerabilities, and automate large-scale attacks with minimal effort. The ability to fine-tune these parameters makes HTTP client tools an attractive option for orchestrating complex ATO attacks.

For example, a campaign observed in February 2018 by Proofpoint researchers revealed the use of an uncommon version of the OkHttp client (specifically, ‘okhttp/3.2.0’) to target Microsoft 365 environments. This discovery highlighted the ingenuity of threat actors and the need for continuous monitoring and updating of security practices in response to emerging attack vectors.

Historical Campaigns and Shifts in Tactics

Early Observations: The OkHttp Campaign

In 2018, cybersecurity researchers began noticing a series of account takeover attempts that targeted high-value users such as C-level executives and privileged personnel. The campaign utilized an uncommon variant of the OkHttp client, indicating that the attackers were technically adept and highly strategic in their approach. These early attacks relied heavily on user enumeration techniques to identify valid email addresses used in spear phishing and password-spraying attacks.

Evolution Through 2024: Diversification of HTTP Clients

Over time, the reliance on a single HTTP client diminished as threat actors diversified their toolkit. By early 2024, variants of OkHttp continued to be popular, but by March of that same year, a broader range of HTTP clients had emerged in the cybercriminal arsenal. One particularly noteworthy campaign involved Axios, a widely adopted HTTP client. This campaign was highly successful, compromising approximately 43% of targeted user accounts.

The attackers combined Axios with adversary-in-the-middle (AiTM) platforms, such as Evilginx, to steal credentials and intercept multi-factor authentication (MFA) tokens and session tokens. This combination of tools significantly increased the potency of the attacks, allowing hackers to manipulate account settings, establish unauthorized access channels, and exfiltrate sensitive data.

The Rise of Node Fetch and Go Resty

In addition to Axios and OkHttp, cybercriminals have also turned to other HTTP client libraries such as Node Fetch and Go Resty. Node Fetch, for instance, is particularly useful for automating large-scale attacks. Despite lacking some of the interception capabilities seen in Axios, Node Fetch has been instrumental in conducting password-spraying attacks by automating the process of attempting thousands of login credentials. One report indicated that over 13 million login attempts were logged, with an average of 66,000 malicious attempts daily.

Similarly, Go Resty—a Go-based HTTP/REST client—appeared briefly but notably in August 2024. Although its use in brute force attacks was short-lived, ceasing by October of the same year, its emergence further illustrates the rapidly evolving nature of the tools employed by cyber adversaries. This shift in the attack landscape emphasizes the necessity for constant vigilance and the adaptation of security measures to counter new threats.

Anatomy of an Account Takeover Attack

Understanding the attack chain is crucial for developing effective defense mechanisms. Typically, the ATO attack chain involving HTTP client tools follows these general steps:

Initial Access via Email-Borne Phishing

The attack usually begins with a phishing email to lure the victim into revealing their credentials. These emails are often sophisticated and targeted, crafted to appear to originate from a trusted source. Once the user interacts with the malicious email, their credentials may be captured.

Exploitation Using Reverse Proxy Toolkits

Once the attacker has obtained valid credentials, the next phase involves using reverse proxy toolkits such as Evilginx. These toolkits intercept the credentials and multi-factor authentication tokens, thereby circumventing the additional security measures in place. The intercepted data provides the attacker with sufficient information to bypass MFA, a critical defense layer.

Customization with HTTP Client Tools

With the necessary data in hand, the attacker leverages HTTP client tools to perform actions consistent with legitimate user behavior. For instance, they might use Axios to create or modify mailbox rules, exfiltrate sensitive data, or even create unauthorized OAuth applications. The versatility of HTTP clients allows these malicious operations to be executed with a high degree of automation and precision, making detection significantly more challenging.

Post-Exploitation Activities

Once the attacker gains control of the account, they may engage in several activities to maintain persistence and further compromise the environment. These activities include altering access permissions, creating secure sharing links for continuous access, and exfiltrating confidential information to external servers. The damage inflicted can be extensive, ranging from data breaches to long-term unauthorized access that can compromise organizational integrity.

Mitigation Strategies and Enhancing Detection

Given the sophistication of these attacks, traditional security measures might not suffice. Organizations must adopt a multi-layered approach to protect against such threats. Below are some recommended strategies to enhance detection and improve overall security posture:

Comprehensive Monitoring of HTTP Traffic

One of the first steps is implementing robust monitoring systems that track your network’s HTTP traffic. Organizations can detect anomalies that may indicate a malicious operation by analyzing user agents and combining this observed data with additional indicators and threat intelligence. Maintaining an updated repository of known malicious HTTP client versions is critical, as this information can serve as a valuable indicator of compromise (IoC).

Enforcing Multi-Factor Authentication (MFA)

While MFA is not entirely foolproof—given that sophisticated attackers can intercept MFA tokens—it remains a crucial security layer. Enforcing MFA for all users significantly reduces the risk of unauthorized access. In addition, educating users on best practices regarding MFA and being vigilant when prompted for additional verification can help mitigate the risk further.

Regular Software Updates and Patch Management

Ensuring that all software, including HTTP client libraries and associated applications, is regularly updated is vital. Cybercriminals often exploit known vulnerabilities in outdated software versions. A proactive patch management strategy can help close these security gaps, reducing the attack surface.

Advanced Threat Detection Solutions

Organizations should invest in advanced threat detection solutions that leverage machine learning and behavioral analytics. These solutions can detect subtle anomalies in user behavior that might indicate a compromised account. By correlating various data points—from HTTP request patterns to login anomalies—these systems can alert security teams to potential threats before significant damage occurs.

Employee Training and Awareness Programs

Many ATO attacks begin with a successful phishing attempt. Therefore, employee training and awareness programs are indispensable. Regular training sessions that educate staff about the latest phishing tactics, the dangers of sharing credentials, and the importance of following security protocols can significantly reduce the risk of an initial compromise.

Detailed Indicators of Compromise

To aid in detecting these sophisticated ATO attacks, it is essential to be familiar with key indicators of compromise related to HTTP client tools. Monitoring these indicators can provide early warning signs of malicious activity:

OkHttp Variants

Several versions of the OkHttp client have been observed in attack campaigns, including okhttp/3.14.7, okhttp/3.14.9, okhttp/4.11.0, and okhttp/4.12.0. Recognizing these user agent strings in your logs, especially when they appear in unexpected contexts, can be a red flag for ongoing ATO attempts.

Python Requests Library

The Python Requests library is widely used for legitimate purposes, but its misuse in cyberattacks is rising. Attackers have been observed using versions ranging from python-requests/2.27.1 to python-requests/2.32.3. Monitoring for unusual or unexpected usage of these versions can help in the early detection of suspicious activities.

Axios and Its Variants

Axios has emerged as one of the preferred HTTP clients for sophisticated attacks. Notable versions that have been identified include Axios/0.21.1, Axios/0.21.4, Axios/1.4.0, and Axios/1.7.5. Given Axios’s effectiveness when combined with AiTM platforms like Evilginx, its presence in network traffic, particularly in unusual contexts, should trigger further investigation.

Node Fetch Utilization

Node Fetch has been leveraged primarily for its ability to automate large-scale password-spraying attacks. Although it lacks some of the more advanced interception capabilities of Axios, its use for automating attacks is concerning. Monitoring for frequent and high-volume login attempts associated with Node Fetch can help detect early signs of a brute force attack.

Go Resty in Brute Force Attacks

Although Go Resty’s appearance was brief in 2024, its use in brute force attacks reminds us of how quickly attackers can shift tactics. The version go-resty/2.14.0 was noted during these attempts. Organizations should remain vigilant and update their threat intelligence to include even short-lived tools that attackers may employ.

Best Practices for Securing Microsoft 365 Environments

Protecting your Microsoft 365 environment against ATO attacks requires a multi-faceted approach. Here are some best practices to consider:

Regular Security Audits

Conduct regular security audits to identify vulnerabilities within your Microsoft 365 setup. This includes reviewing user permissions, monitoring account activities, and promptly applying all security patches. Audits can help reveal weak points that attackers might exploit.

Implementation of Zero Trust Architecture

Adopting a Zero-Trust security model can significantly enhance your defenses. This approach assumes that threats exist both inside and outside the network and mandates continuous verification of every access request. Organizations can limit the potential damage of a compromised account by enforcing strict access controls and ensuring that every request is authenticated and authorized.

Use of Advanced Analytics and AI

Incorporate advanced analytics and AI-driven solutions to monitor network traffic and user behavior continuously. These tools can identify patterns indicative of malicious activity, allowing for rapid response and mitigation. AI can also help dynamically update threat intelligence feeds, ensuring that your defense mechanisms are always current.

Strengthening Endpoint Security

Ensure that endpoint devices accessing Microsoft 365 are secured with up-to-date antivirus software, firewalls, and endpoint detection and response (EDR) solutions. Cybercriminals often exploit vulnerabilities in endpoint devices to gain initial access to network credentials. A robust endpoint security posture can be the first defense against such intrusions.

Enhancing Email Security

Since phishing remains a primary vector for ATO attacks, investing in advanced email security solutions is critical. These solutions should include spam filtering, phishing detection, and URL scanning capabilities to prevent malicious emails from reaching end-users. Additionally, implementing email authentication protocols such as DMARC, DKIM, and SPF can help reduce the risk of spoofed emails.

Conclusion

The use of HTTP client tools in orchestrating account takeover attacks on Microsoft 365 environments is a stark reminder of the evolving threat landscape. Organizations must remain vigilant and proactive in their cybersecurity measures as attackers continue to refine their techniques and diversify their toolsets—from OkHttp and Axios to Node Fetch and Go Resty.

Organizations can better defend themselves against these sophisticated attacks by understanding the methods employed by threat actors, closely monitoring key indicators of compromise, and implementing a multi-layered security strategy that includes robust monitoring, MFA enforcement, regular updates, and employee training.

In an era when cyber threats are increasingly sophisticated and persistent, staying informed and prepared is the best defense. Regularly updating threat intelligence and adapting security practices to emerging challenges are not just best practices—they are essential strategies for protecting your digital assets and ensuring the integrity of your Microsoft 365 environment.

Through comprehensive monitoring, advanced analytics, and a commitment to ongoing security improvements, organizations can build a resilient defense that detects and mitigates the risks posed by these advanced ATO attacks. The continuous evolution of cybersecurity threats demands that we evolve our defenses—ensuring that our digital environments remain secure in the face of an ever-changing threat landscape.

By implementing the strategies discussed in this post and staying abreast of cybercriminals’ latest trends and tools, organizations can take significant steps toward securing their Microsoft 365 environments and preventing the potentially devastating consequences of account takeover attacks.

Hoplon Infosec
