Cybercriminals are increasingly using legitimate HTTP client tools to facilitate account takeover (ATO) attacks on Microsoft 365 environments.
Enterprise security company Proofpoint said it observed campaigns using the HTTP clients Axios and Node Fetch to send HTTP requests and receive HTTP responses from web servers as part of ATO attacks.
“Originally sourced from public repositories like GitHub, these tools are increasingly used in attacks like Adversary-in-the-Middle (AitM) and brute-force techniques, leading to numerous account takeover (ATO) incidents,” security researcher Anna Akselevich said.
The use of HTTP client tools for brute-force attacks is a long-observed trend, going back to at least February 2018, with successive iterations employing variants of the OkHttp client to target Microsoft 365 environments until at least early 2024.
But by March 2024, Proofpoint said it began to observe a wide range of HTTP clients gaining traction, with the attacks scaling to a new high: 78% of Microsoft 365 tenants were targeted by at least one ATO attempt in the second half of last year.
“In May 2024, these attacks peaked, leveraging millions of hijacked residential IPs to target cloud accounts,” Akselevich said.
The volume and variety of these attempts is reflected in the emergence of HTTP clients such as Axios, Go Resty, Node Fetch, and Python Requests, with campaigns that combine precise targeting with AitM techniques achieving a higher compromise rate.
Axios, per Proofpoint, is designed for Node.js and browsers and can be paired with AitM platforms such as Evilginx to enable the theft of credentials and multi-factor authentication (MFA) codes. The AitM proxy sits between the victim and the real login page, so the password and the MFA code the victim types are relayed to Microsoft in real time and the resulting session cookie is captured, which is why a one-time code alone does not stop this class of attack.
The threat actors have also been observed creating new mailbox rules to conceal malicious activity, stealing sensitive data, and even registering a new OAuth application with excessive permission scopes to establish persistent remote access to the compromised environment.
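The two persistence moves just described, a mailbox rule that hides mail and an OAuth consent with broad scopes, both leave records in the Microsoft 365 unified audit log. The following triage script is an added example, not Proofpoint's tooling or anything from the report: it assumes audit records exported as JSON lines with the Exchange `New-InboxRule` `Parameters` array and the Entra ID `Consent to application.` `ModifiedProperties` array, approximates the layout of the `ConsentAction.Permissions` value, and uses constructed sample records. The short-rule-name check and the folder list are heuristics, not Proofpoint's criteria.

```python
"""Triage of Microsoft 365 unified audit log records for the two persistence
moves described above: inbox rules that hide mail and OAuth consents with
broad scopes. Added example, not Proofpoint's tooling; the records are
constructed and the 'ConsentAction.Permissions' value layout is approximated."""
import json
import re

# Inbox-rule parameters that make mail disappear or leave the tenant.
SUSPICIOUS_RULE_PARAMS = {"DeleteMessage", "MarkAsRead", "MoveToFolder",
                          "ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
# Folders attackers pick because nobody looks there (heuristic list).
HIDE_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                "junk email", "archive", "deleted items"}
# Delegated Graph scopes that give an app durable mailbox/file access.
HIGH_RISK_SCOPES = {"mail.read", "mail.readwrite", "mail.send", "mailboxsettings.readwrite",
                    "files.readwrite.all", "directory.readwrite.all", "offline_access"}
# Pulls "Scope: A B C" out of the consent record's NewValue text (assumed layout).
SCOPE_RE = re.compile(r"Scope:\s*([^,\]]+)")


def inbox_rule_reasons(record):
    """Reasons a New-/Set-InboxRule record looks like evidence hiding."""
    params = {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}
    reasons = []
    for name, value in params.items():
        if name not in SUSPICIOUS_RULE_PARAMS:
            continue
        if name in ("DeleteMessage", "MarkAsRead") and value.lower() != "true":
            continue
        if name == "MoveToFolder" and value.lower() not in HIDE_FOLDERS:
            continue  # moving mail to an ordinary folder is routine housekeeping
        reasons.append(f"{name}={value}")
    rule_name = params.get("Name", "").strip()
    if 0 < len(rule_name) <= 2:  # heuristic: attacker rules are often named "." or ".."
        reasons.append(f"Name={rule_name!r}")
    return sorted(reasons)


def consent_reasons(record):
    """Risky scopes granted in a 'Consent to application.' record."""
    reasons = []
    for prop in record.get("ModifiedProperties", []):
        if prop.get("Name") != "ConsentAction.Permissions":
            continue
        for match in SCOPE_RE.finditer(str(prop.get("NewValue", ""))):
            risky = sorted(s for s in match.group(1).split() if s.lower() in HIGH_RISK_SCOPES)
            if risky:
                reasons.append("scopes=" + " ".join(risky))
    return reasons


def triage(audit_lines):
    """Return (user, operation, reasons) for every record worth a look."""
    findings = []
    for line in audit_lines:
        rec = json.loads(line)
        op = rec.get("Operation", "")
        if op in ("New-InboxRule", "Set-InboxRule"):
            reasons = inbox_rule_reasons(rec)
        elif op == "Consent to application.":
            reasons = consent_reasons(rec)
        else:
            reasons = []
        if reasons:
            findings.append((rec.get("UserId", "?"), op, reasons))
    return findings


# Constructed records (JSON lines, shaped like a unified audit log export).
SAMPLE_AUDIT_LINES = [json.dumps(r) for r in [
    {"Operation": "New-InboxRule", "Workload": "Exchange", "UserId": "cfo@example.com",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "invoice;wire"},
                    {"Name": "DeleteMessage", "Value": "True"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "New-InboxRule", "Workload": "Exchange", "UserId": "alice@example.com",
     "Parameters": [{"Name": "Name", "Value": "Vendor newsletters"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Operation": "Consent to application.", "Workload": "AzureActiveDirectory",
     "UserId": "cfo@example.com",
     "ModifiedProperties": [
         {"Name": "ConsentContext.IsAdminConsent", "NewValue": "False"},
         {"Name": "ConsentAction.Permissions",
          "NewValue": "[] => [[Id: 1, ClientId: 2, Scope: Mail.ReadWrite offline_access User.Read, ConsentType: Principal]]"}]},
    {"Operation": "Consent to application.", "Workload": "AzureActiveDirectory",
     "UserId": "bob@example.com",
     "ModifiedProperties": [
         {"Name": "ConsentAction.Permissions",
          "NewValue": "[] => [[Id: 3, ClientId: 4, Scope: User.Read, ConsentType: Principal]]"}]},
]]

if __name__ == "__main__":
    for user, op, reasons in triage(SAMPLE_AUDIT_LINES):
        print(f"{user}: {op} -> {', '.join(reasons)}")
```

Only the CFO's two records come back: the rule named "." that deletes and marks read anything mentioning invoices, and the consent that hands an app `Mail.ReadWrite` plus `offline_access` (a refresh token, so the access survives a password reset). Alice's housekeeping rule and Bob's `User.Read`-only consent are ignored. The list of scopes and folders is a starting point to tune to the tenant.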
The Axios campaigns are said to have mainly singled out high-value targets such as executives, financial officers, account managers, and operational staff across the transportation, construction, finance, IT, and healthcare verticals.
More than 51% of the targeted organizations are estimated to have been successfully impacted between June and November 2024, with 43% of the targeted user accounts compromised.
The cybersecurity company said it also detected a large-scale password-spraying campaign using the Node Fetch and Go Resty clients, recording at least 13 million login attempts since June 9, 2024, an average of over 66,000 malicious attempts per day. The success rate, however, remained low, affecting only 2% of the targeted entities.
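A spray of this shape (millions of attempts, a handful per account, spread over hijacked residential IPs) is visible in the tenant's own sign-in logs, and the libraries named in this article announce themselves in their default `User-Agent` header. The script below is an added example, not Proofpoint's detection logic: it assumes Entra ID sign-in events with the fields `userPrincipalName`, `ipAddress`, `userAgent` and `status.errorCode` (0 for success, 50126 for a wrong username or password), uses constructed sample events, and matches the default User-Agent prefixes of Axios, Node Fetch, Go Resty, Python Requests and OkHttp. Those prefixes are trivially overridable, so a hit is a lead to pivot on, not proof of compromise.

```python
"""Password-spray and HTTP-client-library detection over Microsoft 365 /
Entra ID sign-in events (added example, not Proofpoint's tooling).

Assumptions: events follow the Entra ID sign-in log shape (userPrincipalName,
ipAddress, userAgent, status.errorCode), 0 means success and 50126 means
'invalid username or password'. The sample events are constructed."""
from collections import defaultdict

# Default User-Agent prefixes of the HTTP client libraries named in the
# article. They are trivially overridable, so a match is a lead, not proof.
HTTP_CLIENT_UA_PREFIXES = (
    "axios/",            # Node.js adapter sends "axios/<version>"
    "node-fetch",        # "node-fetch" or "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)"
    "go-resty/",         # "go-resty/<version> (https://github.com/go-resty/resty)"
    "python-requests/",  # "python-requests/<version>"
    "okhttp/",           # "okhttp/<version>"
)
INVALID_PASSWORD = 50126


def is_http_client_ua(user_agent: str) -> bool:
    """True when the User-Agent is a library default rather than a browser."""
    ua = (user_agent or "").lower()
    return any(ua.startswith(prefix) for prefix in HTTP_CLIENT_UA_PREFIXES)


def detect_spray(events, key="ipAddress", min_users=5, max_per_user=2):
    """Return {source: [targeted users]} for sources that failed against many
    distinct accounts with few attempts each, the spray signature.

    Grouping by userAgent instead of ipAddress catches sprays that rotate
    through residential proxies, where no single IP crosses the threshold."""
    failures = defaultdict(lambda: defaultdict(int))  # source -> user -> failed count
    for ev in events:
        if ev["status"]["errorCode"] != 0:
            failures[ev[key]][ev["userPrincipalName"]] += 1
    hits = {}
    for source, per_user in failures.items():
        if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
            hits[source] = sorted(per_user)
    return hits


def flag_http_client_logins(events):
    """Accounts that signed in successfully from a library User-Agent:
    the first candidates for a compromise review."""
    return sorted({ev["userPrincipalName"] for ev in events
                   if ev["status"]["errorCode"] == 0 and is_http_client_ua(ev["userAgent"])})


def _ev(upn, ip, ua, code):
    return {"userPrincipalName": upn, "ipAddress": ip, "userAgent": ua,
            "status": {"errorCode": code}}


RESTY_UA = "go-resty/2.11.0 (https://github.com/go-resty/resty)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"

# Constructed sample: one node-fetch source sprays six student accounts from a
# single IP and gets into one; a go-resty spray spreads five accounts over five
# IPs; a real user mistypes a password twice from a browser, then succeeds.
SAMPLE_EVENTS = (
    [_ev(f"student{i}@example.com", "203.0.113.10", "node-fetch", INVALID_PASSWORD) for i in range(1, 6)]
    + [_ev("student6@example.com", "203.0.113.10", "node-fetch", 0)]
    + [_ev(f"user{i}@example.com", f"198.51.100.{i}", RESTY_UA, INVALID_PASSWORD) for i in range(1, 6)]
    + [_ev("alice@example.com", "192.0.2.8", BROWSER_UA, INVALID_PASSWORD)] * 2
    + [_ev("alice@example.com", "192.0.2.8", BROWSER_UA, 0)]
)

if __name__ == "__main__":
    print("spray by IP:        ", detect_spray(SAMPLE_EVENTS))
    print("spray by User-Agent:", detect_spray(SAMPLE_EVENTS, key="userAgent"))
    print("library logins:     ", flag_http_client_logins(SAMPLE_EVENTS))
```

Grouping by IP catches only the node-fetch source; the Go Resty spray, one attempt per IP, surfaces only when the same events are grouped by User-Agent, which is the point of the residential-proxy pools the article describes. The single successful sign-in from `node-fetch` (`student6`) is the account to contain first, and Alice's two browser failures stay below both thresholds.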
More than 178,000 targeted user accounts have been identified to date, most of them in the education sector, in particular student accounts, which are likely to be less protected and can be weaponized for other campaigns or sold to other threat actors.
“Threat actors' tools for ATO attacks have evolved significantly, with various HTTP client tools used to exploit APIs and make HTTP requests,” Akselevich said. “These tools offer distinct advantages, making attacks more efficient.”
“Given this trend, attackers are likely to continue switching between HTTP clients, adapting their strategies to leverage new technologies and evade detection, reflecting a broader pattern of constant evolution to enhance their effectiveness and minimize exposure.”