Exploitation of Axios and Salty 2FA Kits Escalates Sophisticated Microsoft 365 Phishing Attacks

Recent cybersecurity analyses have unveiled a significant uptick in the misuse of HTTP client tools, notably Axios, in tandem with Microsoft’s Direct Send feature, to orchestrate highly efficient phishing campaigns targeting Microsoft 365 users. This trend underscores a growing sophistication in cyber threats, necessitating heightened vigilance and proactive defense strategies.

Surge in Axios Utilization

Axios, a popular HTTP client library for issuing requests and handling responses, has seen a dramatic increase in malicious use. Between June and August 2025, Axios-related user agent activity surged by 241%, overshadowing the 85% growth observed in all other flagged user agents combined. Of the 32 user agents identified during this period, Axios accounted for nearly a quarter of all activity.

This escalation was initially highlighted by Proofpoint in January 2025, which detailed campaigns leveraging HTTP clients like Axios to execute account takeover (ATO) attacks on Microsoft 365 environments. Despite these earlier warnings, the exploitation of Axios has continued unabated, with threat actors integrating it into their attack arsenals to enhance the effectiveness of their phishing campaigns.

Abuse of Microsoft’s Direct Send Feature

In addition to Axios, cybercriminals have been exploiting Microsoft’s Direct Send feature—a legitimate function within Microsoft 365 that allows devices to send emails directly to recipients without the need for authentication. By abusing this feature, attackers can spoof trusted users and distribute phishing emails that are more likely to bypass security gateways and reach users’ inboxes.

The combination of Axios with Direct Send has proven particularly potent. Campaigns employing this duo have achieved a 70% success rate, significantly surpassing the efficiency of non-Axios campaigns. This synergy enables attackers to deliver malicious payloads with unprecedented precision and scale.

Evolution of Phishing Campaigns

The observed phishing campaigns began in July 2025, initially targeting executives and managers within the finance, healthcare, and manufacturing sectors. Over time, the scope expanded to include a broader range of users, reflecting the attackers’ adaptive strategies and the scalable nature of their methods.

These campaigns often employ compensation-themed lures, enticing recipients to open PDF documents containing malicious QR codes. When scanned, these QR codes redirect users to counterfeit login pages designed to mimic Microsoft Outlook, facilitating the theft of credentials. To further evade detection, some of these phishing pages are hosted on reputable platforms like Google Firebase, exploiting the trust associated with such services.

Technical Mechanisms and Implications

The technical sophistication of these attacks is noteworthy. By using Axios, attackers can intercept, modify, and replay HTTP requests in real time. This capability allows them to capture session tokens or multi-factor authentication (MFA) codes, effectively bypassing controls designed to protect user accounts. Additionally, the exploitation of Shared Access Signature (SAS) tokens in Azure authentication workflows grants unauthorized access to sensitive resources.

The widespread use of Axios in legitimate enterprise and developer environments further complicates detection efforts. Its prevalence allows malicious activities to blend seamlessly with regular traffic, enabling attackers to operate under the radar and evade traditional security defenses.
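One way to separate malicious Axios sign-ins from the legitimate automation traffic they hide among is to review sign-in logs for scripted HTTP client user agents that succeed from outside a known automation allow-list. The following is an added example, not code from the original report; the log records are constructed (field names follow the Microsoft Graph signIn resource) and the allow-list is an assumption:

```python
from collections import Counter

# Constructed sample Entra ID sign-in records (invented values, not real log data).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "cfo@example.com", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}, "appDisplayName": "Office 365 Exchange Online"},
    {"userPrincipalName": "cfo@example.com", "userAgent": "axios/1.7.2",
     "ipAddress": "198.51.100.77", "status": {"errorCode": 0}, "appDisplayName": "Office 365 Exchange Online"},
    {"userPrincipalName": "svc-reporting@example.com", "userAgent": "axios/1.6.8",
     "ipAddress": "203.0.113.50", "status": {"errorCode": 0}, "appDisplayName": "Microsoft Graph"},
    {"userPrincipalName": "hr@example.com", "userAgent": "axios/1.7.2",
     "ipAddress": "198.51.100.78", "status": {"errorCode": 50126}, "appDisplayName": "Office 365 Exchange Online"},
]

# Assumed allow-list: addresses of the organization's own automation hosts, where
# a scripted client such as Axios is expected to sign in.
KNOWN_AUTOMATION_IPS = {"203.0.113.50"}

# Non-browser HTTP client user-agent prefixes that rarely belong in interactive sign-ins.
SCRIPTED_CLIENT_PREFIXES = ("axios/", "python-requests/", "node-fetch/", "go-http-client/")


def is_scripted_client(user_agent: str) -> bool:
    return user_agent.lower().startswith(SCRIPTED_CLIENT_PREFIXES)


def find_suspicious_signins(records):
    """Return successful sign-ins by scripted clients from IPs outside the allow-list.

    Failed attempts are left out here so the alert list highlights actual account
    access; they can still be counted separately for credential-stuffing detection.
    """
    alerts = []
    for r in records:
        ua = r.get("userAgent", "")
        succeeded = r.get("status", {}).get("errorCode") == 0
        if is_scripted_client(ua) and succeeded and r["ipAddress"] not in KNOWN_AUTOMATION_IPS:
            alerts.append({"user": r["userPrincipalName"], "ua": ua,
                           "ip": r["ipAddress"], "app": r["appDisplayName"]})
    return alerts


def user_agent_share(records):
    """Share of sign-ins per client family (e.g. 'axios'), for tracking surges over time."""
    families = Counter(r.get("userAgent", "").split("/")[0].lower() for r in records)
    total = sum(families.values())
    return {family: count / total for family, count in families.items()}
```

Running `user_agent_share` per week over real sign-in exports gives the kind of growth figure the report cites, while `find_suspicious_signins` produces the per-user alerts worth triaging.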

Mitigation Strategies

To counteract these advanced phishing tactics, organizations should implement a multifaceted approach:

1. Secure Direct Send Feature: Evaluate the necessity of the Direct Send feature within your organization. If it’s not essential, consider disabling it to prevent potential abuse.

2. Configure Anti-Spoofing Policies: Establish robust anti-spoofing policies on email gateways to detect and block emails that attempt to impersonate trusted users.

3. Employee Training: Conduct regular training sessions to educate employees on recognizing phishing emails, especially those containing unexpected attachments or QR codes.

4. Monitor and Block Suspicious Domains: Implement monitoring tools to identify and block domains associated with phishing activities.

5. Enhance MFA Protocols: While MFA is a critical security measure, ensure that it is implemented in a manner resistant to interception, such as using hardware tokens or app-based authenticators that are less susceptible to real-time attacks.

6. Regular Security Audits: Conduct periodic security audits to identify and remediate vulnerabilities within your organization’s infrastructure.
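Items 1 and 2 above come down to recognising mail that claims an internal sender but arrived unauthenticated through the tenant's inbound endpoint, which is what Direct Send abuse looks like in message headers. The check below is an added example, not code from the original report; the two messages are constructed, the organization's domain list is an assumption, and it assumes the inbound connector stamps an `X-MS-Exchange-Organization-AuthAs` header:

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed: domains the organization owns. Mail "from" these domains that arrives
# unauthenticated from outside is the Direct Send spoofing pattern.
ORG_DOMAINS = {"example.com"}

# Constructed sample: external host delivering mail as an internal executive.
SAMPLE_DIRECT_SEND = """From: "Finance Director" <cfo@example.com>
To: staff@example.com
Subject: Updated compensation schedule
Authentication-Results: spf=fail (sender IP is 198.51.100.77) smtp.mailfrom=example.com; dmarc=fail action=none header.from=example.com
X-MS-Exchange-Organization-AuthAs: Anonymous

Please review the attached PDF and scan the QR code to confirm.
"""

# Constructed sample: genuine internal message for comparison.
SAMPLE_LEGIT = """From: "Finance Director" <cfo@example.com>
To: staff@example.com
Subject: Q3 numbers
Authentication-Results: spf=pass smtp.mailfrom=example.com; dmarc=pass action=none header.from=example.com
X-MS-Exchange-Organization-AuthAs: Internal

Attached.
"""


def auth_result(header: str, method: str) -> str:
    """Extract the result token for one method (spf, dmarc) from Authentication-Results."""
    m = re.search(rf"\b{method}=([a-z]+)", header or "", re.IGNORECASE)
    return m.group(1).lower() if m else "none"


def looks_like_direct_send_spoof(raw: str) -> bool:
    """True when an internal-looking sender fails SPF/DMARC and was accepted anonymously."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if domain not in ORG_DOMAINS:
        return False  # external sender domains are covered by the ordinary phishing rules
    auth = msg.get("Authentication-Results", "")
    unauthenticated = auth_result(auth, "spf") != "pass" or auth_result(auth, "dmarc") != "pass"
    anonymous = msg.get("X-MS-Exchange-Organization-AuthAs", "").lower() == "anonymous"
    return unauthenticated and anonymous
```

A transport rule or gateway policy built on the same two conditions quarantines these messages rather than delivering them as if they came from the named colleague.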

Conclusion

The exploitation of tools like Axios and features such as Microsoft’s Direct Send in phishing campaigns represents a significant evolution in cyber threats targeting Microsoft 365 users. These sophisticated tactics underscore the necessity for organizations to adopt comprehensive and proactive security measures. By understanding the mechanisms of these attacks and implementing robust defense strategies, organizations can better protect themselves against the ever-evolving landscape of cyber threats.