Introduction
Cybercriminals are increasingly exploiting legitimate HTTP client tools to execute account takeover (ATO) attacks on Microsoft 365 environments [1] [2] [4]. This trend highlights the growing sophistication and adaptability of threat actors in leveraging these tools for malicious purposes.
Description
Cybercriminals are increasingly repurposing legitimate HTTP client tools [1] [2] [3] [4], such as those emulating XMLHttpRequest and Node.js HTTP requests [3], to carry out account takeover (ATO) attacks on Microsoft 365 environments [1] [2] [4]. In 2024, 78% of Microsoft 365 tenants experienced at least one ATO attempt involving a distinct HTTP client [1] [2], reflecting a 7% increase compared to the previous six months [1] [2]. In early 2024 [3], OkHttp variants were dominant among these tools, but by March 2024 [3], a broader range of HTTP clients gained traction.
These tools [3], often sourced from public repositories like GitHub [3], are used in various attack methods, including Adversary-in-the-Middle (AitM) and brute force techniques [3]. Newly observed clients, such as ‘python-request’, have been integrated into brute force attack chains [3], significantly increasing the volume and diversity of threats [3]. In May 2024 [3], these attacks peaked [3], leveraging millions of hijacked residential IPs to target cloud accounts [3].
While most HTTP-based ATO attacks are brute force attempts with low success rates [3], a recent campaign utilizing the Axios HTTP client achieved a notable monthly average success rate of 43% in compromising user accounts [3], primarily targeting executives and high-value users across various industries [4]. This effectiveness is attributed to its ability to overcome modern security measures like multifactor authentication (MFA) through traffic interception and transformation, enabling the theft of credentials, MFA tokens [3], and session tokens when paired with AitM platforms like Evilginx [3].
Attackers have also registered new OAuth applications with excessive permission scopes [3], including full mail access and offline access [3], to maintain persistent access to sensitive resources within compromised environments [3]. Node-fetch has been primarily employed for large-scale brute force attacks, particularly against educational institutions [4], with threat actors utilizing extensive operational infrastructure and frequently rotating IP addresses to evade detection [3]. Since June 9, 2024 [3], this ongoing attack has logged over 13 million login attempts [3], averaging more than 66,000 malicious attempts daily [3].
The tools used by threat actors for ATO attacks have evolved significantly [3], with a range of HTTP client tools exploited for API interactions and raw HTTP requests [3]. These advancements enhance the efficiency of attacks [3], and attackers are likely to continue adapting their strategies to leverage new technologies and evade detection [3], reflecting a pattern of constant evolution aimed at improving their effectiveness and minimizing exposure [3].
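The detection pattern the reporting implies, as an added example that is not part of the original write-up or of any vendor's tooling: it scans sign-in records for the scripted HTTP client user agents named above (axios, node-fetch, python-requests, OkHttp), flags users where such a client succeeded or where failures arrive from rotating source IPs, and separately flags OAuth consents combining offline access with full mail access. The log records are constructed for illustration, the field names are assumed, and the Microsoft Graph scope names are assumed to match what the tenant logs.

```python
import re
from collections import defaultdict

# Constructed sample of Microsoft 365 sign-in events (illustrative, not real data).
SAMPLE_SIGNINS = [
    {"user": "ceo@example.com", "ip": "203.0.113.10", "ua": "axios/1.6.2", "status": "failure"},
    {"user": "ceo@example.com", "ip": "203.0.113.11", "ua": "axios/1.6.2", "status": "failure"},
    {"user": "ceo@example.com", "ip": "203.0.113.12", "ua": "axios/1.6.2", "status": "success"},
    {"user": "student@example.edu", "ip": "198.51.100.5", "ua": "node-fetch/1.0", "status": "failure"},
    {"user": "student@example.edu", "ip": "198.51.100.6", "ua": "node-fetch/1.0", "status": "failure"},
    {"user": "alice@example.com", "ip": "192.0.2.7", "ua": "Mozilla/5.0 (Windows NT 10.0)", "status": "success"},
]

# User-agent families the report describes as repurposed for ATO activity.
SCRIPTED_UA = re.compile(r"^(axios|node-fetch|python-requests|okhttp)", re.I)

def flag_scripted_signins(events, min_distinct_ips=2):
    """Summarise sign-ins from scripted HTTP clients per user.

    A user is flagged when a scripted-client sign-in succeeded (possible takeover)
    or when scripted-client failures arrive from at least min_distinct_ips source
    addresses (rotating infrastructure, as in the brute force campaigns above)."""
    by_user = defaultdict(lambda: {"failures": 0, "ips": set(), "clients": set(), "success": False})
    for e in events:
        if not SCRIPTED_UA.match(e["ua"]):
            continue  # browser-like agents are out of scope for this rule
        s = by_user[e["user"]]
        s["ips"].add(e["ip"])
        s["clients"].add(e["ua"].split("/")[0].lower())
        if e["status"] == "success":
            s["success"] = True
        else:
            s["failures"] += 1
    alerts = {}
    for user, s in by_user.items():
        if s["success"] or len(s["ips"]) >= min_distinct_ips:
            alerts[user] = {"failures": s["failures"], "distinct_ips": len(s["ips"]),
                            "clients": sorted(s["clients"]), "success": s["success"]}
    return alerts

# Assumed Graph scope names for "full mail access" and "offline access".
MAIL_SCOPES = {"Mail.Read", "Mail.ReadWrite"}

def risky_consent(scopes):
    """True when an OAuth grant pairs offline_access with mailbox-wide access."""
    granted = set(scopes)
    return "offline_access" in granted and bool(granted & MAIL_SCOPES)
```

In production the same rule would run over exported sign-in and consent audit logs rather than the embedded sample, with the user-agent list tuned to the tenant's legitimate automation.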
Conclusion
The increasing use of legitimate HTTP client tools in ATO attacks underscores the need for enhanced security measures and vigilance. Organizations must prioritize the implementation of robust security protocols, including advanced threat detection systems and regular security audits, to mitigate these evolving threats. As cybercriminals continue to adapt and refine their techniques, staying informed and proactive is crucial to safeguarding sensitive information and maintaining the integrity of digital environments.
References
[1] https://www.infosecurity-magazine.com/news/attackers-increase-use-http/
[2] https://ciso2ciso.com/attackers-increase-use-of-http-clients-for-account-takeovers-source-www-infosecurity-magazine-com/
[3] https://www.proofpoint.com/us/blog/threat-insight/http-client-tools-exploitation-account-takeover-attacks
[4] https://blog.netmanageit.com/http-client-tools-exploitation-for-account-takeover-attacks/