Axios Abuse and Salty 2FA Kits Fuel Advanced Microsoft 365 Phishing Attacks

Threat actors are abusing HTTP client tools like Axios in conjunction with Microsoft’s Direct Send feature to form a “highly efficient attack pipeline” in recent phishing campaigns, according to new findings from ReliaQuest.

In amplifying Axios abuse through Microsoft Direct Send, the attack aims to weaponize a trusted delivery method to ensure that their messages slip past secure gateways and land in users’ inboxes. Indeed, attacks that paired Axios with Direct Send have been found to achieve a 70% success rate in recent campaigns, surging past non-Axios campaigns with “unparalleled efficiency.”

In these attacks, Axios is used to intercept, modify, and replay HTTP requests, thereby making it possible to capture session tokens or multi-factor authentication (MFA) codes in real-time or exploit SAS tokens in Azure authentication workflows to gain access to sensitive resources.

The phishing pages also include other advanced features like geofencing and IP filtering to block traffic from known security vendor IP address ranges and cloud providers, disable shortcuts to launch developer tools in web browsers, and assign new subdomains for each victim session. In incorporating these techniques, the end goal is to complicate analysis efforts.

To read the complete article see: https://thehackernews.com/2025/09/axios-abuse-and-salty-2fa-kits-fuel.html