    Axios Abuse and Salty 2FA Kits Fuel Advanced Microsoft 365 Phishing Attacks

    By Techurz, September 9, 2025 (Updated: May 10, 2026)
    Threat actors are abusing HTTP client tools like Axios in conjunction with Microsoft’s Direct Send feature to form a “highly efficient attack pipeline” in recent phishing campaigns, according to new findings from ReliaQuest.

    “Axios user agent activity surged 241% from June to August 2025, dwarfing the 85% growth of all other flagged user agents combined,” the cybersecurity company said in a report shared with The Hacker News. “Out of 32 flagged user agents observed in this timeframe, Axios accounted for 24.44% of all activity.”

    The abuse of Axios was previously flagged by Proofpoint in January 2025, in a report detailing campaigns that used HTTP client libraries to send requests to web servers and conduct account takeover (ATO) attacks on Microsoft 365 environments.

    ReliaQuest told The Hacker News that there is no evidence to suggest these activities are related, adding that the tool is regularly exploited alongside popular phishing kits. “The usefulness of Axios means it is almost certainly being adopted by all types of threat actors regardless of sophistication levels or motivation,” the company added.

    Similarly, phishing campaigns have also been observed increasingly using a legitimate feature in Microsoft 365 (M365) called Direct Send to spoof trusted users and distribute email messages.

    By pairing Axios with Microsoft Direct Send, the attackers weaponize a trusted delivery path so that their messages slip past secure email gateways and land in users’ inboxes. Indeed, attacks that combined Axios with Direct Send have been found to achieve a 70% success rate in recent campaigns, surging past non-Axios campaigns with “unparalleled efficiency.”

    The campaign observed by ReliaQuest is said to have commenced in July 2025, initially singling out executives and managers in finance, health care, and manufacturing sectors, before expanding its focus to target all users.

    Calling the approach a game changer for attackers, the company pointed out that the campaign not only is successful at bypassing traditional security defenses with improved precision, but also enables them to mount phishing operations at an unprecedented scale.

    In these attacks, Axios is used to intercept, modify, and replay HTTP requests, making it possible to capture session tokens or multi-factor authentication (MFA) codes in real time, or to exploit SAS tokens in Azure authentication workflows to gain access to sensitive resources.

    “Attackers use this blind spot to bypass MFA, hijack session tokens, and automate phishing workflows,” ReliaQuest said. “The customizability offered by Axios lets attackers tailor their activity to further mimic legitimate workflows.”

    The email messages involve using compensation-themed lures to trick recipients into opening PDF documents containing malicious QR codes, which, when scanned, direct users to fake login pages mimicking Microsoft Outlook to facilitate credential theft. As an extra layer of defense evasion, some of these pages are hosted on Google Firebase infrastructure to capitalize on the reputation of the app development platform.

    Besides lowering the technical barrier for sophisticated attacks, Axios’s prevalence in enterprise and developer setups also means that it offers attackers a way to blend in with regular traffic and fly under the radar.

    To mitigate the risk posed by this threat, organizations are advised to secure Direct Send and disable it if not required, configure appropriate anti-spoofing policies on email gateways, train employees to recognize phishing emails, and block suspicious domains.
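A defender-side starting point for the user-agent “blind spot” described above is to baseline sign-in activity by HTTP client family and surface accounts that complete sign-ins from scripted clients such as Axios. The following is an added example, not code from ReliaQuest or the original article; the sign-in records and the allowlisted automation account are constructed, and the field names are assumptions about how a sign-in log export would be shaped.

```python
import re
from collections import Counter

# Constructed sample sign-in records (not real log data). Field names are an
# assumption about a flattened sign-in log export: user, user agent, outcome.
SAMPLE_SIGNINS = [
    {"user": "cfo@example.com", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/128.0", "success": True},
    {"user": "cfo@example.com", "ua": "axios/1.7.2", "success": True},
    {"user": "hr@example.com", "ua": "axios/1.7.2", "success": True},
    {"user": "dev@example.com", "ua": "python-requests/2.32.3", "success": False},
    {"user": "ops@example.com", "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_5) Safari/605.1.15", "success": True},
    {"user": "cfo@example.com", "ua": "axios/1.7.2", "success": True},
    {"user": "svc-integration@example.com", "ua": "axios/1.6.8", "success": True},
]

# Programmatic HTTP client families that rarely belong in interactive user sign-ins.
SCRIPTED_CLIENT_UA = re.compile(r"^(axios|python-requests|node-fetch|go-http-client|curl)/", re.I)

# Accounts known to run legitimate automation with these clients (constructed example);
# keeping such a list is what stops Axios traffic from "blending in" unnoticed.
KNOWN_AUTOMATION_ACCOUNTS = {"svc-integration@example.com"}


def ua_family(ua):
    """Return the scripted-client family (lower-case) or None for browser-like user agents."""
    m = SCRIPTED_CLIENT_UA.match(ua)
    return m.group(1).lower() if m else None


def scripted_ua_share(records):
    """Share of each scripted-client family among all flagged sign-ins, as fractions of 1."""
    counts = Counter(f for f in (ua_family(r["ua"]) for r in records) if f)
    flagged = sum(counts.values())
    return {fam: n / flagged for fam, n in counts.items()} if flagged else {}


def accounts_to_review(records, allowlist=KNOWN_AUTOMATION_ACCOUNTS):
    """Accounts that completed a sign-in from a scripted client and are not allowlisted,
    mapped to the number of such successful sign-ins. These are token-replay review candidates."""
    hits = Counter(
        r["user"] for r in records
        if r["success"] and ua_family(r["ua"]) and r["user"] not in allowlist
    )
    return dict(hits)


if __name__ == "__main__":
    print(scripted_ua_share(SAMPLE_SIGNINS))
    print(accounts_to_review(SAMPLE_SIGNINS))
```

The share calculation mirrors the kind of per-user-agent statistic quoted in the report; the review list is the actionable output, since a successful sign-in from a scripted client by a non-automation user is where stolen credentials or replayed tokens would show up.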

    “Axios amplifies the impact of phishing campaigns by bridging the gap between initial access and full-scale exploitation. Its ability to manipulate authentication workflows and replay HTTP requests allows attackers to weaponize stolen credentials in ways that are both scalable and precise.”

    “This makes Axios integral to the rising success of Direct Send phishing campaigns, showing how attackers are evolving beyond traditional phishing tactics to exploit authentication systems and APIs at a level that traditional defenses are ill-equipped to handle.”

    The development comes as Mimecast detailed a large-scale credential harvesting campaign targeting hospitality industry professionals by impersonating trusted hotel management platforms Expedia Partner Central and Cloudbeds in emails that claim to be guest booking confirmations and partner central notifications.

    “This credential harvesting operation leverages the routine nature of hotel booking communications,” the company said. “The campaign employs urgent, business-critical subject lines designed to prompt immediate action from hotel managers and staff.”

    The findings also follow the discovery of an ongoing campaign that has employed a nascent phishing-as-a-service (PhaaS) offering called Salty 2FA to steal Microsoft login credentials and sidestep MFA by simulating six different methods: SMS authentication, authenticator apps, phone calls, push notifications, backup codes, and hardware tokens.

    The attack chain is notable for leveraging services like Aha[.]io to stage initial landing pages that masquerade as OneDrive sharing notifications to deceive email recipients and trick them into clicking on fake links that redirect to credential harvesting pages, but not before completing a Cloudflare Turnstile verification check to filter automated security tools and sandboxes.

    The phishing pages also include other advanced features: geofencing and IP filtering to block traffic from known security vendor IP address ranges and cloud providers, disabled keyboard shortcuts for launching browser developer tools, and a new subdomain assigned to each victim session. The end goal of these techniques is to complicate analysis efforts.

    These findings illustrate how phishing attacks have matured into enterprise-grade operations, utilizing advanced evasion tactics and convincing MFA simulations, while exploiting trusted platforms and mimicking corporate portals to make it harder to distinguish between real and fraudulent activity.

    “The phishing kit implements dynamic branding functionality to enhance social engineering effectiveness,” Ontinue said. “Technical analysis reveals the malicious infrastructure maintains a corporate theme database that automatically customizes fraudulent login interfaces based on victim email domains.”

    “Salty2FA demonstrates how cybercriminals now approach infrastructure with the same methodical planning that enterprises use for their own systems. What makes this particularly concerning is how these techniques blur the line between legitimate and malicious traffic.”
