Axios HTTP Machine Gun Attacks Exploit Microsoft Direct Send for Phishing
- Javier Conejo del Cerro
- Sept 9
- 3 min read

A new wave of phishing campaigns shows how attackers are transforming trusted enterprise tools into weapons. Unknown threat actors have combined Axios HTTP client activity with Microsoft’s Direct Send feature to build a highly efficient phishing pipeline. Armed with Salty 2FA phishing kits, the campaigns bypass multi-factor authentication, hijack session tokens, and steal Microsoft 365 credentials at enterprise scale. The sophistication of the attack—leveraging spoofed emails, QR-based lures, and cloud-hosted fake logins—underscores how trusted infrastructure can be turned against its users.
Phase 1: Reconnaissance & Targeting
The operation began by aiming at executives in finance, healthcare, and manufacturing—roles with privileged access to sensitive systems and data. Over time, the campaign expanded to include employees across multiple sectors. The choice of victims reflects a calculated strategy: target leaders first to gain maximum reach, then broaden the campaign to capture the wider workforce. The reliance of these organizations on email, cloud platforms, and internal compensation workflows made them particularly vulnerable to social engineering.
Phase 2: The Entry Vector – Spoofed Emails & Direct Send
Attackers exploited Microsoft Direct Send, a feature that allows sending mail without authentication, to deliver phishing emails that blended seamlessly into corporate traffic. The emails carried spoofed PDF attachments, often disguised as urgent compensation notices or administrative requests. Inside each PDF was a QR code, which, once scanned, redirected victims to fake Outlook login pages hosted on trusted cloud services such as Google Firebase. This combination gave attackers both legitimacy and stealth, bypassing traditional email defenses.
Phase 3: Breach Mechanism – Axios HTTP & Salty 2FA
Once victims reached the fake login portals, attackers deployed a Salty 2FA phishing kit, a toolkit capable of capturing multi-factor authentication tokens. Using Axios HTTP requests, the kit relayed login attempts to Microsoft in real time, allowing attackers to intercept and validate credentials. Beyond stealing usernames and passwords, the kit harvested session tokens, device configurations, and system access details. To evade detection, attackers employed geofencing, IP filtering, and Cloudflare Turnstile validation, ensuring that only selected victims triggered the malicious flow while security researchers were filtered out.
Phase 4: Exploitation – Credential Theft & System Access
With valid tokens in hand, attackers escalated their foothold:
- Hijacking sessions to access Microsoft 365 environments.
- Exfiltrating credentials and configuration data to map out systems.
- Using persistence mechanisms to maintain access even if passwords were reset.
This level of access enabled not only corporate espionage but also potential lateral movement across cloud services and financial fraud.
Phase 5: Persistence & Evasion
Unlike traditional phishing kits, this campaign demonstrated enterprise-grade resilience. The attackers leveraged trusted cloud services (Firebase, Cloudflare) to mask their operations. They rotated phishing domains dynamically, making blacklists ineffective. They also used Axios HTTP traffic patterns that mimicked legitimate client activity, hiding in the noise of normal cloud communications. Together, these measures gave the operation longevity and stealth rarely seen in mass phishing campaigns.
Defense – Stopping the Machine Gun
Organizations need to treat this campaign as a wake-up call. Defensive measures include:
- Securing or disabling Microsoft Direct Send to prevent abuse.
- Enforcing anti-spoofing policies (SPF, DKIM, DMARC) across all mail flows.
- Training staff to recognize and distrust urgent PDF or QR-based attachments, even when they appear legitimate.
- Blocking suspicious domains and monitoring for anomalies in Axios HTTP requests.
- Auditing authentication flows to detect unusual token use or MFA bypass attempts.
These actions, combined with layered EDR monitoring and immutable logging, can expose the hidden “machine gun fire” behind this phishing pipeline.
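As an added example (not code from the article or from the campaign), the last two measures above can be turned into simple detection logic: flag inbound mail that claims the organization's own domain but arrives from an unapproved source without passing SPF (the Direct Send spoofing pattern), and flag successful sign-ins presented by an Axios User-Agent. The tenant domain, relay allowlist, log field names and sample records are all constructed assumptions.

```python
import re

OUR_DOMAIN = "example.com"            # assumed tenant domain
APPROVED_RELAYS = {"198.51.100.10"}   # assumed on-prem devices allowed to use Direct Send
AXIOS_UA = re.compile(r"^axios/\d")   # default User-Agent string sent by the Axios client

# Constructed sample events, loosely modeled on message-trace and sign-in records;
# the field names are assumptions, not a real Microsoft 365 schema.
SAMPLE_EVENTS = [
    {"type": "mail", "from": "hr@example.com", "src_ip": "203.0.113.7",
     "spf": "fail", "subject": "Urgent: compensation notice (see attached PDF)"},
    {"type": "mail", "from": "copier@example.com", "src_ip": "198.51.100.10",
     "spf": "none", "subject": "Scanned document"},
    {"type": "signin", "user": "cfo@example.com", "src_ip": "203.0.113.7",
     "user_agent": "axios/1.6.8", "result": "success"},
    {"type": "signin", "user": "cfo@example.com", "src_ip": "192.0.2.44",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0) Edg/124.0", "result": "success"},
]


def flag_direct_send_abuse(events):
    """Mail claiming our own domain, from a non-approved IP, without an SPF pass."""
    hits = []
    for e in events:
        if e["type"] != "mail":
            continue
        sender_domain = e["from"].rsplit("@", 1)[-1].lower()
        if (sender_domain == OUR_DOMAIN
                and e["src_ip"] not in APPROVED_RELAYS
                and e["spf"] != "pass"):
            hits.append(e)
    return hits


def flag_axios_signins(events):
    """Successful sign-ins from an Axios client; a browser is expected there."""
    return [e for e in events
            if e["type"] == "signin" and e["result"] == "success"
            and AXIOS_UA.match(e.get("user_agent", ""))]


def shared_source_ips(events):
    """Triage pivot: IPs seen in both alert sets. A heuristic, not proof of one operator."""
    mail_ips = {e["src_ip"] for e in flag_direct_send_abuse(events)}
    signin_ips = {e["src_ip"] for e in flag_axios_signins(events)}
    return sorted(mail_ips & signin_ips)


if __name__ == "__main__":
    print(flag_direct_send_abuse(SAMPLE_EVENTS), flag_axios_signins(SAMPLE_EVENTS))
    print("shared source IPs:", shared_source_ips(SAMPLE_EVENTS))
```

On real data, feed the functions normalized records from the message trace and the sign-in log; the copier record shows why the relay allowlist matters, since legitimate Direct Send from an approved device also fails to authenticate.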
The Axios + Direct Send campaign demonstrates a critical truth in modern cyber defense: attackers no longer need new vulnerabilities when they can weaponize trusted tools. By blending spoofed communications, advanced 2FA phishing kits, and legitimate cloud infrastructure, the threat actors behind this campaign turned corporate workflows into a conveyor belt for credential theft. For defenders, the lesson is clear: security must extend beyond patching flaws—it must anticipate the creative misuse of legitimate systems. Organizations that fail to adapt may find their most trusted tools repurposed as weapons against them.