InsighthubNews
© 2024 All Rights Reserved | Powered by Insighthub News
Axios Abuse and Salty2FA Kit Fuel Advanced Microsoft 365 Phishing Attacks

September 9, 2025
According to new ReliaQuest research, threat actors are abusing HTTP client tools such as Axios alongside Microsoft 365's Direct Send feature, forming what the firm calls a "very efficient attack pipeline" in recent phishing campaigns.

“Axios user-agent activity has skyrocketed 241% between June and August 2025, outpacing the 85% growth seen across all other flagged user agents,” the cybersecurity company said in a report shared with The Hacker News. “Of the 32 flagged user agents observed in this time frame, Axios accounted for 24.44% of all activity.”

Proofpoint had previously flagged Axios abuse in January 2025, describing the HTTP client being used to send HTTP requests, receive responses from web servers, and carry out account takeover (ATO) attacks in Microsoft 365 environments.

ReliaQuest told The Hacker News that there is no evidence the two sets of activity are related, adding that the tool is regularly misused alongside popular phishing kits. “The usefulness of Axios means it is almost certainly adopted by all types of threat actors, regardless of their level of sophistication or motivation,” the company added.

Phishing campaigns have also been increasingly observed abusing legitimate Microsoft 365 (M365) features such as Direct Send to spoof trusted internal senders and deliver email messages.

By amplifying Axios abuse with Microsoft Direct Send, the attacks aim to weaponize a trusted delivery path, ensuring messages pass through the secure email gateway and land in the user's inbox. In one recent campaign, attacks that paired Direct Send with Axios were found to have surged past non-Axios campaigns with “unparalleled efficiency.”

The campaign observed by ReliaQuest is said to have begun in July 2025, initially targeting executives and managers in the finance, healthcare, and manufacturing sectors before expanding to all users.

Calling the approach a game changer for attackers, the company noted that the campaign not only improved targeting accuracy and bypassed traditional security defenses, but also allowed phishing operations to be run at an unprecedented scale.


In these attacks, Axios is used to intercept, modify, and replay HTTP requests, allowing attackers to capture session tokens or multi-factor authentication (MFA) codes in real time, and to use shared access signature (SAS) tokens in Azure authentication workflows to reach sensitive resources.

“Attackers use this blind spot to bypass MFA, hijack session tokens, and automate phishing workflows,” ReliaQuest said. “The customizability provided by Axios allows attackers to tailor their activities to further mimic legitimate workflows.”

The email messages use compensation-themed lures to trick recipients into opening PDF documents containing malicious QR codes. When scanned, the codes lead users to fake login pages that mimic Microsoft Outlook and harvest their credentials. As an extra layer of defense evasion, some of these pages are hosted on Google Firebase infrastructure to leverage the reputation of the app development platform.

In addition to lowering the technical barrier to sophisticated attacks, the prevalence of Axios in enterprise and developer environments gives attackers a way to blend in with normal traffic and fly under the radar.
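The two detection opportunities the preceding paragraphs point at are the client's self-identification and the replay of a session from somewhere the session did not start. The following script is an added example, not ReliaQuest's tooling or anything from the report: it reads Microsoft Entra ID sign-in events (the records below are constructed, using only the schema fields the code needs), flags successful sign-ins whose User-Agent is Axios's Node.js default of `axios/<version>` for accounts outside a hypothetical automation allow-list, and flags a session ID that first appears from a browser and later from a different IP with an Axios client, which is what a replayed stolen session token looks like in the logs.

```python
"""Flag Axios-driven sign-ins and possible session-token replay in Microsoft
Entra ID sign-in logs. Added example, not ReliaQuest's code. The records in
SAMPLE_LOG are constructed; field names follow the Entra sign-in log schema."""
import json
from collections import defaultdict

# Constructed sample export (one JSON object per line, only the fields used here).
SAMPLE_LOG = """
{"createdDateTime":"2025-07-14T08:02:11Z","userPrincipalName":"cfo@example.com","ipAddress":"203.0.113.10","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/126.0 Safari/537.36","sessionId":"s-1001","status":{"errorCode":0}}
{"createdDateTime":"2025-07-14T08:03:40Z","userPrincipalName":"cfo@example.com","ipAddress":"198.51.100.77","userAgent":"axios/1.7.2","sessionId":"s-1001","status":{"errorCode":0}}
{"createdDateTime":"2025-07-14T08:10:05Z","userPrincipalName":"dev@example.com","ipAddress":"192.0.2.5","userAgent":"axios/1.6.8","sessionId":"s-2002","status":{"errorCode":0}}
{"createdDateTime":"2025-07-14T09:15:00Z","userPrincipalName":"hr@example.com","ipAddress":"203.0.113.44","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit/605.1.15 Safari/605.1.15","sessionId":"s-3003","status":{"errorCode":0}}
{"createdDateTime":"2025-07-14T09:16:20Z","userPrincipalName":"hr@example.com","ipAddress":"203.0.113.44","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit/605.1.15 Safari/605.1.15","sessionId":"s-3003","status":{"errorCode":0}}
"""

# Hypothetical allow-list of service identities that legitimately automate with Axios.
KNOWN_AUTOMATION_ACCOUNTS = {"dev@example.com"}


def parse_log(text):
    """Parse a newline-delimited JSON export into a list of event dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def is_axios(user_agent):
    # Axios's default User-Agent under Node.js is "axios/<version>"; no browser sends it.
    return user_agent.lower().startswith("axios/")


def flag_axios_signins(events):
    """Successful sign-ins from an Axios client by an account that is not a
    known automation identity."""
    return [e for e in events
            if is_axios(e["userAgent"])
            and e["status"]["errorCode"] == 0
            and e["userPrincipalName"] not in KNOWN_AUTOMATION_ACCOUNTS]


def flag_session_replay(events):
    """Sessions that began in a browser and were later used from a different IP
    by an Axios client: the footprint of a stolen session token being replayed.
    Returns (sessionId, user, original IP, replaying IP) tuples."""
    by_session = defaultdict(list)
    for e in sorted(events, key=lambda e: e["createdDateTime"]):
        by_session[e["sessionId"]].append(e)
    hits = []
    for sid, evs in by_session.items():
        first = evs[0]
        if is_axios(first["userAgent"]):
            continue  # session started from a script; not a browser-to-script handoff
        for later in evs[1:]:
            if later["ipAddress"] != first["ipAddress"] and is_axios(later["userAgent"]):
                hits.append((sid, first["userPrincipalName"],
                             first["ipAddress"], later["ipAddress"]))
    return hits


def user_agent_share(events):
    """Fraction of all events whose client is Axios, the kind of share the
    report quotes (24.44% of flagged activity in its data set)."""
    if not events:
        return 0.0
    return sum(is_axios(e["userAgent"]) for e in events) / len(events)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for e in flag_axios_signins(events):
        print("axios sign-in:", e["userPrincipalName"], "from", e["ipAddress"])
    for hit in flag_session_replay(events):
        print("possible session-token replay:", hit)
    print(f"axios share of events: {user_agent_share(events):.1%}")
```

On the constructed data the script reports the finance user's Axios sign-in, a replay of that user's browser session from a second address, and an Axios share of 40%. The allow-list is the piece that needs care in a real tenant: Axios is legitimate in CI runners and integration services, so the signal is an Axios client on an interactive user's account, or on an interactive user's existing session, rather than Axios as such.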

To mitigate the risk posed by this threat, organizations are encouraged to review whether Direct Send is in use and disable it if it is not needed. It is also recommended to configure appropriate anti-spoofing policies in the email gateway, train employees to recognize phishing emails, and block suspicious domains.
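The reason Direct Send matters to the defender is that it lets any external host deliver mail to the tenant's MX endpoint with an internal address in the From header, without authenticating. Microsoft's tenant-level control for this is the RejectDirectSend setting on Set-OrganizationConfig in Exchange Online PowerShell. The check below is an added example, not Microsoft's or ReliaQuest's code, for triaging what arrived before that control is enabled: it parses a message's Authentication-Results header and flags mail that claims one of the tenant's own domains in From but carries no passing SPF, DKIM, or DMARC verdict. The OWN_DOMAINS set and the three messages are constructed for the example.

```python
"""Heuristic check for unauthenticated Direct Send abuse: a message whose From
address uses one of the tenant's own domains but that did not pass SPF, DKIM,
or DMARC on arrival. Added example; OWN_DOMAINS and the messages are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

OWN_DOMAINS = {"example.com"}  # hypothetical tenant-owned domains

# Constructed: external host delivering straight to the tenant MX, spoofing payroll.
SPOOFED = """Received: from 198.51.100.23 (unknown [198.51.100.23])
 by example-com.mail.protection.outlook.com with SMTP
Authentication-Results: spf=fail (sender IP is 198.51.100.23) smtp.mailfrom=example.com;
 dkim=none (message not signed); dmarc=fail action=none header.from=example.com
From: HR Payroll <payroll@example.com>
To: staff@example.com
Subject: Updated compensation statement - action required

Please scan the attached QR code to review your statement.
"""

# Constructed: the tenant's own outbound relay, fully authenticated.
LEGIT = """Received: from mail-a.example.com (mail-a.example.com [203.0.113.5])
 by example-com.mail.protection.outlook.com with SMTP
Authentication-Results: spf=pass (sender IP is 203.0.113.5) smtp.mailfrom=example.com;
 dkim=pass (signature was verified) header.d=example.com;
 dmarc=pass action=none header.from=example.com
From: IT Helpdesk <helpdesk@example.com>
To: staff@example.com
Subject: Scheduled maintenance Saturday

The VPN gateway will be patched at 02:00 UTC.
"""

# Constructed: ordinary third-party mail, out of scope for this check.
EXTERNAL = """Authentication-Results: spf=pass smtp.mailfrom=partner.example.net; dkim=pass header.d=partner.example.net; dmarc=pass action=none header.from=partner.example.net
From: Vendor <billing@partner.example.net>
To: ap@example.com
Subject: Invoice 4471

Attached.
"""

_VERDICT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from every Authentication-Results header
    (folded continuation lines are handled by the email parser)."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        for mechanism, result in _VERDICT.findall(value):
            verdicts[mechanism] = result.lower()
    return verdicts


def verdicts_for(raw):
    return auth_results(message_from_string(raw))


def from_domain(msg):
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def looks_like_direct_send_spoof(raw):
    """True when From uses a tenant domain and nothing authenticated the sender."""
    msg = message_from_string(raw)
    if from_domain(msg) not in OWN_DOMAINS:
        return False
    verdicts = auth_results(msg)
    return not any(verdicts.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))


if __name__ == "__main__":
    for name, raw in (("SPOOFED", SPOOFED), ("LEGIT", LEGIT), ("EXTERNAL", EXTERNAL)):
        print(f"{name}: direct-send spoof = {looks_like_direct_send_spoof(raw)}")
```

The check deliberately keys on the From domain rather than the envelope sender, because that is the address the recipient sees and the one Direct Send lets an outsider set freely. It will also catch misconfigured internal relays and scanners that send as the tenant without SPF coverage, which is useful in itself: those are exactly the senders that need an authenticated connector before Direct Send is switched off.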

“Axios amplifies the impact of phishing campaigns by filling the gap between initial access and full-scale exploitation,” the company said. “The ability to manipulate authentication workflows and replay HTTP requests allows attackers to weaponize stolen credentials in a scalable and accurate way.”


“This makes Axios essential to the success of Direct Send phishing campaigns, demonstrating how attackers are leveraging authentication systems and APIs beyond traditional phishing tactics, to a level that traditional defenses cannot handle.”

The development comes as Mimecast detailed a massive credential harvesting campaign targeting hospitality industry professionals by impersonating Expedia Partner Central and Cloudbeds, a trusted hotel management platform, with messages purporting to be guest booking confirmations and Partner Central notifications.

“This credential harvesting operation takes advantage of the routine nature of hotel booking communications,” the company said. “The campaign employs urgent, business-critical subject lines designed to encourage immediate action from hotel managers and staff.”

The findings also follow the discovery of an ongoing campaign that uses a newly identified phishing-as-a-service (PhaaS) kit called Salty2FA to steal Microsoft login credentials and sidestep MFA, handling methods that include SMS codes, authenticator apps, phone calls, push notifications, backup codes, and hardware tokens.

The attack chains are notable for leveraging services like aha[.]io to deceive email recipients into clicking fake links that redirect them to the credential harvesting page, and for staging the initial landing page behind a Cloudflare Turnstile validation check to filter out automated security tools and sandboxes.

The phishing page also blocks known security vendor IP address ranges and adds other advanced features such as geofencing and IP filtering that drop traffic from cloud providers. Taken together, these methods are meant to complicate analysis efforts.

These findings show how phishing attacks have matured into enterprise-grade operations. Drawing on advanced evasion tactics, persuasive MFA simulations, trusted platforms, and convincing imitations of corporate portals, they make it difficult to distinguish real activity from fraudulent activity.


“The phishing kit implements dynamic branding capabilities to improve the effectiveness of social engineering,” Ontinue said. “Technical analysis shows that the malicious infrastructure maintains a corporate theme database that automatically customizes rogue login interfaces based on the victim's email domain.”

“Salty2FA shows how cybercriminals now approach infrastructure with the same systematic planning that companies use for their own systems. What is particularly concerning is how these techniques blur the line between legitimate and malicious traffic.”
