Threat actors are increasingly exploiting user-friendly HTTP client tools like Axios in their phishing campaigns, leveraging Microsoft’s Direct Send feature to create a highly effective attack strategy. Recent reports from ReliaQuest reveal a notable surge in Axios usage, with a dramatic 241% increase in its activity recorded from June to August 2025. This rise highlights its significance among various flagged user agents, with Axios accounting for a remarkable 24.44% of all documented activity in this timeframe.
Misuse of Axios had already been reported in January 2025 by Proofpoint, which noted its role in automated account takeover (ATO) attacks aimed at Microsoft 365 environments. ReliaQuest notes that, while no direct link between these two sets of activity is implied, the utility of Axios makes it a popular choice among both sophisticated and less experienced threat actors.
Phishing campaigns have also begun to take advantage of Microsoft's Direct Send, a feature that allows emails to be sent seamlessly, in order to exploit the trust users place in such messages. By combining Axios with Direct Send, attackers gain a reliable delivery method that bypasses security controls and ensures their messages reach the intended targets. This combined approach has reportedly resulted in a 70% success rate for phishing attempts that employed it.
Initially, these attacks targeted executives and managers within finance, healthcare, and manufacturing sectors starting in July 2025, though the scope of targeting has since broadened to encompass all users.
This method is being recognized as a significant evolution in phishing tactics, overcoming traditional security defenses with increased precision. It allows attackers to run phishing operations at a much larger scale, using Axios to intercept and manipulate HTTP requests. This lets them capture sensitive information such as session tokens or multi-factor authentication (MFA) codes in real time, or abuse Azure SAS tokens to gain unauthorized access.
As part of the lures in these phishing emails, attackers present compensation-themed messages that prompt recipients to open PDF documents embedded with malicious QR codes. When scanned, these QR codes direct users to counterfeit login pages mimicking Microsoft Outlook, effectively facilitating credential theft. To further evade detection, some of these fraudulent sites utilize Google Firebase infrastructure, benefiting from its established credibility.
Axios’s prevalence among enterprise and developer setups not only lowers the technical barriers for carrying out sophisticated phishing attacks but also provides a means for attackers to blend in with regular traffic patterns to minimize suspicion.
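Because Axios announces itself with a distinctive `axios/<version>` user agent, one defensive starting point is to measure how much scripted-client sign-in traffic it accounts for and to flag sources where a single Axios client touches many accounts, the pattern described above for automated account takeover. The following is an added illustration, not code from ReliaQuest or Proofpoint; the pipe-delimited record layout and the sample lines are constructed, and the set of flagged user agents is an assumption to be tuned against your own baseline.

```python
"""Flag Axios-style HTTP client sign-ins in constructed sign-in log records.

Added example for illustration. The record layout (timestamp|ip|account|user agent|result)
is an assumption, not Microsoft's or ReliaQuest's schema, and the lines are constructed.
"""
import re
from collections import Counter, defaultdict

# Constructed sample records; 203.0.113.10 is a documentation-range address.
SAMPLE_LOG = """\
2025-08-01T09:12:03Z|203.0.113.10|alice@example.com|axios/1.7.2|success
2025-08-01T09:12:07Z|203.0.113.10|bob@example.com|axios/1.7.2|failure
2025-08-01T09:12:11Z|203.0.113.10|carol@example.com|axios/1.7.2|success
2025-08-01T09:13:44Z|198.51.100.7|dave@example.com|Mozilla/5.0 (Windows NT 10.0) Edge/127.0|success
2025-08-01T09:14:02Z|192.0.2.55|erin@example.com|python-requests/2.32.0|failure
2025-08-01T09:15:30Z|203.0.113.10|frank@example.com|axios/1.7.2|success
"""

# Scripted HTTP clients worth flagging in interactive sign-in logs (assumed list; tune to baseline).
FLAGGED_UA = re.compile(r"^(axios|python-requests|go-http-client|curl)/", re.I)


def parse(log):
    """Yield one dict per record; the field order is the constructed layout above."""
    for line in log.splitlines():
        ts, ip, account, ua, result = line.split("|")
        yield {"ts": ts, "ip": ip, "account": account, "ua": ua, "result": result}


def flagged_share(log):
    """Return (axios share of flagged-client events, per-client counts)."""
    counts = Counter()
    for rec in parse(log):
        match = FLAGGED_UA.match(rec["ua"])
        if match:
            counts[match.group(1).lower()] += 1
    total = sum(counts.values())
    return (counts["axios"] / total if total else 0.0), counts


def axios_spray_sources(log, min_accounts=3):
    """Source IPs where an Axios client touched at least min_accounts distinct accounts."""
    accounts = defaultdict(set)
    for rec in parse(log):
        if rec["ua"].lower().startswith("axios/"):
            accounts[rec["ip"]].add(rec["account"])
    return {ip: sorted(a) for ip, a in accounts.items() if len(a) >= min_accounts}


if __name__ == "__main__":
    share, counts = flagged_share(SAMPLE_LOG)
    print(f"axios share of flagged client traffic: {share:.1%} {dict(counts)}")
    for ip, accts in axios_spray_sources(SAMPLE_LOG).items():
        print(f"review {ip}: axios client hit {len(accts)} accounts: {', '.join(accts)}")
```

Both results are returned rather than only printed so the same functions can be pointed at an export of real sign-in records once the parser is adapted to that schema.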
To mitigate these risks, organizations are advised to secure the Direct Send feature, disable it as necessary, implement anti-spoofing policies for email gateways, and conduct training to help employees recognize phishing attempts.
The role Axios plays marks a shift in phishing campaign strategy: it lets attackers manipulate authentication workflows and replay HTTP requests, so stolen credentials can be weaponized in increasingly precise ways. Attackers are systematically refining their techniques to exploit authentication systems and APIs in ways that traditional defenses struggle to counter.
The need for businesses to stay vigilant against such sophisticated phishing strategies becomes even more critical as credential harvesting campaigns intensify, evidenced by recent activities targeting professionals in the hospitality sector through impersonated communications from trusted hotel management platforms.
In summary, the landscape of phishing attacks is rapidly adapting, with threat actors employing advanced evasion tactics and sophisticated social engineering schemes to effectively target unwitting users while operating under the guise of legitimate services.