
Proofpoint research reveals a growing trend of cybercriminals exploiting legitimate HTTP client tools to orchestrate account takeover (ATO) attacks. Attackers are increasingly leveraging tools that emulate XMLHttpRequest and Node.js HTTP requests to compromise Microsoft 365 environments. These attacks, often employing Adversary-in-the-Middle (AitM) and brute force techniques, have led to numerous ATO incidents.
Proofpoint’s analysis highlights the evolution of this trend since 2018, when a campaign using the OkHttp client targeted high-value Microsoft 365 accounts. This campaign persisted for nearly four years, relying on compromised credentials from breaches like the 2016 LinkedIn leak.
While OkHttp variants initially dominated the landscape, 2024 saw a diversification of HTTP clients used in ATOs, including ‘python-request’, Axios, and Node Fetch. These attacks often involve brute force attempts with low success rates, but Proofpoint also identified more targeted campaigns.
One such campaign utilized the Axios HTTP client in conjunction with AitM platforms like Evilginx to steal credentials, MFA tokens, and session tokens. This approach achieved a significant monthly average success rate of 38% in compromising user accounts.
Another campaign leveraged Node-fetch for large-scale password spraying attacks, logging over 13 million login attempts since June 2024. Despite its scale, this campaign had a low success rate, impacting only 2% of targeted organizations.
Attackers prioritized executives, financial officers, and IT administrators—roles with access to sensitive data and financial systems.
From June to November 2024, HTTP client-based ATO campaigns successfully:
🔹 Compromised 43% of targeted user accounts
🔹 Breached 51% of targeted organizations
Industries most affected:
🏦 Finance – Targeting high-value accounts for wire fraud & invoice manipulation
🏗️ Construction & Transportation – Compromising cloud storage & project management apps
📡 IT & Tech Firms – Seeking intellectual property and internal credentials
Proofpoint recommends that organizations combine observed user-agents with additional threat intelligence to enhance detection capabilities and protect against these evolving threats.
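As an added example that is not from the Proofpoint report, the Python check below applies that recommendation to constructed Microsoft 365-style sign-in records: it flags sign-ins whose user agent belongs to one of the HTTP client libraries named above, correlates successful ones with a threat-intelligence IP list, and raises a spraying alert when a single source IP fails against many users (the Node-fetch pattern described earlier). The record layout, the user-agent prefixes, the threshold and the IP list are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample sign-in records, loosely shaped like Microsoft 365 /
# Entra ID sign-in log fields (assumed layout, not real data).
SAMPLE_SIGNINS = [
    {"user": "cfo@example.test",   "ip": "203.0.113.10", "ua": "axios/1.6.2", "status": "Success"},
    {"user": "alice@example.test", "ip": "198.51.100.7", "ua": "node-fetch/1.0", "status": "Failure"},
    {"user": "bob@example.test",   "ip": "198.51.100.7", "ua": "node-fetch/1.0", "status": "Failure"},
    {"user": "carol@example.test", "ip": "198.51.100.7", "ua": "node-fetch/1.0", "status": "Failure"},
    {"user": "dave@example.test",  "ip": "198.51.100.7", "ua": "node-fetch/1.0", "status": "Failure"},
    {"user": "erin@example.test",  "ip": "192.0.2.55",   "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "status": "Success"},
    {"user": "frank@example.test", "ip": "192.0.2.80",   "ua": "python-requests/2.31.0", "status": "Failure"},
]

# Loose prefixes for the HTTP client libraries named in the report; the exact
# strings seen in production logs vary by version, so tune against your own data.
HTTP_CLIENT_UA = re.compile(r"^(okhttp|axios|node-fetch|python-requests)/", re.IGNORECASE)

# Constructed threat-intel set of source IPs (RFC 5737 documentation addresses,
# not real indicators) standing in for an external feed.
TI_BAD_IPS = {"203.0.113.10"}

SPRAY_THRESHOLD = 3  # distinct users failing from one IP via an HTTP client

def is_http_client_ua(ua):
    """True when the user agent belongs to one of the library clients above."""
    return bool(HTTP_CLIENT_UA.match(ua))

def classify_signins(records, ti_ips=TI_BAD_IPS, spray_threshold=SPRAY_THRESHOLD):
    """Return alert dicts: TI-listed successes and spray-like failure clusters."""
    failed_users_by_ip = defaultdict(set)
    alerts = []
    for r in records:
        if not is_http_client_ua(r["ua"]):
            continue  # browser and Office clients are out of scope for this rule
        client = r["ua"].split("/", 1)[0].lower()
        if r["status"] == "Failure":
            failed_users_by_ip[r["ip"]].add(r["user"])
        elif r["ip"] in ti_ips:
            # A successful HTTP-client login from known-bad infrastructure is the
            # high-signal case (the Axios + AitM pattern in the report).
            alerts.append({"ip": r["ip"], "kind": "ti_match", "user": r["user"], "client": client})
    for ip, users in failed_users_by_ip.items():
        if len(users) >= spray_threshold:
            alerts.append({"ip": ip, "kind": "spray", "users": sorted(users)})
    return alerts
```

A single python-requests failure from 192.0.2.80 stays below the threshold and produces nothing, which is the intended behaviour: user agent alone is a weak signal and only becomes an alert when paired with intelligence or volume.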