IT Brief US - Technology news for CIOs & IT decision-makers

Axios-driven phishing soars 241% as attackers bypass defences

Today

ReliaQuest has published a new report detailing an anomalous surge in stolen credentials attributed to mass-automated phishing attacks leveraging the Axios user agent and Microsoft Direct Send.

The report found that the Axios user agent, a lightweight HTTP client often used in web and application development, experienced a 241% increase in suspicious activity between June and August 2025. This spike sharply contrasted with the 85% growth observed across all other flagged user agents combined. Axios accounted for 24.44% of all user agent activity in the period, making it ten times more common than any other user agent tracked by ReliaQuest.

Attackers have been pairing Axios with Microsoft Direct Send, a trusted email delivery tool, to enhance the effectiveness of credential theft campaigns. In the most recent tracked campaigns, this combination resulted in the successful theft of credentials in 70% of incidents. In comparison, Axios-powered attacks held an average 58% success rate over three months, whereas campaigns not using Axios achieved just 9.3%, according to ReliaQuest findings.

Expanding targets

Initially, the attacks primarily targeted high-profile employees, including executives and managers within the finance, health care, and manufacturing sectors. In August, the focus widened to encompass everyday users, further increasing the scope and potential impact of these campaigns.

ReliaQuest stated: "ReliaQuest has identified an anomalous surge in stolen credentials that likely indicates mass-automated phishing activity. Our investigation points to a rapidly evolving threat: attackers exploiting the Axios user agent - a lightweight, promise-based HTTP client - to automate phishing and credential-stealing at unprecedented scale. In recent campaigns, Axios abuse was amplified through Microsoft Direct Send, a trusted email delivery method that helps phishing traffic slip past secure gateways."

The report also highlights the likelihood that Axios will remain a popular tool for attackers, given its adaptability and the advantages it offers for automating and scaling attacks.

Why Axios?

Axios provides attackers with the ability to quickly deploy, adapt, and automate phishing campaigns, outperforming older tools such as Python's requests library or curl. Axios supports asynchronous workflows and interceptors, allowing manipulation and replay of HTTP requests. This capability is particularly useful for bypassing multi-factor authentication (MFA) and interacting with APIs during attacks.

ReliaQuest observed that Axios was frequently used to capture session tokens or MFA codes through advanced phishing methods. The exploitation included use of Shared Access Signature (SAS) tokens within Azure authentication to gain unauthorised access to sensitive resources.

"At the heart of the 241% surge in activity, Axios lets attackers juggle tasks like sending HTTP requests, stealing credentials, and hitting APIs all at once. The result is more victims, less effort," the report stated.

Bypassing traditional defences

The popularity of Axios in everyday development work has created a 'blind spot' for many organisations, as security tools often trust Axios traffic. This makes it challenging for traditional defences such as user-agent analysis or reputation-based filtering to effectively detect malicious activity. Attackers mimic legitimate workflows by blending malicious Axios activity with normal development traffic, increasing the likelihood of bypassing security controls.

ReliaQuest noted: "Traditional defenses like user-agent analysis and reputation-based filters are failing against Axios-powered attacks, leaving organizations exposed."
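As an added example (not code from the article or the ReliaQuest report), a per-account baseline check over constructed sign-in records: instead of trusting or distrusting the Axios user agent itself, it flags a successful Axios sign-in only when it breaks that account's own history of client family and source IP, so a developer who legitimately scripts with Axios is left alone. The record fields, sample values and the baseline cutoff are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample sign-ins (not from the report): a finance user who only
# uses a browser, a developer who legitimately scripts with Axios, and, after
# the baseline window, the finance account's first Axios sign-in from a new IP.
SIGN_INS = [
    {"ts": "2025-06-02T09:00:00Z", "user": "cfo@example.com", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/126.0", "ip": "203.0.113.10", "result": "success"},
    {"ts": "2025-06-15T11:30:00Z", "user": "dev@example.com", "ua": "axios/1.7.2", "ip": "198.51.100.5", "result": "success"},
    {"ts": "2025-07-20T08:45:00Z", "user": "cfo@example.com", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/127.0", "ip": "203.0.113.10", "result": "success"},
    {"ts": "2025-08-12T14:05:00Z", "user": "dev@example.com", "ua": "axios/1.7.2", "ip": "198.51.100.5", "result": "success"},
    {"ts": "2025-08-14T03:12:00Z", "user": "cfo@example.com", "ua": "axios/1.7.2", "ip": "192.0.2.77", "result": "failure"},
    {"ts": "2025-08-14T03:12:09Z", "user": "cfo@example.com", "ua": "axios/1.7.2", "ip": "192.0.2.77", "result": "success"},
]
BASELINE_END = datetime(2025, 7, 31, 23, 59, 59, tzinfo=timezone.utc)

def ua_family(ua):
    """Collapse a raw User-Agent string into a coarse client family."""
    u = ua.lower()
    if u.startswith("axios/"):
        return "axios"
    if u.startswith(("python-requests/", "curl/")):
        return "script"
    return "browser" if u.startswith("mozilla/") else "other"

def parse_ts(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def build_baseline(events, cutoff):
    """Per user: client families and source IPs seen up to the cutoff."""
    families, ips = defaultdict(set), defaultdict(set)
    for e in events:
        if parse_ts(e["ts"]) <= cutoff:
            families[e["user"]].add(ua_family(e["ua"]))
            ips[e["user"]].add(e["ip"])
    return families, ips

def axios_share(events):
    """Fraction of sign-ins carrying an Axios user agent (0.0 to 1.0)."""
    return sum(ua_family(e["ua"]) == "axios" for e in events) / len(events) if events else 0.0

def flag_axios_signins(events, cutoff=BASELINE_END):
    """Successful post-cutoff Axios sign-ins that break the account's own baseline:
    the account never used Axios before, or it was never seen from that IP."""
    families, ips = build_baseline(events, cutoff)
    return [e for e in events
            if parse_ts(e["ts"]) > cutoff and e["result"] == "success"
            and ua_family(e["ua"]) == "axios"
            and ("axios" not in families[e["user"]] or e["ip"] not in ips[e["user"]])]
```

On the sample data the developer's August Axios sign-in passes, while the finance account's first successful Axios sign-in from 192.0.2.77 is returned for review; the failed attempt nine seconds earlier is the kind of preceding noise worth pulling alongside it.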

Exploiting trusted delivery and QR codes

Email security systems often implicitly trust communications delivered through Microsoft Direct Send, as these typically come from Microsoft IP addresses. This trust allows attackers to distribute phishing emails that appear legitimate and originate from seemingly credible sources. When combined with Axios, backend processes such as intercepting multi-factor authentication tokens and validating stolen credentials are streamlined and automated at scale.

The campaigns have increasingly used QR codes embedded in PDF attachments and emails with enticing subject lines to initiate phishing. QR codes often evade rigorous scanning by security tools, redirecting victims to phishing domains or Firebase-hosted applications that impersonate Microsoft login portals. These domains are often created to be short-lived and disposable, making it difficult for defenders to blacklist them permanently.

Defensive recommendations

ReliaQuest recommends a series of steps to bolster defences against Axios-powered campaigns. These include disabling or tightly controlling Microsoft Direct Send where possible, enforcing anti-spoofing policies on email gateways, blocking suspicious top-level domains, and increasing user training and awareness around phishing threats.

The company also advises organisations to prepare before disabling Direct Send to avoid unintentional disruption of legitimate email services. Steps include ensuring all devices and systems use authenticated email protocols and enforcing authentication standards such as SPF, DKIM, and DMARC.

Regarding API security, ReliaQuest suggests hardening controls through advanced rate-limiting, input validation, IP abuse detection, and stronger authentication methods such as OAuth 2.0. Proactive vulnerability testing is recommended to identify and resolve potential weaknesses before attackers can exploit them.

"The sharp rise in Direct Send abuse tied to the Axios user agent highlights the danger of relying solely on common defenses like MFA. When these measures are bypassed, detecting follow-on activity becomes critical. Missing this activity gives attackers time to increase their foothold, move laterally, and cause more damage. Acting quickly and decisively on suspicious activity is key to limiting the scale of an attack and minimizing its impact," the report warned.

ReliaQuest added that as automated methodologies such as those facilitated by Axios become more prevalent, chief information security officers and security teams should adapt their strategies to defend against multi-stage, automated API attacks that are likely to increase in both frequency and sophistication.
