Cybercriminals Use Go Resty and Node Fetch in 13 Million Password Spraying Attempts
Cybercriminals are increasingly leveraging legitimate HTTP client tools to facilitate account takeover (ATO) attacks on Microsoft 365 environments.
Enterprise security company Proofpoint said it observed campaigns using HTTP clients Axios and Node Fetch to send HTTP requests and receive HTTP responses from web servers with the goal of conducting ATO attacks.
"Originally sourced from public repositories like GitHub, these tools are increasingly used in attacks like Adversary-in-the-Middle (AitM) and brute force techniques, leading to numerous account takeover (ATO) incidents," security researcher Anna Akselevich said.
The use of HTTP client tools for brute-force attacks has been a long-observed trend since at least February 2018, with successive iterations employing variants of OkHttp clients to target Microsoft 365 environments at least until early 2024.
But by March 2024, Proofpoint said it began to observe a wide range of HTTP clients gaining traction, with the attacks scaling a new high such that 78% of Microsoft 365 tenants were targeted at least once by an ATO attempt by the second half of last year.
"In May 2024, these attacks peaked, leveraging millions of hijacked residential IPs to target cloud accounts," Akselevich said.
The volume and diversity of these attack attempts is evidenced by the emergence of HTTP clients such as Axios, Go Resty, Node Fetch, and Python Requests, with those combining precision targeting with AitM techniques achieving a higher compromise rate.
Axios, per Proofpoint, is designed for Node.js and browsers and can be paired with AitM platforms like Evilginx to enable theft of credentials and multi-factor authentication (MFA) codes.
The threat actors have also been observed setting up new mailbox rules to conceal evidence of malicious activities, stealing sensitive data, and even registering a new OAuth application with excessive permission scopes to establish persistent remote access to the compromised environment.
The Axios campaign is said to have primarily singled out high-value targets like executives, financial officers, account managers, and operational staff across transportation, construction, finance, IT, and healthcare verticals.
Over 51% of the targeted organizations have been assessed to be successfully impacted between June and November 2024, compromising 43% of targeted user accounts.
The cybersecurity company said it also detected a large-scale password spraying campaign using Node Fetch and Go Resty clients, recording no less than 13 million login attempts since June 9, 2024, averaging over 66,000 malicious attempts per day. The success rate, however, remained low, affecting only 2% of targeted entities.
More than 178,000 targeted user accounts across 3,000 organizations have been identified to date, a majority of which belong to the education sector, particularly student user accounts that are likely to be less protected and can be weaponized for other campaigns or sold to different threat actors.
"Threat actors' tools for ATO attacks have greatly evolved, with various HTTP client tools used for exploiting APIs and making HTTP requests," Akselevich said. "These tools offer distinct advantages, making attacks more efficient."
"Given this trend, attackers are likely to continue switching between HTTP client tools, adapting strategies to leverage new technologies and evade detection, reflecting a broader pattern of constant evolution to enhance their effectiveness and minimize exposure."
Backline Tackles Enterprise Security Backlogs With AI
Silent Lynx Using PowerShell, Golang, and C++ Loaders in Multi-Stage Cyberattacks
CVE-2025-22224 VMware ESXi and Workstation TOCTOU Race Condition Vulnerability
CVE-2020-29574 CyberoamOS (CROS) SQL Injection Vulnerability
CVE-2025-2783 Google Chromium Mojo Sandbox Escape Vulnerability
CVE-2022-43939 Hitachi Vantara Pentaho BA Server Authorization Bypass Vulnerability
CVE-2024-49035 Microsoft Partner Center Improper Access Control Vulnerability
CVE-2022-43769 Hitachi Vantara Pentaho BA Server Special Element Injection Vulnerability
CVE-2024-40890 Zyxel DSL CPE OS Command Injection Vulnerability
CVE-2025-24983 Microsoft Windows Win32k Use-After-Free Vulnerability
CVE-2017-0148 Microsoft SMBv1 Server Remote Code Execution Vulnerability
CVE-2024-20953 Oracle Agile Product Lifecycle Management (PLM) Deserialization Vulnerability
CWE-441 Unintended Proxy or Intermediary ('Confused Deputy')
CWE-403 Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')
CWE-146 Improper Neutralization of Expression/Command Delimiters
CWE-406 Insufficient Control of Network Message Volume (Network Amplification)
CWE-1043 Data Element Aggregating an Excessively Large Number of Non-Primitive Elements
Free online web security scanner
