Axios and Direct Send Abuse in Microsoft 365 Phishing Campaigns
Summary
Threat actors are exploiting HTTP client tools like Axios and Microsoft's Direct Send feature to create highly efficient phishing campaigns targeting Microsoft 365 environments. These attacks, which began in July 2025, initially targeted executives and managers in finance, healthcare, and manufacturing sectors, but have since expanded to all users. The campaigns use compensation-themed lures to trick recipients into revealing credentials and bypassing multi-factor authentication (MFA). The abuse of Axios has surged, accounting for 24.44% of all flagged user agent activity from June to August 2025. The attacks leverage Axios to intercept, modify, and replay HTTP requests, capturing session tokens or MFA codes in real-time. This method allows attackers to bypass traditional security defenses and conduct phishing operations at an unprecedented scale.

Additionally, a phishing-as-a-service (PhaaS) offering called Salty 2FA has been discovered, which steals Microsoft login credentials and sidesteps MFA by simulating various authentication methods. Salty 2FA uses advanced features such as subdomain rotation, dynamic corporate branding, and sophisticated evasion tactics to enhance its phishing campaigns. It also abuses legitimate platforms to stage initial attacks and uses Cloudflare Turnstile for secure CAPTCHA replacement. Salty2FA campaigns have been active since late July 2025 and continue to this day, generating dozens of fresh analysis sessions daily. The campaigns target industries including finance, healthcare, government, logistics, energy, IT consulting, education, construction, telecom, chemicals, industrial manufacturing, real estate, and consulting.

The Sneaky 2FA phishing kit has incorporated Browser-in-the-Browser (BitB) functionality to mimic browser address bars and pop-up login forms. This kit uses Cloudflare Turnstile checks to prevent security tools from accessing phishing pages and employs conditional loading techniques to ensure only intended targets can access them. The phishing domains are quickly rotated to minimize detection, and the kit uses obfuscation and disables browser developer tools to resist analysis. Sneaky2FA is a widely used PhaaS platform alongside Tycoon2FA and Mamba2FA, all targeting primarily Microsoft 365 accounts. The kit uses SVG-based attacks and attacker-in-the-middle (AitM) tactics, where the authentication process is proxied to the legitimate service through a phishing page that relays valid session tokens to the attackers. Sneaky2FA has added a BitB pop-up that mimics a legitimate Microsoft login window, adjusting dynamically to the victim's OS and browser. An attacker stealing credentials and active session tokens can authenticate to the victim's account, even when the two-factor authentication (2FA) protection is active.
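The summary's figures on Axios are user-agent statistics, which is also the simplest place for a defender to start: scripted HTTP clients such as Axios rarely belong in interactive Microsoft 365 sign-in telemetry. The following is an added example, not code from any of the cited articles. It runs a user-agent triage over constructed sign-in records whose field names (userPrincipalName, ipAddress, userAgent, resultType) are an assumed, simplified shape loosely modelled on Entra ID sign-in log entries; the result code 0 is treated as success and the sample records are invented for the example. It generalizes beyond Axios to other scripted clients.

```python
"""Triage of constructed Microsoft 365 sign-in records for scripted HTTP clients.

Added example, not code from the cited articles. The record layout is an
assumed simplification of Entra ID sign-in log fields, and every record in
SAMPLE_SIGNINS is constructed for this example.
"""
import re
from collections import Counter

# Substrings that identify common scripted HTTP clients. "axios" is the one the
# campaign reporting calls out; the others are added for generality.
SCRIPTED_CLIENT_PATTERNS = re.compile(
    r"\b(axios|python-requests|node-fetch|curl|go-http-client)\b", re.I)

# Constructed sample records (not real tenant data). resultType 0 = success,
# 50126 = invalid username or password.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "cfo@example.test", "ipAddress": "203.0.113.10",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/128.0",
     "resultType": 0},
    {"userPrincipalName": "cfo@example.test", "ipAddress": "198.51.100.7",
     "userAgent": "axios/1.7.2", "resultType": 0},
    {"userPrincipalName": "hr@example.test", "ipAddress": "198.51.100.7",
     "userAgent": "axios/1.7.2", "resultType": 50126},
    {"userPrincipalName": "ops@example.test", "ipAddress": "192.0.2.44",
     "userAgent": "python-requests/2.32.0", "resultType": 0},
    {"userPrincipalName": "dev@example.test", "ipAddress": "203.0.113.99",
     "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_0) Safari/605.1",
     "resultType": 0},
]


def is_scripted_client(user_agent):
    """True when the user agent string names a scripted HTTP client."""
    return bool(SCRIPTED_CLIENT_PATTERNS.search(user_agent or ""))


def flag_scripted_signins(records):
    """Successful sign-ins made through a scripted client: the ones that matter,
    because a replayed credential or token has just worked."""
    return [r for r in records
            if is_scripted_client(r.get("userAgent")) and r.get("resultType") == 0]


def client_share(records, name):
    """Percentage of records whose user agent contains `name` (case-insensitive),
    the same kind of metric the reporting quotes for Axios."""
    if not records:
        return 0.0
    hits = sum(1 for r in records if name.lower() in (r.get("userAgent") or "").lower())
    return round(100.0 * hits / len(records), 2)


def scripted_attempts_by_ip(records):
    """Count scripted-client attempts (successful or not) per source IP. One IP
    touching several accounts through a scripted client is a stronger signal
    than any single record."""
    return Counter(r["ipAddress"] for r in records
                   if is_scripted_client(r.get("userAgent")))


if __name__ == "__main__":
    for r in flag_scripted_signins(SAMPLE_SIGNINS):
        print("successful scripted sign-in:", r["userPrincipalName"], r["ipAddress"], r["userAgent"])
    print("axios share of sample: %.2f%%" % client_share(SAMPLE_SIGNINS, "axios"))
    print("scripted attempts per IP:", dict(scripted_attempts_by_ip(SAMPLE_SIGNINS)))
```

On real data the same logic belongs in the SIEM's query language rather than Python; the point is the pivot order: first isolate successful sign-ins with a scripted user agent, then group by source IP, then compare against any automation accounts that legitimately use such clients before alerting.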
Timeline
- 09.09.2025 17:14 · 5 articles: Axios and Direct Send Abuse in Microsoft 365 Phishing Campaigns
  Salty2FA campaigns have been active since late July 2025 and continue to this day, generating dozens of fresh analysis sessions daily. The campaigns target industries including finance, healthcare, government, logistics, energy, IT consulting, education, construction, telecom, chemicals, industrial manufacturing, real estate, and consulting. Salty2FA activity began gaining momentum in June 2025, with early traces possibly dating back to March–April 2025. Salty2FA uses Cloudflare checks to bypass automated filters and includes a multi-stage execution chain to intercept credentials and 2FA codes. Salty2FA can intercept push, SMS, and voice-based 2FA methods, leading to account takeover. Salty2FA campaigns have been spotted in the US, EU, and other regions, with a focus on enterprises. Salty2FA's phishing emails use lures designed to trigger urgency and bypass skepticism, such as "External Review Request: 2025 Payment Correction".
  The Sneaky 2FA phishing kit has incorporated Browser-in-the-Browser (BitB) functionality to mimic browser address bars and pop-up login forms. This kit uses Cloudflare Turnstile checks to prevent security tools from accessing phishing pages and employs conditional loading techniques to ensure only intended targets can access them. The phishing domains are quickly rotated to minimize detection, and the kit uses obfuscation and disables browser developer tools to resist analysis. Sneaky2FA is a widely used PhaaS platform alongside Tycoon2FA and Mamba2FA, all targeting primarily Microsoft 365 accounts. The kit uses SVG-based attacks and attacker-in-the-middle (AitM) tactics, where the authentication process is proxied to the legitimate service through a phishing page that relays valid session tokens to the attackers. Sneaky2FA has added a BitB pop-up that mimics a legitimate Microsoft login window, adjusting dynamically to the victim's OS and browser. An attacker stealing credentials and active session tokens can authenticate to the victim's account, even when the two-factor authentication (2FA) protection is active.
  Sources:
  - Axios Abuse and Salty 2FA Kits Fuel Advanced Microsoft 365 Phishing Attacks — thehackernews.com — 09.09.2025 17:14
  - Salty2FA Takes Phishing Kits to Enterprise Level — www.darkreading.com — 09.09.2025 18:50
  - Watch Out for Salty2FA: New Phishing Kit Targeting US and EU Enterprises — thehackernews.com — 10.09.2025 11:00
  - Sneaky 2FA Phishing Kit Adds BitB Pop-ups Designed to Mimic the Browser Address Bar — thehackernews.com — 18.11.2025 20:31
  - Sneaky2FA PhaaS kit now uses redteamers' Browser-in-the-Browser attack — www.bleepingcomputer.com — 19.11.2025 23:59
Information Snippets
- Axios user agent activity surged 241% from June to August 2025, making it the most abused HTTP client tool in recent phishing campaigns.
  First reported: 09.09.2025 17:14 · 1 source, 1 article. Sources:
  - Axios Abuse and Salty 2FA Kits Fuel Advanced Microsoft 365 Phishing Attacks — thehackernews.com — 09.09.2025 17:14
- The phishing campaigns use Microsoft's Direct Send feature to spoof trusted users and distribute email messages, achieving a 70% success rate.
  First reported: 09.09.2025 17:14 · 1 source, 1 article. Sources:
  - Axios Abuse and Salty 2FA Kits Fuel Advanced Microsoft 365 Phishing Attacks — thehackernews.com — 09.09.2025 17:14
- The attacks began in July 2025, initially targeting executives and managers in finance, healthcare, and manufacturing sectors.
  First reported: 09.09.2025 17:14 · 1 source, 1 article. Sources:
  - Axios Abuse and Salty 2FA Kits Fuel Advanced Microsoft 365 Phishing Attacks — thehackernews.com — 09.09.2025 17:14
- Axios is used to intercept, modify, and replay HTTP requests, capturing session tokens or MFA codes in real-time.
  First reported: 09.09.2025 17:14 · 1 source, 1 article. Sources:
  - Axios Abuse and Salty 2FA Kits Fuel Advanced Microsoft 365 Phishing Attacks — thehackernews.com — 09.09.2025 17:14
- The campaigns use compensation-themed lures to trick recipients into opening PDF documents containing malicious QR codes.
  First reported: 09.09.2025 17:14 · 1 source, 1 article. Sources:
  - Axios Abuse and Salty 2FA Kits Fuel Advanced Microsoft 365 Phishing Attacks — thehackernews.com — 09.09.2025 17:14
- The phishing pages are hosted on Google Firebase infrastructure to capitalize on its reputation.
  First reported: 09.09.2025 17:14 · 1 source, 1 article. Sources:
  - Axios Abuse and Salty 2FA Kits Fuel Advanced Microsoft 365 Phishing Attacks — thehackernews.com — 09.09.2025 17:14
- Salty 2FA is a PhaaS offering that steals Microsoft login credentials and sidesteps MFA by simulating various authentication methods.
  First reported: 09.09.2025 17:14 · 2 sources, 4 articles. Sources:
  - Axios Abuse and Salty 2FA Kits Fuel Advanced Microsoft 365 Phishing Attacks — thehackernews.com — 09.09.2025 17:14
  - Salty2FA Takes Phishing Kits to Enterprise Level — www.darkreading.com — 09.09.2025 18:50
  - Watch Out for Salty2FA: New Phishing Kit Targeting US and EU Enterprises — thehackernews.com — 10.09.2025 11:00
  - Sneaky 2FA Phishing Kit Adds BitB Pop-ups Designed to Mimic the Browser Address Bar — thehackernews.com — 18.11.2025 20:31
- Salty2FA uses subdomain rotation with each session request.
  First reported: 09.09.2025 18:50 · 2 sources, 2 articles. Sources:
  - Salty2FA Takes Phishing Kits to Enterprise Level — www.darkreading.com — 09.09.2025 18:50
  - Watch Out for Salty2FA: New Phishing Kit Targeting US and EU Enterprises — thehackernews.com — 10.09.2025 11:00
- Salty2FA abuses legitimate platforms to stage the initial attack vector.
  First reported: 09.09.2025 18:50 · 2 sources, 2 articles. Sources:
  - Salty2FA Takes Phishing Kits to Enterprise Level — www.darkreading.com — 09.09.2025 18:50
  - Watch Out for Salty2FA: New Phishing Kit Targeting US and EU Enterprises — thehackernews.com — 10.09.2025 11:00
- Salty2FA dynamically deploys corporate branding to match the theme of message lures.
  First reported: 09.09.2025 18:50 · 2 sources, 2 articles. Sources:
  - Salty2FA Takes Phishing Kits to Enterprise Level — www.darkreading.com — 09.09.2025 18:50
  - Watch Out for Salty2FA: New Phishing Kit Targeting US and EU Enterprises — thehackernews.com — 10.09.2025 11:00
- Salty2FA mimics six different methods of multifactor authentication (MFA).
  First reported: 09.09.2025 18:50 · 2 sources, 2 articles. Sources:
  - Salty2FA Takes Phishing Kits to Enterprise Level — www.darkreading.com — 09.09.2025 18:50
  - Watch Out for Salty2FA: New Phishing Kit Targeting US and EU Enterprises — thehackernews.com — 10.09.2025 11:00
- Salty2FA includes defensive tactics that block security researchers and perform anti-debugging checks.
  First reported: 09.09.2025 18:50 · 2 sources, 3 articles. Sources:
  - Salty2FA Takes Phishing Kits to Enterprise Level — www.darkreading.com — 09.09.2025 18:50
  - Watch Out for Salty2FA: New Phishing Kit Targeting US and EU Enterprises — thehackernews.com — 10.09.2025 11:00
  - Sneaky 2FA Phishing Kit Adds BitB Pop-ups Designed to Mimic the Browser Address Bar — thehackernews.com — 18.11.2025 20:31
- Salty2FA uses Cloudflare Turnstile for secure CAPTCHA replacement.
  First reported: 09.09.2025 18:50 · 2 sources, 3 articles. Sources:
  - Salty2FA Takes Phishing Kits to Enterprise Level — www.darkreading.com — 09.09.2025 18:50
  - Watch Out for Salty2FA: New Phishing Kit Targeting US and EU Enterprises — thehackernews.com — 10.09.2025 11:00
  - Sneaky 2FA Phishing Kit Adds BitB Pop-ups Designed to Mimic the Browser Address Bar — thehackernews.com — 18.11.2025 20:31
- Salty2FA implements dynamic branding functionality to enhance social engineering effectiveness.
  First reported: 09.09.2025 18:50 · 1 source, 1 article. Sources:
  - Salty2FA Takes Phishing Kits to Enterprise Level — www.darkreading.com — 09.09.2025 18:50
- Salty2FA maintains a corporate theme database that customizes fraudulent login interfaces based on victim email domains.
  First reported: 09.09.2025 18:50 · 1 source, 1 article. Sources:
  - Salty2FA Takes Phishing Kits to Enterprise Level — www.darkreading.com — 09.09.2025 18:50
- Salty2FA supports customized branding across various sectors, including healthcare, financial services, technology, energy, and automotive.
  First reported: 09.09.2025 18:50 · 1 source, 1 article. Sources:
  - Salty2FA Takes Phishing Kits to Enterprise Level — www.darkreading.com — 09.09.2025 18:50
- Salty2FA offers advanced evasion capabilities, including geo-blocking, ASN/IP filtering, and JavaScript-based anti-debugging.
  First reported: 09.09.2025 18:50 · 1 source, 1 article. Sources:
  - Salty2FA Takes Phishing Kits to Enterprise Level — www.darkreading.com — 09.09.2025 18:50
- Salty2FA sets up campaigns rapidly, registering a trial account within a legitimate domain to impersonate known businesses.
  First reported: 09.09.2025 18:50 · 1 source, 1 article. Sources:
  - Salty2FA Takes Phishing Kits to Enterprise Level — www.darkreading.com — 09.09.2025 18:50
- Salty2FA uses OneDrive sharing pages with links to lure victims into clicking on phishing pages.
  First reported: 09.09.2025 18:50 · 1 source, 1 article. Sources:
  - Salty2FA Takes Phishing Kits to Enterprise Level — www.darkreading.com — 09.09.2025 18:50
- Salty2FA campaigns have been active since late July 2025 and continue to this day, generating dozens of fresh analysis sessions daily.
  First reported: 10.09.2025 11:00 · 1 source, 1 article. Sources:
  - Watch Out for Salty2FA: New Phishing Kit Targeting US and EU Enterprises — thehackernews.com — 10.09.2025 11:00
- Salty2FA targets industries including finance, healthcare, government, logistics, energy, IT consulting, education, construction, telecom, chemicals, industrial manufacturing, real estate, and consulting.
  First reported: 10.09.2025 11:00 · 1 source, 1 article. Sources:
  - Watch Out for Salty2FA: New Phishing Kit Targeting US and EU Enterprises — thehackernews.com — 10.09.2025 11:00
- Salty2FA activity began gaining momentum in June 2025, with early traces possibly dating back to March–April 2025.
  First reported: 10.09.2025 11:00 · 1 source, 1 article. Sources:
  - Watch Out for Salty2FA: New Phishing Kit Targeting US and EU Enterprises — thehackernews.com — 10.09.2025 11:00
- Salty2FA uses Cloudflare checks to bypass automated filters and includes a multi-stage execution chain to intercept credentials and 2FA codes.
  First reported: 10.09.2025 11:00 · 1 source, 1 article. Sources:
  - Watch Out for Salty2FA: New Phishing Kit Targeting US and EU Enterprises — thehackernews.com — 10.09.2025 11:00
- Salty2FA can intercept push, SMS, and voice-based 2FA methods, leading to account takeover.
  First reported: 10.09.2025 11:00 · 1 source, 1 article. Sources:
  - Watch Out for Salty2FA: New Phishing Kit Targeting US and EU Enterprises — thehackernews.com — 10.09.2025 11:00
- Salty2FA campaigns have been spotted in the US, EU, and other regions, with a focus on enterprises.
  First reported: 10.09.2025 11:00 · 1 source, 1 article. Sources:
  - Watch Out for Salty2FA: New Phishing Kit Targeting US and EU Enterprises — thehackernews.com — 10.09.2025 11:00
- Salty2FA's phishing emails use lures designed to trigger urgency and bypass skepticism, such as "External Review Request: 2025 Payment Correction".
  First reported: 10.09.2025 11:00 · 1 source, 2 articles. Sources:
  - Watch Out for Salty2FA: New Phishing Kit Targeting US and EU Enterprises — thehackernews.com — 10.09.2025 11:00
  - Sneaky 2FA Phishing Kit Adds BitB Pop-ups Designed to Mimic the Browser Address Bar — thehackernews.com — 18.11.2025 20:31
- Sneaky 2FA has incorporated Browser-in-the-Browser (BitB) functionality to mimic browser address bars and pop-up login forms.
  First reported: 18.11.2025 20:31 · 2 sources, 2 articles. Sources:
  - Sneaky 2FA Phishing Kit Adds BitB Pop-ups Designed to Mimic the Browser Address Bar — thehackernews.com — 18.11.2025 20:31
  - Sneaky2FA PhaaS kit now uses redteamers' Browser-in-the-Browser attack — www.bleepingcomputer.com — 19.11.2025 23:59
- Sneaky 2FA uses Cloudflare Turnstile checks to prevent security tools from accessing phishing pages.
  First reported: 18.11.2025 20:31 · 2 sources, 2 articles. Sources:
  - Sneaky 2FA Phishing Kit Adds BitB Pop-ups Designed to Mimic the Browser Address Bar — thehackernews.com — 18.11.2025 20:31
  - Sneaky2FA PhaaS kit now uses redteamers' Browser-in-the-Browser attack — www.bleepingcomputer.com — 19.11.2025 23:59
- Sneaky 2FA employs conditional loading techniques to ensure only intended targets can access phishing pages.
  First reported: 18.11.2025 20:31 · 2 sources, 2 articles. Sources:
  - Sneaky 2FA Phishing Kit Adds BitB Pop-ups Designed to Mimic the Browser Address Bar — thehackernews.com — 18.11.2025 20:31
  - Sneaky2FA PhaaS kit now uses redteamers' Browser-in-the-Browser attack — www.bleepingcomputer.com — 19.11.2025 23:59
- Sneaky 2FA phishing domains are quickly rotated to minimize detection.
  First reported: 18.11.2025 20:31 · 2 sources, 2 articles. Sources:
  - Sneaky 2FA Phishing Kit Adds BitB Pop-ups Designed to Mimic the Browser Address Bar — thehackernews.com — 18.11.2025 20:31
  - Sneaky2FA PhaaS kit now uses redteamers' Browser-in-the-Browser attack — www.bleepingcomputer.com — 19.11.2025 23:59
- Sneaky 2FA uses obfuscation and disables browser developer tools to resist analysis.
  First reported: 18.11.2025 20:31 · 2 sources, 2 articles. Sources:
  - Sneaky 2FA Phishing Kit Adds BitB Pop-ups Designed to Mimic the Browser Address Bar — thehackernews.com — 18.11.2025 20:31
  - Sneaky2FA PhaaS kit now uses redteamers' Browser-in-the-Browser attack — www.bleepingcomputer.com — 19.11.2025 23:59
- Sneaky2FA is a widely used PhaaS platform alongside Tycoon2FA and Mamba2FA, all targeting primarily Microsoft 365 accounts.
  First reported: 19.11.2025 23:59 · 1 source, 1 article. Sources:
  - Sneaky2FA PhaaS kit now uses redteamers' Browser-in-the-Browser attack — www.bleepingcomputer.com — 19.11.2025 23:59
- Sneaky2FA uses SVG-based attacks and attacker-in-the-middle (AitM) tactics, where the authentication process is proxied to the legitimate service through a phishing page that relays valid session tokens to the attackers.
  First reported: 19.11.2025 23:59 · 1 source, 1 article. Sources:
  - Sneaky2FA PhaaS kit now uses redteamers' Browser-in-the-Browser attack — www.bleepingcomputer.com — 19.11.2025 23:59
- Sneaky2FA has added a BitB pop-up that mimics a legitimate Microsoft login window, adjusting dynamically to the victim's OS and browser.
  First reported: 19.11.2025 23:59 · 1 source, 1 article. Sources:
  - Sneaky2FA PhaaS kit now uses redteamers' Browser-in-the-Browser attack — www.bleepingcomputer.com — 19.11.2025 23:59
- An attacker stealing credentials and active session tokens can authenticate to the victim's account, even when the two-factor authentication (2FA) protection is active.
  First reported: 19.11.2025 23:59 · 1 source, 1 article. Sources:
  - Sneaky2FA PhaaS kit now uses redteamers' Browser-in-the-Browser attack — www.bleepingcomputer.com — 19.11.2025 23:59
- BitB is a phishing technique devised by researcher mr.d0x in 2022 and has since been adopted by threat actors for real attacks targeting Facebook and Steam accounts, among other services.
  First reported: 19.11.2025 23:59 · 1 source, 1 article. Sources:
  - Sneaky2FA PhaaS kit now uses redteamers' Browser-in-the-Browser attack — www.bleepingcomputer.com — 19.11.2025 23:59
- The template for the pop-up is an iframe that mimics the authentication form of legitimate services and can be customized with a specific URL and window title.
  First reported: 19.11.2025 23:59 · 1 source, 1 article. Sources:
  - Sneaky2FA PhaaS kit now uses redteamers' Browser-in-the-Browser attack — www.bleepingcomputer.com — 19.11.2025 23:59
- The fake window displays a URL bar with the targeted service's official domain address, making it look like a trustworthy OAuth pop-up.
  First reported: 19.11.2025 23:59 · 1 source, 1 article. Sources:
  - Sneaky2FA PhaaS kit now uses redteamers' Browser-in-the-Browser attack — www.bleepingcomputer.com — 19.11.2025 23:59
- The victim opens a phishing link on 'previewdoc[.]com' and goes through a Cloudflare Turnstile bot check before being prompted to sign in with Microsoft to view a document.
  First reported: 19.11.2025 23:59 · 1 source, 1 article. Sources:
  - Sneaky2FA PhaaS kit now uses redteamers' Browser-in-the-Browser attack — www.bleepingcomputer.com — 19.11.2025 23:59
- If the 'Sign in with Microsoft' option is clicked, the fake BitB window is rendered, featuring a fake Microsoft URL bar, resized and styled appropriately for Edge on Windows or Safari on macOS.
  First reported: 19.11.2025 23:59 · 1 source, 1 article. Sources:
  - Sneaky2FA PhaaS kit now uses redteamers' Browser-in-the-Browser attack — www.bleepingcomputer.com — 19.11.2025 23:59
- Inside the fake pop-up, Sneaky2FA loads its reverse-proxy Microsoft phishing page, leveraging the real login flow to steal both the account credentials and the session token via its AitM system.
  First reported: 19.11.2025 23:59 · 1 source, 1 article. Sources:
  - Sneaky2FA PhaaS kit now uses redteamers' Browser-in-the-Browser attack — www.bleepingcomputer.com — 19.11.2025 23:59
- BitB is used as a cosmetic deception layer on top of Sneaky2FA's existing AitM capabilities, adding more realism to the attack chain.
  First reported: 19.11.2025 23:59 · 1 source, 1 article. Sources:
  - Sneaky2FA PhaaS kit now uses redteamers' Browser-in-the-Browser attack — www.bleepingcomputer.com — 19.11.2025 23:59
- The phishing kit also uses conditional loading, sending bots and researchers to a benign page instead.
  First reported: 19.11.2025 23:59 · 1 source, 1 article. Sources:
  - Sneaky2FA PhaaS kit now uses redteamers' Browser-in-the-Browser attack — www.bleepingcomputer.com — 19.11.2025 23:59
- Push Security reports that these phishing sites are crafted with evasion in mind and are unlikely to trigger warnings when visited.
  First reported: 19.11.2025 23:59 · 1 source, 1 article. Sources:
  - Sneaky2FA PhaaS kit now uses redteamers' Browser-in-the-Browser attack — www.bleepingcomputer.com — 19.11.2025 23:59
- The HTML and JavaScript of Sneaky2FA pages are heavily obfuscated to evade static detection and pattern-matching: UI text is broken up with invisible tags, background and interface elements are embedded as encoded images instead of text, and other changes that are invisible to the user make it hard for scanning tools to fingerprint the page.
  First reported: 19.11.2025 23:59 · 1 source, 1 article. Sources:
  - Sneaky2FA PhaaS kit now uses redteamers' Browser-in-the-Browser attack — www.bleepingcomputer.com — 19.11.2025 23:59
- One way to determine if a pop-up login form is authentic is to try to drag it outside the original browser window. This is not possible with an iframe because it is linked to its parent window.
  First reported: 19.11.2025 23:59 · 1 source, 1 article. Sources:
  - Sneaky2FA PhaaS kit now uses redteamers' Browser-in-the-Browser attack — www.bleepingcomputer.com — 19.11.2025 23:59
- Additionally, a legitimate pop-up appears in the taskbar as a separate browser instance.
  First reported: 19.11.2025 23:59 · 1 source, 1 article. Sources:
  - Sneaky2FA PhaaS kit now uses redteamers' Browser-in-the-Browser attack — www.bleepingcomputer.com — 19.11.2025 23:59
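The snippets above report that the campaign delivers its lures through Microsoft's Direct Send feature, which lets an unauthenticated host submit mail addressed to the tenant's own users with an internal sender address. The following is an added example, not code from the cited articles. It scores raw messages with a defender-side heuristic: an internal From domain combined with a connecting IP outside the ranges a tenant has allow-listed for Direct Send and a non-passing SPF result. The accepted-domain list, the allow-listed ranges, and both sample messages (including the Received and Authentication-Results header wording) are constructed for the example and are assumptions, not values from the page.

```python
"""Heuristic check for inbound mail that looks like Direct Send spoofing.

Added example, not code from the cited articles. ACCEPTED_DOMAINS,
ALLOWED_DIRECT_SEND_NETS and both sample messages are constructed; the
header wording follows common Authentication-Results usage but is assumed.
"""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed: the tenant's own accepted domain(s).
ACCEPTED_DOMAINS = {"example.test"}
# Constructed: ranges of devices (scanners, line-of-business apps) that are
# legitimately allowed to submit mail via Direct Send.
ALLOWED_DIRECT_SEND_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample: an external host submits mail "from" an internal user.
SPOOFED = """\
Received: from mail.attacker.test (mail.attacker.test [198.51.100.23])
 by EXAMPLE.mail.protection.outlook.com with SMTP; Tue, 9 Sep 2025 10:00:00 +0000
Authentication-Results: spf=fail (sender IP is 198.51.100.23) smtp.mailfrom=example.test;
 dkim=none (message not signed); dmarc=fail action=none header.from=example.test
From: "Payroll" <payroll@example.test>
To: cfo@example.test
Subject: Q3 compensation adjustment

Please review the attached document.
"""

# Constructed sample: an allow-listed scanner, SPF passes.
LEGIT = """\
Received: from scanner01 (scanner01.example.test [203.0.113.5])
 by EXAMPLE.mail.protection.outlook.com with SMTP; Tue, 9 Sep 2025 10:05:00 +0000
Authentication-Results: spf=pass (sender IP is 203.0.113.5) smtp.mailfrom=example.test;
 dkim=none (message not signed); dmarc=pass action=none header.from=example.test
From: "Scanner" <scanner@example.test>
To: ops@example.test
Subject: Scanned document

Attached.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
SPF_RE = re.compile(r"\bspf=(\w+)", re.I)


def connecting_ip(msg):
    """IP of the host that handed the message to the tenant's MX. The topmost
    Received header is the most recently added one, so it is checked first."""
    for hdr in msg.get_all("Received") or []:
        m = IP_RE.search(hdr)
        if m:
            return ipaddress.ip_address(m.group(1))
    return None


def spf_result(msg):
    """SPF verdict from Authentication-Results, or 'none' if absent."""
    m = SPF_RE.search(msg.get("Authentication-Results", ""))
    return m.group(1).lower() if m else "none"


def assess_direct_send(raw):
    """Return (is_suspicious, reasons) for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if from_domain not in ACCEPTED_DOMAINS:
        # External sender: ordinary inbound mail, outside this heuristic's scope.
        return False, []
    reasons = []
    ip = connecting_ip(msg)
    if ip is None:
        reasons.append("no connecting IP found in Received headers")
    elif not any(ip in net for net in ALLOWED_DIRECT_SEND_NETS):
        reasons.append(f"internal sender {addr} submitted from non-allow-listed IP {ip}")
    spf = spf_result(msg)
    if spf != "pass":
        reasons.append(f"SPF result is {spf}")
    return bool(reasons), reasons


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, assess_direct_send(raw))
```

The heuristic is deliberately conservative: it only fires on mail that claims to come from the tenant's own domain, because that is the property Direct Send abuse relies on. Where no device actually depends on Direct Send, rejecting it at the tenant level removes the vector outright; where some do, an allow-list such as ALLOWED_DIRECT_SEND_NETS plus a transport rule that quarantines internal-domain mail failing SPF covers the remainder.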
Similar Happenings
TruffleNet Attack Campaign Targeting AWS Environments
The TruffleNet attack campaign leverages stolen credentials to target AWS environments, particularly Amazon's Simple Email Service (SES). The campaign uses the open-source scanning tool TruffleHog and exploits legitimate tools like Portainer to perform reconnaissance and execute downstream business email compromise (BEC) attacks. The campaign involved over 800 unique hosts across 57 distinct Class C networks. Attackers use legitimate AWS APIs to test stolen credentials and perform reconnaissance. The campaign also includes BEC attacks targeting the oil and gas sector, using compromised WordPress sites to establish sending identities.
Atroposia malware-as-a-service platform discovered
A new malware-as-a-service (MaaS) platform named Atroposia offers cybercriminals a remote access trojan (RAT) with capabilities for persistent access, evasion, data theft, and local vulnerability scanning. The malware is available for a $200 monthly subscription and includes advanced features such as hidden remote desktop, file system control, data exfiltration, clipboard theft, credential theft, cryptocurrency wallet theft, and DNS hijacking. Atroposia was first identified by researchers at Varonis on October 15, 2025, and has been observed being promoted on underground forums. The platform includes modules for hidden remote desktop sessions, file management, data exfiltration, credential theft, clipboard monitoring, DNS hijacking, and local vulnerability scanning. The vulnerability scanner audits missing patches, unsafe settings, and vulnerable software, allowing attackers to prioritize exploits. The platform can be combined with SpamGPT and MatrixPDF to create a plug-and-play criminal toolkit. SpamGPT automates phishing campaign creation, SMTP/IMAP cracking, and deliverability tooling, while MatrixPDF weaponizes ordinary PDF files to bypass email filters. Atroposia uses encrypted command and control (C2) servers to foil traffic inspection and automatically escalates privileges via UAC bypass to gain admin rights and install multiple persistence mechanisms.
Phishing campaign targets LastPass and Bitwarden users to install remote access tools
A phishing campaign is targeting LastPass and Bitwarden users with fake breach alerts. The emails urge recipients to download a supposedly more secure desktop version of the password manager, which installs Syncro, an RMM tool, and ScreenConnect remote support software. The campaign began over the Columbus Day holiday weekend, exploiting reduced staffing. LastPass has confirmed it has not been hacked and is actively working to mitigate the phishing campaign. The phishing emails are well-crafted and claim to address vulnerabilities in older .exe installations, urging users to update to a more secure MSI format. The threat actors use domains like 'lastpasspulse[.]blog' and 'bitwardenbroadcast[.]blog' to send these emails. The malware installs Syncro and ScreenConnect, allowing the threat actors to remotely access the compromised endpoints, deploy further malware, and steal data. The phishing emails use the subject line 'We Have Been Hacked - Update Your LastPass Desktop App to Maintain Vault Security' and are sent from email addresses like hello@lastpasspulse[.]blog or hello@lastpassgazette[.]blog. The phishing site is hosted at lastpassdesktop[.]com or lastpassgazette[.]blog, and another URL, lastpassdesktop[.]app, has been registered by the threat actor for potential future use.
Storm-2657 Targets University HR Employees in Payroll Hijacking Campaign
A cybercrime gang, Storm-2657, has been targeting university employees in the United States since March 2025 to hijack salary payments. The attackers have successfully compromised 11 accounts at three universities, sending phishing emails to nearly 6,000 email accounts across 25 universities. The campaign, codenamed Payroll Pirates, exploits a lack of multifactor authentication (MFA) or phishing-resistant MFA to compromise Workday accounts and other third-party HR SaaS platforms. The attackers use sophisticated social engineering tactics and adversary-in-the-middle (AITM) links to steal MFA codes, enabling them to gain access to Exchange Online accounts. Once inside, they alter salary payment configurations and redirect payments to accounts under their control. The attackers also create inbox rules to delete incoming warning notification emails from Workday and enroll their own phone numbers as MFA devices for victim accounts. The compromised email accounts are used to distribute further phishing emails, both within the organization and to other universities. The attacks have been ongoing since March 2025, with Microsoft identifying affected customers and providing mitigation guidance. The campaign has been observed targeting a range of U.S.-based organizations, particularly in the higher education sector, and any software-as-a-service (SaaS) platform storing HR or payment and bank account information.
FileFix Attack Evolves with Cache Smuggling Technique
A new variant of the FileFix social engineering attack uses cache smuggling to evade security software. This technique involves hiding a malicious ZIP archive within a browser's cache to bypass detection. The attack impersonates a Fortinet VPN Compliance Checker and tricks users into executing a PowerShell script through the Windows File Explorer address bar. The script extracts the malicious payload from the cache and executes it. This new variant was first observed by cybersecurity researcher P4nd3m1cb0y and detailed by Marcus Hutchins of Expel. The attack has been adopted by various threat actors, including ransomware groups. Additionally, a new ClickFix kit called the IUAM ClickFix Generator has been discovered, which automates the creation of ClickFix-style lures.