Axios and Microsoft Direct Send phishing campaign targeting all users
Campaign
Summary
A phishing campaign is expanding to all users, increasing the risk of credential theft, MFA bypass, and session-token capture. The operation pairs Axios with Microsoft Direct Send to spoof trusted senders and push messages through inbox defenses. It began in July 2025 and first focused on finance, health care, and manufacturing before widening its reach.
Related Happenings
OAuth device-code phishing campaign targeting SaaS accounts
Campaign
First: 04.04.2026 17:17
Last: 04.04.2026 17:17
Sources 1
About this happening:
A **device code phishing** campaign now includes **EvilTokens**, a **phishing-as-a-service** kit sold on **Telegram** that uses the **OAuth 2.0 device authorization flow** to hija...
WAVESHAPER.V2 trojanized Axios npm packages
Malware Activity
First: 03.04.2026 14:04
Last: 03.04.2026 14:04
Sources 1
About this happening:
The **WAVESHAPER.V2** implant was embedded in **trojanized Axios npm package releases**, creating downstream supply-chain risk for **npm users**. The malicious code was published...
Tycoon2FA phishing campaign resumes after takedown
Campaign
First: 23.03.2026 18:05
Last: 23.03.2026 18:05
Sources 1
About this happening:
**Tycoon2FA** has resumed a **broad phishing campaign** after a **major takedown**, and it is again **compromising email accounts** while **bypassing MFA**. The operation uses **a...
Tycoon 2FA-Storm-1747 ecosystem shift changes threat-actor operations
Threat Actor Meta
First: 05.03.2026 08:51
Last: 05.03.2026 08:51
Sources 1
About this happening:
**Tycoon2FA** has evolved from a **subscription-based PhaaS** into a more resilient phishing service that now supports **device-code phishing** against **Microsoft 365** accounts....
Latest development: 17.05.2026 17:43
eSentire says Tycoon2FA now uses device-code phishing to target Microsoft 365 accounts, with invoice-themed lure emails carrying Trustifi click-tracking URLs that redirect through Trustifi, Cloudflare Workers, obfuscated JavaScript layers, and a fake Microsoft CAPTCHA page before sending victims to microsoft.com/devicelogin. The kit also adds anti-analysis defenses, including detection of Selenium, Puppeteer, Playwright, and Burp Suite, plus blocks for security vendors, VPNs, sandboxes, AI crawlers, and cloud providers.
Europol-coordinated Tycoon2FA takedown
Law Enforcement
First: 04.03.2026 19:01
Last: 04.03.2026 19:01
Sources 1
About this happening:
**Europol** coordinated a law-enforcement operation that **seized 330 domains** tied to **Tycoon2FA**, disrupting a **phishing-as-a-service** platform used for **credential theft*...
Latest development: 23.03.2026 23:52
CrowdStrike observed Tycoon2FA return to pre-disruption activity levels within days after the March 4, 2026 Europol-led takedown, with daily campaign volumes on March 4 and March 5, 2026 falling to 25% of pre-disruption levels before rebounding to early 2026 levels. The phishing-as-a-service platform continued using largely unchanged TTPs against Microsoft 365 and Gmail accounts and remained active in malicious email campaigns, BEC, email thread hijacking, cloud account takeovers, and malicious SharePoint links.
Timeline
- 09.09.2025 17:14 · 2 articles · 8mo ago
  Axios and Microsoft Direct Send drive phishing campaign against Microsoft 365 users
  Initial Disclosure: Threat actors are abusing Axios HTTP client tools with Microsoft's Direct Send feature to spoof trusted senders and deliver phishing emails to Microsoft 365 users, with the campaign beginning in July 2025 and expanding from executives and managers in finance, health care, and manufacturing to all users.
- Axios Abuse and Salty 2FA Kits Fuel Advanced Microsoft 365 Phishing Attacks — thehackernews.com — 09.09.2025 17:14