Cybercriminals Use Go Resty and Node Fetch in 13 Million Password Spraying Attempts

Feb 05, 2025Ravie LakshmananCybersecurity / Cloud Security

Cybercriminals are increasingly leveraging legitimate HTTP client tools to facilitate account takeover (ATO) attacks on Microsoft 365 environments.

Enterprise security company Proofpoint said it observed campaigns using HTTP clients Axios and Node Fetch to send HTTP requests and receive HTTP responses from web servers with the goal of conducting ATO attacks.

“Originally sourced from public repositories like GitHub, these tools are increasingly used in attacks like Adversary-in-the-Middle (AitM) and brute force techniques, leading to numerous account takeover (ATO) incidents,” security researcher Anna Akselevich said.

The use of HTTP client tools for brute-force attacks has been a long-observed trend since at least February 2018, with successive iterations employing variants of OkHttp clients to target Microsoft 365 environments at least until early 2024.

But by March 2024, Proofpoint said it began to observe a wide range of HTTP clients gaining traction, with the attacks scaling a new high such that 78% of Microsoft 365 tenants were targeted at least once by an ATO attempt by the second half of last year.

“In May 2024, these attacks peaked, leveraging millions of hijacked residential IPs to target cloud accounts,” Akselevich said.

The volume and diversity of these attack attempts is evidenced by the emergence of HTTP clients such as Axios, Go Resty, Node Fetch, and Python Requests, with those combining precision targeting with AitM techniques achieving a higher compromise rate.

Axios, per Proofpoint, is designed for Node.js and browsers and can be paired with AitM platforms like Evilginx to enable theft of credentials and multi-factor authentication (MFA) codes.

The threat actors have also been observed setting up new mailbox rules to conceal evidence of malicious activities, stealing sensitive data, and even registering a new OAuth application with excessive permission scopes to establish persistent remote access to the compromised environment.

The Axios campaign is said to have primarily singled out high-value targets like executives, financial officers, account managers, and operational staff across transportation, construction, finance, IT, and healthcare verticals.

Over 51% of the targeted organizations have been assessed to be successfully impacted between June and November 2024, compromising 43% of targeted user accounts.

The cybersecurity company said it also detected a large-scale password spraying campaign using Node Fetch and Go Resty clients, recording no less than 13 million login attempts since June 9, 2024, averaging over 66,000 malicious attempts per day. The success rate, however, remained low, affecting only 2% of targeted entities.

More than 178,000 targeted user accounts across 3,000 organizations have been identified to date, a majority of which belong to the education sector, particularly student user accounts that are likely to be less protected and can be weaponized for other campaigns or sold to different threat actors.

“Threat actors’ tools for ATO attacks have greatly evolved, with various HTTP client tools used for exploiting APIs and making HTTP requests,” Akselevich said. “These tools offer distinct advantages, making attacks more efficient.”

“Given this trend, attackers are likely to continue switching between HTTP client tools, adapting strategies to leverage new technologies and evade detection, reflecting a broader pattern of constant evolution to enhance their effectiveness and minimize exposure.”

Upgrade your audio game with the Logitech for Creators Blue Yeti USB Microphone. With over 33,730 ratings and an impressive 4.6 out of 5 stars, it’s no wonder this is an Amazon’s Choice product. Recently, 5K+ units were purchased in the past month.

Available in five stunning colors: Teal, Silver, Pink Dawn, Midnight Blue, and Blackout, this microphone is perfect for creators looking to produce exceptional audio. Priced at only $84.99, it’s a deal you can’t afford to miss.

Elevate your recordings with clear broadcast-quality sound and explore your creativity with enhanced effects, advanced modulation, and HD audio samples. Order now for just $84.99 on Amazon!

Help Power Techcratic’s Future – Scan To Support

If Techcratic’s content and insights have helped you, consider giving back by supporting the platform with crypto. Every contribution makes a difference, whether it’s for high-quality content, server maintenance, or future updates. Techcratic is constantly evolving, and your support helps drive that progress.

As a solo operator who wears all the hats, creating content, managing the tech, and running the site, your support allows me to stay focused on delivering valuable resources. Your support keeps everything running smoothly and enables me to continue creating the content you love. I’m deeply grateful for your support, it truly means the world to me! Thank you!