EXECUTIVE SUMMARY
There has been a sharp increase in attacks using the Axios user agent, which is now widely used to automate phishing campaigns and steal credentials. Axios activity rose by 241% between June and August, making it the most abused tool among flagged user agents. Attackers combine Axios with Direct Send, a trusted email delivery feature, to bypass security filters and deliver phishing emails directly to inboxes. This method has achieved a 70% success rate in stealing credentials, far higher than other phishing attempts. The campaign first targeted executives and managers in sectors like finance, healthcare, and manufacturing but later expanded to target regular users. Axios enables attackers to automate requests, interact with APIs, and collect stolen data faster than older tools.
Axios is popular among attackers because it allows them to send multiple requests at once, making phishing campaigns faster and harder to detect. It can capture credentials, bypass multifactor authentication, and hijack session tokens. Attackers also exploit Azure authentication workflows by abusing shared access tokens, giving them access to sensitive accounts without passwords. By using Direct Send, phishing emails appear legitimate and avoid email security checks, making the attacks more successful. Some campaigns also use QR codes in phishing emails and PDF attachments, leading victims to fake login pages hosted on short-lived domains or trusted platforms like Firebase. This disposable setup allows attackers to quickly replace their infrastructure and continue operating undetected.
Axios blends in with normal traffic because it is commonly used in legitimate applications, making detection more difficult. Axios has become a key tool for attackers, helping them automate phishing attacks and bypass security defenses with ease. Its combination with Direct Send creates a reliable way to deliver phishing emails, steal credentials, and gain unauthorized access to accounts. Attackers are expanding beyond phishing to use Axios for tasks like API abuse, data scraping, and large-scale exploitation. Since Axios traffic often looks like normal activity, traditional detection methods are less effective. This trend shows attackers are focusing on speed, automation, and stealth to increase success rates. With its rising use in phishing and credential theft, organizations face growing risks across sectors like finance, healthcare, manufacturing, and e-commerce. Stronger monitoring, better detection techniques, and protection of APIs are needed to reduce the impact of Axios-powered attacks.
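The two paragraphs above describe the pattern defenders need to spot: sign-ins arriving with the Axios default User-Agent (especially successful ones where MFA was not enforced) and inbound mail that claims an internal sender but arrives unauthenticated from an external address, which is how Direct Send abuse looks from the mail gateway's side. The script below is an added example written for this summary; it is not code from the original report or from the Axios project. It runs over constructed, simplified JSON sign-in and mail-flow records whose field names (user_agent, src_ip, mfa, auth_sender, spf) are assumptions, not any vendor's real schema; in a real deployment the same checks would be pointed at the identity provider's sign-in log and the mail gateway's message trace.

```python
"""Added example: flag Axios-user-agent sign-ins and Direct Send-style inbound mail.

All log records below are constructed samples in an assumed JSON-lines format.
"""
import json
import re
from collections import Counter

# Default User-Agent sent by the Axios HTTP client, e.g. "axios/1.6.2".
# The version pattern is deliberately loose.
AXIOS_UA = re.compile(r"^axios/\d+(\.\d+)*", re.IGNORECASE)

# Constructed sample sign-in events (field names are assumptions).
SIGNIN_LOG = """\
{"ts":"2025-08-01T09:12:01Z","user":"cfo@example.com","user_agent":"axios/1.6.2","src_ip":"203.0.113.7","result":"success","mfa":"not_required"}
{"ts":"2025-08-01T09:12:03Z","user":"alice@example.com","user_agent":"Mozilla/5.0 (Windows NT 10.0) Chrome/126.0","src_ip":"198.51.100.4","result":"success","mfa":"satisfied"}
{"ts":"2025-08-01T09:12:05Z","user":"bob@example.com","user_agent":"axios/0.27.2","src_ip":"203.0.113.7","result":"failure","mfa":"none"}
{"ts":"2025-08-01T09:12:09Z","user":"ceo@example.com","user_agent":"axios/1.6.2","src_ip":"203.0.113.7","result":"success","mfa":"not_required"}
"""

# Constructed sample inbound mail-flow events (field names are assumptions).
MAILFLOW_LOG = """\
{"ts":"2025-08-01T10:00:00Z","sender":"it-support@example.com","recipient":"cfo@example.com","src_ip":"203.0.113.7","spf":"fail","auth_sender":false,"subject":"Action required: review document"}
{"ts":"2025-08-01T10:00:02Z","sender":"newsletter@vendor.invalid","recipient":"alice@example.com","src_ip":"192.0.2.9","spf":"pass","auth_sender":false,"subject":"Monthly update"}
{"ts":"2025-08-01T10:00:04Z","sender":"hr@example.com","recipient":"bob@example.com","src_ip":"10.0.0.5","spf":"pass","auth_sender":true,"subject":"Payroll"}
"""

INTERNAL_DOMAIN = "example.com"          # assumed tenant domain
# RFC 1918 and loopback ranges; intentionally simple for the example.
INTERNAL_IP = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.)")


def parse_jsonl(text):
    """Parse JSON-lines text into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def axios_signins(events):
    """Sign-in events whose User-Agent is the Axios default."""
    return [e for e in events if AXIOS_UA.match(e.get("user_agent", ""))]


def axios_success_without_mfa(events):
    """Highest-priority subset: Axios UA, successful, and MFA not satisfied."""
    return [e for e in axios_signins(events)
            if e.get("result") == "success" and e.get("mfa") != "satisfied"]


def direct_send_candidates(events, internal_domain=INTERNAL_DOMAIN):
    """Inbound mail using an internal sender address from an external,
    unauthenticated source that does not pass SPF."""
    hits = []
    for e in events:
        sender_domain = e.get("sender", "").rpartition("@")[2].lower()
        if (sender_domain == internal_domain
                and not INTERNAL_IP.match(e.get("src_ip", ""))
                and not e.get("auth_sender", False)
                and e.get("spf") != "pass"):
            hits.append(e)
    return hits


def shared_source_ips(signins, mails):
    """Source IPs present in both the Axios sign-ins and the mail candidates;
    an overlap ties the two activity streams together for triage."""
    return sorted({e["src_ip"] for e in signins} & {e["src_ip"] for e in mails})


def summarize(signin_text=SIGNIN_LOG, mail_text=MAILFLOW_LOG):
    """Run both detections and return a triage summary."""
    signins = parse_jsonl(signin_text)
    mails = parse_jsonl(mail_text)
    axios = axios_signins(signins)
    mail_hits = direct_send_candidates(mails)
    return {
        "axios_signins": len(axios),
        "axios_versions": dict(Counter(e["user_agent"] for e in axios)),
        "axios_success_no_mfa_users": sorted(
            e["user"] for e in axios_success_without_mfa(signins)),
        "direct_send_candidates": len(mail_hits),
        "pivot_ips": shared_source_ips(axios, mail_hits),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(), indent=2))
```

The user-agent match alone produces noise, because legitimate integrations also send the Axios default string; the value comes from the two narrowing steps: successful sign-ins where MFA was not satisfied, and a source address that also appears in unauthenticated inbound mail spoofing the tenant's own domain. Treat the SPF and authenticated-sender checks as placeholders for whatever headers or trace fields your gateway actually records.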
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1566.002 | Phishing | Spearphishing Link |
| Initial Access | T1566.003 | Phishing | Spearphishing Attachment |
| Initial Access | T1078 | Valid Accounts | – |
| Execution | T1059.007 | Command and Scripting Interpreter | JavaScript |
| Defense Evasion | T1036.004 | Masquerading | Match Legitimate Traffic |
| Credential Access | T1556.001 | Modify Authentication Process | MFA Bypass |
| Credential Access | T1557.003 | Man-in-the-Middle | Session Hijacking |
| Credential Access | T1110.004 | Brute Force | Credential Stuffing |
| Credential Access | T1552.001 | Unsecured Credentials | Logs/Token Extraction |
| Collection | T1056.003 | Input Capture | Web Session Cookie Capture |
| Command & Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | – |
REFERENCES:
The following reports contain further technical details:
https://thehackernews.com/2025/09/axios-abuse-and-salty-2fa-kits-fuel.html
https://reliaquest.com/blog/threat-spotlight-attackers-exploit-axios-for-automated-phishing/