Axios Abuse and Salty 2FA Kits Fuel Advanced Microsoft 365 Phishing Attacks

What’s new: Recent phishing campaigns are exploiting the Axios HTTP client and Microsoft’s Direct Send feature to enhance their effectiveness. Axios user agent activity surged by 241% from June to August 2025, making it a significant tool for attackers. These campaigns have achieved a 70% success rate by using Axios to bypass traditional security measures and automate phishing workflows, targeting users in finance, healthcare, and manufacturing sectors. Additionally, a new phishing-as-a-service offering called Salty 2FA has emerged, simulating various MFA methods to steal Microsoft login credentials.

Who’s affected

Organizations using Microsoft 365, particularly those in finance, healthcare, and manufacturing, are at risk. Employees who interact with phishing emails or are targeted by credential harvesting campaigns are also vulnerable.

What to do

  • Secure and disable Microsoft Direct Send if not required.
  • Implement anti-spoofing policies on email gateways.
  • Train employees to recognize phishing emails and suspicious links.
  • Block known malicious domains and monitor for unusual Axios activity.
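
One way to act on the last item, monitoring for unusual Axios activity, as an added example (not from the original brief): a Python pass over sign-in records that flags Axios user agents outside an allowlist and ranks affected accounts. The records, field names, success code, and allowlist entry are constructed assumptions; map them to your own sign-in log schema.

```python
import json
import re
from collections import defaultdict

# Constructed sample sign-in records (JSON lines). Field names and the
# "error_code 0 means success" convention are assumptions for this example.
SAMPLE_LOG = """\
{"time":"2025-08-12T09:01:10Z","user":"alice@example.com","ip":"198.51.100.7","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/139.0","error_code":0}
{"time":"2025-08-12T09:03:42Z","user":"alice@example.com","ip":"203.0.113.50","user_agent":"axios/1.7.9","error_code":50126}
{"time":"2025-08-12T09:03:55Z","user":"alice@example.com","ip":"203.0.113.50","user_agent":"axios/1.7.9","error_code":0}
{"time":"2025-08-12T10:15:00Z","user":"bob@example.com","ip":"198.51.100.9","user_agent":"Mozilla/5.0 (Macintosh) Safari/605.1.15","error_code":0}
{"time":"2025-08-12T11:20:31Z","user":"svc-sync@example.com","ip":"192.0.2.10","user_agent":"axios/1.6.2","error_code":0}
not-json garbage line
"""

AXIOS_UA = re.compile(r"^axios/\d", re.IGNORECASE)
ALLOWED_AXIOS_USERS = {"svc-sync@example.com"}  # hypothetical approved automation

def find_axios_signins(log_text, allowlist=ALLOWED_AXIOS_USERS):
    """Return {user: summary} for Axios sign-ins by accounts not in the allowlist."""
    hits = defaultdict(lambda: {"attempts": 0, "successes": 0, "ips": set()})
    for line in log_text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed or empty lines instead of aborting the scan
        if not isinstance(ev, dict):
            continue
        ua = ev.get("user_agent") or ""
        user = (ev.get("user") or "").lower()
        if not AXIOS_UA.match(ua) or user in allowlist:
            continue
        rec = hits[user]
        rec["attempts"] += 1
        if ev.get("error_code") == 0:
            rec["successes"] += 1  # a successful Axios sign-in is the priority case
        rec["ips"].add(ev.get("ip"))
    return dict(hits)

def triage(hits):
    """Order users for review: successful Axios sign-ins first, then by volume."""
    return sorted(hits, key=lambda u: (-hits[u]["successes"], -hits[u]["attempts"]))

if __name__ == "__main__":
    found = find_axios_signins(SAMPLE_LOG)
    for user in triage(found):
        print(user, found[user])
```

A user agent string is client-supplied, so treat a match as a triage signal to correlate with source IP and session activity, not as proof of compromise.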
