{"id":2750,"date":"2025-09-10T04:53:59","date_gmt":"2025-09-10T04:53:59","guid":{"rendered":"https:\/\/ft365.org\/index.php\/2025\/09\/10\/axios-user-agent-helps-automate-phishing-on-unprecedented-scale\/"},"modified":"2025-09-10T04:53:59","modified_gmt":"2025-09-10T04:53:59","slug":"axios-user-agent-helps-automate-phishing-on-unprecedented-scale","status":"publish","type":"post","link":"http:\/\/ft365.org\/index.php\/2025\/09\/10\/axios-user-agent-helps-automate-phishing-on-unprecedented-scale\/","title":{"rendered":"Axios User Agent Helps Automate Phishing on \u201cUnprecedented Scale\u201d"},"content":{"rendered":"<div>\n<p><img decoding=\"async\" src=\"https:\/\/ft365.org\/wp-content\/uploads\/2025\/06\/localimages\/ea721ff9-8ba4-4d88-b386-57e9e1606077.jpg?width=64&#038;height=64&#038;mode=crop&#038;scale=both&#038;format=webp\" alt=\"Photo of Phil Muncaster\" loading=\"lazy\"><\/p>\n<\/div>\n<div id=\"cphContent_pnlArticleBody\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>Security experts have warned of a huge uptick in automated phishing activity abusing the Axios user agent and Microsoft\u2019s Direct Send feature.<\/p>\n<p>ReliaQuest claimed in a new report today that it observed a 241% increase in phishing activity using Axios between June and August 2025. 
Axios accounted for nearly a quarter (24%) of all malicious user-agent activity analyzed in the period, making it 10 times more common than any other agent tracked by ReliaQuest.<\/p>\n<p>The threat intelligence vendor said Axios-powered attacks had a 58% success rate versus just 9% for incidents without the user agent.<\/p>\n<p>What started as a campaign targeting executives and managers in sectors like finance, healthcare and manufacturing has now broadened to regular internet users, it added.<\/p>\n<p><em>Read more on phishing: Tycoon Phishing Kit Utilizes New Capabilities to Hide Malicious Links<\/em><\/p>\n<p>Axios is a lightweight, promise-based HTTP client that enables attackers to scale their phishing campaigns with little effort, the report claimed.<\/p>\n<p>Although a legitimate tool, the agent\u2019s ability to intercept, modify\u00a0and replay HTTP requests with ease and blend seamlessly into workflows makes it particularly prized.<\/p>\n<p>\u201cIts promise-based API and middleware interceptors let attackers log, tweak, replay, and troubleshoot easily. This makes it easier to bypass multifactor authentication (MFA), hijack session tokens, and tailor attacks to each target,\u201d said ReliaQuest.<\/p>\n<p>\u201cIn the Axios activity we saw, QR codes and phishing domains set the trap, then Axios let attackers exploit the data they captured. 
In the incidents we observed, Axios played a pivotal role in interacting with APIs and bypassing MFA protections.\u201d<\/p>\n<p>Other user agents require threat actors to write complex custom scripts or rely on tools that are more obviously suspicious, whereas Axios combines flexibility and easy automation, and will pass most user-agent analysis and reputation-based filter checks, the report noted.<\/p>\n<h2>Direct Send Amplifies Attacks<\/h2>\n<p>ReliaQuest noted that attacks that paired Axios with Microsoft\u2019s Direct Send achieved an even higher (70%) success rate in recent campaigns.<\/p>\n<p>That\u2019s because Direct Send is typically trusted by security tools by default.<\/p>\n<p>\u201cTogether, Direct Send and Axios form a highly efficient attack pipeline: Direct Send delivers phishing emails that appear legitimate, while Axios automates backend workflows like intercepting MFA tokens and authenticating stolen credentials,\u201d the report explained.<\/p>\n<p>\u201cThis seamless system allows attackers to operate at scale with minimal effort, blending into legitimate Axios traffic and evading detection.\u201d<\/p>\n<p>ReliaQuest urged\u00a0organizations to mitigate the threat of Axios abuse by:<\/p>\n<ul>\n<li>Disabling Direct Send if not needed. 
If it is used, organizations are urged to enforce stricter controls and route internal email activity through an email security gateway for threat inspection, like scanning for malicious QR codes, URLs\u00a0or PDF attachments<\/li>\n<li>Configuring anti-spoofing policies on email gateways to block emails pretending to come from trusted sources<\/li>\n<li>Training all users, including executives, to recognize phishing emails with subject lines like \u201cMEM0,\u201d \u201c0VERDUE,\u201d and \u201cINV0ICE\u201d<\/li>\n<li>Blocking uncommon top-level domains like .es and .ru unless required for business reasons<\/li>\n<\/ul><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Security experts have warned of a huge uptick in automated phishing activity abusing the Axios user agent and Microsoft\u2019s Direct Send feature. ReliaQuest claimed in a new report today that it observed a 241% increase in phishing activity using Axios between June and August 2025. Axios accounted for nearly a quarter (24%) of all 
malicious<\/p>\n","protected":false},"author":2,"featured_media":2751,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-2750","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2750-ca0104c5-9d43-4bd4-a68b-2c878b9f5662.jpg",300,300,false],"thumbnail":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2750-ca0104c5-9d43-4bd4-a68b-2c878b9f5662-150x150.jpg",150,150,true],"medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2750-ca0104c5-9d43-4bd4-a68b-2c878b9f5662.jpg",300,300,false],"medium_large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2750-ca0104c5-9d43-4bd4-a68b-2c878b9f5662.jpg",300,300,false],"large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2750-ca0104c5-9d43-4bd4-a68b-2c878b9f5662.jpg",300,300,false],"1536x1536":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2750-ca0104c5-9d43-4bd4-a68b-2c878b9f5662.jpg",300,300,false],"2048x2048":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2750-ca0104c5-9d43-4bd4-a68b-2c878b9f5662.jpg",300,300,false],"morenews-featured":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2750-ca0104c5-9d43-4bd4-a68b-2c878b9f5662.jpg",300,300,false],"morenews-large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2750-ca0104c5-9d43-4bd4-a68b-2c878b9f5662.jpg",300,300,false],"morenews-medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2750-ca0104c5-9d43-4bd4-a68b-2c878b9f5662.jpg",300,300,false],"crawlomatic_preview_image":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2750-ca0104c5-9d43-4bd4-a68b-2c878b9f5662-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"http:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"<a href=\"http:\/\/ft365.org\/index.php\/category\/uncategorized\/\" 
rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/2750","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=2750"}],"version-history":[{"count":0,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/2750\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/2751"}],"wp:attachment":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=2750"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=2750"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=2750"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}