Axios Abuse & Salty 2FA Kits Drive Next-Gen Microsoft 365 Phishing
September 22, 2025
At a Glance
- Axios abuse surges 241% – attackers weaponize HTTP clients with Microsoft Direct Send.
- Phishing-as-a-Service (Salty 2FA) enables MFA bypass across 6 methods.
- High-value sectors targeted: Finance, Healthcare, Manufacturing, Hospitality.
- ProArch SOC observes uptick in QR-code lures and Axios anomalies in M365 logs.
What’s Behind the Latest Microsoft 365 Phishing Campaigns
In recent months, phishing attacks targeting Microsoft 365 have evolved into enterprise-grade operations, leveraging advanced tools like Axios HTTP clients and Salty 2FA phishing kits.
These campaigns are notable not only for their technical sophistication but also for their ability to bypass MFA and trusted delivery channels – once considered strong security controls.
This development underscores a crucial reality: phishing is no longer just a user-awareness issue. Threat actors are now weaponizing APIs, authentication workflows, and legitimate Microsoft features to achieve large-scale credential theft.
ProArch SOC Observations
- Our SOC observed an uptick in targeted Microsoft 365 credential phishing campaigns leveraging advanced toolkits such as Axios and Salty 2FA.
- Multiple cases involved Axios user-agent anomalies in authentication logs, indicating scripted or automated sign-in attempts.
- Attackers were seen distributing compensation and payroll-themed phishing emails embedded with QR codes, redirecting victims to spoofed Microsoft login portals.
- These campaigns demonstrated attempts to bypass MFA through session hijacking and replayed authentication tokens.
- Findings align with broader global threat intelligence that highlights a sharp rise in API-driven phishing and MFA-bypass-as-a-service operations.
What’s Happening
Axios Abuse in Phishing Campaigns
- Axios, a widely used HTTP client in enterprise applications, has been repurposed by attackers to intercept, replay, and manipulate authentication traffic.
- By combining Axios with Microsoft’s Direct Send feature, attackers are sending phishing emails that appear trusted and legitimate, bypassing many secure email gateways.
- Campaigns pairing Axios with Direct Send have achieved a 70% success rate, a sharp increase over older phishing methods.
- Targets include executives and managers in finance, healthcare, and manufacturing before expanding to a wider user base.
Salty 2FA Kits – Phishing-as-a-Service
- A new Phishing-as-a-Service (PhaaS) platform, Salty 2FA, has emerged, enabling attackers to simulate MFA workflows across six methods (SMS, authenticator apps, phone calls, push notifications, backup codes, hardware tokens).
- Features include:
  - Dynamic branding to mimic corporate portals.
  - Geofencing & IP filtering to block security researchers.
  - Cloudflare Turnstile to bypass automated sandbox tools.
  - Session-specific subdomains to complicate takedowns.
- These features make phishing kits more scalable, evasive, and convincing than ever before.
Why It Matters
- MFA is no longer a silver bullet: These attacks prove that even organizations with MFA enabled can be compromised.
- Trusted channels are being weaponized: Microsoft Direct Send and popular SaaS services such as Firebase are being misused to make phishing content appear legitimate.
- Business impact is rising: Attackers are targeting sectors with high-value data – finance, healthcare, manufacturing, and hospitality – increasing regulatory and reputational risks.
Recommendations
- Audit Microsoft Direct Send usage and disable it if not business critical.
- Harden email defences with anti-spoofing (SPF, DKIM, DMARC) and advanced gateway policies.
- Monitor unusual user-agent activity (e.g., Axios) in authentication logs.
- Implement adaptive MFA (risk-based conditional access) instead of static MFA policies.
- Train employees continuously to recognize evolving phishing lures like QR-code PDFs and fake OneDrive links.
- Leverage SOC capabilities to hunt for suspicious session token replays and unusual MFA bypass attempts.
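As an added illustration of the user-agent monitoring and session-replay hunting recommendations above (example code, not ProArch's tooling or anything from the original post), the following Python sketch runs two checks over a handful of constructed sign-in records shaped like Microsoft Entra ID sign-in log exports; the field names used and the 30-minute reuse window are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry) in the shape of an Entra ID
# sign-in log export. Field names are assumed: userPrincipalName, ipAddress,
# userAgent, createdDateTime, sessionId.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "cfo@example.com", "ipAddress": "203.0.113.10",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/128.0",
     "createdDateTime": "2025-09-15T08:02:11Z", "sessionId": "sess-A"},
    {"userPrincipalName": "cfo@example.com", "ipAddress": "198.51.100.77",
     "userAgent": "axios/1.7.2",
     "createdDateTime": "2025-09-15T08:06:40Z", "sessionId": "sess-A"},
    {"userPrincipalName": "hr@example.com", "ipAddress": "192.0.2.5",
     "userAgent": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0) Safari/604.1",
     "createdDateTime": "2025-09-15T09:00:00Z", "sessionId": "sess-B"},
]

# Substrings that identify HTTP-client libraries rather than browsers.
SCRIPTED_UA_MARKERS = ("axios", "python-requests", "node-fetch")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def flag_scripted_user_agents(records):
    """Return (upn, ip, userAgent) for sign-ins whose user agent looks scripted."""
    return [(r["userPrincipalName"], r["ipAddress"], r["userAgent"])
            for r in records
            if any(m in r["userAgent"].lower() for m in SCRIPTED_UA_MARKERS)]


def flag_session_reuse(records, window=timedelta(minutes=30)):
    """Return sessionIds seen from two different source IPs within `window`,
    a cheap heuristic for a replayed session token after a phishing proxy."""
    by_session = defaultdict(list)
    for r in records:
        by_session[r["sessionId"]].append((parse_ts(r["createdDateTime"]), r["ipAddress"]))
    hits = []
    for sid, events in by_session.items():
        events.sort()  # chronological order within the session
        for (t1, ip1), (t2, ip2) in zip(events, events[1:]):
            if ip1 != ip2 and t2 - t1 <= window:
                hits.append(sid)
                break
    return hits


if __name__ == "__main__":
    print(json.dumps({"scripted_ua": flag_scripted_user_agents(SAMPLE_SIGNINS),
                      "session_reuse": flag_session_reuse(SAMPLE_SIGNINS)}, indent=2))
```

In production the same two checks map directly onto a KQL query over the SigninLogs table; the Python form is only here so the logic can be read and run offline.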
