Axios Abuse and Salty 2FA Kits Fuel Advanced Microsoft 365 Phishing Attacks

What’s new

Recent phishing campaigns are leveraging the Axios HTTP client tool and Microsoft’s Direct Send feature to enhance their effectiveness. A report from ReliaQuest indicates a 241% increase in Axios user agent activity from June to August 2025, with Axios accounting for 24.44% of all flagged user agent activity. These campaigns have achieved a 70% success rate by using Axios to bypass traditional security measures and manipulate authentication workflows. Additionally, a new phishing-as-a-service offering called Salty 2FA has emerged, allowing attackers to simulate multiple MFA methods to steal Microsoft login credentials.

Who’s affected

Organizations using Microsoft 365, particularly those in finance, health care, and manufacturing sectors, are at risk. The phishing campaigns target all users, with a focus on executives and managers.

What to do

  • Secure and disable Direct Send in Microsoft 365 if not required.
  • Implement anti-spoofing policies on email gateways.
  • Train employees to recognize phishing emails and suspicious links.
  • Block access to known malicious domains.
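
The Axios user agent activity described above can also be reviewed in sign-in logs. The following is an added example, not code from the ReliaQuest report or the original article: the log field names and sample records are constructed, and it assumes the client kept Axios's default `axios/<version>` User-Agent string.

```python
import json
import re
from collections import defaultdict

# Axios identifies itself as "axios/<version>" unless the caller overrides it.
AXIOS_UA = re.compile(r"^axios/\d+(\.\d+)*", re.IGNORECASE)

# Constructed sample sign-in records (field names are assumptions, not a real schema).
SAMPLE_LOG = """\
{"user": "cfo@example.com", "ip": "203.0.113.10", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "result": "success"}
{"user": "cfo@example.com", "ip": "198.51.100.7", "user_agent": "axios/1.7.2", "result": "success"}
{"user": "manager@example.com", "ip": "198.51.100.7", "user_agent": "axios/1.7.2", "result": "failure"}
{"user": "manager@example.com", "ip": "198.51.100.8", "user_agent": "Axios/1.6.0", "result": "failure"}
{"user": "it@example.com", "ip": "203.0.113.25", "user_agent": "python-requests/2.32.3", "result": "success"}
truncated-or-malformed-line
"""


def flag_axios_signins(log_text):
    """Per-user counts and source IPs for sign-ins made with an Axios user agent."""
    hits = defaultdict(lambda: {"success": 0, "failure": 0, "ips": set()})
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or malformed lines instead of aborting the review
        if not isinstance(rec, dict):
            continue
        if not AXIOS_UA.match(str(rec.get("user_agent") or "").strip()):
            continue
        entry = hits[rec.get("user", "<unknown>")]
        entry["success" if rec.get("result") == "success" else "failure"] += 1
        entry["ips"].add(rec.get("ip"))
    return dict(hits)


def priority_users(hits):
    """Accounts with a successful Axios sign-in: review these sessions first."""
    return sorted(user for user, h in hits.items() if h["success"] > 0)


if __name__ == "__main__":
    flagged = flag_axios_signins(SAMPLE_LOG)
    for user, h in sorted(flagged.items()):
        print(user, h["success"], h["failure"], sorted(h["ips"]))
    print("review first:", priority_users(flagged))
```

Legitimate applications also use Axios, and a client can change its User-Agent, so a match is a lead for review, not a verdict.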
