Phishing Goes Pro: How Axios and Salty 2FA Are Supercharging Microsoft 365 Attacks
Cybercriminals are hijacking trusted tools and features to outsmart defenses and turn phishing into a precision enterprise - leaving even the savviest users at risk.
Fast Facts
- Axios HTTP client activity in phishing attacks surged 241% in summer 2025.
- Microsoft 365’s Direct Send feature is being abused to bypass email security.
- Advanced phishing kits like Salty 2FA now simulate multiple MFA methods in real time.
- Attackers use trusted infrastructure - like Google Firebase and Cloudflare - to hide malicious activity.
- Credential theft campaigns increasingly target executives in finance, healthcare, and hospitality.
The New Face of Phishing: Industrial-Scale, Invisible, and Ruthless
Imagine a skilled thief who not only wears a perfect disguise but also forges the keys to every door in the building. That’s the new reality for Microsoft 365 users as cybercriminals weaponize developer tools and legitimate features to launch sophisticated phishing attacks that are nearly impossible to spot.
The latest wave, documented by security firm ReliaQuest, centers on the abuse of Axios - a JavaScript HTTP client popular with web developers - and Microsoft's own Direct Send email feature. Axios exists to let applications make web requests; attackers use it to drive the requests behind their phishing infrastructure, so their traffic carries a user agent string shared by thousands of legitimate applications and blends seamlessly into the digital background.
Axios's popularity among programmers is its Achilles' heel: a request labelled "axios" slips in with the crowd, like a pickpocket in a busy market. From June to August 2025, ReliaQuest tied Axios to nearly a quarter of all flagged suspicious user agent activity, and its use in attacks grew at triple the rate of other tools.
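The user-agent share ReliaQuest reports is something a defender can compute from their own sign-in logs. The following is an added example, not code from the ReliaQuest report or any vendor tool: it flags sign-ins made with Axios and similar HTTP libraries, works out each library's share of the flagged set, and separates out the successful sign-ins where no fresh MFA challenge was issued. The log records are constructed; the field names mimic a Microsoft Entra sign-in log export and the MFA detail wording is the string Entra uses for a token that already carried the MFA claim, but both are assumptions to check against your own export.

```python
"""Hunt for programmatic HTTP clients in Microsoft Entra sign-in logs.

Added example, not from the ReliaQuest report or any vendor tool. The
records below are constructed; the field names mimic an Entra ID sign-in
log export but are an assumption about your export format.
"""
import re
from collections import Counter

# Libraries that have no business completing an interactive Microsoft 365
# sign-in. Axios is the one the report singles out; the others are its usual
# company in AiTM kits and credential-stuffing tooling.
LIBRARY_UA = re.compile(
    r"^(axios|python-requests|python-urllib|go-http-client|okhttp|curl|libwww-perl|java)[/ ]",
    re.IGNORECASE,
)

# Wording Entra uses when an existing token already carried the MFA claim,
# i.e. no fresh MFA challenge was issued for this sign-in (assumption: verify
# against your tenant's logs).
MFA_FROM_TOKEN = "MFA requirement satisfied by claim in the token"

SAMPLE_SIGNINS = [  # constructed sample data, not real telemetry
    {"upn": "cfo@contoso.example", "userAgent": "axios/1.7.7",
     "ipAddress": "203.0.113.10", "status": "Success", "mfaDetail": MFA_FROM_TOKEN},
    {"upn": "cfo@contoso.example",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0 Safari/537.36",
     "ipAddress": "198.51.100.20", "status": "Success", "mfaDetail": "MFA completed in Azure AD"},
    {"upn": "ap.clerk@contoso.example", "userAgent": "axios/1.6.8",
     "ipAddress": "203.0.113.11", "status": "Success", "mfaDetail": MFA_FROM_TOKEN},
    {"upn": "ap.clerk@contoso.example", "userAgent": "python-requests/2.32.3",
     "ipAddress": "203.0.113.12", "status": "Failure", "mfaDetail": ""},
    {"upn": "it.ops@contoso.example", "userAgent": "okhttp/4.12.0",
     "ipAddress": "198.51.100.30", "status": "Success", "mfaDetail": "MFA completed in Azure AD"},
    {"upn": "it.ops@contoso.example",
     "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.5 Safari/605.1.15",
     "ipAddress": "198.51.100.31", "status": "Success", "mfaDetail": "MFA completed in Azure AD"},
]


def ua_family(user_agent):
    """Return the library name if the user agent is a known HTTP library, else None."""
    m = LIBRARY_UA.match(user_agent or "")
    return m.group(1).lower() if m else None


def flag_library_signins(records):
    """All sign-ins (successful or not) made with a library user agent."""
    return [r for r in records if ua_family(r.get("userAgent"))]


def family_share(flagged):
    """Share of flagged sign-ins per library, e.g. {'axios': 0.5, ...}."""
    counts = Counter(ua_family(r["userAgent"]) for r in flagged)
    total = sum(counts.values())
    return {family: n / total for family, n in counts.items()}


def token_replay_candidates(records):
    """Successful library sign-ins where MFA was satisfied by an existing token.

    That combination is what a stolen session/refresh token looks like when an
    AiTM kit replays it: the script never answered an MFA prompt itself.
    """
    return [
        r for r in flag_library_signins(records)
        if r.get("status") == "Success" and r.get("mfaDetail") == MFA_FROM_TOKEN
    ]


if __name__ == "__main__":
    flagged = flag_library_signins(SAMPLE_SIGNINS)
    print(f"{len(flagged)} of {len(SAMPLE_SIGNINS)} sign-ins used a library user agent")
    for family, share in sorted(family_share(flagged).items()):
        print(f"  {family:16s} {share:.0%}")
    for r in token_replay_candidates(SAMPLE_SIGNINS):
        print(f"REVIEW: {r['upn']} from {r['ipAddress']} via {r['userAgent']}")
```

On the constructed data, Axios accounts for half of the flagged sign-ins and two of them are successful logins that never answered an MFA prompt; those two are the ones worth a session revocation and a conversation with the user. A library user agent on its own is not proof of compromise (legitimate automation exists), which is why the replay check combines it with the MFA detail.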
How the Attack Works: From Inbox to Identity Theft
The attack chain starts innocently enough. Victims receive emails that appear to come from trusted colleagues. Microsoft 365's Direct Send feature exists so that printers, scanners and line-of-business applications can relay mail to internal mailboxes through the tenant's own mail endpoint without authenticating; an attacker who knows a target's domain can use that same path from outside, and the message lands looking as if it came from inside the organization. These messages often dangle enticing compensation offers or urgent business requests, luring users to open attachments or scan QR codes.
Behind the link is an adversary-in-the-middle (AiTM) phishing page, and Axios is its plumbing: the kit uses it to forward each of the victim's requests to the real Microsoft sign-in and relay the responses back, capturing the username, password, the MFA code or approval and, the real prize, the session cookies and Microsoft Entra (Azure AD) tokens issued once sign-in succeeds. Those tokens already carry the MFA claim, so replaying them gives attackers the keys to mail, files and other sensitive company data without another MFA prompt.
The phishing pages themselves are hosted on reputable platforms such as Google Firebase, so the hosting domain alone gives security systems little to flag. Some sit behind Cloudflare's human-verification challenges (Turnstile) to keep automated scanners out, and use geofencing and IP filtering so that requests from security vendors' ranges or the wrong country never see the fake login page at all.
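The Direct Send step leaves a trace in the message headers: Exchange Online records the connecting IP in Authentication-Results and marks an unauthenticated submission with X-MS-Exchange-Organization-AuthAs: Anonymous, while mail from a signed-in mailbox is marked Internal. The following is an added example, not code from ReliaQuest or Microsoft, that turns that into a check: a message whose From: is one of our own domains, that was not submitted by an authenticated internal sender, and that came from an IP outside the list of devices allowed to use Direct Send is flagged. The three header sets, the tenant domain contoso.example and the approved device range 198.51.100.0/24 are all constructed assumptions.

```python
"""Spot Direct Send abuse from message headers.

Added example, not from the ReliaQuest report. The headers below are
constructed; the tenant domain, the approved device range and the sample
IP addresses are assumptions.
"""
import ipaddress
import re
from email.parser import HeaderParser
from email.utils import parseaddr

# Exchange Online writes the connecting IP into Authentication-Results as
# "sender IP is x.x.x.x" and labels unauthenticated submissions
# X-MS-Exchange-Organization-AuthAs: Anonymous.
SENDER_IP_RE = re.compile(r"sender IP is ([0-9a-fA-F.:]+)")
SPF_RE = re.compile(r"\bspf=(\w+)")

TENANT_DOMAINS = {"contoso.example"}        # assumption: our accepted domains
APPROVED_DIRECT_SEND = ["198.51.100.0/24"]  # assumption: on-prem scanners/apps

# Constructed sample 1: an external host delivering straight to the tenant's
# MX with an internal From: address. This is the Direct Send abuse pattern.
SPOOFED = """\
Received: from mta.evil.example (203.0.113.10) by BN8NAM11FT016.mail.protection.outlook.com (10.13.177.55) with Microsoft SMTP Server id 15.20.8000.0; Mon, 1 Sep 2025 09:12:44 +0000
Authentication-Results: spf=softfail (sender IP is 203.0.113.10) smtp.mailfrom=contoso.example; dkim=none (message not signed) header.d=none; dmarc=none action=none header.from=contoso.example; compauth=fail reason=001
X-MS-Exchange-Organization-AuthAs: Anonymous
From: "Pat Lee (HR)" <hr@contoso.example>
To: cfo@contoso.example
Subject: Updated compensation plan - action required
"""

# Constructed sample 2: the same From: address, but submitted by an
# authenticated mailbox and routed inside Exchange Online.
INTERNAL = """\
Received: from SA1PR01MB8812.prod.exchangelabs.com (2603:10b6:806:2c1::10) by DM4PR01MB7012.prod.exchangelabs.com with Microsoft SMTP Server; Mon, 1 Sep 2025 09:15:02 +0000
X-MS-Exchange-Organization-AuthAs: Internal
From: "Pat Lee (HR)" <hr@contoso.example>
To: cfo@contoso.example
Subject: Updated compensation plan
"""

# Constructed sample 3: a multifunction printer on the approved range using
# Direct Send legitimately. Same Anonymous label, but a known source.
PRINTER = """\
Received: from mfp-3f.corp.contoso.example (198.51.100.7) by BN8NAM11FT016.mail.protection.outlook.com (10.13.177.55) with Microsoft SMTP Server id 15.20.8000.0; Mon, 1 Sep 2025 09:20:10 +0000
Authentication-Results: spf=pass (sender IP is 198.51.100.7) smtp.mailfrom=contoso.example; dkim=none (message not signed) header.d=none; dmarc=pass action=none header.from=contoso.example; compauth=pass reason=100
X-MS-Exchange-Organization-AuthAs: Anonymous
From: scanner@contoso.example
To: cfo@contoso.example
Subject: Scanned document
"""


def assess_direct_send(raw_headers, tenant_domains=TENANT_DOMAINS, approved=APPROVED_DIRECT_SEND):
    """Return {'spoof': bool, 'reasons': [...]} for one message's headers."""
    msg = HeaderParser().parsestr(raw_headers)
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    if from_domain not in tenant_domains:
        return {"spoof": False, "reasons": ["From: is not one of our domains"]}
    if msg.get("X-MS-Exchange-Organization-AuthAs", "").strip().lower() == "internal":
        return {"spoof": False, "reasons": ["submitted by an authenticated internal sender"]}

    reasons = [f"From: {from_domain} but the message was not authenticated as internal"]
    auth_results = msg.get("Authentication-Results", "")
    m = SENDER_IP_RE.search(auth_results)
    ip = ipaddress.ip_address(m.group(1)) if m else None
    if ip is not None and any(ip in ipaddress.ip_network(n) for n in approved):
        return {"spoof": False, "reasons": reasons + [f"{ip} is an approved Direct Send source"]}

    spf = SPF_RE.search(auth_results)
    reasons.append(f"spf={spf.group(1) if spf else 'none'}")
    reasons.append(f"unexpected sending IP {ip}")
    return {"spoof": True, "reasons": reasons}


if __name__ == "__main__":
    for name, raw in (("SPOOFED", SPOOFED), ("INTERNAL", INTERNAL), ("PRINTER", PRINTER)):
        verdict = assess_direct_send(raw)
        print(name, "->", "SPOOF" if verdict["spoof"] else "ok", "|", "; ".join(verdict["reasons"]))
```

The printer case is the reason the check keeps an allowlist rather than treating every Anonymous submission as hostile: Direct Send has legitimate users, and the fix for a tenant that has none is to turn the feature off rather than to alert on it.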
Salty 2FA: Phishing-as-a-Service Gets Personal
The game has escalated with the arrival of Salty 2FA, a phishing-as-a-service kit that impersonates every major MFA method - from text messages and push approvals to hardware tokens. Because the kit relays each step to the genuine Microsoft sign-in, the MFA approval the victim grants completes the attacker's session rather than the victim's, and the attacker walks away with a valid, MFA-satisfied login. Salty 2FA even customizes its fake login pages to match the victim's organization, down to the corporate branding, making the deception nearly flawless.
This industrialization of phishing - where attack kits are built with the same care and scale as legitimate business software - signals a chilling shift. Cybercriminals are no longer lone wolves; they're running coordinated, professional-grade operations that exploit trusted systems and APIs, and defenses built on blocking bad domains or odd-looking tools are no longer enough on their own.
Conclusion: Trust Is the New Vulnerability
The line between legitimate and malicious traffic has never been blurrier. As attackers hijack the very tools and trust mechanisms that businesses rely on, organizations must rethink security from the ground up. Disabling unnecessary features is the first step: Exchange Online now offers a tenant-level Reject Direct Send setting for organizations that have no devices using it. Moving executives and other high-value accounts to phishing-resistant MFA such as FIDO2 security keys or passkeys closes the door on AiTM kits like Salty 2FA, because a credential bound to the real login origin cannot be relayed through a fake one. Training staff to spot subtle lures and investing in adaptive defenses that judge a session by its behaviour rather than by whether the login once passed MFA are more urgent than ever. In this new era, it's not just the locks on the doors that matter - it's knowing who's forging the keys.
WIKICROOK
- Axios: Axios is a JavaScript HTTP client library for sending and receiving web data; attackers build it into phishing kits so their requests look like ordinary application traffic.
- Direct Send: Direct Send lets devices and applications relay email to internal recipients through a tenant's Microsoft 365 mail endpoint without authenticating, but attackers exploit it to send convincing phishing emails that appear to come from the organization's own domain.
- Multi-factor authentication (MFA): MFA requires a second proof of identity - a code, push approval or hardware token - on top of the password; phishing kits such as Salty 2FA defeat the common forms by relaying the prompt to the victim in real time.
- Phishing: Phishing is a cybercrime where attackers send fake messages to trick users into revealing sensitive data or clicking malicious links.
- Session Token: A session token is a unique digital code that keeps users logged in to websites or apps. If stolen, attackers can access accounts without a password.