Password spraying is a growing threat using HTTP client tools to attack cloud accounts. Cybercriminals frequently turn to HTTP client tools for launching account takeover (ATO) attacks. A report has documented how these tools manage to send and receive HTTP requests, aiming to compromise Microsoft 365 systems.
Originally, tools like Axios and Node Fetch were for developers. Now, attackers exploit them. These tools are available on public platforms and have become common in ATO and brute-force attacks.
This isn’t a new phenomenon; it began in 2018. By March 2024, attackers started using a variety of HTTP clients more aggressively. By the middle of last year, 78% of Microsoft 365 tenants experienced at least one ATO attempt.
In May 2024, attacks reached their peak. Millions of hijacked residential IPs targeted cloud accounts. Tools like Go Resty and Python Requests have upgraded attack strategies. They allow attackers to mix precision targeting with sophisticated methods like Adversary-in-the-Middle (AitM), achieving higher success rates.
Attackers go beyond stealing credentials. They set up mail rules to hide their malicious activities. They steal sensitive data and register new applications with wide permissions to maintain access.
Their focus is on high-value targets in sectors like finance, IT, and healthcare. From June to November 2024, over 51% of targeted organizations suffered breaches, affecting 43% of user accounts.
A large-scale password spraying campaign used Node Fetch and Go Resty, recording 13 million attempts since June 9, 2024, averaging 66,000 attempts each day. Although the success rate was only 2%, this campaign mostly affected the education sector, targeting student accounts that are often less protected.
Preventing Password Spraying
To combat password spraying, organizations should implement multi-factor authentication (MFA), regularly update passwords with complexity requirements, and monitor login attempts for anomalies. Training employees on cybersecurity best practices, including recognizing phishing attempts, can also reduce vulnerability. Employing advanced security solutions that can detect and block suspicious patterns of login attempts is crucial.
