Attacks leveraging the open-source Axios HTTP client surged 241% from June to August 2025, achieving a success rate of 70% when combined with abuse of Microsoft Direct Send, ReliaQuest reported Tuesday.The Axios client can be misused by attackers to scale and automate the delivery, interception, modification and replay of HTTP requests for tasks such as real-time harvesting and reuse of phishing credentials and multi-factor authentication (MFA) tokens.Over the summer, the Axios user agent accounted for nearly a quarter (24.44%) of detected phishing activity and it was used 10 times more often than any other flagged user agent leveraged by attackers, ReliaQuest found.Axios-powered phishing attacks were also highly successful, seeing a 58% success rate overall over the three-month period, compared with a 9.3% success rate for all other attacks.This success rate rises to 70% when attackers combined the use of Axios with Microsoft Direct Send. Direct Send allows emails from an organization’s own domain to be sent directly to internal mailboxes without authentication and can be abused by attackers if an internal account is compromised or a domain successfully spoofed.In recent campaigns observed by ReliaQuest, attackers used Direct Send to deliver PDF attachments with embedded QR codes, which directed targets to phishing sites where Axios worked in the background to collect and replay credentials. These emails included references a “payment,” “bonus” or “payslip” to entice victims to scan the code and log in.Axios’ popularity among cybercriminals can be attributed not only to its efficiency and ability to handle several tasks at once, but also its stealth, as Axios is also widely used for legitimate purposes and its user agent regularly appears in benign traffic. This allows malicious Axios-based activity to easily blend in with other network traffic, making it more difficult to detect.ReliaQuest said organizations can combat phishing campaigns by blocking IP addresses associated with known campaigns (including the CIDR range 185[.]168[.]208[.]0/24 seen in recent Axios and Direct Send attacks) and blocking uncommon top-level domains commonly used for phishing structure, such as .es and .ru, when feasible.To prevent Direct Send abuse, organizations should have robust anti-spoofing policies and ensure any potential compromises are addressed by resetting credentials or disabling compromised users. Organizations may also choose to disable Direct Send if it is not needed but should first ensure this will not lead to delivery failures for certain internal systems such as printers.Additionally, the rising use of Axios for email-based phishing campaigns suggests the tool could also see increased use in other areas such as automated API exploitation. Therefore, organizations should considering hardening their API defenses with measures such as rate-limiting, anomaly detection and strict input validation, ReliaQuest concluded.
Phishing, Identity, Email security, API security
Axios-powered phishing attacks surge, with success rates up to 70%
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds