New phishing campaigns are blending in with trusted tools like Axios and Microsoft Direct Send to evade defenses and target millions.
Cybercriminals are abusing Axios, a popular HTTP client library, in combination with Microsoft 365’s Direct Send feature to run highly effective phishing campaigns, according to The Hacker News. Axios usage in flagged user-agent activity surged 241% from June to August 2025, far outpacing other methods. These attacks are achieving a reported 70% success rate, particularly against executive-level users in the finance, healthcare, and manufacturing sectors.
Attackers are using Axios to script tailored phishing workflows that capture and replay HTTP requests. Replaying a captured request, complete with its session cookies or tokens, lets them reuse a session the victim has already authenticated, which sidesteps multi-factor authentication (MFA) without ever defeating the second factor, while the traffic still looks like legitimate user activity. Meanwhile, Microsoft Direct Send is being used to deliver spoofed emails that appear to come from inside the organization and therefore get past gateways tuned to inspect external mail.
Axios, a library frequently used in enterprise development, is thus being turned against the organizations that rely on it: because it gives the attacker precise control over every header and body of an HTTP request, scripted malicious traffic can be shaped to resemble normal application workflows and slip past controls that key on obviously automated clients.
The Hacker News says these campaigns began in July 2025 and have changed rapidly. Targets are tricked with emails that reference compensation or HR issues, leading them to QR code-laden PDFs. Scanning the codes redirects victims to fake Microsoft login pages hosted on trusted services like Google Firebase, further lowering the chance of detection.
Researchers are also observing an emerging phishing-as-a-service (PhaaS) platform called Salty 2FA. It simulates up to six MFA methods, including authenticator apps and hardware tokens, to bypass login protections. These phishing kits incorporate evasive tactics like Cloudflare Turnstile checks, geofencing, subdomain rotation, and even developer tool blocking to hinder analysis and improve targeting accuracy.
A security outlet called the combination a “game changer,” noting its ability to bypass traditional defenses while remaining scalable. Analysts outlined how attackers can “weaponize stolen credentials in ways that are both scalable and precise.” A separate review of 2FA kits said the campaigns now mirror enterprise-level operations. “These techniques blur the line between legitimate and malicious traffic,” the review added, noting attackers dynamically customize login pages to match victims’ email domains and boost social-engineering success.
Phishing campaigns leveraging Axios and Salty 2FA are engineered to bypass traditional defenses. Attackers exploit Microsoft Direct Send, simulate MFA prompts, and disguise malicious traffic as normal enterprise workflows, making secure email gateways and signature-based tools ineffective.
Paubox recommends Inbound Email Security as the defense of choice. Generative AI evaluates tone, sender behavior, and relationship patterns to identify abnormal communication that technical exploits alone fail to reveal. The result is proactive protection that stops credential phishing and MFA bypass attempts before stolen identities can be weaponized.
Direct Send is a Microsoft 365 feature that lets devices and applications inside an organization (printers, scanners, line-of-business apps) send mail to the organization’s own mailboxes by connecting to the tenant’s Microsoft 365 smart host, the MX endpoint of the form tenant-name.mail.protection.outlook.com, without authenticating. Because that endpoint is reachable from anywhere on the internet, attackers abuse it to deliver messages carrying spoofed internal sender addresses straight into the tenant, bypassing any third-party secure email gateway that sits in front of the MX record and arriving with the apparent trust of internal mail.
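Because a Direct Send message is unauthenticated, it fails SPF for the spoofed internal domain, and Exchange Online records that verdict in the Authentication-Results header it stamps on the message. The following is an added example, not code from the article, from Paubox or from Microsoft, that triages exported message headers on exactly that signal: an internal From domain combined with a non-passing SPF result from a connecting IP outside a known device range. The organization domain, the allowed device range, and the sample headers are all constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from ipaddress import ip_address, ip_network

# Assumptions for this example: the organisation's own domain and the only
# address range that is allowed to use Direct Send (e.g. an on-prem scanner).
ORG_DOMAIN = "contoso.com"
ALLOWED_DIRECT_SEND = [ip_network("198.51.100.0/24")]

SPF_RE = re.compile(r"\bspf=(\w+)", re.IGNORECASE)
SENDER_IP_RE = re.compile(r"sender IP is (\d{1,3}(?:\.\d{1,3}){3})")


def triage_direct_send(raw_message: str) -> dict:
    """Classify one message from its headers.

    Returns the From domain, the SPF verdict Exchange Online recorded in
    Authentication-Results, the connecting IP, and a verdict string.
    """
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

    authres = msg.get("Authentication-Results", "")
    m = SPF_RE.search(authres)
    spf = m.group(1).lower() if m else "none"      # missing header counts as not passing
    m = SENDER_IP_RE.search(authres)
    sender_ip = ip_address(m.group(1)) if m else None

    if from_domain != ORG_DOMAIN:
        verdict = "external-sender"              # ordinary inbound mail, not a Direct Send case
    elif spf == "pass":
        verdict = "internal-authenticated"       # came through an SPF-authorised sending host
    elif sender_ip is not None and any(sender_ip in net for net in ALLOWED_DIRECT_SEND):
        verdict = "allowed-direct-send"          # unauthenticated, but from a known device range
    else:
        verdict = "suspected-direct-send-spoof"  # internal sender, SPF not passing, unknown source

    return {
        "from_domain": from_domain,
        "spf": spf,
        "sender_ip": str(sender_ip) if sender_ip else None,
        "verdict": verdict,
    }


# Constructed sample headers (not real captures); the Authentication-Results
# line follows the general shape Exchange Online uses.
SPOOFED = """\
From: HR Payroll <payroll@contoso.com>
To: cfo@contoso.com
Subject: Updated compensation statement
Authentication-Results: spf=fail (sender IP is 203.0.113.7) smtp.mailfrom=contoso.com; dkim=none (message not signed) header.d=none; dmarc=fail action=oreject header.from=contoso.com; compauth=fail reason=000
Received: from mail.attacker.example (203.0.113.7) by contoso-com.mail.protection.outlook.com (192.0.2.1) with Microsoft SMTP Server

Please review the attached PDF.
"""

SCANNER = """\
From: Copier <scanner@contoso.com>
To: cfo@contoso.com
Subject: Scanned document
Authentication-Results: spf=fail (sender IP is 198.51.100.40) smtp.mailfrom=contoso.com; dkim=none header.d=none; dmarc=fail action=none header.from=contoso.com; compauth=fail reason=000

Scan attached.
"""

LEGIT = """\
From: Jane Doe <jane@contoso.com>
To: cfo@contoso.com
Subject: Q3 numbers
Authentication-Results: spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=contoso.com; dkim=pass header.d=contoso.com; dmarc=pass action=none header.from=contoso.com; compauth=pass reason=100

Numbers attached.
"""

EXTERNAL = """\
From: Vendor <billing@partner.example.com>
To: cfo@contoso.com
Subject: Invoice 1042
Authentication-Results: spf=pass (sender IP is 192.0.2.55) smtp.mailfrom=partner.example.com; dkim=pass header.d=partner.example.com; dmarc=pass action=none header.from=partner.example.com; compauth=pass reason=100

Invoice attached.
"""

if __name__ == "__main__":
    for name, raw in [("spoofed", SPOOFED), ("scanner", SCANNER), ("legit", LEGIT), ("external", EXTERNAL)]:
        print(name, triage_direct_send(raw))
```

Treat softfail, neutral, none and a missing header all as "not pass": a spoofer has no reason to land in your SPF record, and the scanner case shows why an allowlist of device ranges is needed rather than simply ignoring every SPF failure from your own domain. The triage is for hunting in mail-trace exports; the actual control is to stop accepting unauthenticated submissions at the tenant if nothing legitimately needs them.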
Axios is a legitimate and widely used HTTP client in enterprise development. Its flexibility allows attackers to manipulate authentication workflows and mimic normal traffic patterns, making malicious activity harder to detect.
Salty 2FA simulates multiple types of multi-factor authentication (like app-based codes or push notifications), and it uses advanced features like geofencing and dynamic subdomains to avoid detection and customize each attack.
Victims are sent emails with PDFs containing QR codes. When scanned, these direct the user to fake login pages, often hosted on reputable platforms, to steal credentials under the guise of secure access.
Organizations should review and restrict their use of Direct Send (Exchange Online offers a tenant-wide Reject Direct Send setting, turned on with Set-OrganizationConfig -RejectDirectSend $true, for tenants that do not need unauthenticated relay), enforce anti-spoofing controls for their own domains with SPF, DKIM and a DMARC reject policy, monitor sign-in and mail-flow logs for unusual user agents such as Axios, and train employees to spot phishing lures, including ones that look technically legitimate.
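The "monitor for unusual user agents" recommendation is concrete enough to script. The block below is an added example, not code from the article or from Paubox, that hunts over sign-in records for accounts that authenticated with an axios User-Agent, and raises severity when the axios sign-ins succeeded from an IP the same user never used from a browser, which is the pattern a replayed session token produces. The log lines are constructed with a simplified subset of Entra ID sign-in log fields, and the allowlist of automation accounts is an assumption for the example.

```python
import json
import re
from collections import defaultdict

# Axios sets its own User-Agent only when running under Node.js; in a browser it
# inherits the browser's UA. This pattern therefore catches the scripted case.
AXIOS_UA = re.compile(r"\baxios/\d", re.IGNORECASE)

# Assumed: accounts that legitimately script against Microsoft 365 (tune per tenant).
KNOWN_AUTOMATION = {"svc-reports@contoso.com"}

# Constructed sign-in records (simplified Entra ID sign-in log fields, JSON Lines).
SIGNIN_LOG = """\
{"createdDateTime": "2025-08-12T08:01:10Z", "userPrincipalName": "cfo@contoso.com", "ipAddress": "198.51.100.20", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edg/128.0", "status": {"errorCode": 0}}
{"createdDateTime": "2025-08-12T08:14:52Z", "userPrincipalName": "cfo@contoso.com", "ipAddress": "203.0.113.44", "userAgent": "axios/1.7.2", "status": {"errorCode": 0}}
{"createdDateTime": "2025-08-12T08:15:03Z", "userPrincipalName": "cfo@contoso.com", "ipAddress": "203.0.113.44", "userAgent": "axios/1.7.2", "status": {"errorCode": 0}}
{"createdDateTime": "2025-08-12T08:20:11Z", "userPrincipalName": "analyst@contoso.com", "ipAddress": "198.51.100.31", "userAgent": "Mozilla/5.0 (Macintosh) Chrome/127.0", "status": {"errorCode": 0}}
{"createdDateTime": "2025-08-12T08:30:00Z", "userPrincipalName": "svc-reports@contoso.com", "ipAddress": "198.51.100.9", "userAgent": "axios/0.27.2", "status": {"errorCode": 0}}
{"createdDateTime": "2025-08-12T08:41:37Z", "userPrincipalName": "ceo@contoso.com", "ipAddress": "203.0.113.99", "userAgent": "axios/1.7.2", "status": {"errorCode": 50126}}
"""


def parse_signins(jsonl: str) -> list:
    """Parse JSON Lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def hunt_axios_signins(records: list) -> list:
    """Return one finding per non-automation user with an axios User-Agent sign-in."""
    by_user = defaultdict(list)
    for rec in records:
        by_user[rec["userPrincipalName"]].append(rec)

    findings = []
    for user, events in by_user.items():
        if user in KNOWN_AUTOMATION:
            continue
        axios_events, other_events = [], []
        for e in events:
            (axios_events if AXIOS_UA.search(e.get("userAgent", "")) else other_events).append(e)
        if not axios_events:
            continue

        successes = [e for e in axios_events if e["status"]["errorCode"] == 0]
        browser_ips = {e["ipAddress"] for e in other_events}
        # IPs seen only with the axios UA, never with this user's interactive client.
        new_ips = sorted({e["ipAddress"] for e in axios_events} - browser_ips)

        if successes and new_ips:
            severity = "high"     # successful scripted auth from an IP with no browser history
        elif successes:
            severity = "medium"   # successful, but from an IP the user also uses interactively
        else:
            severity = "low"      # failed attempts only; watch for credential stuffing

        findings.append({
            "user": user,
            "severity": severity,
            "axios_signins": len(axios_events),
            "axios_successes": len(successes),
            "new_ips": new_ips,
            "first_seen": min(e["createdDateTime"] for e in axios_events),
        })
    return findings


if __name__ == "__main__":
    for finding in hunt_axios_signins(parse_signins(SIGNIN_LOG)):
        print(json.dumps(finding))
```

In the constructed data the CFO's two successful axios sign-ins come from an address never seen with their browser, which is the session-replay shape and lands as high; the CEO's single failed attempt is low but still worth a look at the source IP. The regex will not catch a browser-based phishing kit, since there the UA is the victim's own browser, so this hunt complements rather than replaces impossible-travel and new-device alerting.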