
Threat Spotlight: Speed, Scale, and Stealth: How Axios Powers Automated Phishing

Medium
Published: Wed Sep 10 2025 (09/10/2025, 07:52:14 UTC)
Source: AlienVault OTX General

Description

Axios user agent activity has surged by 241% from June to August 2025, outpacing other flagged user agents. Attacks combining Axios with Direct Send achieved a 70% success rate in recent campaigns, significantly higher than non-Axios campaigns. The combination exploits Direct Send's trusted nature and Axios's lightweight design to bypass traditional security defenses. Attackers are using Axios to automate phishing, credential stealing, and API exploitation at unprecedented scale. The campaign initially targeted high-profile individuals in finance, healthcare, and manufacturing, but has expanded to include everyday users. Organizations are advised to implement robust detection mechanisms for suspicious user-agent activity, particularly Axios-related patterns, to mitigate this evolving threat.

AI-Powered Analysis

Last updated: 09/10/2025, 08:15:31 UTC

Technical Analysis

This threat campaign highlights a significant surge in malicious activity leveraging the Axios HTTP client library combined with the Direct Send email technique to automate phishing attacks. Axios, a popular lightweight JavaScript library for making HTTP requests, has seen a 241% increase in user-agent activity from June to August 2025, indicating its weaponization by threat actors. The attackers exploit Direct Send, a method that allows emails to be sent directly to recipients' mail servers without authentication, which is often trusted by security systems and thus less scrutinized. By combining Axios's automation capabilities with Direct Send's trusted delivery path, attackers achieve a high success rate of approximately 70% in phishing campaigns, substantially outperforming traditional phishing methods that do not use Axios. The campaign initially targeted high-profile individuals in finance, healthcare, and manufacturing sectors but has since expanded to include everyday users, increasing the attack surface. The attacks involve automated phishing, credential theft, and API exploitation at scale, leveraging Axios to evade detection by mimicking legitimate user-agent traffic and exploiting trusted email delivery mechanisms. Indicators of compromise include multiple IP addresses and suspicious domains, primarily with Spanish (.es) TLDs, suggesting infrastructure used in the campaign. The campaign is tagged with multiple MITRE ATT&CK techniques such as T1566 (Phishing), T1078 (Valid Accounts), T1190 (Exploit Public-Facing Application), and others related to credential access and lateral movement. No known CVEs or exploits in the wild are reported, but the campaign's automation and stealth characteristics make it a potent threat. Organizations are advised to enhance detection of anomalous Axios user-agent patterns and scrutinize Direct Send email traffic to mitigate this evolving threat.

Potential Impact

For European organizations, the impact of this threat is multifaceted and potentially severe. The high success rate of phishing attacks leveraging Axios and Direct Send increases the risk of credential compromise, leading to unauthorized access to sensitive systems and data breaches. Sectors such as finance, healthcare, and manufacturing—critical to Europe's economy and infrastructure—are primary targets, potentially resulting in financial losses, disruption of services, and exposure of personal and proprietary information. The automation and scale of the campaign mean that even organizations with robust security postures may face increased phishing volumes, straining incident response capabilities. The use of trusted Direct Send mechanisms complicates detection, increasing the likelihood of successful infiltration. Additionally, API exploitation facilitated by stolen credentials can lead to further compromise of cloud services and internal applications. The expansion of targeting to everyday users raises the risk of widespread credential theft, which can be leveraged for further attacks such as business email compromise (BEC) or ransomware. Overall, this threat could degrade trust in email communications and impose significant operational and reputational risks on European entities.

Mitigation Recommendations

To mitigate this threat effectively, European organizations should implement the following specific measures:

1) Deploy advanced email security solutions capable of analyzing user-agent strings and flagging anomalous or suspicious Axios-related activity, including heuristic and behavioral analysis to detect automation patterns.
2) Monitor and restrict Direct Send email traffic by enforcing stricter SPF, DKIM, and DMARC policies, and consider blocking or quarantining emails sent via Direct Send unless explicitly authorized.
3) Enhance logging and monitoring of API access, correlating unusual access patterns with phishing indicators to detect API exploitation early.
4) Conduct targeted user awareness training focusing on recognizing phishing attempts that may bypass traditional filters due to their use of trusted delivery methods.
5) Implement multi-factor authentication (MFA) across all critical systems to reduce the impact of credential theft.
6) Use threat intelligence feeds to block known malicious IP addresses and domains associated with this campaign, including those listed in the indicators.
7) Employ network segmentation and least privilege principles to limit lateral movement if credentials are compromised.
8) Regularly review and update incident response plans to address automated phishing and credential theft scenarios.

These measures go beyond generic advice by focusing on the unique combination of Axios automation and Direct Send exploitation.
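As an added illustration of recommendation 1 (it is not code from AlienVault, ReliaQuest, or the Axios project), the script below scans web-server access logs for the default Axios user-agent (`axios/<version>`, which Axios sends from Node.js unless overridden) hitting credential endpoints and flags source IPs whose volume suggests automation. The log lines are constructed samples, and the endpoint paths `/login` and `/api/token` and the threshold of three requests are assumptions to adapt to your own environment.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Sep/2025:07:50:01 +0000] "POST /login HTTP/1.1" 200 512 "-" "axios/1.7.2"
203.0.113.10 - - [10/Sep/2025:07:50:02 +0000] "POST /login HTTP/1.1" 401 128 "-" "axios/1.7.2"
203.0.113.10 - - [10/Sep/2025:07:50:02 +0000] "POST /login HTTP/1.1" 401 128 "-" "axios/1.7.2"
203.0.113.10 - - [10/Sep/2025:07:50:03 +0000] "POST /api/token HTTP/1.1" 200 96 "-" "axios/1.7.2"
198.51.100.7 - - [10/Sep/2025:07:51:10 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/128.0"
198.51.100.8 - - [10/Sep/2025:07:52:00 +0000] "GET /api/status HTTP/1.1" 200 64 "-" "axios/1.7.2"
"""

# Combined log format: ip ident user [ts] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Assumed credential endpoints and per-IP volume threshold; tune for your environment.
CREDENTIAL_PATHS = ("/login", "/api/token")
AUTOMATION_THRESHOLD = 3

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_axios_ua(ua):
    """True for the default Axios user-agent string ('axios/<version>')."""
    return ua.lower().startswith("axios/")

def detect_axios_credential_abuse(log_text, threshold=AUTOMATION_THRESHOLD):
    """Return {ip: summary} for sources that hit credential endpoints with an
    Axios user-agent at least `threshold` times; summary counts 401/403 failures."""
    per_ip = defaultdict(lambda: {"hits": 0, "failures": 0, "paths": set(), "ua": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not is_axios_ua(rec["ua"]):
            continue
        if not any(rec["path"].startswith(p) for p in CREDENTIAL_PATHS):
            continue
        entry = per_ip[rec["ip"]]
        entry["hits"] += 1
        entry["failures"] += int(rec["status"] in ("401", "403"))
        entry["paths"].add(rec["path"])
        entry["ua"] = rec["ua"]
    return {ip: e for ip, e in per_ip.items() if e["hits"] >= threshold}
```

A legitimate Axios-based integration that only polls `/api/status` is not flagged, so this check alerts on the combination of library fingerprint, target endpoint, and volume rather than on the user-agent alone.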


Technical Details

Author: AlienVault
TLP: white
References: https://reliaquest.com/blog/threat-spotlight-attackers-exploit-axios-for-automated-phishing/
Adversary: null
Pulse Id: 68c12e2e7aa38d67ee887f3d
Threat Score: null

Indicators of Compromise


Threat ID: 68c13011e55cc6e90d9fa8c8

Added to database: 9/10/2025, 8:00:17 AM

Last enriched: 9/10/2025, 8:15:31 AM

Last updated: 9/10/2025, 9:07:57 AM
