Cybercriminals Use Go Resty and Node Fetch in 13 Million Password Spraying Attempts

Proofpoint observed large-scale account takeover campaigns targeting Microsoft 365 that employ common HTTP client libraries (Axios, Node Fetch, Go Resty, Python Requests) alongside Adversary-in-the-Middle and brute-force techniques; attackers used millions of hijacked residential IPs, performed mass password spraying (13 million login attempts), abused OAuth app registrations and mailbox rules, and successfully impacted numerous organizations—particularly education—resulting in substantial account compromises.