
Threat Spotlight: Speed, Scale, and Stealth: How Axios Powers Automated Phishing

ID: a9f2cad9-6882-58f1-a4f0-07d8ecc6e29a

STIX ID: report--a9f2cad9-6882-58f1-a4f0-07d8ecc6e29a

Feed Name: ReliaQuest Blog

Threat Score: 70/100

Date Published: 2025-09-09

Date Updated: 2026-04-29


ReliaQuest observed a rapid surge in phishing campaigns that use the Axios user agent and Microsoft Direct Send to automate credential theft and evade email defenses. Axios-related activity rose 241% from June to August 2025 and accounted for 24.44% of flagged user-agent activity, and incidents combining Axios with Direct Send showed up to a 70% credential-theft success rate. The campaigns used QR codes, short or deceptive .es domains, and Firebase hosting to bypass filters. The report provides IOCs (multiple IPs and domains) plus mitigation recommendations such as securing Direct Send, enforcing anti-spoofing (SPF/DKIM/DMARC), blocking unusual TLDs, and deploying detection/playbook responses.
