In a case study of attacker operational security failure, French security firm Lexfo has uncovered three simultaneous Microsoft 365 phishing operations after an attacker accidentally left a Python HTTP server running on a public port with directory listing enabled — along with a readable .bash_history file that documented their own attack infrastructure.
How the Discovery Happened
The attacker made a critical OPSEC mistake during their campaign setup. A single command left running on their infrastructure:
python3 -m http.server 8080This opened a public-facing HTTP server on port 8080 with directory listing enabled — meaning anyone who found the server could browse its files like a web directory. Worse still, the attacker's shell history file (.bash_history) was readable from that listing, which Lexfo researchers found and analyzed.
That .bash_history file contained the command history from the attacker's setup work — effectively a step-by-step log of how they built their phishing infrastructure. From this single misstep, Lexfo was able to map out three distinct, active phishing operations all running from the same threat actor.
What Is Evilginx?
Evilginx is an open-source adversary-in-the-middle (AiTM) phishing framework originally created for penetration testing. It acts as a reverse proxy between the victim and the legitimate login page, intercepting not just credentials but also session cookies — allowing the attacker to bypass multi-factor authentication entirely.
This is why Evilginx-based attacks are particularly dangerous: even if a victim has MFA enabled via SMS, authenticator app, or push notification, the attacker captures the post-authentication session token. Standard MFA does not protect against AiTM phishing.
Evilginx Attack Flow
1. Attacker registers phishing domain resembling a legitimate Microsoft login
(e.g., microsoftonIine[.]com, login-microsoft[.]com)
2. Evilginx is configured with a "phishlet" for Microsoft 365 login pages
3. Victim receives phishing email with link to the fake login page
4. Victim enters credentials — Evilginx proxies these to the real Microsoft server
5. Microsoft's real MFA challenge is forwarded to the victim (appears legitimate)
6. Victim completes MFA — Evilginx captures the authenticated session cookie
7. Attacker replays the session cookie to access the victim's M365 account
WITHOUT needing credentials or MFA code
8. Attacker accesses email, OneDrive, Teams, Azure resources as the victimThe Three Campaigns Uncovered
Lexfo's analysis of the exposed infrastructure revealed that the threat actor was running three parallel Evilginx phishing campaigns, each targeting Microsoft 365 users likely from different organizations or sectors. The campaigns shared backend infrastructure but used distinct phishing domains and lure themes.
While specific campaign targets were not fully disclosed to avoid tipping off the actors, the research illustrates how a single well-funded threat actor can simultaneously operate multiple phishing pipelines — spreading effort across victims to maximize success rates.
Why Microsoft 365 Is the Dominant AiTM Target
Microsoft 365 remains the most targeted platform for AiTM phishing for several reasons:
- Ubiquity: M365 is deployed across millions of organizations globally — a single Evilginx phishlet works against all of them
- Credential value: Compromised M365 accounts yield email access, internal files (SharePoint/OneDrive), Teams conversations, and often pivot paths to Azure cloud resources
- MFA saturation: As MFA adoption has increased, attackers have adapted to AiTM rather than abandoning credential theft
- Business Email Compromise (BEC): Email access enables BEC fraud, invoice manipulation, and internal spear-phishing
Defenses Against AiTM / Evilginx-Based Phishing
Standard MFA is not sufficient against AiTM attacks. Organizations should layer the following controls:
1. Phishing-Resistant MFA
Move beyond TOTP/push-notification MFA to phishing-resistant authenticators that cryptographically bind authentication to the legitimate domain:
- FIDO2/WebAuthn hardware keys (e.g., YubiKey, Google Titan) — these will not authenticate to a phishing proxy
- Microsoft Entra ID Certificate-Based Authentication (CBA)
- Windows Hello for Business
2. Conditional Access Policies
In Microsoft Entra ID / Azure AD:
Condition: Sign-in risk = High or Medium
Action: Block OR require compliant device + phishing-resistant MFA
Condition: Unfamiliar sign-in properties (new location, device)
Action: Require MFA step-up and session re-evaluation
3. Token Protection (Microsoft Entra)
Enable token binding / token protection in Conditional Access, which ties session tokens to the device they were issued to — making stolen session cookies non-replayable on attacker infrastructure.
4. Anti-Phishing Domain Intelligence
- Subscribe to threat intelligence feeds that track newly registered lookalike domains
- Enforce DMARC, DKIM, and SPF on your own domains to limit impersonation
- Block known Evilginx infrastructure at DNS/proxy level using commercial threat feeds
5. User Awareness
Train users to:
- Verify the full URL bar — not just the displayed page
- Look for certificate details matching the expected organization
- Report unexpected MFA prompts they did not initiate (potential MFA fatigue attacks in parallel)
- Never complete an MFA prompt if they did not personally initiate a sign-in
Lessons from the Attacker's OPSEC Failure
This incident is instructive for defenders as well as offensive security practitioners:
python3 -m http.serveris a dangerous convenience tool on production systems — it exposes directory contents to anyone who finds the port.bash_historyis operational intelligence — attackers should never leave it readable; defenders can use it as a forensic treasure trove post-compromise- Port scanning threat infrastructure pays off — tools like Shodan, Censys, and dedicated threat intelligence platforms continuously discover exposed services that reveal attacker tooling and campaigns
- Multiple campaigns from shared infrastructure is a common pattern — disrupting one phishing operation may yield visibility into others from the same actor