Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1868+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. Misconfigured Server Exposes Three Evilginx Phishing Ops Targeting M365
Misconfigured Server Exposes Three Evilginx Phishing Ops Targeting M365
NEWS

Misconfigured Server Exposes Three Evilginx Phishing Ops Targeting M365

An attacker's operational security mistake — leaving a Python HTTP server and .bash_history exposed on a public port — allowed researchers to uncover three simultaneous Evilginx phishing campaigns targeting Microsoft 365 credentials.

Dylan H.

News Desk

July 13, 2026
5 min read

In a case study of attacker operational security failure, French security firm Lexfo has uncovered three simultaneous Microsoft 365 phishing operations after an attacker accidentally left a Python HTTP server running on a public port with directory listing enabled — along with a readable .bash_history file that documented their own attack infrastructure.


How the Discovery Happened

The attacker made a critical OPSEC mistake during their campaign setup. A single command left running on their infrastructure:

python3 -m http.server 8080

This opened a public-facing HTTP server on port 8080 with directory listing enabled — meaning anyone who found the server could browse its files like a web directory. Worse still, the attacker's shell history file (.bash_history) was readable from that listing, which Lexfo researchers found and analyzed.

That .bash_history file contained the command history from the attacker's setup work — effectively a step-by-step log of how they built their phishing infrastructure. From this single misstep, Lexfo was able to map out three distinct, active phishing operations all running from the same threat actor.


What Is Evilginx?

Evilginx is an open-source adversary-in-the-middle (AiTM) phishing framework originally created for penetration testing. It acts as a reverse proxy between the victim and the legitimate login page, intercepting not just credentials but also session cookies — allowing the attacker to bypass multi-factor authentication entirely.

This is why Evilginx-based attacks are particularly dangerous: even if a victim has MFA enabled via SMS, authenticator app, or push notification, the attacker captures the post-authentication session token. Standard MFA does not protect against AiTM phishing.

Evilginx Attack Flow

1. Attacker registers phishing domain resembling a legitimate Microsoft login
   (e.g., microsoftonIine[.]com, login-microsoft[.]com)
 
2. Evilginx is configured with a "phishlet" for Microsoft 365 login pages
 
3. Victim receives phishing email with link to the fake login page
 
4. Victim enters credentials — Evilginx proxies these to the real Microsoft server
 
5. Microsoft's real MFA challenge is forwarded to the victim (appears legitimate)
 
6. Victim completes MFA — Evilginx captures the authenticated session cookie
 
7. Attacker replays the session cookie to access the victim's M365 account
   WITHOUT needing credentials or MFA code
 
8. Attacker accesses email, OneDrive, Teams, Azure resources as the victim

The Three Campaigns Uncovered

Lexfo's analysis of the exposed infrastructure revealed that the threat actor was running three parallel Evilginx phishing campaigns, each targeting Microsoft 365 users likely from different organizations or sectors. The campaigns shared backend infrastructure but used distinct phishing domains and lure themes.

While specific campaign targets were not fully disclosed to avoid tipping off the actors, the research illustrates how a single well-funded threat actor can simultaneously operate multiple phishing pipelines — spreading effort across victims to maximize success rates.


Why Microsoft 365 Is the Dominant AiTM Target

Microsoft 365 remains the most targeted platform for AiTM phishing for several reasons:

  • Ubiquity: M365 is deployed across millions of organizations globally — a single Evilginx phishlet works against all of them
  • Credential value: Compromised M365 accounts yield email access, internal files (SharePoint/OneDrive), Teams conversations, and often pivot paths to Azure cloud resources
  • MFA saturation: As MFA adoption has increased, attackers have adapted to AiTM rather than abandoning credential theft
  • Business Email Compromise (BEC): Email access enables BEC fraud, invoice manipulation, and internal spear-phishing

Defenses Against AiTM / Evilginx-Based Phishing

Standard MFA is not sufficient against AiTM attacks. Organizations should layer the following controls:

1. Phishing-Resistant MFA

Move beyond TOTP/push-notification MFA to phishing-resistant authenticators that cryptographically bind authentication to the legitimate domain:

  • FIDO2/WebAuthn hardware keys (e.g., YubiKey, Google Titan) — these will not authenticate to a phishing proxy
  • Microsoft Entra ID Certificate-Based Authentication (CBA)
  • Windows Hello for Business

2. Conditional Access Policies

In Microsoft Entra ID / Azure AD:

Condition: Sign-in risk = High or Medium
Action: Block OR require compliant device + phishing-resistant MFA

Condition: Unfamiliar sign-in properties (new location, device)
Action: Require MFA step-up and session re-evaluation

3. Token Protection (Microsoft Entra)

Enable token binding / token protection in Conditional Access, which ties session tokens to the device they were issued to — making stolen session cookies non-replayable on attacker infrastructure.

4. Anti-Phishing Domain Intelligence

  • Subscribe to threat intelligence feeds that track newly registered lookalike domains
  • Enforce DMARC, DKIM, and SPF on your own domains to limit impersonation
  • Block known Evilginx infrastructure at DNS/proxy level using commercial threat feeds

5. User Awareness

Train users to:

  • Verify the full URL bar — not just the displayed page
  • Look for certificate details matching the expected organization
  • Report unexpected MFA prompts they did not initiate (potential MFA fatigue attacks in parallel)
  • Never complete an MFA prompt if they did not personally initiate a sign-in

Lessons from the Attacker's OPSEC Failure

This incident is instructive for defenders as well as offensive security practitioners:

  • python3 -m http.server is a dangerous convenience tool on production systems — it exposes directory contents to anyone who finds the port
  • .bash_history is operational intelligence — attackers should never leave it readable; defenders can use it as a forensic treasure trove post-compromise
  • Port scanning threat infrastructure pays off — tools like Shodan, Censys, and dedicated threat intelligence platforms continuously discover exposed services that reveal attacker tooling and campaigns
  • Multiple campaigns from shared infrastructure is a common pattern — disrupting one phishing operation may yield visibility into others from the same actor

References

  • The Hacker News — Misconfigured Server Reveals Three Evilginx Phishing Operations Targeting Microsoft 365
  • Evilginx GitHub Repository
  • Microsoft — Protecting against AiTM phishing
  • CISA — Phishing Guidance: Stopping the Attack Cycle at Phase One
#Phishing#Microsoft 365#Evilginx#AiTM#Threat Intelligence#OPSEC Failure

Related Articles

Tycoon 2FA Loses Phishing Kit Crown Amid Surge in Attacks

Following law enforcement disruption of the Tycoon 2FA platform, threat actors are reusing its tools and techniques across a wave of new phishing kits,...

4 min read

U.S. Offers $10 Million for Russian Hackers Targeting WhatsApp and Signal Users

The U.S. Department of State is offering up to $10 million through its Rewards for Justice program for information identifying members of UNC5792 and...

3 min read

FBI: Russian Hackers Now Target Signal Backup Recovery Keys

The FBI and CISA warn that a Russian-linked phishing campaign targeting Signal users has evolved to steal Backup Recovery Keys, giving attackers full...

4 min read
Back to all News