🟠 High | Source: The Hacker News
A threat actor running a Microsoft 365 phishing campaign using the Evilginx adversary-in-the-middle framework accidentally exposed their entire operation by leaving a Python HTTP server with directory listing enabled on a public port. French security firm Lexfo discovered the misconfiguration, recovered the attacker’s toolkit and .bash_history, and used that intelligence to pivot to two additional active phishing operations. The incident highlights how attackers make the same operational security mistakes they exploit in their targets.
Security Architect’s Take: Review your organisation’s Microsoft 365 conditional access policies and enforce phishing-resistant MFA (FIDO2/hardware tokens) rather than TOTP or push-based methods, as Evilginx-style AiTM proxies can bypass traditional MFA entirely. Additionally, deploy Microsoft Defender for Cloud Apps or a CASB to detect anomalous token usage and session hijacking indicators post-authentication.
Original advisory: Misconfigured Server Reveals Three Evilginx Phishing Operations Targeting Microsoft 365