blindthoughts
breaking · By

Three Live Microsoft 365 Evilginx Phishing Ops Exposed by Attacker's Own Blunder

Three active Microsoft 365 phishing campaigns just had their infrastructure exposed — not by defenders, but by an attacker's own operational mistake.

A threat actor running Evilginx-based adversary-in-the-middle (AiTM) phishing operations left a Python HTTP server running with directory listing enabled on a public IP. The command python3 -m http.server 8080 was still sitting in a readable .bash_history file. That single lapse handed researchers a window into three simultaneous phishing operations targeting M365 users.

Why This Matters Now

Evilginx is not a script-kiddie tool. It is a mature AiTM framework that acts as a reverse proxy: it serves victims a pixel-perfect replica of the real Microsoft login page while sitting in the middle, capturing session cookies after MFA has already completed. That means standard MFA — TOTP apps, SMS codes, even Microsoft Authenticator push notifications — provides zero protection against this attack class.

Three concurrent operations suggests organized, ongoing activity at scale. If your organization runs Microsoft 365 and has not specifically hardened against AiTM attacks, you are a plausible target right now.

What To Do

Immediate actions:

  1. Pull your Entra ID sign-in logs and look for sessions where the IP at authentication differs from the IP in subsequent activity, or where session tokens appear from unexpected geographies or devices. AiTM attacks leave a tell: the auth IP is the attacker's proxy, not the victim's real address.
  1. Enable Conditional Access with device compliance or Entra ID Protection if you have not already. Policies that require a managed/compliant device bind the session to something the attacker's proxy cannot replicate.
  1. Switch to phishing-resistant MFA. FIDO2 hardware keys (YubiKey, Windows Hello for Business bound to a TPM) are the only MFA class that cryptographically defeats AiTM — the key signs a challenge tied to the actual origin domain, so the attacker's proxy can never satisfy it.
  1. Enable Continuous Access Evaluation (CAE) in Entra ID. CAE revokes sessions in near-real-time on anomaly detection, shrinking the window an attacker can exploit a stolen session cookie from hours to seconds.

Audit checklist:

The exposed infrastructure gives a rare look at the operational breadth of these campaigns. The attackers' mistake does not neutralize the threat — additional infrastructure nodes almost certainly exist beyond what this exposure revealed. Treat this as a forcing function to harden now, not a sign the campaign has been disrupted.

Sources
  1. Misconfigured Server Reveals Three Evilginx Phishing Operations Targeting Microsoft 365

Synthesized by Claude · sanity-checked before publish.

Share:𝕏inr/HN🦋@
Was this useful?