A misconfigured web server exposed an active Microsoft 365 phishing operation, revealing infrastructure shared across three separate Evilginx campaigns. French security firm Lexfo discovered the exposure after finding a Python HTTP server running on a public port with directory listing enabled, leaving the attacker's complete toolkit accessible.
The operator had executed the command "python3 -m http.server 8080" without restricting access, leaving it logged in readable .bash_history files. This single operational security failure allowed researchers to download the entire phishing infrastructure, including Evilginx configuration files, credential harvesting scripts, and campaign templates.
Evilginx is a reverse proxy framework designed to intercept and steal credentials from users during authentication. Unlike traditional phishing that simply mimics login pages, Evilginx sits between the user and the legitimate Microsoft service, capturing session cookies and multi-factor authentication tokens in real time. Stolen credentials remain valid for hours or days, giving attackers immediate access to victim accounts.
By analyzing the exposed files, Lexfo identified two additional phishing operations run by the same actor or group. The researchers traced connections between campaigns through shared infrastructure, configuration patterns, and operational artifacts. This pivoting technique revealed a larger phishing ecosystem than any single operation suggested.
The toolkit contained pre-built phishing pages targeting Microsoft 365 across multiple organizations, likely sold or shared within underground forums. The campaigns employed standard obfuscation and domain spoofing techniques, registering lookalike domains and leveraging cloud hosting to evade detection.
Organizations using Microsoft 365 face persistent threat from Evilginx operations. Even with multi-factor authentication enabled, attackers capture the authentication tokens needed to bypass these protections. The exposure demonstrates that operational security failures by threat actors create investigative opportunities for defenders, yet also highlights the scale of active phishing infrastructure targeting enterprise users.
