Select a theme from the list.
Insights

From our experts

Latest
Microsoft Expands AI-Led Security Hardening and Sets 2029 Quantum-Safe GoalGlobal CMS Exploitation Wave Plants Webshells on Business WebsitesExposed Attack Server Unmasks Three Microsoft 365 Phishing OperationsMicrosoft Prepares Windows Customers for a Faster Era of AI-Driven PatchingLaser Attack Exposes an Unpatchable Weakness in Tangem Crypto Wallet CardsGlobal CMS Exploitation Wave Puts Business Websites at Immediate RiskMacOS Malware 'Poseidon Stealer' Rebranded as 'Odyssey Stealer'CISA Warns of Critical Vulnerabilities in Mitsubishi Electric ICS HardwareAhold Delhaize Data Breach Exposes 2.2 Million Customers' InformationSwitzerland Mandates 24-Hour Cyberattack Reporting for Critical SectorsFTC to Distribute $25.5 Million to Victims of Tech Support ScamsMicrosoft to Deprecate Publisher by October 2026Microsoft Expands AI-Led Security Hardening and Sets 2029 Quantum-Safe GoalGlobal CMS Exploitation Wave Plants Webshells on Business WebsitesExposed Attack Server Unmasks Three Microsoft 365 Phishing OperationsMicrosoft Prepares Windows Customers for a Faster Era of AI-Driven PatchingLaser Attack Exposes an Unpatchable Weakness in Tangem Crypto Wallet CardsGlobal CMS Exploitation Wave Puts Business Websites at Immediate RiskMacOS Malware 'Poseidon Stealer' Rebranded as 'Odyssey Stealer'CISA Warns of Critical Vulnerabilities in Mitsubishi Electric ICS HardwareAhold Delhaize Data Breach Exposes 2.2 Million Customers' InformationSwitzerland Mandates 24-Hour Cyberattack Reporting for Critical SectorsFTC to Distribute $25.5 Million to Victims of Tech Support ScamsMicrosoft to Deprecate Publisher by October 2026
Security Insight

Exposed Attack Server Unmasks Three Microsoft 365 Phishing Operations

Exposed Attack Server Unmasks Three Microsoft 365 Phishing Operations
Photo by Torsten Dettlaff on Pexels

A misconfigured web server exposed the tools, logs, repositories, and infrastructure behind three phishing operations targeting Microsoft 365 accounts. The campaigns used both Evilginx reverse-proxy attacks and Microsoft device-code abuse, demonstrating why no single authentication control can stop every form of token theft.

A basic server configuration mistake has given defenders a rare view inside three active Microsoft 365 phishing operations. Researchers at French security company Lexfo discovered that an attacker had launched a Python web server with directory browsing enabled, exposing files that included phishing configurations, credential logs, remote-management installers, archives, and command history.

Two Different Paths Around MFA

The exposed material led researchers from one operator to two others, all using customized versions of the open-source Evilginx framework. Traditional Evilginx attacks operate as adversary-in-the-middle proxies. They relay the victim's interaction with the legitimate sign-in service while capturing credentials and session cookies.

One of the uncovered campaigns used a different approach based on Microsoft's legitimate OAuth device-code flow. Victims were directed to a real Microsoft page and persuaded to enter an attacker-generated code. The user then completed a genuine multifactor authentication challenge, unknowingly authorizing the attacker's session.

This distinction is important. Passkeys and FIDO2 security keys can block reverse-proxy phishing because authentication is bound to the legitimate domain. They do not automatically prevent device-code abuse when the victim is authenticating on Microsoft's real infrastructure.

Defensive Priorities

  • Block device-code authentication through Conditional Access unless there is a documented business requirement.
  • Use phishing-resistant authentication for employees with access to sensitive systems.
  • Review Entra sign-in logs for unusual device-code activity, unfamiliar source addresses, and repeated token refreshes.
  • Enable Continuous Access Evaluation and apply location-based access restrictions where practical.
  • Hunt for unauthorized remote-monitoring tools and suspicious scheduled tasks on endpoints.

The investigation also found signs that AI coding tools helped create scripts and other supporting components. In my view, this illustrates the most immediate criminal value of generative AI: it lowers the effort needed to customize existing attack frameworks rather than inventing entirely new malware.

The broader lesson is that MFA must be treated as an identity architecture, not a checkbox. Organizations may successfully block one phishing technique while remaining exposed through another approved authentication flow. Security teams should therefore evaluate how tokens are issued, refreshed, monitored, and revoked, particularly for cloud accounts that can provide access to email, files, and internal applications.

Talk to our team →

Latest

Microsoft Expands AI-Led Security Hardening and Sets 2029 Quantum-Safe GoalJul 13, 2026Global CMS Exploitation Wave Plants Webshells on Business WebsitesJul 13, 2026Exposed Attack Server Unmasks Three Microsoft 365 Phishing OperationsJul 13, 2026Microsoft Prepares Windows Customers for a Faster Era of AI-Driven PatchingJul 13, 2026Laser Attack Exposes an Unpatchable Weakness in Tangem Crypto Wallet CardsJul 13, 2026Global CMS Exploitation Wave Puts Business Websites at Immediate RiskJul 13, 2026

Most read

1Microsoft Expands AI-Led Security Hardening and Sets 2029 Quantum-Safe Goal2Exposed Attack Server Unmasks Three Microsoft 365 Phishing Operations3Scattered Spider's Cyberattack on Marks & Spencer Exposes Retail Vulnerabilities4Global CMS Exploitation Wave Plants Webshells on Business Websites5Ahold Delhaize Data Breach Exposes 2.2 Million Customers' Information6Microsoft Prepares Windows Customers for a Faster Era of AI-Driven Patching