A basic server configuration mistake has given defenders a rare view inside three active Microsoft 365 phishing operations. Researchers at French security company Lexfo discovered that an attacker had launched a Python web server with directory browsing enabled, exposing files that included phishing configurations, credential logs, remote-management installers, archives, and command history.
Two Different Paths Around MFA
The exposed material led researchers from one operator to two others, all using customized versions of the open-source Evilginx framework. Traditional Evilginx attacks operate as adversary-in-the-middle proxies. They relay the victim's interaction with the legitimate sign-in service while capturing credentials and session cookies.
One of the uncovered campaigns used a different approach based on Microsoft's legitimate OAuth device-code flow. Victims were directed to a real Microsoft page and persuaded to enter an attacker-generated code. The user then completed a genuine multifactor authentication challenge, unknowingly authorizing the attacker's session.
This distinction is important. Passkeys and FIDO2 security keys can block reverse-proxy phishing because authentication is bound to the legitimate domain. They do not automatically prevent device-code abuse when the victim is authenticating on Microsoft's real infrastructure.
Defensive Priorities
- Block device-code authentication through Conditional Access unless there is a documented business requirement.
- Use phishing-resistant authentication for employees with access to sensitive systems.
- Review Entra sign-in logs for unusual device-code activity, unfamiliar source addresses, and repeated token refreshes.
- Enable Continuous Access Evaluation and apply location-based access restrictions where practical.
- Hunt for unauthorized remote-monitoring tools and suspicious scheduled tasks on endpoints.
The investigation also found signs that AI coding tools helped create scripts and other supporting components. In my view, this illustrates the most immediate criminal value of generative AI: it lowers the effort needed to customize existing attack frameworks rather than inventing entirely new malware.
The broader lesson is that MFA must be treated as an identity architecture, not a checkbox. Organizations may successfully block one phishing technique while remaining exposed through another approved authentication flow. Security teams should therefore evaluate how tokens are issued, refreshed, monitored, and revoked, particularly for cloud accounts that can provide access to email, files, and internal applications.
