AI Security AI安全 5h ago Updated 1h ago 更新于 1小时前 46

Misconfigured Server Reveals Three Evilginx Phishing Operations Targeting Microsoft 365 配置错误的服务器暴露了三个针对微软365的Evilginx钓鱼操作

A misconfigured Python web server with directory listing enabled exposed an attacker’s toolkit, allowing researchers to pivot and uncover three distinct Evilginx phishing operations targeting Microsoft 365. Two primary attack vectors were identified: traditional Adversary-in-the-Middle (AiTM) proxying and a sophisticated abuse of Microsoft’s OAuth device code flow that leverages legitimate sign-in pages to bypass MFA. The OAuth device code attack effectively neutralizes standard MFA and FIDO2 pr 法国安全公司Lexfo通过一个配置错误的公开Web服务器,揭露了针对Microsoft 365的三起Evilginx钓鱼攻击活动,涉及三名不同的攻击者。 攻击者利用两种不同机制绕过MFA:一是传统的中间人代理劫持,二是滥用微软合法的OAuth设备代码流(Device Code Flow),后者能欺骗用户自行完成真实MFA验证。 攻击工具包经过高度定制,包括绕过子资源完整性检查、预填邮箱地址以及设置长达一年的会话Cookie TTL,以维持长期访问权限。 其中名为“black-queen”的攻击变体在一年多内捕获了218个企业账户,且通过自动刷新令牌保持会话活跃,显示出极高的隐蔽性和持久性。 该

65
Hot 热度
70
Quality 质量
60
Impact 影响力

Analysis 深度分析

TL;DR

  • A misconfigured Python web server with directory listing enabled exposed an attacker’s toolkit, allowing researchers to pivot and uncover three distinct Evilginx phishing operations targeting Microsoft 365.
  • Two primary attack vectors were identified: traditional Adversary-in-the-Middle (AiTM) proxying and a sophisticated abuse of Microsoft’s OAuth device code flow that leverages legitimate sign-in pages to bypass MFA.
  • The OAuth device code attack effectively neutralizes standard MFA and FIDO2 protections because the victim authenticates on genuine Microsoft infrastructure, making the origin binding check pass for the attacker’s session.
  • Attackers are utilizing customized forks of open-source tools with features like long-lived session cookies (up to one year) and auto-refresh capabilities to maintain persistent access to compromised corporate accounts.

Why It Matters

This incident highlights the critical importance of server configuration hygiene, as a simple oversight like enabling directory listing can lead to the exposure of entire criminal infrastructure and toolkits. For security practitioners, it underscores that traditional MFA is insufficient against advanced phishing techniques that exploit legitimate authentication flows, necessitating a shift toward Conditional Access policies with Continuous Access Evaluation (CAE).

Technical Details

  • Infrastructure Exposure: The initial breach occurred via a python3 -m http.server instance on port 8080 with directory listing active, revealing .bash_history, phishing configurations, and links to other operators.
  • Custom Evilginx Forks: The attackers used modified versions of the open-source Evilginx proxy. One fork (red-queen) included URL rewriting to evade detection and set session cookie TTLs to one year (31,536,000 seconds), allowing stolen sessions to persist beyond password resets.
  • OAuth Device Code Abuse: A separate campaign (black-queen) exploited the Microsoft OAuth device code flow. It presented a fake Authenticator-themed page directing users to microsoft.com/devicelogin, where the victim performed genuine MFA, allowing the attacker to poll and capture the resulting access token.
  • Persistence Mechanisms: The frameworks included auto-refresh logic for stolen tokens, with logs showing tokens refreshed up to 25 times, maintaining active sessions for months without requiring further user interaction.

Industry Insight

Organizations must implement Conditional Access policies that support Continuous Access Evaluation (CAE) to detect and revoke sessions if anomalous behavior, such as access from a new IP or device, is detected after initial authentication. Security teams should audit public-facing services rigorously to prevent information leakage that could aid threat actors in mapping their infrastructure. Additionally, reliance on MFA alone is no longer sufficient; organizations should consider user education regarding device login prompts and monitor for unusual OAuth application consent patterns.

TL;DR

  • 法国安全公司Lexfo通过一个配置错误的公开Web服务器,揭露了针对Microsoft 365的三起Evilginx钓鱼攻击活动,涉及三名不同的攻击者。
  • 攻击者利用两种不同机制绕过MFA:一是传统的中间人代理劫持,二是滥用微软合法的OAuth设备代码流(Device Code Flow),后者能欺骗用户自行完成真实MFA验证。
  • 攻击工具包经过高度定制,包括绕过子资源完整性检查、预填邮箱地址以及设置长达一年的会话Cookie TTL,以维持长期访问权限。
  • 其中名为“black-queen”的攻击变体在一年多内捕获了218个企业账户,且通过自动刷新令牌保持会话活跃,显示出极高的隐蔽性和持久性。
  • 该事件揭示了钓鱼即服务(PhaaS)生态系统的复杂性,攻击者通过克隆和修改开源框架快速迭代,且防御措施需针对不同的技术原理分别制定。

为什么值得看

这篇文章为安全从业者提供了关于当前高级钓鱼攻击演变的最新情报,特别是针对Microsoft 365环境的新型绕过技术。它强调了仅依赖传统MFA防护的局限性,并展示了攻击者如何利用合法身份验证流程进行社会工程学攻击,为制定更精准的防御策略提供了关键参考。

技术解析

  • 基础设施泄露与溯源:攻击者codemado在布达佩斯的服务器上运行Python Web服务器时开启了目录列表功能,导致其完整的钓鱼工具包、凭证日志、RMM安装程序及Telegram会话文件暴露。通过.bash_history中的命令记录,研究人员追溯到了其使用的Evilginx变种及其上游开发者。
  • Evilginx变体定制:攻击者使用了四个不同的Evilginx分支。其中red-queen分支由尼日利亚操作员开发,通过重命名HTML属性绕过SRI检查,添加URL重写引擎规避路径检测,并将捕获的Microsoft会话Cookie TTL设置为一年(31,536,000秒),使窃取的登录状态在密码重置后依然有效。
  • OAuth Device Code Flow滥用:名为black-queen的攻击变体不窃取密码,而是利用微软合法的OAuth设备代码流。攻击者生成真实的设备码,诱导用户在真实的microsoft.com/devicelogin页面输入并验证MFA。由于验证发生在微软官方基础设施上,传统的Origin绑定防御失效,Passkey/FIDO2也无法阻止攻击者获取令牌。
  • 自动化与会话维持black-queen框架具备自动刷新令牌的功能,GitHub历史中曾短暂提交过包含97个活跃Microsoft令牌的配置文件,部分令牌被自动刷新多达25次,确保持续访问权限而不触发异常警报。

行业启示

  • 强化Conditional Access策略:必须实施支持CAE(Continuous Access Evaluation)的条件访问策略,以便在检测到异常行为或令牌泄露时能够即时撤销访问权限,防止长期会话被滥用。
  • 监控OAuth设备代码流异常:安全团队应加强对OAuth设备代码流(Device Code Flow)的监控,识别非典型设备或异常频率的令牌请求,因为这种合法流程正被广泛用于绕过MFA。
  • 提升内部安全意识与配置管理:攻击者的成功很大程度上源于自身的基础设施配置失误(如开启目录列表)。企业应加强对员工和社会工程学的培训,同时安全供应商需关注开源钓鱼工具的演变,及时更新检测规则以覆盖新的变种特征。

Disclaimer: The above content is generated by AI and is for reference only. 免责声明:以上内容由 AI 生成,仅供参考。

Security 安全