Misconfigured Server Reveals Three Evilginx Phishing Operations Targeting Microsoft 365
A misconfigured Python web server with directory listing enabled exposed an attacker’s toolkit, allowing researchers to pivot and uncover three distinct Evilginx phishing operations targeting Microsoft 365. Two primary attack vectors were identified: traditional Adversary-in-the-Middle (AiTM) proxying and a sophisticated abuse of Microsoft’s OAuth device code flow that leverages legitimate sign-in pages to bypass MFA. The OAuth device code attack effectively neutralizes standard MFA and FIDO2 pr
Analysis
TL;DR
- A misconfigured Python web server with directory listing enabled exposed an attacker’s toolkit, allowing researchers to pivot and uncover three distinct Evilginx phishing operations targeting Microsoft 365.
- Two primary attack vectors were identified: traditional Adversary-in-the-Middle (AiTM) proxying and a sophisticated abuse of Microsoft’s OAuth device code flow that leverages legitimate sign-in pages to bypass MFA.
- The OAuth device code attack effectively neutralizes standard MFA and FIDO2 protections because the victim authenticates on genuine Microsoft infrastructure, making the origin binding check pass for the attacker’s session.
- Attackers are utilizing customized forks of open-source tools with features like long-lived session cookies (up to one year) and auto-refresh capabilities to maintain persistent access to compromised corporate accounts.
Why It Matters
This incident highlights the critical importance of server configuration hygiene, as a simple oversight like enabling directory listing can lead to the exposure of entire criminal infrastructure and toolkits. For security practitioners, it underscores that traditional MFA is insufficient against advanced phishing techniques that exploit legitimate authentication flows, necessitating a shift toward Conditional Access policies with Continuous Access Evaluation (CAE).
Technical Details
- Infrastructure Exposure: The initial breach occurred via a
python3 -m http.serverinstance on port 8080 with directory listing active, revealing.bash_history, phishing configurations, and links to other operators. - Custom Evilginx Forks: The attackers used modified versions of the open-source Evilginx proxy. One fork (
red-queen) included URL rewriting to evade detection and set session cookie TTLs to one year (31,536,000 seconds), allowing stolen sessions to persist beyond password resets. - OAuth Device Code Abuse: A separate campaign (
black-queen) exploited the Microsoft OAuth device code flow. It presented a fake Authenticator-themed page directing users tomicrosoft.com/devicelogin, where the victim performed genuine MFA, allowing the attacker to poll and capture the resulting access token. - Persistence Mechanisms: The frameworks included auto-refresh logic for stolen tokens, with logs showing tokens refreshed up to 25 times, maintaining active sessions for months without requiring further user interaction.
Industry Insight
Organizations must implement Conditional Access policies that support Continuous Access Evaluation (CAE) to detect and revoke sessions if anomalous behavior, such as access from a new IP or device, is detected after initial authentication. Security teams should audit public-facing services rigorously to prevent information leakage that could aid threat actors in mapping their infrastructure. Additionally, reliance on MFA alone is no longer sufficient; organizations should consider user education regarding device login prompts and monitor for unusual OAuth application consent patterns.
Disclaimer: The above content is generated by AI and is for reference only.