In a stark reminder that operational security (OPSEC) failures affect even the adversary, French security firm Lexfo discovered three distinct Evilginx social engineering operations targeting Microsoft 365. The breach occurred not through a sophisticated zero-day, but via a fundamental misconfiguration: an attacker left a Python web server listening on a public port with directory listing enabled.
The command python3 -m http.server 8080 was found sitting in a readable .bash_history file. This single lapse allowed defenders to pivot through the operator's toolkit and uncover a wider campaign. For SOC analysts and CISOs, this incident provides a dual opportunity: to understand the current TTPs of Evilginx operators and to audit our own infrastructure for the same sloppy configuration that often leads to compromise.
Technical Analysis
Threat Overview: The incident centers on Evilginx, a man-in-the-middle (MitM) attack framework used to bypass multi-factor authentication (MFA). Unlike traditional phishing, which captures credentials, AiTM (Adversary-in-the-Middle) tools like Evilginx proxy the traffic between the victim and the legitimate service (in this case, Microsoft 365). This allows the attacker to intercept the session token (cookie) issued after successful authentication, granting them access without ever needing the second factor or the password again.
The OPSEC Failure:
- Mechanism: The attacker utilized
python3 -m http.server 8080to serve files, likely the phishing kit or exfiltrated data. - Exposure: Directory listing was left on, and the shell history (
.bash_history) was readable. This is a classic "script kiddie" mistake that provided a full inventory of the operator's files. - Impact: The exposure allowed researchers to identify three distinct campaigns targeting Microsoft 365, likely including the rogue TLS certificates and JSON configuration files used by the Evilginx framework.
Exploitation Status: There is no CVE associated with this specific news item; the vulnerability is human error. However, the underlying threat (Evilginx) represents a critical, active exploitation methodology against identity providers. Evilginx remains a staple in the initial access broker (IAB) ecosystem due to its effectiveness against standard MFA implementations.
Detection & Response
Detecting AiTM attacks requires a layered approach. We must detect the infrastructure setup (if it occurs within our environment) and, more critically, detect the behavioral anomalies of the authentication traffic itself.
SIGMA Rules
The following rules detect the specific infrastructure setup errors highlighted in this report, as well as general reconnaissance behavior common in post-exploitation phases on Linux endpoints.
---
title: Potential File Transfer via Simple HTTP Server
id: 8a4b2c1d-5e6f-4a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects the usage of Python's simple HTTP server module, which is often used for quick file transfers or serving phishing kits but is rare in production environments.
references:
- https://thehackernews.com/2026/07/misconfigured-server-reveals-three.html
author: Security Arsenal
date: 2026/07/15
tags:
- attack.command_and_control
- attack.t1102
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith: '/python3'
CommandLine|contains: ' -m http.server'
condition: selection
falsepositives:
- Legitimate use by developers in isolated environments
level: medium
---
title: Suspicious Read of Shell History File
id: 9d5c3e2f-6f7a-4b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects processes reading the .bash_history file. Attackers often read this to understand administrator actions or steal credentials, while the incident above highlights the risk of leaving it readable.
author: Security Arsenal
date: 2026/07/15
tags:
- attack.credential_access
- attack.t1003
logsource:
category: file_event
product: linux
detection:
selection:
TargetFilename|endswith: '/.bash_history'
filter:
Image|endswith:
- '/bash'
- '/sh'
- '/zsh'
condition: selection and not filter
falsepositives:
- Adminstrative troubleshooting tools (e.g., history grep)
level: low
KQL (Microsoft Sentinel)
This query hunts for signs of Adversary-in-the-Middle (AiTM) activity against Microsoft 365. A primary indicator of AiTM tools like Evilginx is a mismatch between the Device ID and the User Agent, or logins originating from hosting providers (ASNs) rather than typical residential/Corporate IPs.
let HostingASNs = dynamic(["AS8075", "AS15169", "AS16276", "AS16509", "AS14618", "AS13335"]); // Add known cloud/hosting ASNs
SigninLogs
| where AppDisplayName in ("Office 365", "Microsoft Office 365 Portal")
| where ResultType == 0 // Success
| extend DeviceDetail = parse_(DeviceDetail)
| evaluate risk_score(UserPrincipalName, IPAddress, ResultType)
| mv-expand todynamic(DeviceDetail)
| where DeviceDetail.deviceId is not null
// AiTM often fakes the User Agent but may fail to consistently spoof the Device ID across sessions, or proxies from hosting ranges
| join kind=leftouter (
DeviceInfo
| distinct DeviceId, TrustLevel
) on $left.DeviceDetail.deviceId == $right.DeviceId
| where IPAddress in (HostingASNs)
or isempty(TrustLevel) // Device not recognized/trusted
| project TimeGenerated, UserPrincipalName, IPAddress, UserAgent, DeviceDetail, ConditionalAccessStatus, Location
| summarize count() by UserPrincipalName, IPAddress, bin(TimeGenerated, 1h)
Velociraptor VQL
This artifact hunts for active Python processes listening on network interfaces, similar to the setup observed in the Lexfo report. It also checks for readable .bash_history files.
-- Hunt for Python HTTP Servers and readable history
SELECT * FROM chain(
-- Query 1: Check for python3 processes
SELECT Pid, Name, Cmdline, Exe
FROM pslist()
WHERE Name =~ 'python3'
AND Cmdline =~ 'http.server',
-- Query 2: Check network listeners for Python
SELECT Pid, Family, Address, Port
FROM listen_sockets()
WHERE Pid IN (SELECT Pid FROM pslist() WHERE Name =~ 'python'),
-- Query 3: Check permissions on .bash_history
SELECT FullPath, Mode, Size, Mtime
FROM glob(globs='/root/.bash_history', '/home/*/.bash_history')
WHERE Mode =~ '.*r.*' -- Readable by group/others is a risk
)
Remediation Script (Bash)
Use this script to audit Linux servers for the specific misconfigurations mentioned in the report. This helps prevent "supply chain" style compromises where your server is used as the pivot point.
#!/bin/bash
# Audit for Python HTTP servers and .bash_history permissions
echo "[*] Checking for active Python HTTP servers..."
# Find python3 processes running http.server
PYTHON_PIDS=$(pgrep -f 'python3 -m http.server')
if [ -n "$PYTHON_PIDS" ]; then
echo "[!] WARNING: Found Python HTTP servers running. PIDs: $PYTHON_PIDS"
ps -p $PYTHON_PIDS -o pid,cmd
else
echo "[+] No Python HTTP servers detected."
fi
echo "[*] Auditing .bash_history permissions..."
# Find world-readable history files in user homes
echo "[!] Listing history files with Group/Other read permissions:"
find /root /home -maxdepth 2 -name '.bash_history' -type f -perm /o=r -ls 2>/dev/null
echo "[*] Hardening .bash_history permissions..."
# Lock down history files to owner-read/write only (600)
find /root /home -maxdepth 2 -name '.bash_history' -type f -exec chmod 600 {} \;
echo "[+] Audit complete."
Remediation
While the news highlights an attacker's mistake, the defensive posture for organizations targeted by Evilginx requires identity hardening:
-
Implement Phishing-Resistant MFA: Attackers using Evilginx can bypass standard SMS or TOTP MFA. Transition to FIDO2/WebAuthn security keys, which are resistant to MitM attacks because the cryptographic signature is bound to the domain.
-
Enforce Conditional Access Policies:
- Number Matching: Ensure users are prompted for number matching in MFA requests (Microsoft Authenticator) to prevent accidental approvals.
- Device Compliance: Require Hybrid Azure AD joined or compliant devices for sensitive access. Evilginx sessions often originate from unknown or spoofed device IDs.
- Location/IP Restrictions: Block sign-ins from known anonymizing services or hosting provider IP ranges unless explicitly approved.
-
Disable Legacy Authentication: Ensure legacy protocols (IMAP, POP3, SMTP) which do not support MFA are disabled in Exchange Online.
-
Monitoring for Session Theft: Configure Sentinel to alert on "Impossible Travel" scenarios and multiple successful logins from distinct geographic locations within a short timeframe.
Related Resources
Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.