Back to Intelligence

Misconfigured Infrastructure Exposes Evilginx Operations: Defending Against Microsoft 365 AiTM Phishing

SA
Security Arsenal Team
July 13, 2026
6 min read

In a stark reminder that operational security (OPSEC) failures affect even the adversary, French security firm Lexfo discovered three distinct Evilginx social engineering operations targeting Microsoft 365. The breach occurred not through a sophisticated zero-day, but via a fundamental misconfiguration: an attacker left a Python web server listening on a public port with directory listing enabled.

The command python3 -m http.server 8080 was found sitting in a readable .bash_history file. This single lapse allowed defenders to pivot through the operator's toolkit and uncover a wider campaign. For SOC analysts and CISOs, this incident provides a dual opportunity: to understand the current TTPs of Evilginx operators and to audit our own infrastructure for the same sloppy configuration that often leads to compromise.

Technical Analysis

Threat Overview: The incident centers on Evilginx, a man-in-the-middle (MitM) attack framework used to bypass multi-factor authentication (MFA). Unlike traditional phishing, which captures credentials, AiTM (Adversary-in-the-Middle) tools like Evilginx proxy the traffic between the victim and the legitimate service (in this case, Microsoft 365). This allows the attacker to intercept the session token (cookie) issued after successful authentication, granting them access without ever needing the second factor or the password again.

The OPSEC Failure:

  • Mechanism: The attacker utilized python3 -m http.server 8080 to serve files, likely the phishing kit or exfiltrated data.
  • Exposure: Directory listing was left on, and the shell history (.bash_history) was readable. This is a classic "script kiddie" mistake that provided a full inventory of the operator's files.
  • Impact: The exposure allowed researchers to identify three distinct campaigns targeting Microsoft 365, likely including the rogue TLS certificates and JSON configuration files used by the Evilginx framework.

Exploitation Status: There is no CVE associated with this specific news item; the vulnerability is human error. However, the underlying threat (Evilginx) represents a critical, active exploitation methodology against identity providers. Evilginx remains a staple in the initial access broker (IAB) ecosystem due to its effectiveness against standard MFA implementations.

Detection & Response

Detecting AiTM attacks requires a layered approach. We must detect the infrastructure setup (if it occurs within our environment) and, more critically, detect the behavioral anomalies of the authentication traffic itself.

SIGMA Rules

The following rules detect the specific infrastructure setup errors highlighted in this report, as well as general reconnaissance behavior common in post-exploitation phases on Linux endpoints.

YAML
---
title: Potential File Transfer via Simple HTTP Server
id: 8a4b2c1d-5e6f-4a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects the usage of Python's simple HTTP server module, which is often used for quick file transfers or serving phishing kits but is rare in production environments.
references:
 - https://thehackernews.com/2026/07/misconfigured-server-reveals-three.html
author: Security Arsenal
date: 2026/07/15
tags:
 - attack.command_and_control
 - attack.t1102
logsource:
 category: process_creation
 product: linux
detection:
 selection:
   Image|endswith: '/python3'
   CommandLine|contains: ' -m http.server'
 condition: selection
falsepositives:
 - Legitimate use by developers in isolated environments
level: medium
---
title: Suspicious Read of Shell History File
id: 9d5c3e2f-6f7a-4b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects processes reading the .bash_history file. Attackers often read this to understand administrator actions or steal credentials, while the incident above highlights the risk of leaving it readable.
author: Security Arsenal
date: 2026/07/15
tags:
 - attack.credential_access
 - attack.t1003
logsource:
 category: file_event
 product: linux
detection:
 selection:
   TargetFilename|endswith: '/.bash_history'
 filter:
   Image|endswith:
     - '/bash'
     - '/sh'
     - '/zsh'
 condition: selection and not filter
falsepositives:
 - Adminstrative troubleshooting tools (e.g., history grep)
level: low

KQL (Microsoft Sentinel)

This query hunts for signs of Adversary-in-the-Middle (AiTM) activity against Microsoft 365. A primary indicator of AiTM tools like Evilginx is a mismatch between the Device ID and the User Agent, or logins originating from hosting providers (ASNs) rather than typical residential/Corporate IPs.

KQL — Microsoft Sentinel / Defender
let HostingASNs = dynamic(["AS8075", "AS15169", "AS16276", "AS16509", "AS14618", "AS13335"]); // Add known cloud/hosting ASNs
SigninLogs
| where AppDisplayName in ("Office 365", "Microsoft Office 365 Portal")
| where ResultType == 0 // Success
| extend DeviceDetail = parse_(DeviceDetail)
| evaluate risk_score(UserPrincipalName, IPAddress, ResultType)
| mv-expand todynamic(DeviceDetail)
| where DeviceDetail.deviceId is not null
// AiTM often fakes the User Agent but may fail to consistently spoof the Device ID across sessions, or proxies from hosting ranges
| join kind=leftouter (
    DeviceInfo
    | distinct DeviceId, TrustLevel
) on $left.DeviceDetail.deviceId == $right.DeviceId
| where IPAddress in (HostingASNs) 
   or isempty(TrustLevel) // Device not recognized/trusted
| project TimeGenerated, UserPrincipalName, IPAddress, UserAgent, DeviceDetail, ConditionalAccessStatus, Location
| summarize count() by UserPrincipalName, IPAddress, bin(TimeGenerated, 1h)

Velociraptor VQL

This artifact hunts for active Python processes listening on network interfaces, similar to the setup observed in the Lexfo report. It also checks for readable .bash_history files.

VQL — Velociraptor
-- Hunt for Python HTTP Servers and readable history
SELECT * FROM chain(
  -- Query 1: Check for python3 processes
  SELECT Pid, Name, Cmdline, Exe
  FROM pslist()
  WHERE Name =~ 'python3'
    AND Cmdline =~ 'http.server',

  -- Query 2: Check network listeners for Python
  SELECT Pid, Family, Address, Port
  FROM listen_sockets()
  WHERE Pid IN (SELECT Pid FROM pslist() WHERE Name =~ 'python'),

  -- Query 3: Check permissions on .bash_history
  SELECT FullPath, Mode, Size, Mtime
  FROM glob(globs='/root/.bash_history', '/home/*/.bash_history')
  WHERE Mode =~ '.*r.*'  -- Readable by group/others is a risk
)

Remediation Script (Bash)

Use this script to audit Linux servers for the specific misconfigurations mentioned in the report. This helps prevent "supply chain" style compromises where your server is used as the pivot point.

Bash / Shell
#!/bin/bash
# Audit for Python HTTP servers and .bash_history permissions

echo "[*] Checking for active Python HTTP servers..."
# Find python3 processes running http.server
PYTHON_PIDS=$(pgrep -f 'python3 -m http.server')

if [ -n "$PYTHON_PIDS" ]; then
    echo "[!] WARNING: Found Python HTTP servers running. PIDs: $PYTHON_PIDS"
    ps -p $PYTHON_PIDS -o pid,cmd
else
    echo "[+] No Python HTTP servers detected."
fi

echo "[*] Auditing .bash_history permissions..."
# Find world-readable history files in user homes
echo "[!] Listing history files with Group/Other read permissions:"
find /root /home -maxdepth 2 -name '.bash_history' -type f -perm /o=r -ls 2>/dev/null

echo "[*] Hardening .bash_history permissions..."
# Lock down history files to owner-read/write only (600)
find /root /home -maxdepth 2 -name '.bash_history' -type f -exec chmod 600 {} \;

echo "[+] Audit complete."

Remediation

While the news highlights an attacker's mistake, the defensive posture for organizations targeted by Evilginx requires identity hardening:

  1. Implement Phishing-Resistant MFA: Attackers using Evilginx can bypass standard SMS or TOTP MFA. Transition to FIDO2/WebAuthn security keys, which are resistant to MitM attacks because the cryptographic signature is bound to the domain.

  2. Enforce Conditional Access Policies:

    • Number Matching: Ensure users are prompted for number matching in MFA requests (Microsoft Authenticator) to prevent accidental approvals.
    • Device Compliance: Require Hybrid Azure AD joined or compliant devices for sensitive access. Evilginx sessions often originate from unknown or spoofed device IDs.
    • Location/IP Restrictions: Block sign-ins from known anonymizing services or hosting provider IP ranges unless explicitly approved.
  3. Disable Legacy Authentication: Ensure legacy protocols (IMAP, POP3, SMTP) which do not support MFA are disabled in Exchange Online.

  4. Monitoring for Session Theft: Configure Sentinel to alert on "Impossible Travel" scenarios and multiple successful logins from distinct geographic locations within a short timeframe.

Related Resources

Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub

managed-socmdrsecurity-monitoringthreat-detectionsiemevilginxmicrosoft-365adversary-in-the-middlephishingopsec

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.