A critical security misstep has exposed not one, but three sophisticated Evilginx phishing operations targeting Microsoft 365 users worldwide. The security breach wasn't the result of cutting-edge forensics, but rather a fundamental operational error by an attacker who forgot the first rule of cybercrime: cover your tracks. This discovery highlights how even threat actors make mistakes, providing security researchers with invaluable intelligence about modern phishing tactics.

French security firm Lexfo made the discovery when they identified a Python web server left accessible on a public port with directory listing enabled. The server had been launched using the command "python3 -m http.server 8080" which remained visible in the attacker's bash history file. This seemingly small oversight created a treasure trove of information for investigators, allowing them to access the complete toolkit of the phishing operator. From this initial access, Lexfo analysts were able to pivot and identify two additional distinct phishing operations, all utilizing the Evilginx framework to target Microsoft 365 credentials.

Organizations using Microsoft 365 should be particularly concerned about these findings. Evilginx is a sophisticated phishing framework that performs man-in-the-middle attacks, allowing threat actors to capture not just usernames and passwords, but also session cookies and multi-factor authentication tokens. This means that even accounts protected by MFA could be compromised through these attacks. The exposed toolkits likely contained templates for convincing Microsoft login pages, infrastructure for hosting the attacks, and scripts for harvesting