What Happened
French security firm Lexfo discovered that a threat actor running an active Microsoft 365 phishing operation had left a Python HTTP server running on a public virtual private server — directory listing switched on, with a readable bash history file that showed the command used to start it. The exposed directory contained phishing configurations, credential-harvesting logs, RMM installers, credential combolists, backup archives, and the operator’s own Telegram session files.
Pivoting through the exposed materials, researchers traced the operation to two additional threat actors, uncovering three simultaneous phishing campaigns in total. All three ran custom forks of Evilginx, the open-source adversary-in-the-middle (AiTM) proxy tool, cloned from public GitHub repositories and configured to intercept Microsoft 365 login flows in real time.
The recovered Telegram bot logs showed 218 compromised corporate mailboxes across a dozen countries between June 2025 and July 2026, with roughly 94 percent belonging to enterprise accounts. The three campaigns bypassed MFA in two different ways: one group proxied the live Microsoft login session — capturing the authenticated session cookie after the legitimate MFA challenge was completed — while the other abused a legitimate Microsoft OAuth flow to obtain persistent access tokens.
Why This Matters for Canadian Organizations
Microsoft 365 is the dominant enterprise productivity platform in Canada, deployed across federal and provincial government, financial services, healthcare, post-secondary education, and the private sector. The central problem this incident illustrates is not a Microsoft vulnerability — it is a structural weakness in standard MFA implementations. When an attacker proxies the login session in real time, the user completes a legitimate MFA challenge against their own authenticator, and the attacker receives the resulting session cookie. From that point, the cookie is valid, and the attacker is authenticated into the account without triggering any additional challenge.
Phishing-resistant MFA methods — hardware security keys and passkeys — are immune to this technique because the authentication is cryptographically bound to the legitimate website’s domain. App-based TOTP codes and SMS verification are not. Canadian organizations in financial services operating under OSFI B-13 guidelines are expected to assess their MFA posture as part of their technology and cyber risk management framework. For organizations subject to PIPEDA, a compromised M365 mailbox containing personal information triggers a breach of security safeguards assessment.
The secondary lesson from this incident is the value of threat intelligence derived from operational security failures. All three phishing operations were exposed because one operator left a server misconfigured. Security teams benefit from actively monitoring for exposed phishing infrastructure in threat intelligence feeds, as these often reveal campaigns targeting their industry or geography before victims are contacted.
What to Do
Evaluate your organization’s MFA posture and prioritize migration to phishing-resistant authentication methods — FIDO2 hardware keys or passkeys — for privileged users, remote access accounts, and accounts with access to sensitive data. For accounts where phishing-resistant MFA is not yet deployed, implement Conditional Access policies in Entra ID that restrict access by device compliance, network location, and sign-in risk score. Enable token protection (binding tokens to device) where available. Train users to recognize AiTM phishing pages, which are visually identical to legitimate Microsoft login flows. Review sign-in logs for anomalous token lifetimes or geographic inconsistencies that indicate session cookie theft.
Source: The Hacker News






