// NEXUSVOID CYBER NEWS
<- ALL CYBER NEWS
Notable
Evilginx, phishing, Microsoft 365, adversary-in-the-middle, MFA bypass, session token, passkeys
An Attacker Left a Directory Listing On, and Exposed Three M365 Phishing Operations
A Microsoft 365 phishing crew running Evilginx left a Python web server exposed with directory listing enabled, handing researchers a look inside three live operations. The tools that beat multi-factor authentication are getting easier to run, and easier to fumble.
A live Microsoft 365 phishing operation was exposed after its operator left a simple Python web server listening on a public port with directory listing switched on, giving researchers a view into three separate Evilginx campaigns, as reported by The Hacker News. The command that did it, python3 -m http.server 8080, was still sitting in the shell history.
Evilginx matters because of what it defeats. It is an adversary-in-the-middle tool that proxies a real login page, capturing not just the password but the session token, which means it can slip past many forms of multi-factor authentication. That is precisely the protection most organizations rely on to stop account takeover.
The operational-security failure is the human note in the story. The same carelessness that exposes a corporate server exposes an attacker's, and here a default web server with listing enabled turned a hidden operation into an open one. It is a useful reminder that attackers make the same mundane mistakes defenders do.
The defensive takeaway is to move toward authentication that resists this class of attack. Phishing-resistant methods such as hardware security keys and passkeys do not hand over a reusable token the way a one-time code or push prompt can, and for high-value accounts they are the difference between a stolen password and a stolen account.
Sources: The Hacker News.