A Phishing Crew Forgot to Lock Its Own Front Door
A single sloppy command in a shell history file handed French researchers the full toolkit behind three live Microsoft 365 phishing operations.

Key points
- French security firm Lexfo uncovered three live Microsoft 365 phishing operations after one operator left a Python web server exposed on the public internet.
- The attackers were running Evilginx, a well-known kit that steals passwords and login session cookies to bypass multi-factor authentication.
- Directory listing was switched on, meaning anyone visiting the server could browse the criminals' files like a public folder.
- A readable .bash_history file, the log of commands typed on the server, gave researchers the operator's exact steps and led them to two more crews.
- The finding shows even attackers targeting Microsoft 365 accounts make basic setup mistakes that expose their entire operation.
Here is a story about a criminal who forgot to lock the door of the room where he kept his tools.
French cybersecurity firm Lexfo was poking around the internet when it spotted a server running a live phishing operation aimed at Microsoft 365 accounts. Phishing, for anyone new to the term, is when criminals build fake login pages to trick people into typing in real passwords.
The operator had made two mistakes. First, they left something called directory listing switched on, which turns a web server into a browsable folder anyone can walk through. Second, they had started the server with a quick one-line command, python3 -m http.server 8080, and that command was still sitting in the shell history file. That file, .bash_history, is basically a diary of every instruction typed into the machine.
From that one slip, Lexfo pulled the entire kit. Then they followed the trail to two more phishing crews running the same playbook.
How were the attackers stealing Microsoft 365 logins?
They were using a tool called Evilginx. It is a phishing kit that sits between the victim and the real Microsoft login page, acting like a middleman. When you type your password and approve the multi-factor prompt on your phone, Evilginx quietly copies the session cookie, the small file your browser uses to prove you are logged in, and hands it to the attacker.
That cookie is the prize. With it, the criminal can walk into your mailbox without needing your password or your phone again. Multi-factor authentication, often shortened to MFA, does not stop this kind of attack on its own.
As first reported by The Hacker News, Lexfo found three separate operators running versions of this setup, each with their own target lists and lure pages.
What was actually on the exposed server?
Because the folder was open to the world, researchers could see the whole workshop.
That included the Evilginx configuration files, lists of intended victims, harvested credentials, and notes the operator had made to themselves. The .bash_history file showed the exact commands used to install and run the kit, which let Lexfo fingerprint similar setups elsewhere on the internet.
In plain terms: the attacker's toolbox, notebook and address book were all sitting in a public cupboard.
Should ordinary Microsoft 365 users be worried?
Yes, but there is something practical you can do. Evilginx-style attacks usually arrive as an email asking you to sign in to view a document, a shared file, or a voicemail.
Check the web address in your browser bar before typing a password. If the domain is not login.microsoftonline.com, close the tab. If your IT team offers phishing-resistant sign-in, sometimes called passkeys or hardware security keys, turn it on. Those methods do not hand over a stealable cookie the way a password and a code do.
For the criminals in this story, the lesson is simpler: if you are going to run a phishing operation, do not leave your shell history where the good guys can read it. The rest of us can enjoy the irony.



