Summary
Key Points:
- A misconfigured Python web server exposed a phishing operation using Evilginx targeting Microsoft 365, revealing extensive attacker tools and logs.
- The attack impacted corporate mailboxes, with operators successfully bypassing MFA through two distinct methods: proxying live logins and exploiting legitimate Microsoft sign-in flows.
- Implement Conditional Access policies to block device code flows and monitor sign-in logs for unusual refresh-token grants from the Microsoft Office client ID.
Technical Details: The attackers utilized a custom fork of Evilginx to facilitate credential harvesting and bypass MFA. The exposed server was traced back to an Egyptian actor known as codemado, who has been active since 2018.
MITRE ATT&CK Techniques:
- T1566 - Phishing (Initial Access)
- T1078 - Valid Accounts (Defense Evasion)
- T1003.001 - OS Credential Dumping: LSASS Memory (Credential Access)
- T1021.001 - Remote Services: Remote Desktop Protocol (Lateral Movement)
IOCs Mentioned:
- IP Address: 185.163.204[.]7
- Domains: picis[.]net, romnor[.]ca
This summary highlights the critical aspects of the phishing operations, their impact on Microsoft 365 users, and recommended mitigations to enhance security against such attacks.
Join the discussion — sign up to comment, upvote, and save articles.