On July 13, 2026, researchers at French security firm Lexfo uncovered three live Evilginx based phishing campaigns targeting Microsoft 365 after an attacker left a Python web server exposed with directory listing enab... The key defense distinction: AiTM proxy attacks are defeated by phishing resistant MFA (FIDO2/pa...

Create a landscape editorial hero image for this Studio Global article: Search & fact-check with cited sources for What are the details of the recent Microsoft 365 phishing campaigns exposed by a misconfigured se. Article summary: On **July 13, 2026**, researchers at the French security firm **Lexfo** uncovered three live Evilginx-based phishing operations targeting Microsoft 365 after an attacker left a Python web server exposed on a public port . Topic tags: general, government, education, general web, user generated. Style: premium digital editorial illustration, source-backed research mood, clean composition, high detail, modern web publication hero. Use reference image context only for broad subject, composition, and topical grounding; do not copy the exact image. Avoid: logos, brand marks, copyrighted characters, real person likenesses, fake screenshots, UI text, readable text, wat
In July 2026, two parallel discoveries revealed a surge in sophisticated Microsoft 365 phishing attacks that bypass multi-factor authentication (MFA) using two fundamentally different methods: adversary-in-the-middle (AiTM) proxy attacks and device code authentication abuse. The first discovery came from a single attacker mistake — a misconfigured Python web server that exposed three running campaigns. The second came from researchers tracking a new commercial phishing platform called Forg365. Understanding how each attack works is the first step to deploying the right defenses, because the fix for one does not stop the other.
On July 13, 2026, researchers at the French security firm Lexfo uncovered three live Evilginx-based phishing operations targeting Microsoft 365 after an attacker left a Python web server exposed on a public port with directory listing enabled. The command python3 -m http.server 8080.bash_history. From that open directory, Lexfo retrieved the operator's entire toolkit, logs, captured victim data, and pivoted to identify two additional phishing operators running separate campaigns .
All three operations were Evilginx-based AiTM phishing campaigns that proxied Microsoft 365 login pages to steal session tokens after the user completed MFA . One of the three campaigns had logged 218 captured accounts across 12 countries, of which 94% were corporate mailboxes
. The operations used two distinct attack paths: Evilginx session token theft (via an AiTM proxy) and device code phishing — one kit sent victims to the real Microsoft device login page, where they authorized access themselves, and the attacker's backend polled for the token
.
Separately, the Forg365 phishing-as-a-service (PhaaS) platform was identified by ZeroBEC researchers (reported July 9–13, 2026) as a commercial Telegram-distributed kit that costs $400 per month (or $3,800 per year). Unlike the custom Evilginx forks found on the exposed server, Forg365 bundles multiple attack methods and tools into a single operator dashboard .
Forg365 combines three core capabilities:
The platform also includes antibot evasion (detects sandboxes and security crawlers), post-compromise mailbox access (operators can browse and exfiltrate email from within the panel), SMTP rotation, and campaign scheduling .
These two discoveries illustrate the critical distinction between AiTM proxy attacks and device code abuse. Understanding the difference is essential because the same defense does not work for both:
AiTM proxy attacks (Evilginx-style): The attacker sets up a fake login page that proxies traffic to the real Microsoft login page. The user enters their password and completes MFA on the attacker's proxy. After successful authentication, Microsoft issues a session cookie to what it believes is the legitimate user's browser — but that cookie actually lands in the attacker's proxy, not the user's browser. The attacker can then replay that cookie to access the victim's Microsoft 365 account .
Device code phishing: The attacker generates a legitimate Microsoft device code (a short code used to sign in on devices without keyboards, like smart TVs) and sends it to the victim in a phishing email. The victim visits the real Microsoft login page, enters the code, completes MFA, and authorizes the attacker's application. Nothing is "bypassed" — the victim has authorized access. The attacker's backend then polls Microsoft for the token .
The single most effective defense against AiTM proxy attacks is phishing-resistant MFA, specifically FIDO2/WebAuthn and passkeys. These bind credentials to the legitimate domain name, so when the user's browser connects to the attacker's proxy site (which has a different domain), the authentication protocol detects the domain mismatch and blocks the credential exchange automatically .
Other defenses include:
Device code phishing does not require the attacker to trick the user into entering credentials on a fake page — the user interacts with the real Microsoft login page. This means FIDO2/passkeys alone do not fully protect against this attack because the legitimate OAuth flow is being used .
The primary defense is to block the device-code OAuth grant for users who do not need it, using Microsoft Entra ID Conditional Access:
Additional defenses:
The FBI's May 2026 Public Service Announcement on the Kali365 PhaaS platform specifically recommended blocking device code flow as the primary defense . As phishing platforms like Forg365 continue to commercialize these attack techniques, the operational urgency for defenders is clear: deploy FIDO2/passkeys for all privileged accounts to stop AiTM proxy attacks, and use Conditional Access to disable the device-code grant for users who do not need it. One open directory may have exposed three campaigns — but the lessons apply to every Microsoft 365 tenant.
Studio Global AI
Use this topic as a starting point for a fresh source-backed answer, then compare citations before you share it.
On July 13, 2026, researchers at French security firm Lexfo uncovered three live Evilginx based phishing campaigns targeting Microsoft 365 after an attacker left a Python web server exposed with directory listing enab...
On July 13, 2026, researchers at French security firm Lexfo uncovered three live Evilginx based phishing campaigns targeting Microsoft 365 after an attacker left a Python web server exposed with directory listing enab... The key defense distinction: AiTM proxy attacks are defeated by phishing resistant MFA (FIDO2/passkeys), while device code phishing is best blocked by disabling the device code OAuth grant in Microsoft Entra ID Condit...