Cyber Security

Poorly Configured Server Reveals Three Phishing Activities Targeting Microsoft 365

An attacker running a Microsoft 365 phishing operation left a Python web server listening on a public server and directory access. The command you executed: python3 -m http.server 8080he was still reading .bash_history.

Since then, the French security company Lexfo has lifted the entire set of user tools and navigated them to other phishing operators, three campaigns in total. Each used a custom fork of the open source Evilginx proxy, hosted on public GitHub.

The largest of the three has been active for more than a year, its victims being corporate mailboxes.

The three bypassed MFA in two different ways, one by creating a live login proxy, the other by abusing Microsoft’s official login. The two require different protections, which is a very important part when using Microsoft 365.

The directory on the active attack server is close to the full creed. The listing revealed phishing settings, credentials harvesting logs, RMM installers, combolists, backup archives, and user Telegram session files.

Behind it was an Evilginx adversary-in-the-middle proxy and a SimpleHelp remote console on the same host, at 185.163.204[.]7 in Budapest, cataloged in late April 2026 during a routine internet scan.

Bash history and a set of public repos pointed directly to the operator: egypt actor trace codemadoactive in VoIP and hacking platforms since 2018, now using Microsoft 365 AiTM platform in picis[.]reach and make money with a bulk mailer he wrote called MaDoO Blaster.

His campaign went live on April 20 and continued past the day the directory was received on April 30, with new subdomains and a renewed wildcard certificate appearing weeks later. His bot is installed on two accounts of M365 companies, one French, one North American.

Repeated captures of the same accounts from different IPs are consistent, the company said, with operators renewing stolen tokens as they age.

Where the kits come from

Codemado did not create the framework he is in charge of. He named it, and his bash history shows him comparing kits side by side. The server hosted four Evilginx variants released by two other GitHub developers, and both turned out to be active operators themselves.

First, the red queencomes from a Nigerian operator a report called mail-argenta, and it shows how much polish is tied to the public frame. His fork is renaming the name crossorigin again integrity HTML attributes to override Subresource Integrity checks and add a URL rewriting engine to it http_proxy.go to escape method-based detection. It pre-populates the victim’s email address to terminate rejection.

It also sets a TTL of one year, 31,536,000 seconds, for Microsoft time cookies. The report says blocked logins can bypass password resets and, without CAE’s conditional access policy, remain viable for months.

It is pre-assembled evilginx2.exe committed to the repo, so the buyer doesn’t have to build anything. One M365 cookie sitting in the repo has an expiration date of June 30, 2027.

mail-argenta He was caught in the way of his victims. The company found his email and password in infostealer logs, the type of verified data collected by his phishing panels that are there to generate. That leaked password was matched to a hardcoded MySQL password in his Kraken panel and reused in all his accounts.

Silently

The third fork, the dark queenit includes a lot more images than the other two, and it never touches the password. Its author, the researchers could not identify without a handle saroula01build it around Microsoft’s OAuth device code flow, a formal login method intended for devices with limited input.

The attack generates a genuine device code, wraps it in an Authenticator-themed decoy page, and tells the target to enter it for authentication. microsoft.com/devicelogin. The victim goes to the official Microsoft page and cleans MFA for himself. The saroula01 backend polls the last token location and takes the token where they do.

Calling this “MFA bypass” misses the way it works: nothing is bypassed. The decoy page has an Authenticator theme and is created by the attacker, but the device code and the Microsoft page where the victim ends up are authentic, so the MFA notification to the victim is authentic.

A passkey or FIDO2 key is also useless, because the victim erases it from the real Microsoft infrastructure while authenticating the attacker’s session; the origin of the binding that stops Evilginx passes cleanly when the origin is Microsoft.

Microsoft documented the process in February 2025, in a campaign it assessed with moderate confidence as it aligned with Russia. Since then, the use of the past based on government has spread, in campaigns that hit hundreds of Microsoft 365 organizations.

The saroula01 version ran quietly for over a year. The company counted 218 different recorded accounts in the campaign’s Telegram bot log in a dozen countries between June 2025 and July 2026, about 94 percent of which are corporate mailboxes. That’s a logged capture, not a target.

A token file briefly committed to the repo was then removed, still readable in git history, containing 97 live Microsoft tokens committed to three of those targets, each set to autoRefresh and some are refreshed as many as 25 times. The framework kept the sessions alive on its own.

Both sites are phishing sites, pics[.]net and romnor[.]ca, were offline when Hacker News checked before publication, or the timeline of the report shows the pics[.]net are still providing new subdomains as late as May 2026. The Lexfo CTI team told THN that the domains are already offline before they take any action, and learn that as operators move around infrastructure or fall back in place of consolidated downgrades, although they cannot confirm which.

All three connect, loosely, to something bigger. In June 2026, Socradar recorded a phishing-as-a-service ecosystem that it named Quarrydriven by an expensive engineer Rocky Belling and, by its count, has been sold to nearly 200 operators.

MaDoO Blaster appears to be promoted within The Quarry’s Telegram channel as a third-party tool, independently flagged in both written, independent reports as a provider relationship, not membership in it. Whether mail-argenta or saroula01 has any direct tie cannot be shown from the artifacts. Their kits are sitting on public GitHub, and anyone could take them.

Built with help

The report found signs of AI-assisted growth in all three jobs, although they differed in strength. saroula01 left two gits that co-wrote Claude’s models. mail-argenta makes a instructions.txt that’s keeping the AI ​​coding session verbatim, references to previous information and all, documenting how the URL rewriting feature was built.

Codemado’s is young: one of his literary credits CyberNeurovaan “untested” paid code generation API, says the report, which quickly advertises itself as “I built a keylogger in Python.” Two of the three put the model directly into code; the third is the credit line, and none of them show how much each model was made.

It is not limited to these three. Microsoft has separately recorded phishing attacks built on AI-driven backend automation and generative-AI lures.

Hacker News asked the report’s authors how much AI tools were generated across the three operations. The Lexfo CTI team said that the Evilginx forks carry only minor changes to the core, and that the clear signs of the use of AI reside in the surrounding glue code, scripts and phishlets, several of which read like direct model outputs. It was less about the framework itself, the team said, than the code built around it.

What defenders can actually do

These two methods are not mutually exclusive. MFA, FIDO2, or passkeys that don’t block the Evilginx side by combining logins to the real domain. It does not prevent misuse of device code. For that, the lever is Conditional Access.

Microsoft’s own line is to block the flow of device code wherever possible. A few setups require really, really slow hardware to install like Team Room devices and other command line tools. An inventory that uses login logs, blocks all flows elsewhere, and checks the policy in report-only mode before enforcing.

Local IP-based policies with Conditional Access and Continuous Access checks on top, so that in supported Microsoft 365 services, a stolen token detected outside of your allowed scope will be re-checked instead of ending its lifetime.

For detection, the report flags the refresh token grants from the Microsoft Office client ID d3590ed6-52b3-4102-aeff-aad2292ab01c to Entra login logs as appropriate for viewing, when that desktop client is not working normally; check it against unfamiliar source IPs.

The same Microsoft guidance flags a catch: a session started with a device code flow is always marked as refreshing later even if the current event is no longer showing, so look for a login Original transfer method field, not just a live validation protocol.

In the last places, look for RMM tools these operators are not reduced to persistence; The codemado kit reaches XEOX, so start with the agent at C:Program Files (x86)XEOXxeox-agent_x64.exe and related planned activities *XEOX*Agent*Watchdog*. Domains and IPs are in the report, but that infrastructure is rotating, so treat it as containment, not configuration.

Hacker News also asked Microsoft about its device’s code-flow abuse, and did not receive a response at press time. This story will be updated with any feedback.

None of this took much: three operators, none of whom built the structures they ran, set up campaigns working in public storage facilities, kits sold for a few hundred dollars, and a model that came with custom parts.

The report reads that the operational barrier has dropped to zero, and the Lexfo CTI team expects this phase of attacks to become more common in the coming months.

One cheap ecosystem now offers two ways around MFA, and that’s the part that surpasses any one campaign here: a strong store against reverse phishing is still open to misuse of device code. Blocking that second method is a single conditional access policy, no extra passkey is issued, and it only exists if someone writes it.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button