Misconfigured Server Exposes – Targeting Microsoft 365

Overview

A single misstep — leaving a Python web server with directory listing enabled — exposed the full toolkit of an attacker running a Microsoft 365 phishing operation. French security firm Lexfo leveraged this lapse to uncover three separate Evilginx campaigns, each using different techniques to bypass multi‑factor authentication (MFA).

The Discovery

The exposed server revealed:

  • Phishing configs and credential‑harvesting logs.
  • RMM installers and combolists.
  • Telegram session files belonging to the operator.

The operator, tracked as codemado, was linked to VoIP and hacking forums since 2018. His campaign ran on picis[.]net, monetized through a bulk mailer called MaDoO Blaster, and targeted corporate Microsoft 365 accounts in France and North America.

Three Distinct Campaigns

  1. codemado’s fork (Egyptian operator)
    • Ran a classic Evilginx adversary‑in‑the‑middle proxy.
    • Refreshed stolen tokens as they aged out.
    • Monetized access through bulk mailing tools.
  2. mail‑argenta’s fork (Nigerian operator)
    • Added URL‑rewriting engines and renamed HTML attributes to evade detection.
    • Pre‑filled victim email addresses to reduce abandonment.
    • Captured cookies with one‑year TTLs, allowing sessions to persist even after password resets.
    • A leaked password tied him back to his own infrastructure.
  3. saroula01’s fork (unknown operator)
    • Exploited Microsoft OAuth device code flow.
    • Victims entered real codes at microsoft.com/devicelogin, unknowingly authorizing attacker sessions.
    • Captured 218 accounts across 12 countries, 94% corporate mailboxes.
    • Tokens auto‑refreshed up to 25 times, keeping sessions alive indefinitely.

AI‑Assisted Development

Evidence showed AI models were used to build parts of these phishing kits:

  • Claude commits in saroula01’s repo.
  • AI coding session transcripts in mail‑argenta’s instructions.
  • CyberNeurova API credits in codemado’s scripts.

While the Evilginx core remained unchanged, AI‑generated glue code and phishlets streamlined development, lowering the barrier to entry.

Defensive Recommendations

The report stresses that different techniques require different defenses:

  • Against Evilginx proxies:
    • Deploy phishing‑resistant MFA (FIDO2, passkeys).
    • Bind sign‑ins to the real domain.
  • Against device code abuse:
    • Block device code flow unless required for specific hardware.
    • Use Conditional Access policies to restrict sign‑ins by IP/location.
    • Enable Continuous Access Evaluation (CAE) to reevaluate stolen tokens.
  • Detection tips:
    • Watch for refresh‑token grants from Office client ID d3590ed6-52b3-4102-aeff-aad2292ab01c.
    • Hunt on the Original transfer method field in Entra logs.
    • Monitor endpoints for RMM tooling like XEOX agents.

Expert in the Cloud Insight

This case illustrates how phishing‑as‑a‑service ecosystems and AI‑assisted coding have lowered the barrier to entry for attackers. With frameworks available on GitHub and minor customizations powered by AI, launching a sophisticated campaign now requires minimal skill.

For defenders, the takeaway is urgent: blocking device code flow and enforcing phishing‑resistant MFA are critical. Without both, organizations remain exposed to evolving adversary‑in‑the‑middle tactics.

Be the first to comment

Leave a Reply

Your email address will not be published.


*


This site uses Akismet to reduce spam. Learn how your comment data is processed.