Misconfigured Server Exposes Microsoft 365 Phishing Operations

A recent security lapse has unveiled three sophisticated phishing campaigns targeting Microsoft 365 users. The discovery originated from an attacker who inadvertently left a Python web server publicly accessible with directory listing enabled. This oversight exposed a wealth of information, including phishing configurations, credential logs, remote management tools, and even the attacker’s own Telegram session files.

French security firm Lexfo identified that the attacker utilized a customized version of the open-source Evilginx proxy, cloned from public GitHub repositories. This tool facilitates adversary-in-the-middle (AiTM) attacks, allowing attackers to intercept and manipulate communications between users and legitimate services. The largest of the three campaigns had been operational for over a year, predominantly targeting corporate email accounts.

Mechanisms of the Phishing Attacks

The campaigns employed two distinct methods to bypass multi-factor authentication (MFA). One approach involved proxying live login sessions, effectively capturing authentication tokens in real-time. The other exploited legitimate Microsoft sign-in flows to achieve similar results. Each method necessitates specific defensive measures, underscoring the importance of tailored security strategies for Microsoft 365 environments.

Further investigation revealed that the attacker, identified as an Egyptian actor known as ‘codemado,’ has been active in VoIP and hacking forums since 2018. Codemado’s campaign, which commenced on April 20, 2026, continued beyond the initial discovery on April 30, with new subdomains and renewed wildcard certificates appearing weeks later. Captured data indicated successful compromises of corporate Microsoft 365 accounts in both France and North America.

Origins of the Phishing Kits

Codemado did not develop the phishing framework independently but cloned it from other GitHub repositories. Analysis of the server’s bash history revealed comparisons between different kits, indicating a selection process for the most effective tools. The server contained four Evilginx variants sourced from two other developers, both of whom were active operators themselves.

One variant, dubbed ‘red-queen,’ originated from a Nigerian operator referred to as ‘mail-argenta.’ This version included enhancements such as renaming HTML attributes to bypass Subresource Integrity checks and implementing a URL-rewriting engine to evade path-based detection. Notably, it set a one-year time-to-live (TTL) on captured Microsoft session cookies, potentially allowing intercepted logins to remain valid even after password resets.

The third variant, ‘black-queen,’ logged a higher number of captures than the other two and operated without directly capturing passwords. Its author maintained a low profile, making it challenging to attribute the campaign to a specific individual.

This incident highlights the evolving sophistication of phishing operations targeting Microsoft 365 users. The use of advanced tools like Evilginx proxies and the ability to bypass MFA underscore the need for organizations to implement comprehensive security measures. Regular audits, employee training, and the adoption of Conditional Access policies are essential steps in mitigating such threats.