A significant lapse in security led to the exposure of three phishing operations targeting Microsoft 365 users, discovered by French security firm Lexfo. The misconfigured server, left with an open directory listing, provided a detailed view of the attacker's toolkit. This discovery included phishing configurations, credential logs, and even the attacker's own Telegram session files. Among these, the largest operation had been ongoing for over a year, primarily targeting corporate mailboxes.
The operations utilized a custom fork of the open-source Evilginx proxy, enabling them to bypass multi-factor authentication (MFA) through two different techniques. One method involved proxying live logins, while the other exploited a legitimate Microsoft sign-in flow. This highlights the need for different defensive strategies for organizations using Microsoft 365.
The server, located in Budapest, was linked to an Egyptian operator known as codemado, who has been active in VoIP and hacking forums since 2018. His operation was running a Microsoft 365 adversary-in-the-middle platform, monetizing access via a bulk mailer. Two other operators were identified through the server's logs, with one from Nigeria utilizing a sophisticated URL-rewriting engine to evade detection, while the other exploited Microsoft's OAuth device code flow to capture tokens without interacting with passwords.
The phishing domains associated with these operations were offline by the time of publication, possibly indicating a rotation of infrastructure. These incidents underscore the broader issue of phishing-as-a-service ecosystems, with AI-assisted development playing a role in enhancing the capabilities of such malicious operations. Organizations are advised to implement phishing-resistant MFA solutions and employ Conditional Access policies to mitigate these threats.



