HackMyIP
← Back to News
2026-07-13 The Hacker News

Misconfigured Server Exposes Three Evilginx Phishing Operations Targeting M365

PhishingThreat IntelAuthentication

A single misconfiguration handed French security firm Lexfo an intelligence windfall. During a routine internet scan in late April 2026, researchers found an attacker-controlled host at 185.163.204[.]7 in Budapest running a Python web server with directory listing enabled. The command `python3 -m http.server 8080` was still readable in `.bash_history`, exposing phishing configs, credential-harvesting logs, Remote Monitoring and Management installers, combolists, backup archives, and the operator's own Telegram session files. Behind that listing sat a live Evilginx adversary-in-the-middle proxy and a SimpleHelp remote console. The misstep was, as Lexfo put it, close to a full confession, and investigators used it to pivot from one operator to three concurrent campaigns.

The primary operator, tracked as `codemado`, is an Egyptian actor active in VoIP and hacking forums since 2018. His Microsoft 365 AiTM platform runs on picis[.]net, monetized through a custom bulk mailer he authored called MaDoO Blaster. The campaign went live on April 20, 2026, and kept operating past the April 30 disclosure, with fresh subdomains and a renewed wildcard certificate appearing weeks later. His own bot logged successful captures against two corporate M365 mailboxes, one in France and one in North America, with repeated captures from different IPs suggesting stolen session tokens were being refreshed as they aged out. Anyone running M365 today can run a quick privacy checkup to gauge exposure, while security teams hunting for similar infrastructure can confirm the host with a targeted port scan.

Codemado didn't build his framework, he cloned and compared it. The exposed server held four Evilginx variants pulled from two GitHub developers, both of whom turned out to be active operators running their own kits. The first, a Nigerian actor the report calls `mail-argenta` operating a fork called `red-queen`, had bolted significant anti-detection polish onto the public codebase. His build renames the `crossorigin` and `integrity` HTML attributes to defeat Subresource Integrity checks, ships a custom URL-rewriting engine inside `http_proxy.go` to sidestep path-based detection, pre-fills the victim's email to cut form abandonment, and stamps a one-year TTL (31,536,000 seconds) on captured Microsoft session cookies, long enough to outlast a password reset. The stolen credentials flowing through these kits make email breach checks especially important for any corporate account that has touched the affected domains.

The three campaigns defeated MFA in two mechanically distinct ways: one proxied the live Microsoft 365 sign-in in real time, while another abused a legitimate Microsoft sign-in flow. Because the bypasses differ, the remediations differ. Token theft forks demand short session lifetimes and Conditional Access policies requiring Continuous Access Evaluation (CAE) capable clients, while flow-based abuse requires tighter control over consent grants and legacy authentication paths. Both demand aggressive revocation of refresh tokens, audit-log monitoring for impossible-travel and token-refresh anomalies, and the gradual retirement of basic authentication. The longer a captured cookie stays useful, the larger the blast radius, which is exactly why these operators are engineering ever-longer cookie TTLs into their kits.

Source: The Hacker News →

Related Tools

Check whether this kind of story affects you — free, no signup:

Port Scanner →Security Headers Check →Privacy Checkup →

Related Guides

Learn the background behind this story:

How phishing attacks work →How to check if an email is safe →SPF, DKIM & DMARC explained →