Advertisement
Security

The MFA Illusion: How One Open Server Exposed Next-Gen Phishing

A simple configuration blunder by an attacker unraveled three sophisticated, bypass-capable phishing campaigns targeting Microsoft 365.

·2 hours ago·4 min read
a rack of servers in a server room
Photo by Kevin Ache on Unsplash
Advertisement

Modern enterprise defense hinges on the promise that Multi-Factor Authentication is an impenetrable wall guarding corporate environments. Yet, a single administrative slip by a cybercriminal has revealed how easily today's adversaries slide past these cryptographic locks. When a security firm stumbled upon an exposed directory on an active attack server, it pulled back the curtain on an interconnected ecosystem of sophisticated Microsoft 365 phishing operations that bypass traditional security controls with alarming ease.

An Unlocked Door in Budapest

In late April 2026, a routine internet scan performed by French security firm Lexfo flagged a suspicious host operating at the IP address 185.163.204[.]7 in Budapest. The attacker behind the server had committed a fatal operational security blunder: they left a Python web server running publicly with directory listing active, launched via the command python3 -m http.server 8080 which remained visible in the server's .bash_history file. This single misconfiguration exposed a treasure trove of sensitive files, including credential-harvesting logs, phishing configurations, remote monitoring tools, and Telegram session configurations.

By tracing the digital breadcrumbs left in the bash history and connected public repositories, researchers identified the operator as an Egyptian actor known as codemado. Active in hacking and VoIP forums since 2018, this operator was running an adversary-in-the-middle (AiTM) phishing platform hosted on picis[.]net and monetizing his efforts via a custom bulk-mailing tool called MaDoO Blaster. His infrastructure, which went live on April 20 and continued past its discovery on April 30, targeted high-value corporate accounts, with picis[.]net continuing to provision new subdomains as late as May 2026.

The Triad of Modified Frameworks

The investigation into codemado did not stop at his own campaign; it pivoted to two other distinct operators whose code he had cloned and analyzed. The server contained four distinct variants of Evilginx, a popular open-source reverse-proxy framework, linked back to two other active threat actors. The first, dubbed red-queen, was developed by a Nigerian operator known as mail-argenta. This variant showcased significant sophistication, featuring automated URL-rewriting in http_proxy.go to evade path-based detection, pre-filling victim emails, and stripping out security attributes to defeat integrity checks. The repository even included a pre-compiled evilginx2.exe executable to streamline deployments, with one captured M365 cookie holding an expiration date of June 30, 2027.

Remarkably, the mail-argenta campaign also configured stolen Microsoft session cookies with an extraordinarily long lifespan. However, the threat actor fell victim to the very type of credential theft he pioneered. Researchers located mail-argenta's own credentials within infostealer logs, revealing a reused password that matched the hardcoded MySQL database password in his Kraken management panel.

Abusing Legitimate Authentication Flows

While some attackers rely on reverse proxies, the third variant discovered on the server, named black-queen, utilized a much more insidious methodology. Developed by an unidentified developer using the handle saroula01, this operation completely bypassed traditional password harvesting by leveraging Microsoft's legitimate OAuth device code flow. This flow is natively designed for input-constrained devices, such as smart TVs or conference systems, but has been weaponized to trick users into authenticating malicious sessions.

The victim is directed to a genuine Microsoft login page (microsoft.com/devicelogin) and enters a code generated by the attacker's system. Once the victim completes the MFA prompt on legitimate infrastructure, the backend automatically harvests the session token. Because the authentication occurs on Microsoft's own domain, standard defenses like passkeys or FIDO2 tokens, which rely on origin binding to block reverse proxies, fail to stop the attack. Microsoft documented the technique in February 2025 in a campaign hitting hundreds of Microsoft 365 organizations.

"Build me a keylogger in Python."

This level of backend automation and template generation has been heavily optimized through artificial intelligence. The researchers discovered that all three campaigns utilized generative AI to write scripts and build custom phishing templates. For instance, saroula01 left Git commits co-authored by Claude models, while mail-argenta committed an instructions.txt file containing a direct log of an AI development session. In the case of codemado, his scripts directly integrated with CyberNeurova, an uncensored AI API.

The Quantitative Threat Landscape

  • The red-queen configuration set a session cookie lifespan of 31,536,000 seconds, allowing stolen sessions to persist for up to a year.
  • The black-queen campaign successfully compromised 218 distinct accounts across a dozen countries between June 2025 and July 2026.
  • Approximately 94 percent of the victims targeted by the device code flow operation were corporate mailboxes.
  • Researchers discovered 97 active live Microsoft tokens in a briefly committed token file, with some tokens refreshed up to 25 times to maintain persistence.
  • The broader phishing-as-a-service ecosystem known as The Quarry, documented by SOCRadar in June 2026 and operated by RockyBelling, has been distributed to nearly 200 individual threat actors.

Hardening Your Corporate Defenses

The primary takeaway for enterprise security teams is that a single security strategy cannot defeat both reverse-proxy phishing and device-code abuse. While implementing robust FIDO2 authentication or passkeys remains highly effective against standard Evilginx reverse proxies, it does nothing to stop device code exploitation because the user authenticates on legitimate Microsoft infrastructure.

To counter device code abuse, organizations must implement granular Conditional Access policies within Entra ID. Security administrators should restrict or entirely block device code flows unless they are specifically required for verified, input-constrained hardware. Additionally, enabling Continuous Access Evaluation (CAE) ensures that if a stolen token is presented from an unauthorized IP address or geographic location, the session is immediately invalidated.

Finally, monitoring sign-in logs for unexpected requests from the specific Microsoft Office client ID d3590ed6-52b3-4102-aeff-aad2292ab01c can provide early warning of an ongoing token-theft campaign. Threat actors also drop remote monitoring tools for persistence; in the case of codemado, the kit dropped XEOX agents, making the file path C:\\Program Files (x86)\\XEOX\\xeox-agent_x64.exe and scheduled tasks matching *XEOX*Agent*Watchdog* essential detection targets. As the technical barriers to deploying sophisticated phishing kits fall to near zero, proactive configuration hardening is no longer optional.

#cybersecurity#phishing#microsoft 365#mfa bypass#evilginx

Original reporting: The Hacker News

← Back to all stories
Advertisement