Microsoft: Exposed Server Unmasks Evilginx Operators Stealing Microsoft 365 Sessions and OAuth Tokens

Microsoft: Exposed Server Unmasks Evilginx Operators Stealing Microsoft 365 Sessions and OAuth Tokens

Exposed Server Reveals Active MFA-Bypass Phishing Operation Linked to Egyptian Threat Actor

A misconfigured server in Budapest inadvertently exposed an active phishing campaign designed to bypass Microsoft 365 multi-factor authentication (MFA) and maintain persistent access to compromised accounts. The server, hosted at 185.163.204[.]7, was running a publicly accessible Python HTTP server with directory listing enabled, revealing operational files including phishing configurations, Telegram session artifacts, credential logs, remote management (RMM) installers, and malicious droppers.

The breach provided researchers with a detailed snapshot of the threat actor’s infrastructure, linked to an Egyptian operator tracked as codemado (also known as MaDoO and MaDosc). The actor’s online footprint dates back to at least 2018, with activity in hacking and VoIP-focused communities. Key findings include:

  • MFA-Bypass Techniques: The campaign used Evilginx-style reverse proxies under the domain picis[.]net to intercept authenticated session cookies and OAuth tokens in real time, allowing attackers to access cloud services even after victims completed MFA challenges.
  • Custom Tooling: The operator deployed MaDoO Blaster v4.7.3, a bulk mailer, alongside multiple Evilginx forks, including red-queen (linked to mail-argenta) and black-queen (associated with saroula01). Public GitHub repositories revealed phishing kits targeting Microsoft 365, Okta, GitHub, Gmail, and financial institutions, with some configurations setting cookie lifetimes to one year.
  • Anti-Bot Evasion: A Node.js gateway used browser fingerprinting to redirect scanners to benign sites (e.g., YouTube) while allowing targeted victims to reach Microsoft-themed lures (OneDrive, SharePoint, DocuSign).
  • Post-Compromise Tools: The server contained ScreenConnect, SimpleHelp, SuperOps, and XEOX RMM tools, alongside PowerShell and VBScript droppers, indicating the operator’s focus on remote access and persistence. Links to AsyncRAT activity further suggest broader malicious objectives.
  • Device Code Phishing: The black-queen framework abused Microsoft’s Device Code Flow, tricking victims into authenticating via legitimate Microsoft portals while attackers harvested tokens. This campaign reportedly compromised 218 victims across 12 countries, with automated token refresh maintaining silent access.

The infrastructure also included a Cloudflare Tunnel, Telegram-based victim alerts, and compromised SMTP account-checking mechanisms. Hardcoded credentials in phishing panels and reused passwords tied to the operator were exposed in the breach.

Indicators of Compromise (IoCs) include the phishing domain picis[.]net, hosting IP 185.163.204[.]7, and RMM servers like vinicious.picis[.]net. The findings highlight the growing sophistication of adversary-in-the-middle (AiTM) phishing, where attackers exploit session tokens to bypass MFA protections. The operation’s ties to the "The Quarry" phishing-as-a-service ecosystem suggest broader collaboration among threat actors.

Source: https://gbhackers.com/evilginx-operators-stealing-microsoft-365/

Microsoft Security cybersecurity rating report: https://www.rankiteo.com/company/microsoft-security

"id": "MIC1783931313",
"linkid": "microsoft-security",
"type": "Cyber Attack",
"date": "4/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '218 victims',
                        'industry': ['Technology',
                                     'Financial Services',
                                     'Cloud Services'],
                        'location': '12 countries (unspecified)',
                        'type': 'Organizations and individuals'}],
 'attack_vector': 'Misconfigured server (publicly accessible Python HTTP '
                  'server with directory listing enabled)',
 'data_breach': {'data_exfiltration': 'Yes (via phishing and token '
                                      'interception)',
                 'number_of_records_exposed': '218 victims (records '
                                              'unspecified)',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High (authenticated session tokens, '
                                        'PII)',
                 'type_of_data_compromised': ['Session cookies',
                                              'OAuth tokens',
                                              'Credentials',
                                              'Personally Identifiable '
                                              'Information (PII)']},
 'description': 'A misconfigured server in Budapest inadvertently exposed an '
                'active phishing campaign designed to bypass Microsoft 365 '
                'multi-factor authentication (MFA) and maintain persistent '
                'access to compromised accounts. The server hosted operational '
                'files including phishing configurations, Telegram session '
                'artifacts, credential logs, remote management (RMM) '
                'installers, and malicious droppers. The threat actor, tracked '
                'as codemado (MaDoO/MaDosc), used Evilginx-style reverse '
                'proxies to intercept session cookies and OAuth tokens, '
                'enabling access to cloud services even after MFA challenges. '
                'The campaign targeted Microsoft 365, Okta, GitHub, Gmail, and '
                'financial institutions, with tools like MaDoO Blaster, '
                'ScreenConnect, and AsyncRAT for persistence and remote '
                'access.',
 'impact': {'data_compromised': 'Authenticated session cookies, OAuth tokens, '
                                'credentials, personally identifiable '
                                'information (PII)',
            'identity_theft_risk': 'High (PII exposure, session token abuse)',
            'operational_impact': 'Persistent unauthorized access to cloud '
                                  'services, remote control of compromised '
                                  'systems',
            'systems_affected': 'Microsoft 365, Okta, GitHub, Gmail, financial '
                                'institutions, remote management tools (RMM)'},
 'initial_access_broker': {'backdoors_established': 'Remote management tools '
                                                    '(ScreenConnect, '
                                                    'SimpleHelp, SuperOps, '
                                                    'XEOX), '
                                                    'PowerShell/VBScript '
                                                    'droppers',
                           'entry_point': 'Phishing (Evilginx-style reverse '
                                          'proxies, Device Code Flow abuse)',
                           'high_value_targets': ['Microsoft 365',
                                                  'Okta',
                                                  'GitHub',
                                                  'Gmail',
                                                  'Financial institutions']},
 'investigation_status': 'Ongoing (researchers exposed infrastructure)',
 'lessons_learned': 'Growing sophistication of adversary-in-the-middle (AiTM) '
                    'phishing attacks, risks of session token abuse to bypass '
                    'MFA, importance of securing misconfigured servers and '
                    'monitoring for unauthorized access tools.',
 'motivation': 'Persistent access to compromised accounts, financial gain, '
               'remote control of systems',
 'post_incident_analysis': {'corrective_actions': ['Secure server '
                                                   'configurations and disable '
                                                   'directory listing',
                                                   'Implement session token '
                                                   'revocation policies',
                                                   'Monitor for unauthorized '
                                                   'RMM tools and phishing '
                                                   'infrastructure',
                                                   'Enhance detection of AiTM '
                                                   'phishing attacks'],
                            'root_causes': ['Misconfigured server with '
                                            'publicly accessible directory '
                                            'listing',
                                            'Use of Evilginx-style phishing '
                                            'frameworks to bypass MFA',
                                            "Abuse of Microsoft's Device Code "
                                            'Flow for token harvesting',
                                            'Lack of session token revocation '
                                            'controls']},
 'recommendations': ['Implement stricter controls on session token lifetimes '
                     'and revocation policies.',
                     'Monitor for unauthorized remote management tools (RMM) '
                     'and phishing infrastructure.',
                     'Enhance detection of Device Code Flow abuse and '
                     'Evilginx-style attacks.',
                     'Secure publicly accessible servers and disable directory '
                     'listing.',
                     'Educate users on phishing risks and MFA bypass '
                     'techniques.'],
 'references': [{'source': 'Cyber Incident Report'}],
 'threat_actor': 'codemado (MaDoO/MaDosc)',
 'title': 'Exposed Server Reveals Active MFA-Bypass Phishing Operation Linked '
          'to Egyptian Threat Actor',
 'type': 'Phishing',
 'vulnerability_exploited': 'MFA bypass via Evilginx-style reverse proxies, '
                            'Device Code Flow abuse, session token '
                            'interception'}
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.