Misconfigured Server Exposes Three Microsoft 365 Phishing Operations Using Evilginx
What happened
Researchers at French cybersecurity firm Lexfo uncovered three separate Microsoft 365 phishing campaigns after one attacker accidentally exposed their infrastructure through a misconfigured Python web server.
The attacker had enabled directory listing on a public server, allowing researchers to access phishing configurations, credential logs, remote management tools, backup files, and even Telegram session data. The exposed server also contained a readable command history, which helped investigators identify the operator and trace connections to two additional phishing campaigns.
Lexfo attributed the primary operation to an Egyptian threat actor known as codemado, who has been active in hacking and VoIP forums since 2018. Investigators also linked two custom Evilginx forks to operators known as mail-argenta and saroula01. All three campaigns relied on modified versions of the open-source Evilginx adversary-in-the-middle framework, which is designed to steal authenticated Microsoft 365 sessions.
The campaigns used two different techniques to compromise accounts. One relied on traditional adversary-in-the-middle phishing to capture authenticated sessions, while the other abused Microsoft’s legitimate OAuth device code authentication flow. According to Lexfo, the latter method does not technically bypass MFA because victims complete the authentication process on Microsoft’s legitimate sign-in page.
Researchers also found evidence that the operators used AI tools to assist with portions of their development, primarily for scripts and phishing components rather than the underlying Evilginx framework.
Who is affected
The campaigns primarily targeted organizations using Microsoft 365. Lexfo found that the overwhelming majority of compromised accounts belonged to corporate users across multiple countries, with one operation running for more than a year.
Organizations that rely solely on traditional MFA remain particularly exposed to adversary-in-the-middle phishing and device code abuse if appropriate Conditional Access policies are not in place.
Why CISOs should care
The investigation highlights how readily available phishing frameworks have lowered the barrier for attackers. None of the identified operators built the underlying tools themselves, instead modifying publicly available code to launch effective campaigns.
The report also reinforces that phishing-resistant authentication alone is not enough. While passkeys and FIDO2 authentication help defend against Evilginx-style attacks, they do not prevent attackers from abusing Microsoft’s legitimate device code authentication flow. Security leaders should ensure their Microsoft 365 environments are protected against both attack paths rather than focusing on only one.
3 practical actions
Inventory Microsoft 365 environments to identify where device code authentication is required and block it everywhere else using Conditional Access.
Enable phishing-resistant authentication, including passkeys or FIDO2 security keys, to reduce the risk of adversary-in-the-middle phishing attacks.
Monitor Entra sign-in logs for suspicious refresh-token activity, unfamiliar source IP addresses, and unusual device code authentication events to detect compromised sessions early.


