Exposed: Three Evilginx Campaigns Targeting Microsoft 365

Evilginx AITM
Evilginx AITM

A threat actor behind an active Microsoft 365 Evilginx campaign accidentally exposed its own infrastructure after leaving a Python development server publicly accessible with directory listing enabled.

The mistake allowed French threat intelligence firm Lexfo to download the server’s contents, exposing the attacker’s phishing toolkit and revealing two additional Evilginx-based phishing operations. The investigation uncovered three separate campaigns using heavily customized Adversary-in-the-Middle (AiTM) frameworks—some with AI-assisted features—to steal Microsoft 365 credentials from victims worldwide.

The Ultimate Operational Security Failure

The catalyst for the massive intelligence exposure was a single, dangerously lazy command left behind in a server’s readable terminal history:

python3 -m http.server 8080

By spinning up this quick-and-dirty public web server on an active infrastructure host in Budapest, the primary operator—tracked by researchers as an Egyptian threat actor operating under the handle codemado—effectively published a digital folder of his most sensitive assets to the open internet.

When Lexfo’s Cyber Threat Intelligence (CTI) team checked inside the directory, they hit a goldmine: live phishing configurations, fresh logs of harvested credentials, Remote Monitoring and Management (RMM) deployment packages (including ScreenConnect and SimpleHelp installers), combolists, backup archives, and even the operator’s own active Telegram session files, as reported.

From this repository, investigators pulled a thread that unraveled three separate, highly targeted global phishing operations designed to systematically hollow out enterprise Microsoft 365 environments.

A Closer Look at the Three Campaigns

Campaign / OperatorPrimary MechanismCore Defense BypassTarget Base
codemado (picis[.]net)Custom Evilginx ForkStrips crossorigin and integrity HTML elements to defeat browser Subresource Integrity (SRI) checks.Enterprise M365 (via custom “MaDoO Blaster” bulk mailer).
romnor[.]caCustom Evilginx ForkRewrites internal Go URL-routing modules to completely bypass standard signature and path-based network detection.Corporate mailboxes across a dozen western countries.
black-queen (saroula01)Microsoft Device Code AbuseLeverages Microsoft’s legitimate OAuth Device Code sign-in flow. Completely sidesteps standard password capture.218 confirmed corporate accounts compromised across a year-long lifecycle.

Key Takeaways from the Lexfo Investigation

  • The Stolen Session Auto-Refresh Loop: In the git history of one of the exposed public repositories, the operator accidentally committed a live token log. Researchers analyzed the file and discovered 97 active Microsoft session tokens stolen from enterprise victims. Crucially, the custom Evilginx kits were configured to recursively invoke an `autoRefresh` command—silently renewing the stolen tokens up to 25 times over to keep the hackers permanently authenticated into corporate mailboxes without triggering password change flags.
  • The AI Digital Assistant: The investigation underscores a growing trend in the lower-to-middle tiers of the cybercrime ecosystem: the weaponization of commercial Large Language Models. Git commits within the code repositories explicitly named Claude models as co-authors. Rather than constructing custom AiTM proxies from scratch, the operators utilized the generative AI to write “glue code”—the operational Python scripts, configuration files, and custom “phishlets” required to tailor the generic kits against specific corporate defenses.
  • The Downstream Ecosystem: Evidence found on the server points to a broader structural framework. The three operators appear loosely connected to a massive phishing-as-a-service (PaaS) marketplace identified as “The Quarry,” an underground distribution platform managed by a developer known as RockyBelling, which has reportedly sold pre-packaged infrastructure to nearly 200 criminal operators.

The Real-World Risk

The most alarming aspect of the Lexfo disclosure is the sheer volume of high-value targets compromised by fundamentally low-sophistication actors. The largest campaign ran silently from June 2025 until July 2026, logging 218 successful enterprise compromises. Fully 94% of the verified victims were corporate mailboxes rather than retail consumers.

Because these frameworks utilize proxy architectures and legitimate Microsoft authentication flows to steal live session tokens rather than passwords, standard Multi-Factor Authentication (MFA) forms—like SMS codes and mobile push notifications—offered virtually zero resistance.

The barrier to entry for highly effective, infrastructure-disrupting phishing campaigns has decisively cratered to zero. When a handful of low-level operators can retrieve public code repositories, pay a few hundred dollars for a kit, use an AI model to polish the code, and cleanly compromise over 200 corporate networks, defensive paradigms must radically evolve. Organizations still relying on legacy, non-phishing-resistant MFA are essentially operating on borrowed time.

Previous Article
cybersecurity resources

15 Best Free Cybersecurity Resources to Learn in 2026

Related Posts