Executive Summary
A misconfigured public server exposed the operational infrastructure of three distinct Evilginx phishing campaigns targeting Microsoft 365 users. The campaigns, active since at least early 2026, leveraged adversary-in-the-middle (AiTM) techniques to bypass multi-factor authentication (MFA) and compromise corporate mailboxes globally. The exposed server, discovered by researchers at Lexfo, revealed the attackers’ full toolkit, including phishing configurations, credential logs, remote management tools, and session artifacts. The campaigns were linked to the Egyptian actor known as codemado and two additional operators using custom forks of the open-source Evilginx proxy. Attackers exploited misconfigured mail routing and spoof protections to deliver convincing phishing emails, capturing session cookies and OAuth tokens to maintain persistent access to Microsoft 365 accounts. The campaigns also deployed post-compromise remote access tools and anti-analysis measures to evade detection. At least 218 victims in 12 countries were confirmed in one campaign, with the largest operation running for over a year and primarily targeting corporate environments. All findings are corroborated by primary sources: The Hacker News, GBHackers, and the Microsoft Security Blog.
Technical Information
The incident centers on a misconfigured Python web server (python3 -m http.server 8080) left publicly accessible with directory listing enabled. This server, hosted at 185.163.204[.]7 in Budapest, exposed the full operational toolkit of an active Microsoft 365 phishing campaign. The .bash_history file revealed the command used to launch the server, providing investigators with a detailed snapshot of the attack infrastructure and methods.
Three separate phishing operations were identified, each running a custom fork of the open-source Evilginx proxy. The largest campaign had been active for over a year, primarily targeting corporate mailboxes. The attackers used two main methods to bypass MFA: one by proxying live login sessions (AiTM), and another by abusing the legitimate Microsoft device code authorization flow. The latter involved victims entering real authentication codes on Microsoft’s device-login portal, after which attackers captured the resulting tokens.
The campaigns leveraged complex mail routing and misconfigured spoof protections to deliver phishing emails that appeared to originate from within the target organization. These emails used lures themed around OneDrive, Adobe, DocuSign, SharePoint, and Microsoft Authenticator to entice users to malicious proxy sites. The Evilginx proxies intercepted credentials, session cookies, and OAuth tokens in real time, allowing attackers to bypass MFA and maintain persistent access to compromised accounts.
Post-compromise, the attackers deployed a range of remote management and access tools, including ScreenConnect, SimpleHelp, SuperOps, GetScreen.me, and XEOX. They also used AsyncRAT for remote access and persistence. The infrastructure included a Cloudflare Tunnel to hide the phishing servers behind CDN infrastructure, a Node.js anti-bot gateway with browser fingerprinting to evade automated analysis, and Telegram-based victim alerts for command and control.
The exposed server contained phishing configurations, Telegram session artifacts, credential logs, RMM installers, combolists, malicious droppers, backup archives, and shell history. The infrastructure was linked to the Egyptian actor codemado (also known as MaDoO and MaDosc), whose online activity dates back to at least 2018. Codemado’s campaign used domains under picis[.]net to proxy real Microsoft 365 login sessions, capturing authenticated session cookies and OAuth tokens. The campaign also reused credentials tied to the operator, including a password hardcoded in a phishing panel’s environment file.
A separate campaign operated by mail-argenta used the red-queen Evilginx fork to target Microsoft 365, Okta, GitHub, and other services. This fork implemented URL rewriting, session-cookie capture, and long-lived token retention, with cookies configured to last for one year. The third actor, saroula01, ran a device code flow phishing campaign using the black-queen framework, capturing tokens from victims in at least 12 countries and using automated token refresh to preserve access.
The campaigns were opportunistic, targeting a wide variety of organizations across multiple sectors and geographies. The use of phishing-as-a-service (PhaaS) platforms such as Tycoon2FA and “The Quarry” further lowered the barrier for MFA-bypass operations, providing ready-made phishing kits, delivery tooling, and remote access infrastructure.
Technical analysis from Lexfo, as reported by The Hacker News and GBHackers, provided forensic evidence of the exposed server, toolkit, and campaign infrastructure. The Microsoft Security Blog confirmed the scale of the threat, provided sector-wide detection and mitigation guidance, and highlighted the importance of phishing-resistant MFA, Conditional Access policies, token protection, and continuous access evaluation.
Affected Versions & Timeline
The campaigns targeted Microsoft 365 tenants, particularly those with misconfigured mail routing or insufficient spoof protections. The largest campaign ran for over a year, with the phishing domain picis[.]net registered on March 13, 2026. The codemado handle has been active in hacking communities since at least 2018. The Tycoon2FA and Evilginx-based phishing campaigns increased in visibility and scale throughout 2025 and 2026. Public disclosure of the misconfigured server and toolkit exposure occurred on July 13, 2026.
Threat Activity
The threat actors used sophisticated phishing techniques to bypass MFA and compromise Microsoft 365 accounts. They exploited misconfigured mail routing and spoof protections to deliver phishing emails that appeared to originate from within the target organization. The emails contained links to Evilginx proxy sites, which intercepted credentials, session cookies, and OAuth tokens in real time. Attackers used these artifacts to maintain persistent access to compromised accounts, even after victims completed MFA.
The campaigns deployed a range of post-compromise tools, including remote management agents and RATs, to establish persistence and facilitate further exploitation. The infrastructure included anti-analysis measures such as a Node.js anti-bot gateway and browser fingerprinting, as well as a Cloudflare Tunnel to anonymize the phishing servers. Telegram-based victim alerts were used for command and control.
The campaigns were linked to the Egyptian actor codemado and two additional operators using custom Evilginx forks. The actors leveraged phishing-as-a-service platforms to scale their operations and target a wide range of organizations globally. At least 218 victims in 12 countries were confirmed in one campaign, with the largest operation running for over a year and primarily targeting corporate environments.
Mitigation & Workarounds
Critical mitigations include enabling phishing-resistant MFA (such as FIDO2 security keys), enforcing Conditional Access policies, and enabling token protection and continuous access evaluation in Microsoft 365 environments. Organizations should review and harden mail routing and spoof protections, ensuring that MX records point directly to Office 365 and that SPF, DKIM, and DMARC policies are correctly configured. Security teams should investigate unusual device-code authentication activity, review OAuth application grants, revoke suspicious refresh tokens, and monitor for anomalous session reuse. Post-compromise, organizations should search for the presence of remote management tools and RATs, and review logs for evidence of session cookie or OAuth token theft. Regularly updating detection rules to include the latest indicators of compromise is essential.
Indicators of Compromise
The following indicators are point-in-time and should be validated before enforcement. They are drawn directly from primary sources and reflect the infrastructure and artifacts associated with the campaigns as of the publication dates.
Type | Indicator | Reported (date) | Source
|
Domain | picis[.]net | 2026-07-13 | https://gbhackers.com/evilginx-operators-stealing-microsoft-365/ |
Domain | queeenspropertyservices[.]ca | 2026-07-13 | https://gbhackers.com/evilginx-operators-stealing-microsoft-365/ |
IPv4 | 185.163.204[.]7 | 2026-07-13 | https://gbhackers.com/evilginx-operators-stealing-microsoft-365/ |
IPv4:Port | 216.180.245[.]166:50101 | 2026-07-13 | https://gbhackers.com/evilginx-operators-stealing-microsoft-365/ |
IPv4:Port | 188.227.196[.]240:7077 | 2026-07-13 | https://gbhackers.com/evilginx-operators-stealing-microsoft-365/ |
Domain | vinicious.picis[.]net | 2026-07-13 | https://gbhackers.com/evilginx-operators-stealing-microsoft-365/ |
IPv4 | 195.20.115[.]103 | 2026-07-13 | https://gbhackers.com/evilginx-operators-stealing-microsoft-365/ |
URL | verify.picis[.]net/verify-human | 2026-07-13 | https://gbhackers.com/evilginx-operators-stealing-microsoft-365/ |
Domain | agent01.xeox.com | 2026-07-13 | https://gbhackers.com/evilginx-operators-stealing-microsoft-365/ |
Domain | ws01.xeox.com | 2026-07-13 | https://gbhackers.com/evilginx-operators-stealing-microsoft-365/ |
IPv4/CIDR | 80.80.250[.]0/24 | 2026-07-13 | https://gbhackers.com/evilginx-operators-stealing-microsoft-365/ |
IPv4 | 162.19.196[.]13 | 2026-01-06 | https://www.microsoft.com/en-us/security/blog/2026/01/06/phishing-actors-exploit-complex-routing-and-misconfigurations-to-spoof-domains/ |
IPv4 | 163.5.221[.]110 | 2026-01-06 | https://www.microsoft.com/en-us/security/blog/2026/01/06/phishing-actors-exploit-complex-routing-and-misconfigurations-to-spoof-domains/ |
IPv4 | 51.195.94[.]194 | 2026-01-06 | https://www.microsoft.com/en-us/security/blog/2026/01/06/phishing-actors-exploit-complex-routing-and-misconfigurations-to-spoof-domains/ |
IPv4 | 51.89.59[.]188 | 2026-01-06 | https://www.microsoft.com/en-us/security/blog/2026/01/06/phishing-actors-exploit-complex-routing-and-misconfigurations-to-spoof-domains/ |
Domain | 2fa.valoufroo.in[.]net | 2026-01-06 | https://www.microsoft.com/en-us/security/blog/2026/01/06/phishing-actors-exploit-complex-routing-and-misconfigurations-to-spoof-domains/ |
Domain | valoufroo.in[.]net | 2026-01-06 | https://www.microsoft.com/en-us/security/blog/2026/01/06/phishing-actors-exploit-complex-routing-and-misconfigurations-to-spoof-domains/ |
Domain | integralsm[.]cl | 2026-01-06 | https://www.microsoft.com/en-us/security/blog/2026/01/06/phishing-actors-exploit-complex-routing-and-misconfigurations-to-spoof-domains/ |
Domain | absoluteprintgroup[.]com | 2026-01-06 | https://www.microsoft.com/en-us/security/blog/2026/01/06/phishing-actors-exploit-complex-routing-and-misconfigurations-to-spoof-domains/ |
References
https://thehackernews.com/search/label/Threat%20Intelligence (2026-07-13), https://gbhackers.com/evilginx-operators-stealing-microsoft-365/ (2026-07-13), https://www.microsoft.com/en-us/security/blog/2026/01/06/phishing-actors-exploit-complex-routing-and-misconfigurations-to-spoof-domains/ (2026-01-06)
About Rescana
Rescana’s Third-Party Risk Management (TPRM) platform enables organizations to continuously monitor, assess, and manage the security posture of their external vendors and partners. Our platform provides actionable intelligence on exposed assets, misconfigurations, and emerging threats relevant to your supply chain and digital ecosystem.
We are happy to answer questions at info@rescana.com.



