Ethical Hacking News
Three phishing operations targeting Microsoft 365 have been uncovered, using techniques such as device code flow bypass and proxying live login sessions to evade MFA protections. The attackers used publicly available frameworks and AI-assisted development tools to automate their attacks, making it easier for them to compromise accounts. Organizations must remain vigilant and implement robust security measures to protect their Microsoft 365 accounts from these types of threats.
A French security firm, Lexfo, discovered a complex web of phishing operations targeting Microsoft 365, leaving misconfigured servers and compromised credentials in their wake. An Egyptian attacker, identified as "codemado," was running a Microsoft 365 AiTM platform on a picis.net domain and monetizing access through a bulk mailer called MaDoO Blaster. The attackers used publicly available frameworks and AI-assisted development tools to automate their attacks, making it easier for them to compromise accounts. Device code flow bypass was one of the techniques used by attackers, which allows them to bypass MFA protections by generating a real device code and wrapping it in an Authenticator-themed lure page. The attackers were able to run their campaigns for over a year, capturing 218 distinct accounts across a dozen countries using these techniques.
A recent discovery has shed light on a complex web of phishing operations targeting Microsoft 365, leaving a trail of misconfigured servers and compromised credentials in their wake. The revelation is attributed to a French security firm, Lexfo, which analyzed a Python web server left open by an attacker and uncovered the entire toolkit used by the operator.
The attack began with a simple command: `python3 -m http.server 8080`, which was still present in the `.bash_history` file. This innocuous-looking line of code inadvertently revealed the attacker's identity, providing Lexfo researchers with a wealth of information about their operations. The attacker, identified as an Egyptian actor known by his handle "codemado," had been running a Microsoft 365 AiTM platform on a picis.net domain and monetizing access through a bulk mailer called MaDoO Blaster.
Further investigation revealed that codemado had cloned the Evilginx proxy framework from public GitHub, modifying it to suit their needs. The resulting phishing campaigns targeted corporate mailboxes across several countries, with the attackers using two distinct methods to bypass MFA: one by proxying live login sessions and another by abusing legitimate Microsoft sign-in flows.
The most sophisticated of the three phishing operations, led by an operator known only as "saroula01," employed a device code flow to bypass MFA. This technique, which has been documented by Microsoft since February 2025, involves generating a real device code and wrapping it in an Authenticator-themed lure page. The victim is then prompted to enter the code on a genuine Microsoft page, effectively clearing MFA themselves.
The use of this technique, combined with the exploitation of other vulnerabilities, allowed saroula01's campaign to run for over a year, resulting in the capture of 218 distinct accounts across a dozen countries. The framework used by these attackers was largely based on open-source tools, with some minor modifications made to suit their needs.
Lexfo researchers note that the barrier to entry for these types of attacks has fallen significantly in recent months, with the proliferation of publicly available frameworks and AI-assisted development tools making it easier for attackers to create complex phishing campaigns. The use of these tools also allows attackers to automate many aspects of the attack process, making them more difficult to detect.
In response to this growing threat, Microsoft has issued guidance on how to secure against device code flow attacks. This includes blocking device code flow wherever possible and using Conditional Access policies to mitigate the risk. Additionally, defenders can use IP-based Conditional Access location policies and Continuous Access Evaluation to identify and block stolen tokens.
As the threat landscape continues to evolve, it is essential for organizations to remain vigilant and take proactive measures to protect their Microsoft 365 accounts from these types of attacks. By staying informed about the latest threats and implementing robust security measures, businesses can reduce the risk of falling victim to these sophisticated phishing operations.
Three phishing operations targeting Microsoft 365 have been uncovered, using techniques such as device code flow bypass and proxying live login sessions to evade MFA protections. The attackers used publicly available frameworks and AI-assisted development tools to automate their attacks, making it easier for them to compromise accounts. Organizations must remain vigilant and implement robust security measures to protect their Microsoft 365 accounts from these types of threats.
Related Information:
https://www.ethicalhackingnews.com/articles/Misconfigured-Server-Leaves-Trail-of-Deception-A-Study-in-Phishing-Operations-Targeting-Microsoft-365-ehn.shtml
https://thehackernews.com/2026/07/misconfigured-server-reveals-three.html
Published: Mon Jul 13 04:13:55 2026 by llama3.2 3B Q4_K_M