An attacker’s misconfigured server gave French security firm Lexfo an unobstructed view of three concurrent Microsoft 365 phishing campaigns — including stolen credentials, operator identities, infrastructure addresses, and post-compromise tools — after the operator left a Python HTTP server running with directory listing enabled. The exposure reveals how adversary-in-the-middle phishing operations now combine commodity off-the-shelf tools with AI coding assistance to run credential-theft pipelines against corporate M365 accounts at scale.
How Lexfo Discovered Three Live Evilginx M365 Campaigns on an Exposed Server
Lexfo researchers identified the open server and found the operator had started a Python HTTP server using the command python3 -m http.server 8080 with directory listing enabled, making the entire toolkit accessible. Captured credential logs, Evilginx campaign configuration files, and a .bash_history file documenting the operator’s command-line activity were all openly readable.
Three Operators, 218 Captured Corporate Accounts, and Over a Year of Running
The server contained three distinct Evilginx campaigns that had collectively captured 218 accounts across a dozen countries. Approximately 94 percent of the compromised credentials belonged to corporate mailboxes. One campaign had run for more than a year before Lexfo’s discovery. Three operator handles were identified from the server’s contents: “codemado,” assessed as Egyptian and active on voice-over-IP and hacking forums since 2018; “mail-argenta,” assessed as Nigerian; and “saroula01,” unidentified but running the largest of the three campaigns. The server infrastructure included IP address 185.163.204[.]7 in Budapest and the domains picis[.]net and romnor[.]ca.
AiTM Reverse Proxy and OAuth Device Code Abuse Used to Defeat MFA
The campaigns used two distinct MFA bypass techniques. The primary method is the adversary-in-the-middle approach that Evilginx implements: a reverse proxy sits between the victim and the legitimate Microsoft 365 login portal, intercepting the session cookie after the victim completes MFA. The second method abuses Microsoft’s OAuth device code flow — a legitimate authentication path designed for devices without browsers — by redirecting the authorization exchange to capture persistent credentials. Both techniques allow attackers to access accounts with MFA enabled, since the captured session token or device authorization grants the same access as a fully authenticated user without requiring the victim’s second factor again.
AI Coding Tools and Post-Compromise Infrastructure Found on the Server
The exposed directory contained more than the three phishing campaigns — it documented the operators’ full post-compromise stack and their development workflow.
MaDoO Blaster, SimpleHelp, and Claude and CyberNeurova APIs in the Operator Toolkit
The server held MaDoO Blaster, a bulk mailer staged for post-compromise monetization against captured mailboxes, and SimpleHelp, a commercial remote monitoring and management tool. The .bash_history file documented the operator’s use of Claude and CyberNeurova APIs for AI-assisted phishing infrastructure development. This is a direct record — from the attacker’s own command history — of AI coding tools being used to build and refine phishing kits. The use of AI assistance does not indicate advanced technical skill; it shows that AI lowers the barrier for building and iterating credential-theft infrastructure without specialized programming expertise.
These operators do not exhibit characteristics of advanced persistent threat groups. “codemado”‘s eight-year presence on VoIP and hacking forums, the commoditized nature of all tools found on the server, and the operational security failure that exposed the server are all consistent with mid-tier criminal operators rather than state-sponsored groups.
The Defender Value of the Exposed Infrastructure Details
The Lexfo discovery delivers an unusually complete operational picture of a live phishing operation: campaign configurations, captured account lists, operator handles, infrastructure addresses, and the full toolset — all from a single accidental disclosure. Most phishing campaign analysis works from network telemetry or credential auction listings; this case provided direct access to the operational backend while campaigns were still active.
The infrastructure addresses and domains identified — 185.163.204[.]7, picis[.]net, and romnor[.]ca — are now available for use in network blocklists and threat intelligence feeds. Organizations that detect connections to these endpoints should investigate for active Microsoft 365 credential compromise. Security teams should also audit OAuth device code flow authorizations in their M365 tenants for unauthorized persistent grants, since device code authorizations can survive past the expiration of standard session tokens and maintain access well beyond what a session-hijacking attack alone would provide.
