A simple server misconfiguration has given security researchers an unusually detailed look inside three active phishing operations targeting Microsoft 365 users. By exposing a directory listing over HTTP, one threat actor inadvertently revealed phishing kits, malware, command-and-control infrastructure, Telegram bot configurations, victim data, and operational artifacts that allowed researchers to reconstruct multiple campaigns.
The investigation, published by Lexfo, linked the exposed infrastructure to three separate phishing operations that relied on adversary-in-the-middle (AiTM) phishing, Device Code phishing, and customized Evilginx frameworks designed to bypass multi-factor authentication (MFA). The findings highlight how a single operational mistake can expose months of attacker activity while providing defenders with valuable insight into modern phishing infrastructure.
One exposed server revealed far more than intended
The investigation began after researchers discovered an openly accessible directory listing running on a publicly exposed server. Instead of returning an error, the server exposed dozens of files and directories containing phishing frameworks, malware installers, archived tooling, shell history, configuration files, Telegram sessions, remote management software, and infrastructure used to operate phishing campaigns.
Among the recovered artifacts were customized Evilginx deployments, phishing templates targeting Microsoft 365 accounts, bulk email tooling, Cloudflare utilities, Telegram automation, and scripts used to manage infrastructure.

Image credit: Lexfo, “One Misconfigured Server, Three Active Campaigns: Full Exposure of Three AiTM Phishing Operators.” Available at: https://blog.lexfo.fr/opendir-to-phishing-operator.html
Three separate phishing operations emerged
Rather than uncovering a single phishing kit, the exposed server contained evidence of three independent but related operations.
One campaign relied on customized Evilginx infrastructure to perform adversary-in-the-middle phishing against Microsoft 365 users. Another used a modified phishing framework targeting multiple organizations, while a third focused on Microsoft’s Device Code authentication flow, allowing attackers to obtain legitimate access tokens after victims completed authentication through Microsoft’s own login pages.
Researchers identified hundreds of compromised accounts across the campaigns and observed infrastructure that had remained active for more than a year.
Two different methods for bypassing MFA
The research demonstrates that modern phishing campaigns increasingly target authentication sessions rather than passwords alone.
AiTM phishing frameworks such as Evilginx operate by placing themselves between victims and legitimate login portals. Users unknowingly authenticate against the real Microsoft login page while the reverse proxy captures session cookies that attackers can later reuse to bypass MFA.
Device Code phishing takes a different approach. Instead of stealing credentials directly, victims are tricked into entering a legitimate Microsoft device authentication code, authorizing the attacker to access their account through Microsoft’s own authentication workflow.
Because both techniques abuse legitimate authentication mechanisms, traditional password hygiene alone offers little protection once users complete the authentication process.
AI-assisted development also appeared inside the infrastructure
The exposed server contained evidence suggesting the operators used AI coding assistants during development. Researchers found commit metadata, development artifacts, and AI-generated code fragments associated with building and modifying phishing infrastructure.
The discovery adds to a growing body of research showing threat actors increasingly using generative AI to accelerate malware development, phishing kit customization, and infrastructure management. Earlier this week, BreachNews covered new research showing how attackers can exploit predictable AI hallucinations to trick coding assistants into retrieving malicious repositories.
Operational mistakes continue exposing threat actors
While phishing kits and malware often receive the most attention, researchers noted that operational security failures frequently provide the clearest picture of criminal infrastructure.
Exposed directory listings, forgotten development files, publicly accessible backups, shell history, and misconfigured servers continue to provide investigators with opportunities to identify infrastructure, map campaigns, and understand attacker workflows.
The findings echo previous investigations where exposed infrastructure allowed researchers to uncover broader malicious operations, including our coverage of infrastructure exposed during the WP-ShellStorm webshell campaign.
Defender takeaways
- Deploy phishing-resistant authentication methods such as passkeys or FIDO2 security keys wherever possible.
- Review whether Microsoft Device Code Flow is required and disable it for users who do not need it.
- Monitor Microsoft 365 environments for anomalous session token reuse, impossible travel events, and suspicious OAuth authorizations.
- Inspect network traffic for reverse proxy infrastructure commonly associated with AiTM phishing frameworks.
- Use Conditional Access policies to restrict high-risk sign-ins and require compliant devices.
- Train users that legitimate-looking Microsoft login pages can still be part of adversary-in-the-middle phishing attacks.












