Exposed Phishing Infrastructure Reveals Three Active Microsoft 365 Campaigns

An exposed directory listing allowed researchers to reconstruct three active Microsoft 365 phishing campaigns using Evilginx, Device Code phishing, and customized infrastructure.
Illustration of Microsoft 365 phishing infrastructure showing interconnected phishing servers targeting Microsoft 365 authentication.

A simple server misconfiguration has given security researchers an unusually detailed look inside three active phishing operations targeting Microsoft 365 users. By exposing a directory listing over HTTP, one threat actor inadvertently revealed phishing kits, malware, command-and-control infrastructure, Telegram bot configurations, victim data, and operational artifacts that allowed researchers to reconstruct multiple campaigns.

The investigation, published by Lexfo, linked the exposed infrastructure to three separate phishing operations that relied on adversary-in-the-middle (AiTM) phishing, Device Code phishing, and customized Evilginx frameworks designed to bypass multi-factor authentication (MFA). The findings highlight how a single operational mistake can expose months of attacker activity while providing defenders with valuable insight into modern phishing infrastructure.

One exposed server revealed far more than intended

The investigation began after researchers discovered an openly accessible directory listing running on a publicly exposed server. Instead of returning an error, the server exposed dozens of files and directories containing phishing frameworks, malware installers, archived tooling, shell history, configuration files, Telegram sessions, remote management software, and infrastructure used to operate phishing campaigns.

Among the recovered artifacts were customized Evilginx deployments, phishing templates targeting Microsoft 365 accounts, bulk email tooling, Cloudflare utilities, Telegram automation, and scripts used to manage infrastructure.

Directory listing from an exposed server showing phishing infrastructure, Evilginx files, malware archives, scripts, and operational artifacts uncovered during Lexfo's investigation.
An exposed directory listing revealed phishing infrastructure, malware, configuration files, and operational artifacts that allowed researchers to reconstruct three active Microsoft 365 phishing campaigns.
Image credit: Lexfo, “One Misconfigured Server, Three Active Campaigns: Full Exposure of Three AiTM Phishing Operators.” Available at: https://blog.lexfo.fr/opendir-to-phishing-operator.html

Three separate phishing operations emerged

Rather than uncovering a single phishing kit, the exposed server contained evidence of three independent but related operations.

One campaign relied on customized Evilginx infrastructure to perform adversary-in-the-middle phishing against Microsoft 365 users. Another used a modified phishing framework targeting multiple organizations, while a third focused on Microsoft’s Device Code authentication flow, allowing attackers to obtain legitimate access tokens after victims completed authentication through Microsoft’s own login pages.

Researchers identified hundreds of compromised accounts across the campaigns and observed infrastructure that had remained active for more than a year.

Two different methods for bypassing MFA

The research demonstrates that modern phishing campaigns increasingly target authentication sessions rather than passwords alone.

AiTM phishing frameworks such as Evilginx operate by placing themselves between victims and legitimate login portals. Users unknowingly authenticate against the real Microsoft login page while the reverse proxy captures session cookies that attackers can later reuse to bypass MFA.

Device Code phishing takes a different approach. Instead of stealing credentials directly, victims are tricked into entering a legitimate Microsoft device authentication code, authorizing the attacker to access their account through Microsoft’s own authentication workflow.

Because both techniques abuse legitimate authentication mechanisms, traditional password hygiene alone offers little protection once users complete the authentication process.

AI-assisted development also appeared inside the infrastructure

The exposed server contained evidence suggesting the operators used AI coding assistants during development. Researchers found commit metadata, development artifacts, and AI-generated code fragments associated with building and modifying phishing infrastructure.

The discovery adds to a growing body of research showing threat actors increasingly using generative AI to accelerate malware development, phishing kit customization, and infrastructure management. Earlier this week, BreachNews covered new research showing how attackers can exploit predictable AI hallucinations to trick coding assistants into retrieving malicious repositories.

Operational mistakes continue exposing threat actors

While phishing kits and malware often receive the most attention, researchers noted that operational security failures frequently provide the clearest picture of criminal infrastructure.

Exposed directory listings, forgotten development files, publicly accessible backups, shell history, and misconfigured servers continue to provide investigators with opportunities to identify infrastructure, map campaigns, and understand attacker workflows.

The findings echo previous investigations where exposed infrastructure allowed researchers to uncover broader malicious operations, including our coverage of infrastructure exposed during the WP-ShellStorm webshell campaign.

Defender takeaways

  • Deploy phishing-resistant authentication methods such as passkeys or FIDO2 security keys wherever possible.
  • Review whether Microsoft Device Code Flow is required and disable it for users who do not need it.
  • Monitor Microsoft 365 environments for anomalous session token reuse, impossible travel events, and suspicious OAuth authorizations.
  • Inspect network traffic for reverse proxy infrastructure commonly associated with AiTM phishing frameworks.
  • Use Conditional Access policies to restrict high-risk sign-ins and require compliant devices.
  • Train users that legitimate-looking Microsoft login pages can still be part of adversary-in-the-middle phishing attacks.

Sources

X
LinkedIn
Reddit
Telegram
WhatsApp
Threads
Facebook
Email
Print
Picture of m00s3c

m00s3c

Moose (@m00s3c) is the author of BreachNews, focusing on data breach intelligence, dark web monitoring, and threat analysis. His work involves analyzing breach claims, reviewing leaked datasets, and tracking threat actor activity to provide clear, factual reporting.

Latest News

Newsletter signup

Get the latest data breach and security news.

Please wait...

Thank you for signing up!

BREACHNEWS.COM/SUPPORT/

Support Independent News.

Help support breach monitoring, investigations, infrastructure, and reporting.

Support the site
INTEL.BREACHNEWS.COM

Live Cyber
Threat Map

Explore live cyber activity, recent breach reports, KEV alerts, and public threat feeds from a single interactive dashboard.

Launch Threat Map