← Back to news

Misconfigured Server Reveals Three Evilginx Phishing Operations Targeting Microsoft 365

The Hacker News13/07/2026, 07:30
Read full article →

Summary

AI-Generated

Key Points:

  • A misconfigured Python web server exposed a phishing operation using Evilginx targeting Microsoft 365, revealing extensive attacker tools and logs.
  • The attack impacted corporate mailboxes, with operators successfully bypassing MFA through two distinct methods: proxying live logins and exploiting legitimate Microsoft sign-in flows.
  • Implement Conditional Access policies to block device code flows and monitor sign-in logs for unusual refresh-token grants from the Microsoft Office client ID.

Technical Details: The attackers utilized a custom fork of Evilginx to facilitate credential harvesting and bypass MFA. The exposed server was traced back to an Egyptian actor known as codemado, who has been active since 2018.

MITRE ATT&CK Techniques:

  • T1566 - Phishing (Initial Access)
  • T1078 - Valid Accounts (Defense Evasion)
  • T1003.001 - OS Credential Dumping: LSASS Memory (Credential Access)
  • T1021.001 - Remote Services: Remote Desktop Protocol (Lateral Movement)

IOCs Mentioned:

  • IP Address: 185.163.204[.]7
  • Domains: picis[.]net, romnor[.]ca

This summary highlights the critical aspects of the phishing operations, their impact on Microsoft 365 users, and recommended mitigations to enhance security against such attacks.

Join the discussion — sign up to comment, upvote, and save articles.

Discussion

or to comment
Loading...

Loading comments...

Join 5,000+ security professionals

Get access to curated threat intel, upvote articles, join discussions, and build your karma in the SOC community.