Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Major Microsoft 365 Phishing Operations Exposed by Server Error

Major Microsoft 365 Phishing Operations Exposed by Server Error

Posted on July 13, 2026 By CWS

An inadvertent server misconfiguration has unveiled significant phishing operations targeting Microsoft 365 users. The incident began when an attacker mistakenly left a Python web server publicly accessible, with directory listing enabled. This oversight allowed French security firm Lexfo to uncover the attacker’s toolkit and trace two additional phishing operations, all utilizing customized versions of the Evilginx proxy.

Uncovering the Phishing Campaigns

The phishing operations, primarily aimed at corporate mailboxes, used different methods to bypass multi-factor authentication (MFA). One approach involved proxying live logins, while the other exploited legitimate Microsoft sign-in flows. These varied tactics necessitate distinct defensive measures for organizations using Microsoft 365.

Exposure of the attack server’s directory listing revealed sensitive data such as phishing configurations, credential logs, and session files. The operations were traced back to an Egyptian actor known as codemado, active since 2018, who was monetizing access through a bulk mailing tool named MaDoO Blaster.

Techniques and Tactics Employed

Further investigation revealed that the phishing kits were not developed from scratch but cloned from public repositories. One kit, attributed to a Nigerian operator dubbed mail-argenta, included advanced features to evade security checks, such as modifying HTML attributes and enabling URL rewriting to bypass detection.

The third operation, linked to an unidentified actor called saroula01, leveraged Microsoft’s OAuth device code flow to capture tokens without directly intercepting passwords. This method involves generating a legitimate device code and guiding victims through a real Microsoft login, effectively bypassing MFA.

Implications and Defensive Strategies

The exposure of these operations highlights the evolving nature of phishing attacks and the increasing sophistication of adversaries. Organizations are advised to implement phishing-resistant MFA solutions and leverage Conditional Access policies to mitigate such threats. Microsoft recommends blocking the device code flow where feasible and utilizing IP-based location policies for enhanced security.

Additionally, the report underscores the role of AI in developing these phishing tools, with signs of AI-assisted coding evident in the operations. This trend suggests a growing reliance on AI to enhance the effectiveness and reach of cyber attacks.

Looking Ahead

As these phishing techniques become more prevalent, the security landscape must adapt accordingly. The relatively low barrier to entry for launching such campaigns poses a significant risk, emphasizing the need for robust cybersecurity measures and continuous vigilance.

The Lexfo report serves as a warning of the potential for future attacks and the importance of proactive defense strategies to safeguard sensitive data and systems against evolving threats.

The Hacker News Tags:AI, attack vectors, Conditional Access, cyber attack, cyber defense, Cybercrime, Cybersecurity, device code flow, Evilginx, Lexfo, MFA, Microsoft 365, Phishing, security breach, security measures

Post navigation

Previous Post: Citrix Enhances AI Security with New NetScaler Gateway
Next Post: Progress Urges ShareFile Shutdown Due to Security Risks

Related Posts

Hazy Hawk Exploits DNS Records to Hijack CDC, Corporate Domains for Malware Delivery Hazy Hawk Exploits DNS Records to Hijack CDC, Corporate Domains for Malware Delivery The Hacker News
AI Enhances Security Testing in Dynamic Environments AI Enhances Security Testing in Dynamic Environments The Hacker News
AI-Driven Ransomware Attack Exploits Langflow Vulnerability AI-Driven Ransomware Attack Exploits Langflow Vulnerability The Hacker News
Critical Cisco SD-WAN Vulnerability Exploited Since 2023 Critical Cisco SD-WAN Vulnerability Exploited Since 2023 The Hacker News
Long-Running Web Skimming Campaign Steals Credit Cards From Online Checkout Pages Long-Running Web Skimming Campaign Steals Credit Cards From Online Checkout Pages The Hacker News
PoisonSeed Hackers Bypass FIDO Keys Using QR Phishing and Cross-Device Sign-In Abuse PoisonSeed Hackers Bypass FIDO Keys Using QR Phishing and Cross-Device Sign-In Abuse The Hacker News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • Hackers Exploit jscrambler in Supply Chain Attack
  • Zimbra Addresses Critical Code Execution Flaw
  • Hackers Exploit Academic Events to Deploy RokRAT
  • Progress Urges ShareFile Shutdown Due to Security Risks
  • Major Microsoft 365 Phishing Operations Exposed by Server Error

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • Hackers Exploit jscrambler in Supply Chain Attack
  • Zimbra Addresses Critical Code Execution Flaw
  • Hackers Exploit Academic Events to Deploy RokRAT
  • Progress Urges ShareFile Shutdown Due to Security Risks
  • Major Microsoft 365 Phishing Operations Exposed by Server Error

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark