Exposed Evilginx Phishing Kits Leak Microsoft 365 Tokens, 3 Campaigns Revealed
Researchers have uncovered an exposed open directory on a Budapest-hosted server that has leaked detailed operational artifacts from three active phishing campaigns abusing Evilginx-derived tooling to target Microsoft 365 users.
The directory, served by a Python HTTP server on port 8080 at 185.163.204.7 with directory listing enabled, contained phishing configurations, session logs, remote management tooling, malware droppers, Telegram artifacts, credential lists, and source code tied to operators using the handles codemado, saroula01, and mail-argenta.
The finds, published by Lexfo, provide a rare window into modern adversary-in-the-middle (AiTM) and OAuth-based phishing operations and the post-compromise ecosystems that support them.
Exposed Evilginx Phishing
The operation attributed to codemado (MaDoO) relied on a customized Evilginx fork hosted under picis[.]net and used a Node.js anti-bot gateway at verify[.]picis[.]net/verify-human plus a Cloudflare Tunnel to filter automated scanners.
Lures impersonated widely used services, Microsoft Office, OneDrive, Microsoft Authenticator, Adobe, DocuSign, and SharePoint, aimed at corporate Microsoft 365 accounts.
The setup harvested session cookies and OAuth tokens in real time, enabling attackers to bypass conventional multi-factor authentication (MFA) by hijacking live sessions instead of depending solely on passwords.
The exposed repository also included a full post-compromise toolkit: remote-management platforms (ScreenConnect, SimpleHelp, SuperOps, GetScreen.me, XEOX RMM, ITarian), obfuscated PowerShell and VBScript droppers, trojanized MSI installers, credential stealers, and indicators linked to AsyncRAT, demonstrating how credential capture and lateral access tooling are integrated into modern phishing workflows.
A second campaign, linked to saroula01, used a modified Evilginx project named black-queen to exploit Microsoft’s OAuth Device Code Flow.
Rather than presenting a fake login page, this attack coerces victims to the legitimate device login endpoint and tricks them into entering attacker-provided device codes.
After authentication, the infrastructure programmatically queries Microsoft’s token endpoint to retrieve access and refresh tokens.
Git history exposed in the directory reportedly showed 97 accumulated Microsoft OAuth tokens with automated token refresh functionality, and telemetry indicates 218 confirmed victims across 12 countries dating back to at least June 2025.
This Device Code Flow abuse highlights how OAuth mechanisms intended for usability can be repurposed to achieve persistent access if not tightly controlled.
The third actor, mail-argenta, operated a red-queen Evilginx fork and multiple Puppeteer-based phishing panels targeting Microsoft 365, Kraken, LinkedIn, eHarmony, Gmail, GitHub, and other platforms. Red-queen featured URL rewriting, email pre-fill, long-lived cookie capture, and techniques to weaken browser script integrity protections during reverse-proxy phishing.
Investigation found overlap in tools and frameworks across the three operators, though no definitive operational coordination, an indication that the ready availability of Evilginx forks, prebuilt phishing kits, Telegram-based orchestration, and AI-assisted development is lowering the technical barrier for sophisticated MFA-bypass attacks.
Defensive implications are immediate. Organizations should review and, where appropriate, restrict Device Code Flow via Conditional Access policies; enable Continuous Access Evaluation (CAE) to reduce the window for token misuse; and monitor OAuth grants, particularly those including Mail.
ReadWrite and Mail.Send. Security teams should also alert on anomalous refresh-token activity from unfamiliar client IDs or geolocations and search for unexpected RMM deployments tied to suspicious external domains.
Proactive hunting for connections to known phishing infrastructure and blocking the listed IOCs (defanged in public reporting) within SIEM and threat intelligence platforms will help mitigate current risk.
The exposed directory is a cautionary example of how operational errors, leaving sensitive tooling publicly accessible, can yield intelligence that both reveals attacker tactics and offers defenders actionable signals to disrupt ongoing campaigns.
No Comment! Be the first one.