Updated
Updated · The Hacker News · Jul 13
Lexfo Exposes 3 Microsoft 365 Phishing Operations via Open Port 8080 Server
Updated
Updated · The Hacker News · Jul 13

Lexfo Exposes 3 Microsoft 365 Phishing Operations via Open Port 8080 Server

1 articles · Updated · The Hacker News · Jul 13

Summary

  • Three active Microsoft 365 phishing campaigns were uncovered after one operator left a Python server on port 8080 publicly listing files, exposing configs, logs, Telegram sessions and bash history.
  • Lexfo traced the first operator—tracked as codemado—to an Evilginx adversary-in-the-middle setup on picis[.]net, then used cloned GitHub tooling on the server to identify two more active operators.
  • One fork, red-queen, modified Evilginx to evade detection and set captured Microsoft session cookies to a 31,536,000-second lifetime; another, black-queen, used Microsoft’s legitimate device-code flow and logged 218 captured accounts across 12 countries.
  • The distinction matters for defense: FIDO2, passkeys and phishing-resistant MFA stop reverse-proxy Evilginx attacks, but not device-code abuse completed on genuine Microsoft pages.
  • Lexfo said blocking device-code flow with Conditional Access, monitoring suspicious token refreshes, and treating domains and IPs as short-lived indicators are critical as low-cost public kits and AI-assisted glue code lower the barrier to entry.

Insights

How can you trust Microsoft's login page when hackers use it to bypass your best security?
With AI models now being 'abliterated' for cybercrime, have we already lost control of AI safety?

218 Corporate Victims in 12 Countries: Inside the 2026 Evilginx-AI Phishing Campaigns Exposed by Server Misconfiguration

Overview

In early July 2026, French security firm Lexfo discovered a critical vulnerability when they found a public server running a Python HTTP server with directory listing enabled on port 8080. This misconfiguration allowed unrestricted access to the server’s entire contents, exposing the attackers’ complete toolkit. As a result, Lexfo gained a comprehensive view into the inner workings of three sophisticated phishing campaigns that used custom-modified Evilginx proxy tools. The exposed data included detailed phishing configurations, stolen credentials, remote management tools, and session artifacts, providing invaluable insights into the attackers’ methods and targets.

...