A Misconfigured Server Unlocks Three-Actor Phishing Ecosystem
A single exposed directory reveals how multiple threat actors leverage AiTM tools and OAuth abuse to compromise corporate accounts.
Cybersecurity researchers have uncovered a significant operational leak originating from a misconfigured server in Budapest. By simply leaving directory listing enabled on a Python HTTP server, the threat actors behind a sophisticated phishing network inadvertently provided a complete roadmap of their malicious infrastructure, ranging from credential logs to remote session files.
An Exposed Arsenal of Threats
The investigation, conducted by security firm Lexfo, centered on an actor identified as codemado. This individual was found running an adversary-in-the-middle platform specifically designed to compromise Microsoft 365 accounts. The server did not merely contain phishing configurations; it housed a comprehensive suite of tools for maintaining long-term unauthorized access, including a custom bulk-mailing utility dubbed MaDoO Blaster and various installers for ScreenConnect.
The firm noted that the barrier to running a functional AiTM campaign has dropped close to zero, with components either free on GitHub or sold on Telegram for a few hundred dollars.
Tracking the Phishing Syndicate
While the server linked these activities to a specific actor active since 2018, the research revealed a broader ecosystem of three distinct individuals connected through code lineage. A second operator, known as mail-argenta, was identified through infostealer logs that exposed his own reused credentials, including a hardcoded MySQL password. A third actor, saroula01, utilized a different technique, building a framework that exploits the legitimate Microsoft OAuth Device Code Flow to capture tokens from unsuspecting victims.
Quantifying the Scope of Abuse
- 218: Total number of confirmed victims identified in the saroula01 campaign.
- 12: Number of countries where victim organizations were located.
- 94%: Percentage of victims identified as corporate entities.
- 25: Maximum number of times captured tokens were silently refreshed in the background.
Implications for Security Posture
The longevity of these campaigns—with the saroula01 operation running undetected for over a year—underscores a shift in how attackers maintain persistence. By using generative AI to assist in the development of their tooling and abusing trusted authentication flows, these operators have lowered the cost of entry for large-scale credential harvesting. For security teams, the primary takeaway is the necessity of assuming that MFA can be bypassed through session hijacking. Organizations should prioritize disabling unnecessary authentication features like the Device Code Flow, as threat actors continue to weaponize standard features to maintain quiet, long-term access to enterprise environments.