A misconfigured server in Budapest has exposed a phishing toolkit operated by three individuals targeting Microsoft 365 accounts through an Evilginx-based platform. Research from cybersecurity firm Lexfo revealed that the open directory included phishing configurations and credential logs. The main operator, codemado, has ties to an Egyptian hacker and utilizes tools like ScreenConnect for remote management.
Another actor, mail-argenta, and a third, saroula01, built a framework exploiting legitimate Microsoft features for unauthorized access, collectively affecting over 218 victims. The research highlights the lowered barrier for executing such phishing campaigns and recommends disabling unnecessary authentication methods to enhance security.