OPSEC Failure Exposes AiTM Phishing Against Microsoft 365

Even the most carefully constructed digital fortress can crumble when a single administrator forgets to lock a back door, leaving the keys dangling in plain sight for the world to see. This reality recently played out in Budapest, where a simple operational security blunder by a threat actor provided security researchers with a rare, unfiltered look into a global phishing network. By following this guide, security professionals can understand the specific mechanics behind modern Adversary-in-the-Middle (AiTM) attacks and learn how to identify the subtle footprints left by sophisticated actors targeting Microsoft 365 environments.

The exposure was not the result of a zero-day vulnerability or an advanced forensic investigation but rather a basic failure to secure a Python-based web server. When the operator executed a simple directory listing command, they inadvertently mapped out their entire infrastructure for anyone to find. This guide details the step-by-step unmasking of these operations and provides the necessary strategies to harden corporate identities against the very tactics revealed by this mistake.

How a Single Directory Listing Unveiled a Global Phishing Network

The investigation began when a threat actor, operating from a server in Budapest, activated a Python web server using the basic directory listing functionality. This mistake allowed outsiders to browse the server’s entire file system, which contained an archive of the operator’s digital life and criminal enterprise. Inside these directories were Bash history logs, which recorded every command the attacker had typed, along with configuration files for phishing kits, logs of stolen credentials, and even personal Telegram session files that revealed the identity of the operator.

Moreover, the exposed data provided a chronological map of how the infrastructure was built and maintained. Researchers could see the exact moment various phishing frameworks were downloaded, modified, and deployed against targets. This level of transparency is almost unheard of in the world of cybercrime, where actors usually go to great lengths to obfuscate their tracks. The blunder served as a masterclass in how modern phishing-as-a-service operations function on a technical level, from the initial server setup to the final extraction of corporate data.

The Evolution of Session Hijacking and Adversary-in-the-Middle Tactics

The traditional era of simple password theft is rapidly coming to an end as organizations adopt Multi-Factor Authentication (MFA) as a baseline security requirement. In response, threat actors have moved toward Adversary-in-the-Middle tactics, which involve placing a malicious proxy between the user and the legitimate service. Instead of stealing a static password, the attacker captures the session cookie generated after a successful MFA challenge. This allows the criminal to hijack the authenticated session entirely, bypassing the need for a secondary verification code or biometric check.

Furthermore, this shift represents a fundamental change in the economics of phishing. Standard phishing kits are no longer sufficient to breach high-value corporate targets that use modern identity providers. The AiTM methodology requires more technical resources, including the maintenance of reverse proxies and the ability to rewrite web traffic in real-time. The Budapest server exposure highlights that even though these attacks are more complex, they have been industrialized through automated frameworks that make session hijacking accessible to a wider range of criminals.

Anatomy of the Breach: Three Campaigns Unmasked by One Error

Step 1: Investigating the “Codemado” Infrastructure and Bulk-Mailing Tactics

The first layer of the breach uncovered the activities of an Egyptian national who used the handle codemado. This individual acted as an infrastructure provider, setting up the foundation for large-scale phishing campaigns. His operation centered on a customized domain and a bulk-mailing tool known as MaDoO Blaster, which was used to send thousands of deceptive emails to employees at various companies. The infrastructure was designed to be modular, allowing the actor to swap out different components of the phishing kit depending on the target’s security posture.

The investigation revealed that codemado was not just a developer but also a coordinator who managed the flow of stolen data from various landing pages to a central repository. His use of standardized tools allowed him to scale his operations across multiple continents, focusing particularly on corporate targets in France and North America. This step in the analysis demonstrates how a single facilitator can enable a vast network of attacks by providing the necessary technical backbone for others to exploit.

Insight: The Persistence of Session Token Refreshing

A critical feature of the codemado toolkit was its ability to perform session token refreshing. Most session cookies have a limited lifespan, but the attacker’s framework was programmed to automatically request new tokens before the old ones expired. This ensured that the compromise was not just a one-time event but a persistent bridge into the victim’s environment.

By keeping these tokens alive, the attacker could maintain access to corporate mailboxes and internal documents for weeks or months. This tactic effectively neutralized the security benefit of short-lived sessions, as the automated system handled the renewal process without requiring any further interaction from the unsuspecting user.

Step 2: Analyzing the “Red-Queen” Fork and Technical Evasion Techniques

The second campaign identified was linked to an actor known as mail-argenta, who utilized a highly sophisticated variant of the Evilginx framework called red-queen. This version of the tool was heavily modified to include advanced evasion techniques that sought to hide the proxy’s presence from both users and security scanners. The red-queen fork implemented a custom URL-rewriting engine that changed the structure of the phishing links dynamically, making it difficult for automated systems to flag the malicious domains based on known patterns.

Additionally, the operator behind this campaign displayed a high level of technical proficiency by customizing the way the proxy handled web resources. The server logs showed that the actor was constantly monitoring the effectiveness of their landing pages and making real-time adjustments to bypass new security filters. This ongoing refinement process shows that modern phishing is a cat-and-mouse game where attackers are willing to invest significant time into perfecting their technical evasion strategies.

Warning: Bypassing Subresource Integrity (SRI) Checks

The red-queen kit specifically targeted Subresource Integrity protocols, which are designed to ensure that the scripts loaded by a browser have not been tampered with. The attacker’s code was modified to rename specific HTML attributes such as crossorigin and integrity during the proxying process. This effectively disabled the browser’s ability to verify the scripts, allowing the attacker to inject malicious code into the legitimate page content.

This technique is particularly dangerous because it happens entirely in the background. The user sees a perfect replica of the Microsoft login page, and even the browser’s built-in security checks are tricked into believing that the site’s resources are legitimate. It highlights the lengths to which attackers go to maintain the illusion of a secure connection.

Step 3: Exploiting Microsoft’s Device Code Flow with “Black-Queen”

The third operation, managed under the handle saroula01, utilized a framework known as black-queen. This operation abandoned the traditional proxy approach in favor of abusing the Microsoft device code flow. In this attack, the victim is tricked into entering a specific code on a legitimate Microsoft login page. Because the victim is interacting with the real domain, the authentication appears completely normal to the user and to most security monitoring tools.

Once the code is entered, the attacker’s backend system completes the authentication process on its own device, effectively stealing the resulting session token. This method is exceptionally stealthy because it does not require a complex reverse proxy setup and can be used to bypass even the most stringent MFA configurations. The black-queen framework was found to have successfully compromised over two hundred corporate accounts across a dozen countries during its period of operation.

Critical Risk: Why FIDO2 Cannot Stop Device Code Abuse

The use of device code flows presents a unique challenge because it can bypass hardware-backed protections like FIDO2 security keys. These keys rely on origin binding, meaning they will only authenticate if the browser is on the correct domain. However, in a device code attack, the victim is on the correct domain, so the FIDO2 key functions as intended and approves the login.

The problem lies in the fact that the authentication is being performed for the attacker’s device, not the victim’s. This nuance makes the device code flow a high-risk vector that many organizations overlook. It proves that even the strongest MFA methods can be defeated if the authentication protocol itself is being abused.

Step 4: Leveraging AI as the “Glue Code” for Modern Cybercrime

A significant discovery across all three operations was the use of generative artificial intelligence to assist in the development of malicious code. Researchers found evidence that the actors were using AI to write configuration scripts, troubleshoot bugs in their proxy frameworks, and even craft more convincing phishing emails. AI acted as a force multiplier, allowing actors with moderate technical skills to produce highly sophisticated results that would normally require a team of developers.

Furthermore, the integration of AI was seen in the automation of the phishing lifecycle. AI models were used to generate dynamic content that could change based on the target, making it harder for signature-based detection systems to keep up. This trend suggests that the barrier to entry for high-level cybercrime is continuing to lower, as AI takes over the more tedious and complex aspects of infrastructure management.

Trend: Generative AI in Malicious Development Cycles

The use of AI in these campaigns was not limited to simple tasks; it was deeply embedded in the development cycle. Attackers utilized AI to create custom URL-rewriting engines and to automate the process of refreshing stolen session tokens. This allowed the actors to focus on the strategic aspects of their campaigns while the AI handled the technical execution and maintenance.

As these AI tools become more accessible and less restricted, the speed and scale of phishing attacks are likely to increase. The Budapest server exposure provided a glimpse into a future where AI-driven automation is the standard for cybercriminal operations, necessitating a corresponding shift in how security teams approach defense and threat hunting.

Key Findings from the Budapest Server Exposure

The artifacts recovered from the Budapest server provided several critical insights into the current state of the phishing ecosystem. First, the infrastructure was surprisingly persistent, with attackers using long TTL settings on captured cookies to maintain access for up to a year. Second, the targeting was highly specific, focusing on Microsoft 365 environments within North America and France, indicating a coordinated effort to hit high-value Western corporate targets.

Moreover, the connectivity between the three operations revealed a broader underground network known as The Quarry. This ecosystem functions like a professional supply chain, where developers sell specialized tools and infrastructure to different operators. This collaborative environment allows individual criminals to launch sophisticated attacks without having to build everything from scratch, making the overall threat landscape much more dangerous and resilient.

Shifting Paradigms in Enterprise Identity Protection

The success of these phishing operations demonstrates that the industry must move beyond a simple reliance on Multi-Factor Authentication. The focus is now shifting toward identity-first security, which involves analyzing the context of every login attempt rather than just checking for a password and a code. This includes evaluating the device’s health, the user’s location, and the specific authentication protocol being used to access the resource.

Furthermore, organizations must recognize that legitimate features like the device code flow can be turned into weapons. Security policies need to be granular enough to disable these protocols when they are not strictly necessary. As threat actors continue to professionalize their operations through platforms like The Quarry, the only effective defense is a multi-layered strategy that treats every identity as a potential point of failure.

Strategic Defenses: Moving Beyond Basic Multi-Factor Authentication

To protect against the tactics revealed by the Budapest exposure, security teams implemented a series of hardened defensive measures. One of the most effective steps was the implementation of phishing-resistant MFA, such as Windows Hello for Business or FIDO2 keys, which specifically prevent the types of proxy-based attacks used by Evilginx. These methods ensure that even if a user is tricked, the authentication process cannot be intercepted by a middleman.

In addition to hardware-backed security, organizations adopted Continuous Access Evaluation to monitor sessions in real-time. This allowed for the immediate revocation of access if a user’s risk level changed or if a login originated from a suspicious location. Security administrators also began blocking the device code flow through Conditional Access policies, effectively closing the door on frameworks like black-queen. These proactive steps moved the industry away from reactive defense and toward a more resilient posture.

The investigation into the Budapest server and the subsequent unmasking of the various phishing campaigns provided a vital roadmap for modern cybersecurity. It demonstrated that even the most technically proficient actors were prone to human error, and these mistakes offered a unique opportunity to study and counter their methods. By analyzing the intersection of AI-driven automation and identity-based attacks, the security community gained the insights necessary to develop more robust protection strategies. The transition to identity-first security protocols became the standard response to a world where a single stolen session token could jeopardize an entire enterprise. This evolution reflected a deeper understanding that identity is the new perimeter, and its protection required constant vigilance and the abandonment of outdated security assumptions. Past failures in operational security by the attackers ultimately served to strengthen the global defense network against future intrusions.

subscription-bg
Subscribe to Our Weekly News Digest

Stay up-to-date with the latest security news delivered weekly to your inbox.

Invalid Email Address
subscription-bg
Subscribe to Our Weekly News Digest

Stay up-to-date with the latest security news delivered weekly to your inbox.

Invalid Email Address