Exposed Server Unmasks Evilginx Operators Stealing Microsoft 365 Sessions and OAuth Tokens
ID: 3c3f014c-912e-513d-88ba-0421d9735c99
STIX ID: report--3c3f014c-912e-513d-88ba-0421d9735c99
Feed Name: GBHackers
Researchers discovered a misconfigured public server (185.163.204.7) that exposed a live phishing operation attributed to the actor codemado (MaDoO/MaDosc). The operation used Evilginx-style reverse proxies and a Device Code Flow phishing framework to bypass Microsoft 365 multi-factor authentication and steal session cookies and tokens, and included post-compromise tooling (ScreenConnect, SimpleHelp, remote management tools), droppers, AsyncRAT links, and extensive operational artifacts and indicators of compromise (domains, IPs, Cloudflare Tunnel ID).
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
