
New Microsoft 365 Phishing Operations Expose Corporate Mailbox Weakness Across 12 Countries
Investigators uncovered three Microsoft 365 phishing campaigns run from a single misconfigured server, including one operation that captured credentials for 218 accounts across 12 countries—most of them corporate inboxes. The campaigns used Evilginx session theft and device code phishing, showing how attackers are sidestepping passwords and two-factor prompts to get inside companies’ email and data.
A single poorly secured server has exposed just how far phishing operators have pushed beyond fake login pages, turning Microsoft 365 accounts into a soft underbelly for corporate security in over a dozen countries.
Security researchers, examining an open directory on a misconfigured server, uncovered three separate phishing operations targeting Microsoft 365 users. One of the campaigns logged credentials and session data for 218 accounts spanning 12 countries, with roughly 94% of those accounts belonging to corporate mailboxes rather than personal users. The investigation sheds light on how attackers are refining their methods to bypass even well‑configured password and multi‑factor authentication (MFA) policies.
Instead of simply collecting usernames and passwords, the operators combined two techniques that strike at how modern authentication actually works: Evilginx‑based session hijacking and device code phishing. Evilginx is a man‑in‑the‑middle framework that intercepts traffic between a user and a legitimate website, allowing attackers to steal session cookies after the user successfully logs in. With those cookies, an attacker can often access an account without ever needing to re‑enter a password or MFA code.
Device code phishing, the second technique, abuses legitimate “device login” flows that are meant to make it easier to sign in from smart TVs, consoles or other hardware with limited input. By tricking users into entering a code on what appears to be a trusted Microsoft page, attackers can tie the resulting token to their own infrastructure and gain access without raising the red flags that traditional phishing URLs might trigger.
For companies, the human impact is not an abstract cyber statistic but a direct risk to inboxes that control contracts, payments and sensitive negotiations. A compromised corporate mailbox can be used to redirect invoices, push fake payment instructions to partners, request confidential files or silently monitor internal strategy discussions for months. The fact that nearly all of the 218 captured accounts belonged to organizations underscores that attackers are selecting targets where a single account can unlock large financial or intelligence payoffs.
Operationally, the campaigns show how phishing has evolved from one‑off email lures into structured, multi‑stage operations. By hosting multiple campaigns on the same server, the operators can rotate domains and lures while maintaining a central collection point for stolen data. The uncovered directory gave investigators an unusual window into their toolkit and victim list—but also suggests that other, better secured servers may be running similar campaigns without leaving obvious traces.
Strategically, the findings matter because Microsoft 365 has become core infrastructure for governments, critical industries and small businesses alike. When attackers can routinely bypass MFA on such a widely used platform, the security model for cloud email and productivity apps starts to look less like a fortress and more like a series of doors held shut by habits and heuristics. Compromised accounts in 12 countries also mean potential cross‑border effects, from supply chain fraud to leaked deal information and exposed personal data on employees and clients.
The broader pattern aligns with what defenders have been warning for years: credentials are no longer the only—or even the main—prize. Session tokens, device codes and identity federation links are equally valuable, and the weakest point is often how end‑users are trained to respond to “normal” sign‑in prompts. When the attack surface is the everyday login process itself, technical controls alone cannot fully close the gap.
The shareable lesson is blunt: if an attacker can steal your authenticated session, they don’t need your password; they can simply walk through the front door while security is busy staring at the lock.
Signals to watch next include whether Microsoft and major identity providers roll out new protections such as token binding, conditional access policies tuned to session‑stealing patterns, and better warnings around device code flows. Companies should expect more guidance from regulators and cyber agencies, and any surge in reported business email compromise tied to Microsoft 365 accounts would indicate that the techniques revealed by this investigation are already spreading beyond the three exposed campaigns.
Sources
- OSINT