Kali365 PhaaS Operation Expands Beyond Microsoft 365 to Target
Kali365, a phishing-as-a-service (PhaaS) platform first spotted in April 2026, was initially built to steal Microsoft 365 login tokens by tricking users into authorizing fake device login requests.
Now it has grown into something much bigger, going after Okta single sign-on systems, Russian messaging platform MAX Messenger, and dozens of other services.
The platform works by abusing a legitimate Microsoft login process, the OAuth 2.0 device authorization flow (RFC 8628).
The flow was designed for input-constrained devices such as smart TVs and printers that cannot present a browser login, so the user authenticates on a second device by typing a short code.
Kali365 exploits this by requesting a real device code from Microsoft, embedding the short user code in a fake document-sharing page, and waiting for the victim to enter it on the genuine Microsoft device-login site.
Once the victim signs in there, the kit's polling request to the token endpoint is answered with working access and refresh tokens. The attacker never handles the victim's password or MFA code: both were completed on the real Microsoft page, so the token that comes back already satisfies MFA.
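The exchange described above, as an added example that is not code from the article or from Arctic Wolf: a constructed, offline stand-in for an identity provider's device-code endpoints, with the three parties (phishing kit, victim, token endpoint) driven through the flow under a simulated clock. The server, client id, user names and error strings are assumptions for the demonstration; nothing here contacts Microsoft.

```python
"""Offline simulation of the OAuth 2.0 device authorization grant (RFC 8628).
Shows why a device-code phish yields tokens although the attacker never sees the
password or MFA code. Everything here is constructed for the example."""
import secrets
import string
from dataclasses import dataclass
from typing import Dict, Optional

USER_CODE_ALPHABET = string.ascii_uppercase + string.digits


@dataclass
class DeviceGrant:
    device_code: str
    user_code: str
    client_id: str
    scope: str
    expires_at: float
    interval: int = 5
    approved_by: Optional[str] = None  # principal who authenticated on the real site
    last_poll: float = -1e9


class MockAuthServer:
    """Constructed stand-in for an identity provider's device-code endpoints."""

    def __init__(self, lifetime: int = 900, block_device_code: bool = False):
        self.lifetime = lifetime
        self.block_device_code = block_device_code  # models a policy that blocks the flow
        self.grants: Dict[str, DeviceGrant] = {}     # device_code -> grant
        self.user_codes: Dict[str, DeviceGrant] = {} # user_code -> grant

    def device_authorization(self, client_id: str, scope: str, now: float) -> dict:
        """Step 1 (attacker's kit): obtain device_code, user_code and verification_uri."""
        if self.block_device_code:
            return {"error": "access_denied"}  # assumed error for a blocked flow
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(9))
        grant = DeviceGrant(secrets.token_urlsafe(32), user_code, client_id, scope,
                            now + self.lifetime)
        self.grants[grant.device_code] = grant
        self.user_codes[user_code] = grant
        return {"device_code": grant.device_code, "user_code": user_code,
                "verification_uri": "https://idp.example/devicelogin",  # constructed
                "expires_in": self.lifetime, "interval": grant.interval}

    def verify(self, user_code: str, username: str, password_ok: bool,
               mfa_ok: bool, now: float) -> bool:
        """Step 2 (victim, on the genuine site): enter the code, then password and MFA.
        The kit is not a party to this exchange and sees none of these secrets."""
        grant = self.user_codes.get(user_code)
        if grant is None or now >= grant.expires_at or not (password_ok and mfa_ok):
            return False
        grant.approved_by = username
        return True

    def token(self, client_id: str, device_code: str, now: float) -> dict:
        """Step 3 (attacker polls): pending until the victim approves, then tokens."""
        grant = self.grants.get(device_code)
        if grant is None or grant.client_id != client_id:
            return {"error": "invalid_grant"}
        if now >= grant.expires_at:
            return {"error": "expired_token"}
        if now - grant.last_poll < grant.interval:
            return {"error": "slow_down"}
        grant.last_poll = now
        if grant.approved_by is None:
            return {"error": "authorization_pending"}
        # Tokens are minted for the approving user but handed to whoever holds
        # device_code, which is the phishing kit.
        del self.grants[device_code]
        return {"token_type": "Bearer", "scope": grant.scope,
                "subject": grant.approved_by,
                "access_token": secrets.token_urlsafe(32),
                "refresh_token": secrets.token_urlsafe(32)}


def run_phish_scenario(block_device_code: bool = False) -> dict:
    """Drive the three steps with a simulated clock; returns each stage's result."""
    idp = MockAuthServer(block_device_code=block_device_code)
    kit = "kit-client"  # constructed; the article does not say which client id the kit presents
    t = 0.0
    start = idp.device_authorization(kit, "Mail.ReadWrite Contacts.Read offline_access", t)
    if "error" in start:
        return {"start": start, "pending": None, "approved": False, "token": None}
    pending = idp.token(kit, start["device_code"], t + 5)  # victim has not acted yet
    approved = idp.verify(start["user_code"], "victim@contoso.example", True, True, t + 60)
    tok = idp.token(kit, start["device_code"], t + 65)
    return {"start": start, "pending": pending, "approved": approved, "token": tok}


if __name__ == "__main__":
    result = run_phish_scenario()
    print("first poll:", result["pending"])
    print("token issued for:", result["token"]["subject"])
    print("with policy block:", run_phish_scenario(block_device_code=True)["start"])
```

The point to take from the simulation is the `token()` method: the identity provider only checks that the grant was approved by someone, then returns the tokens to the holder of `device_code`. No phishing proxy, password capture or MFA relay is involved, which is why password-change and MFA-prompt training alone do not stop this, and why blocking the flow at the identity provider (modelled here by `block_device_code`) is the decisive control.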
Analysts at Arctic Wolf tracked this operation and mapped out its full reach. Arctic Wolf said in a report shared with Cyber Security News (CSN), “Arctic Wolf has observed a significant expansion of the phishing-as-a-service operation Kali365, which abuses Microsoft’s OAuth device authorization flow to bypass MFA.”
Their research uncovered a live command-and-control panel, a 126-host phishing cluster, and a new attack campaign targeting Russian users through MAX Messenger.
The FBI had already issued a public warning about Kali365 in May 2026, calling it a low-barrier tool that gives less-technical attackers access to AI-generated phishing lures and real-time victim tracking dashboards.
The platform is sold on Telegram for roughly $250 per month, paid in Bitcoin, making it accessible to a wide range of threat actors. That accessibility is exactly what makes this operation so dangerous for security teams around the world.
Kali365 PhaaS Operation Expands Beyond Microsoft 365
The same operator behind the original Microsoft 365 campaign has now branched into a multi-brand phishing operation.
Researchers found 126 malicious hosts, all running the same kit, impersonating services like Okta SSO, Xerox DocuShare, LiveDrive, AWS naming patterns, GMX, and Russian platforms including Mail.ru, Yandex Disk, and Odnoklassniki.
This is not a collection of separate threats but one infrastructure rotating across many brand disguises. The most striking new addition is a campaign targeting MAX Messenger, Russia’s state-backed app with over 110 million registered users.
The attacker set up a fake “prize claim” page on greatness-marketing[.]top, designed to look like a prize verification site.
Victims are prompted to enter their Russian phone number, then a real one-time password from MAX Messenger, and finally a two-factor code. All of it reaches the attacker in real time through a Telegram bot named @NovosibyrskyMoneyBot.
Once a MAX account is taken over, the attacker gains access to messages, media files, and the victim’s full contact list. That contact list then becomes the next wave of targets, as the compromised account spreads the same prize lure to everyone in it.
![The greatness-marketing[.]top phishing “prize claim” page asks for the victim’s Russian (+7) phone number (Source - Arctic Wolf)](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5kdn2M6vB-ntiia74oMZSihRn7sznrOcuvXP2EeCRV73DTpl1IPkBOu54K_68Rfc03AJcrCpZyQYUfp9WTsgv6PvBRkfbQGQO_I7B9-TOAbtuK_S8-V0wiZWuvKRKEqrCiZHzrK-WuiO3hqxC-Tsa5u3Upfto01xttyJjILQPD5Cm_IVXnw9SIFd_g-I/s16000/The%20greatness-marketing%5B.%5Dtop%20phishing%20%E2%80%9Cprize%20claim%E2%80%9D%20page%20asks%20for%20the%20victim%E2%80%99s%20Russian%20(+7)%20phone%20number%20(Source%20-%20Arctic%20Wolf).webp)
This propagation model mirrors long-running scam tactics on Telegram, but applied here at the scale of one of the largest messaging platforms in the Russian-speaking world.
Defenders Must Act Fast
Arctic Wolf’s researchers recommend treating panel[.]securehubcloud[.]com as a confirmed command-and-control address.
Any outbound connection from a company network to that host is a strong sign that a device has loaded an active Kali365 phishing page. Security teams should block that endpoint at the network level and set up immediate alerts.
Blocking the entire attachedfile[.]com domain family is also advised, as all 39 observed subdomains were found serving the same phishing kit.
[Image: …into a six-digit OTP grid (Source - Arctic Wolf)]
For Microsoft 365 environments, blocking the device code authentication flow for all users and cloud apps through a Conditional Access authentication-flows policy is one of the most effective steps available; keep any exclusion group for devices that genuinely need the flow as small as possible and review it.
Organizations should also monitor for suspicious post-authentication behavior like mass contact exports or inbox access from unfamiliar locations. Security awareness training remains essential so users can recognize unexpected login prompts before it is too late.
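The two Microsoft 365 controls above, as an added example that is not code from the article or from Arctic Wolf: a Conditional Access policy body that blocks the device code flow, an audit function that checks whether a tenant's exported policies actually achieve that block, and a triage pass over sign-in records that flags completed device-code sign-ins, rating those from a country outside the user's baseline higher. The policy and sign-in field names follow the Microsoft Graph conditionalAccessPolicy and signIn resources as assumed here; the policy body, sign-in records, users and baseline countries are constructed for the example.

```python
"""Conditional Access check and sign-in log triage for device-code abuse.
Field names follow the Microsoft Graph schema; all data is constructed."""
from typing import Dict, List, Set

# Policy body (assumed Graph schema) that blocks the device code flow tenant-wide.
DEVICE_CODE_BLOCK_POLICY = {
    "displayName": "Block OAuth device code flow",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"],
                  "excludeGroups": []},  # add a group id only for devices that need the flow
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["all"],
        "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}


def policy_blocks_device_code(policy: Dict) -> bool:
    """True if this one policy is enabled and blocks deviceCodeFlow for all users and apps."""
    if policy.get("state") != "enabled":
        return False
    cond = policy.get("conditions", {})
    methods = cond.get("authenticationFlows", {}).get("transferMethods", "")
    flows = {m.strip() for m in methods.split(",")}  # comma-separated flags string
    all_users = "All" in cond.get("users", {}).get("includeUsers", [])
    all_apps = "All" in cond.get("applications", {}).get("includeApplications", [])
    blocks = "block" in policy.get("grantControls", {}).get("builtInControls", [])
    return "deviceCodeFlow" in flows and all_users and all_apps and blocks


def tenant_blocks_device_code(policies: List[Dict]) -> bool:
    """Audit an exported policy list: a report-only or scoped policy does not count."""
    return any(policy_blocks_device_code(p) for p in policies)


# Constructed sign-in records shaped like the Graph signIn resource.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-06-02T09:14:31Z", "userPrincipalName": "alice@contoso.example",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.23", "location": {"countryOrRegion": "NG"},
     "status": {"errorCode": 0}},
    {"createdDateTime": "2026-06-02T09:20:00Z", "userPrincipalName": "bob@contoso.example",
     "appDisplayName": "Outlook", "authenticationProtocol": "oAuth2",
     "ipAddress": "192.0.2.10", "location": {"countryOrRegion": "US"},
     "status": {"errorCode": 0}},
    {"createdDateTime": "2026-06-02T09:25:00Z", "userPrincipalName": "carol@contoso.example",
     "appDisplayName": "Microsoft Azure CLI", "authenticationProtocol": "deviceCode",
     "ipAddress": "192.0.2.44", "location": {"countryOrRegion": "US"},
     "status": {"errorCode": 0}},
    {"createdDateTime": "2026-06-02T09:30:00Z", "userPrincipalName": "dave@contoso.example",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.9", "location": {"countryOrRegion": "BR"},
     "status": {"errorCode": 50126}},  # non-zero errorCode: the sign-in did not complete
]
# Constructed per-user baseline of countries seen in normal sign-ins.
BASELINE_COUNTRIES: Dict[str, Set[str]] = {
    "alice@contoso.example": {"US"},
    "carol@contoso.example": {"US"},
}


def triage_device_code_signins(records: List[Dict], baseline: Dict[str, Set[str]]) -> List[Dict]:
    """Flag completed device-code sign-ins; out-of-baseline country raises severity."""
    alerts = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        if r.get("status", {}).get("errorCode", 0) != 0:
            continue  # failed or interrupted attempts are noise for this hunt
        upn = r.get("userPrincipalName", "")
        country = r.get("location", {}).get("countryOrRegion")
        severity = "high" if country not in baseline.get(upn, set()) else "medium"
        alerts.append({"time": r["createdDateTime"], "user": upn,
                       "app": r.get("appDisplayName"), "ip": r.get("ipAddress"),
                       "country": country, "severity": severity})
    return sorted(alerts, key=lambda a: a["severity"])  # "high" sorts before "medium"


if __name__ == "__main__":
    print("tenant blocks device code:", tenant_blocks_device_code([DEVICE_CODE_BLOCK_POLICY]))
    for alert in triage_device_code_signins(SAMPLE_SIGNINS, BASELINE_COUNTRIES):
        print(alert)
```

Even a medium-severity hit deserves a look: a device-code sign-in from a familiar country into an app the user does not normally run from a console (the constructed carol record) is exactly what a phish landing on a home-country victim looks like. After a confirmed hit, revoke the user's refresh tokens and review mailbox and contact-export activity for that session, since the article notes the stolen token gives access without a password change ever being required.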
Indicators of Compromise (IoCs):
| Type | Indicator | Description |
|---|---|---|
| Domain | panel[.]securehubcloud[.]com | Kali365 C2 sign-in panel |
| Domain | api[.]securehubcloud[.]com | Kali365 C2 API endpoint |
| Domain | boss[.]securehubcloud[.]com | Kali365 C2 subdomain |
| Domain | open-box-rpps[.]jeff-1fd[.]workers[.]dev | Active Kali365 device-code phishing page |
| Domain | greatness-marketing[.]top | MAX Messenger fake “prize claim” phishing page |
| Domain | attachedfile[.]com | Shared cPanel host serving phishing kit (all 39 subdomains malicious) |
| Domain | tk[.]mowell[.]tech | Tracking pixel host used for affiliate-style conversion telemetry |
| IP Address | 172[.]67[.]156[.]83 | Cloudflare-fronted IP hosting securehubcloud[.]com infrastructure (AS13335) |
| IP Address | 104[.]21[.]32[.]229 | Cloudflare-fronted IP hosting securehubcloud[.]com infrastructure (AS13335) |
| TLS Certificate SHA1 | 6894a51278ec89118276c2dd2dc36e6f9ea2790a | C2 TLS certificate fingerprint used to pivot on K365 Control infrastructure |
| HTTP Banner Hash | febb622cd9eeb5c8860dcef4cbfd4b74 | Response signature shared by all 126 phishing hosts in the cluster |
| Telegram Bot Token | 8535071077:AAFus1ccm-puZ2htZkpKP_UyZfp3FTHFCzg | Telegram bot used to exfiltrate MAX Messenger credentials |
| Telegram Bot Username | @NovosibyrskyMoneyBot (sova_novosibirsk_bot) | Credential exfiltration bot; forwards phone numbers, OTPs, and 2FA passwords |
| Telegram Chat ID | -5035652280 | Destination chat for all exfiltrated MAX Messenger credentials |
| Affiliate/Session ID | 2091010 | Hardcoded SID mapping phishing page to operator’s C2 tenant |
| Page Title String | K365 Control | Internal C2 branding used as hunting fingerprint |
| Content String | “Preparing your secure document…” | Stable HTML string present across the 126-host phishing cluster; usable as VirusTotal hunt query |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.