Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
GPT-Red Tool Finds Prompt Injection Vulnerabilities in GPT 5.6 Sol
July 16, 2026
Kratos PhaaS Attacks Microsoft 365 Users to Steal Credentials
July 16, 2026
Critical Zoom Windows Flient Flaw Lets Attackers Take Over Accounts via Network
July 16, 2026
Home/Threats/Kratos PhaaS Attacks Microsoft 365 Users to Steal Credentials
Threats

Kratos PhaaS Attacks Microsoft 365 Users to Steal Credentials

Key Takeaways The Kratos PhaaS (Phishing-as-a-Service) platform is actively targeting Microsoft 365 users across the United States and Europe. The primary goal of these attacks is to steal user...

David kimber
David kimber
July 16, 2026 3 Min Read
2 0

Key Takeaways

  • The Kratos PhaaS (Phishing-as-a-Service) platform is actively targeting Microsoft 365 users across the United States and Europe.
  • The primary goal of these attacks is to steal user credentials through sophisticated phishing campaigns.
  • Kratos employs advanced techniques, including Adversary-in-the-Middle (AiTM) phishing, to bypass multi-factor authentication (MFA).
  • The service is continuously evolving, with researchers identifying two distinct versions (V1 and V2) of its phishing kits.
  • Organizations must implement robust detection and response strategies, including monitoring cloud infrastructure and promptly revoking compromised sessions.

A new Phishing-as-a-Service (PhaaS) platform, dubbed “Kratos,” is aggressively targeting Microsoft 365 users across the United States and Europe, aiming to compromise credentials and bypass multi-factor authentication (MFA). Cybersecurity researchers have identified this evolving threat, noting its sophisticated phishing kits and widespread operational reach.

Table Of Content

  • Key Takeaways
  • Kratos Phishing-as-a-Service: An Evolving Threat
  • Operational Mechanics and Attack Vectors
  • What You Should Do

Kratos Phishing-as-a-Service: An Evolving Threat

Kratos operates as a PhaaS offering, providing cybercriminals with the tools and infrastructure needed to launch large-scale phishing campaigns. The service is particularly effective against Microsoft 365 environments, leveraging meticulously crafted fake login pages to trick users into surrendering their credentials. Its reach extends across North America and Europe, indicating a broad and coordinated attack effort.

Researchers have observed two primary versions of the Kratos phishing kit in the wild. Kratos V1 utilizes specific file assets such as assets/img/barr.svg, assets/img/lg.svg, ani.gif, res.css, and styles.css for its phishing pages. The newer Kratos V2, demonstrating continuous development, incorporates assets like dsa.svg, sid.gif, imag.jpg, and main.js. Both versions share a common styles.css hash (c447e75f1029ed7a5882add16bcd13ad44be3bd47c93c830ff39185ebb), indicating a shared lineage and ongoing refinement by the Kratos operators. This evolution highlights the adaptive nature of the PhaaS platform, continually enhancing its tools to improve efficacy and evade detection.

Operational Mechanics and Attack Vectors

The Kratos platform facilitates credential harvesting through various exfiltration endpoints, including scripts named PTTSOftmini.php, next.php, nex.php, n3xt.php, officerseur.php, and save.php. These scripts are designed to capture and transmit submitted user credentials to the attackers. The infrastructure supporting Kratos includes a range of domains, such as abal[.]my, starwellmedia[.]com, aabiz[.]de, aspireglobal[.]ltd, buenne[.]de, dufllot[.]sbs, enerdizerandtron[.]de, espaciocf[.]de, ihrsupportcenter[.]de, ilersls[.]org, aaalen[.]de, rundwasser[.]de, smartcontrolengineer[.]com, sonnenbrillenspot[.]de, and trisrnareprjdocz[.]com. An early domain associated with the V0 PTTSOft iteration was identified as dwbud[.]vilaribit[.]com. The operators’ infrastructure has been traced to an IP address in Egypt: 41.128.0.142.

A significant concern with Kratos is its capability for Adversary-in-the-Middle (AiTM) phishing, which allows it to bypass traditional MFA protections. In an AiTM attack, the phishing site acts as a proxy, forwarding legitimate authentication requests to the actual service (e.g., Microsoft 365) and relaying the responses back to the user. This enables the attacker to intercept session cookies and authentication tokens, gaining unauthorized access even if the user has MFA enabled. This sophisticated technique makes Kratos a particularly dangerous threat, as it neutralizes a key security control.

What You Should Do

  • Report Compromised Sites: Immediately report any identified phishing websites to appropriate authorities for takedown.
  • Monitor Cloud Infrastructure: Implement continuous monitoring of broad cloud networks and Cloudflare infrastructure for suspicious activity. Avoid wholesale blocking, which could disrupt legitimate services.
  • Reset Passwords and Verify MFA: For basic credential harvesting incidents, promptly reset affected user passwords and thoroughly verify all multi-factor authentication settings.
  • Revoke Sessions and Refresh Tokens: In cases of suspected session theft or AiTM phishing, immediately revoke all active user sessions and refresh tokens.
  • Inspect Mailbox Rules and Sign-ins: Investigate unfamiliar sign-in attempts and scrutinize mailbox rules for any unauthorized changes, as attackers often create forwarding rules to maintain access or exfiltrate data. A password reset alone is insufficient for AiTM compromises.
  • Educate Users: Conduct regular security awareness training for all users, emphasizing the dangers of phishing, how to identify suspicious emails, and the importance of reporting anomalies.
  • Implement Advanced Threat Protection: Utilize advanced email security solutions and endpoint detection and response (EDR) tools capable of detecting and mitigating sophisticated phishing and AiTM attacks.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackphishingThreat

Share Article

David kimber

David kimber

David is a penetration tester turned security journalist with expertise in mobile security, IoT vulnerabilities, and exploit development. As an OSCP-certified security professional, David brings hands-on technical experience to his reporting on vulnerabilities and security research. His articles often feature detailed technical analysis of exploits and provide actionable defense recommendations. David maintains an active presence in the security research community and has contributed to multiple open-source security tools.

Previous Post

Critical Zoom Windows Flient Flaw Lets Attackers Take Over Accounts via Network

Next Post

GPT-Red Tool Finds Prompt Injection Vulnerabilities in GPT 5.6 Sol

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
CISA Warns of Oracle E-Business Suite Vulnerability Actively Exploited in Attacks
July 16, 2026
Multiple Critical Splunk Enterprise Vulnerabilities Allow Path Traversal, Info Disclosure
July 16, 2026
F5 Patches Critical NGINX Vulnerabilities, Preventing Code Execution
July 16, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Emy Elsamnoudy
Emy Elsamnoudy
Jennifer sherman
Jennifer sherman
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us