EXECUTIVE SUMMARY
The threat actor behind the current campaign is the group operating the Kali365 phishing‑as‑a‑service platform. This campaign blends credential‑theft and token‑theft techniques, abusing Microsoft’s OAuth device‑authorization flow to bypass multifactor authentication. Targets include enterprise cloud services such as Microsoft 365 and Okta, document platforms like Xerox DocuShare, and high‑profile Russian consumer services including MAX Messenger, Mail.ru, Yandex Disk, and Odnoklassniki. The operator’s primary objective is to harvest valid access tokens that grant persistent control over victim accounts, enabling data exfiltration, service abuse, and lateral movement across compromised environments.
The infection chain begins with a phishing page that mimics a legitimate login portal for Outlook, Okta, or MAX Messenger. Behind the page, the attacker’s application requests a device code from Microsoft’s device‑authorization endpoint and displays the resulting user code on the lure. When the victim enters that code on the genuine Microsoft device‑login site and completes sign‑in, including any MFA prompt, Microsoft releases an access token and a refresh token to whichever party holds the matching device code: the attacker’s backend, which has been polling the token endpoint. The stolen tokens let the adversary act as the victim within cloud services, establish persistence, and harvest further credentials. The phishing page polls the attacker’s command‑and‑control endpoint to confirm that the tokens have been captured, and the C2 panel gives the operator real‑time status and a launch point for further abuse of the compromised accounts.
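The exchange above, modeled offline as an added example (this is not Kali365’s or Microsoft’s code; the ToyAuthorizationServer class, the client ID "lure-client", the user "alice", the verification URI and the token formats are constructed for this illustration). The point it makes runnable is that the server enforces MFA at the sign‑in step and the victim passes it, yet the tokens go to the party holding the device_code, which never authenticated at all:

```python
"""Toy model of the OAuth 2.0 device authorization grant (RFC 8628).

Added illustration, not the campaign's or the identity provider's code.
ToyAuthorizationServer, the client ID 'lure-client', the user 'alice' and the
verification URI are assumptions made for this example.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class DeviceGrant:
    client_id: str
    scope: str
    user_code: str       # short code shown to a human on the lure page
    device_code: str     # long secret kept by whoever requested the grant
    expires_at: float
    approved_by: Optional[str] = None   # set once a user completes sign-in
    redeemed: bool = False


class ToyAuthorizationServer:
    """Stands in for the identity provider's /devicecode and /token endpoints."""

    def __init__(self, code_ttl: float = 900.0):
        self.code_ttl = code_ttl
        self._grants: Dict[str, DeviceGrant] = {}     # keyed by device_code
        self._by_user_code: Dict[str, DeviceGrant] = {}

    def device_authorization(self, client_id: str, scope: str) -> dict:
        """POST /devicecode: called by whoever wants tokens (here, the attacker backend)."""
        grant = DeviceGrant(
            client_id=client_id, scope=scope,
            user_code=f"{secrets.randbelow(10**9):09d}",
            device_code=secrets.token_urlsafe(32),
            expires_at=time.time() + self.code_ttl,
        )
        self._grants[grant.device_code] = grant
        self._by_user_code[grant.user_code] = grant
        return {"user_code": grant.user_code, "device_code": grant.device_code,
                "verification_uri": "https://idp.example/devicelogin", "interval": 5}

    def user_sign_in(self, user_code: str, username: str, mfa_passed: bool) -> str:
        """The genuine device-login page: the victim types the code and authenticates."""
        grant = self._by_user_code.get(user_code)
        if grant is None or time.time() > grant.expires_at:
            return "invalid_or_expired_code"
        if not mfa_passed:
            return "mfa_required"
        grant.approved_by = username      # MFA was satisfied by the victim, not the poller
        return "approved"

    def token(self, device_code: str) -> dict:
        """POST /token with grant_type=device_code: the poller receives the tokens."""
        grant = self._grants.get(device_code)
        if grant is None or time.time() > grant.expires_at:
            return {"error": "expired_token"}
        if grant.approved_by is None:
            return {"error": "authorization_pending"}
        if grant.redeemed:
            return {"error": "invalid_grant"}
        grant.redeemed = True
        return {"access_token": f"at.{grant.approved_by}.{secrets.token_hex(8)}",
                "refresh_token": f"rt.{grant.approved_by}.{secrets.token_hex(8)}",
                "scope": grant.scope, "token_type": "Bearer"}


def run_device_code_phish(idp: ToyAuthorizationServer, victim: str = "alice") -> dict:
    """Walk the campaign's flow end to end and return what the attacker ends up holding."""
    # 1. Attacker backend requests a grant; it keeps device_code and shows user_code on the lure.
    start = idp.device_authorization(client_id="lure-client", scope="Mail.Read offline_access")
    # 2. Before the victim acts, polling only yields authorization_pending.
    pending = idp.token(start["device_code"])
    # 3. Victim enters the code on the real site and passes MFA; the server cannot tell
    #    that the device_code belongs to someone else.
    status = idp.user_sign_in(start["user_code"], victim, mfa_passed=True)
    # 4. The next poll hands the victim's access and refresh tokens to the attacker.
    tokens = idp.token(start["device_code"])
    return {"pending_error": pending.get("error"), "sign_in_status": status, "tokens": tokens}


if __name__ == "__main__":
    print(run_device_code_phish(ToyAuthorizationServer()))
```

Note the asymmetry the model exposes: the only thing binding the sign‑in to a client is the nine‑digit user code, so every defense has to act either before the victim types it (blocking the grant for clients that do not need it) or after the fact (spotting the device‑code sign‑in in the logs).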
The campaign matters because it rides on a legitimate authentication flow: the victim never types a password into the attacker’s page, so signatures built for classic credential‑theft kits do not fire, and the MFA prompt is completed on Microsoft’s own site. Tokens already issued stay valid until they expire or are explicitly revoked, so a password reset alone does not immediately evict the attacker; sessions and refresh tokens must be revoked as well. Organizations that rely on Microsoft 365 or federated identity providers are especially exposed, and the rapid rotation of phishing domains hampers blocklist‑based defenses. Recommended mitigations include blocking the device‑code grant where it is not required (Conditional Access has an authentication‑flows condition for exactly this), enforcing conditional‑access policies that restrict token issuance to compliant devices and expected locations, hunting sign‑in logs for device‑code authentications from unfamiliar IPs, monitoring outbound traffic to known C2 hosts, and ensuring robust backup and incident‑response processes. Regular security‑awareness training further reduces the likelihood that users will enter a code they did not request.
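A hunting pass over Entra ID sign‑in records, as an added example that is not from the referenced reports: the field names follow the Microsoft Graph signIn resource (authenticationProtocol carries the value deviceCode for this grant), the log lines in SAMPLE_SIGNIN_LOG are constructed, and the lookback window and severity rules are this example’s own assumptions. Each device‑code sign‑in is rated against the same user’s recent non‑device‑code sign‑ins, because in this attack the token request comes from the attacker’s infrastructure while the victim’s normal sign‑ins come from their own network:

```python
"""Hunt for device-code sign-ins in Entra ID sign-in records.

Added example, not taken from the referenced reports. Field names follow the
Microsoft Graph signIn resource; the records in SAMPLE_SIGNIN_LOG are
constructed, and the lookback window and severity rules are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Constructed newline-delimited JSON, deliberately not in time order.
SAMPLE_SIGNIN_LOG = """\
{"createdDateTime":"2025-03-03T08:02:11Z","userPrincipalName":"alice@example.com","ipAddress":"203.0.113.10","location":{"countryOrRegion":"DE"},"authenticationProtocol":"none","appDisplayName":"Office 365 Exchange Online"}
{"createdDateTime":"2025-03-03T08:40:55Z","userPrincipalName":"alice@example.com","ipAddress":"203.0.113.10","location":{"countryOrRegion":"DE"},"authenticationProtocol":"none","appDisplayName":"Microsoft Teams"}
{"createdDateTime":"2025-03-03T09:15:02Z","userPrincipalName":"alice@example.com","ipAddress":"198.51.100.77","location":{"countryOrRegion":"US"},"authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Authentication Broker"}
{"createdDateTime":"2025-03-03T09:20:40Z","userPrincipalName":"bob@example.com","ipAddress":"192.0.2.5","location":{"countryOrRegion":"DE"},"authenticationProtocol":"deviceCode","appDisplayName":"Azure CLI"}
{"createdDateTime":"2025-03-03T07:58:00Z","userPrincipalName":"bob@example.com","ipAddress":"192.0.2.5","location":{"countryOrRegion":"DE"},"authenticationProtocol":"none","appDisplayName":"Azure Portal"}
"""


def parse_signins(raw: str) -> List[dict]:
    """Parse newline-delimited JSON sign-in records and return them oldest first."""
    records = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["_ts"] = datetime.strptime(rec["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc)
        records.append(rec)
    records.sort(key=lambda r: r["_ts"])
    return records


def hunt_device_code(records: List[dict], lookback_hours: int = 24) -> List[dict]:
    """Emit one finding per deviceCode sign-in, rated against the user's recent baseline.

    Baseline = that user's non-device-code sign-ins within lookback_hours before the event.
    A device-code grant from an IP and country the user has never used is the pattern this
    campaign produces, since the poller (attacker) and the victim sit on different networks.
    """
    seen: Dict[str, List[Tuple[datetime, str, str]]] = defaultdict(list)
    findings = []
    for rec in records:
        user = rec["userPrincipalName"]
        ip = rec.get("ipAddress", "")
        country = (rec.get("location") or {}).get("countryOrRegion", "")
        if rec.get("authenticationProtocol") != "deviceCode":
            seen[user].append((rec["_ts"], ip, country))
            continue
        cutoff = rec["_ts"] - timedelta(hours=lookback_hours)
        recent = [(i, c) for t, i, c in seen[user] if t >= cutoff]
        known_ip = any(i == ip for i, _ in recent)
        known_country = any(c == country for _, c in recent)
        if known_ip:
            severity = "low"        # same address the user normally signs in from
        elif known_country or not recent:
            severity = "medium"     # plausible location, or no baseline to judge against
        else:
            severity = "high"       # new IP and new country: triage first
        findings.append({
            "time": rec["createdDateTime"], "user": user, "ip": ip, "country": country,
            "app": rec.get("appDisplayName", ""), "severity": severity,
            "reason": (f"device code grant from {'known' if known_ip else 'new'} IP, "
                       f"{'known' if known_country else 'new'} country "
                       f"({len(recent)} baseline sign-ins in {lookback_hours}h)"),
        })
    return findings


if __name__ == "__main__":
    for f in hunt_device_code(parse_signins(SAMPLE_SIGNIN_LOG)):
        print(f"[{f['severity']:6}] {f['time']} {f['user']} from {f['ip']} ({f['country']}) "
              f"via {f['app']}: {f['reason']}")
```

The app name is worth keeping in the finding even though it is not scored: in the device‑code grant the client ID is chosen by the poller, so a well‑known first‑party application name in this column is not evidence that a legitimate client was involved. For a high‑severity hit the response is to revoke the user’s sessions and refresh tokens, not only to reset the password.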
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Resource Development | T1583.001 | Acquire Infrastructure | Domains |
| Initial Access | T1566.003 | Phishing | Spearphishing via Service |
| Credential Access | T1528 | Steal Application Access Token | — |
| Initial Access | T1078 | Valid Accounts | — |
| Command and Control | T1102 | Web Service | — |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
REFERENCES:
The following reports contain further technical details:
https://cybersecuritynews.com/kali365-phaas-operation-expands-beyond-microsoft-365/
https://arcticwolf.com/resources/blog/kali365-expands-into-aws-microsoft-okta-xerox-max-messenger/