Kali365 PhaaS Operation Expands Beyond Microsoft 365 to Target Okta and MAX Messenger

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


A new and fast-growing phishing operation is making waves in the cybersecurity world, and it is moving far beyond its original targets.

Kali365, a phishing-as-a-service (PhaaS) platform first spotted in April 2026, was initially built to steal Microsoft 365 login tokens by tricking users into authorizing fake device login requests.

Now it has grown into something much bigger, going after Okta single sign-on systems, Russian messaging platform MAX Messenger, and dozens of other services.

The platform works by abusing a legitimate Microsoft login process called the OAuth 2.0 device authorization flow.

The flow was originally designed for input-constrained devices such as smart TVs and printers, which have no browser or keyboard for a standard interactive sign-in; the user instead completes the sign-in on another device by entering a short code.

Kali365 exploits this by requesting a genuine device code from Microsoft, embedding the short user code in a fake document-sharing page, and waiting for the victim to enter it on the real Microsoft verification site.

Once that happens, the attacker quietly receives a working login token for the victim's account without ever needing the victim's password or MFA code: the victim authenticated to Microsoft itself, and the token is issued to whichever client requested the code.
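To make the mechanism concrete from a defender's point of view, here is an added in-memory model of the OAuth 2.0 device authorization flow (RFC 8628). It is illustration code written for this article, not Arctic Wolf's tooling or anything from the Kali365 kit; the server, client and user are plain Python objects, the verification URI `https://idp.example/device` and the `block_device_code_flow` policy attribute are invented names, and no real identity provider is contacted. It shows the property the lure abuses (the token goes to whoever holds the `device_code`, and the user entering the `user_code` never sees who that is) and the effect of a tenant policy that refuses device-code sign-ins even after the user has authenticated with MFA, which is what the Conditional Access block recommended later in the article does.

```python
"""Toy model of the OAuth 2.0 device authorization flow (RFC 8628).

Added example for illustration only: no network, no real identity provider.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class PendingGrant:
    client_id: str
    user_code: str
    expires_at: float
    approved_by: Optional[str] = None


class AuthorizationServer:
    """Minimal stand-in for an identity provider's device endpoints."""

    def __init__(self, block_device_code_flow: bool = False):
        # Assumed name for a tenant-wide "block device code flow" policy.
        self.block_device_code_flow = block_device_code_flow
        self._grants: dict = {}        # device_code -> PendingGrant
        self._by_user_code: dict = {}  # user_code -> device_code

    def device_authorization(self, client_id: str) -> dict:
        """Step 1: any client may request a code pair; no user identity is involved."""
        device_code = secrets.token_urlsafe(32)
        user_code = f"{secrets.randbelow(10**9):09d}"
        self._grants[device_code] = PendingGrant(client_id, user_code, time.time() + 900)
        self._by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://idp.example/device", "interval": 5}

    def user_approves(self, user_code: str, username: str, mfa_ok: bool) -> str:
        """Step 2: the user signs in at the real verification page and types the code.

        Identity (password + MFA) is proven to the server; the requesting client
        is never shown to the user, which is the gap the phishing lure abuses.
        """
        device_code = self._by_user_code.get(user_code)
        if device_code is None or time.time() > self._grants[device_code].expires_at:
            return "invalid_or_expired_code"
        if not mfa_ok:
            return "mfa_failed"
        if self.block_device_code_flow:
            # Policy is enforced at authentication time, after the user has signed in.
            return "blocked_by_policy"
        self._grants[device_code].approved_by = username
        return "approved"

    def token(self, device_code: str) -> dict:
        """Step 3: the client polls; once approved it receives a token for the approving user."""
        grant = self._grants.get(device_code)
        if grant is None:
            return {"error": "invalid_grant"}
        if grant.approved_by is None:
            return {"error": "authorization_pending"}
        return {"access_token": f"tok-{secrets.token_hex(8)}", "subject": grant.approved_by}


def run_flow(block_policy: bool) -> dict:
    """Drive one complete exchange and return the client's final token response."""
    server = AuthorizationServer(block_device_code_flow=block_policy)
    codes = server.device_authorization(client_id="some-public-client")
    # Nothing has been approved yet, so polling returns the pending error.
    assert server.token(codes["device_code"]) == {"error": "authorization_pending"}
    # The user authenticates at the genuine page with password and MFA (constructed user).
    outcome = server.user_approves(codes["user_code"], "alice@example.test", mfa_ok=True)
    result = server.token(codes["device_code"])
    result["user_outcome"] = outcome
    return result


if __name__ == "__main__":
    print("policy off:", run_flow(block_policy=False))
    print("policy on: ", run_flow(block_policy=True))
```

Note that in the unblocked run the client never handled a password or an MFA response at any point; the server's own audit trail is the only place this sign-in looks different from an interactive one, which is why the log-based checks further down matter.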

JavaScript polling function (Source – Arctic Wolf)

Analysts at Arctic Wolf tracked this operation and mapped out its full reach. Arctic Wolf said in a report shared with Cyber Security News (CSN), “Arctic Wolf has observed a significant expansion of the phishing-as-a-service operation Kali365, which abuses Microsoft’s OAuth device authorization flow to bypass MFA.” 

Their research uncovered a live command-and-control panel, a 126-host phishing cluster, and a new attack campaign targeting Russian users through MAX Messenger.

The FBI had already issued a public warning about Kali365 in May 2026, calling it a low-barrier tool that gives less-technical attackers access to AI-generated phishing lures and real-time victim tracking dashboards.

The platform is sold on Telegram for roughly $250 per month, paid in Bitcoin, making it accessible to a wide range of threat actors. That accessibility is exactly what makes this operation so dangerous for security teams around the world.

Kali365 PhaaS Operation Expands Beyond Microsoft 365

The same operator behind the original Microsoft 365 campaign has now branched into a multi-brand phishing operation.

Device-code phishing page with hardcoded verification code (Source – Arctic Wolf)

Researchers found 126 malicious hosts, all running the same kit, impersonating services like Okta SSO, Xerox DocuShare, LiveDrive, AWS naming patterns, GMX, and Russian platforms including Mail.ru, Yandex Disk, and Odnoklassniki.

This is not a collection of separate threats but one infrastructure rotating across many brand disguises.

Kali365’s C2 sign-in panel (Source – Arctic Wolf)

The attacker set up a fake “prize claim” page on greatness-marketing[.]top, designed to look like a prize verification site.

Victims are prompted to enter their Russian phone number, then the genuine one-time password that MAX Messenger sends to that number, and finally a two-factor code. All of it reaches the attacker in real time through a Telegram bot named @NovosibyrskyMoneyBot.

Once a MAX account is taken over, the attacker gains access to messages, media files, and the victim’s full contact list. That contact list then becomes the next wave of targets, as the compromised account spreads the same prize lure to everyone in it.

The greatness-marketing[.]top phishing “prize claim” page asks for the victim’s Russian (+7) phone number (Source – Arctic Wolf)

This propagation model mirrors long-running scam tactics on Telegram, but applied here at the scale of one of the largest messaging platforms in the Russian-speaking world.

Defenders Must Act Fast

Arctic Wolf’s researchers recommend treating panel[.]securehubcloud[.]com as a confirmed command-and-control address.

Any outbound connection from a company network to that host is a strong sign that a device has loaded an active Kali365 phishing page. Security teams should block that endpoint at the network level and set up immediate alerts.

Blocking the entire attachedfile[.]com domain family is also advised, as all 39 observed subdomains were found serving the same phishing kit.

The page prompts the victim to enter a one-time password (sent by the real MAX Messenger) into a six-digit OTP grid (Source – Arctic Wolf)

For Microsoft 365 environments, disabling the device code authentication flow through a Conditional Access policy is one of the most effective steps available.
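As an added check that complements this recommendation (example code, not from Arctic Wolf or Microsoft), the following audits an export of Conditional Access policies and reports whether any enabled policy actually blocks device-code sign-ins for all users and all apps, as opposed to only running in report-only mode. It assumes the policies were exported from the Microsoft Graph `conditionalAccessPolicy` resource and saved as JSON, and it relies on that schema's `conditions.authenticationFlows.transferMethods` field, which serialises as a comma-separated string such as `"deviceCodeFlow,authenticationTransfer"`; the sample export, policy names and the `break-glass-guid` exclusion are constructed.

```python
"""Audit exported Conditional Access policies for an enforced device code flow block.

Added example; assumes the Microsoft Graph conditionalAccessPolicy JSON shape.
"""
import json

# Constructed sample export: one report-only policy and one that enforces.
SAMPLE_EXPORT = json.dumps({"value": [
    {
        "displayName": "Report only - device code",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": []},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {
        "displayName": "Block device code flow",
        "state": "enabled",
        "conditions": {
            # Excluding an emergency-access account is normal; review the list anyway.
            "users": {"includeUsers": ["All"], "excludeUsers": ["break-glass-guid"]},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
]})


def transfer_methods(policy: dict) -> set:
    """Parse the comma-separated transferMethods string into a set of flags."""
    conditions = policy.get("conditions") or {}
    flows = (conditions.get("authenticationFlows") or {}).get("transferMethods") or ""
    return {m.strip() for m in flows.split(",") if m.strip()}


def blocks_device_code(policy: dict) -> bool:
    """True only for an enabled, all-users, all-apps policy whose grant control is block."""
    if policy.get("state") != "enabled":
        return False
    if "deviceCodeFlow" not in transfer_methods(policy):
        return False
    conditions = policy.get("conditions") or {}
    users = (conditions.get("users") or {}).get("includeUsers") or []
    apps = (conditions.get("applications") or {}).get("includeApplications") or []
    if "All" not in users or "All" not in apps:
        return False
    controls = (policy.get("grantControls") or {}).get("builtInControls") or []
    return "block" in controls


def audit(export_json: str) -> dict:
    """Summarise which policies enforce the block and which only report on it."""
    policies = json.loads(export_json)["value"]
    enforcing = [p["displayName"] for p in policies if blocks_device_code(p)]
    report_only = [p["displayName"] for p in policies
                   if p.get("state") == "enabledForReportingButNotEnforced"
                   and "deviceCodeFlow" in transfer_methods(p)]
    excluded = sorted({u for p in policies if blocks_device_code(p)
                       for u in ((p.get("conditions") or {}).get("users") or {}).get("excludeUsers", [])})
    return {"enforcing": enforcing, "report_only": report_only,
            "excluded_users": excluded, "covered": bool(enforcing)}


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_EXPORT), indent=2))
```

The `excluded_users` list is returned deliberately: a block policy that exempts more than the emergency-access accounts leaves exactly the gap the campaign relies on.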

Organizations should also monitor for suspicious post-authentication behavior like mass contact exports or inbox access from unfamiliar locations. Security awareness training remains essential so users can recognize unexpected login prompts before it is too late.
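The two network and identity checks recommended in this section can be expressed as a small detection pass. The following is an added example written for this article, not Arctic Wolf's tooling: it takes the defanged domain indicators from the IoC table below, re-fangs them only in memory for matching, and runs them over a few constructed proxy log lines, then scans constructed Entra ID sign-in records for device-code authentications and flags those from outside an expected set of countries. The sign-in records use the Microsoft Graph `signIn` resource's real `authenticationProtocol` field, whose documented value for this flow is `"deviceCode"`; the proxy line layout, client IPs, usernames and countries are all made up, so adapt `parse_proxy_line` to your own proxy's format.

```python
"""Detection pass over constructed proxy and sign-in logs for the Kali365 indicators.

Added example; indicators are the article's defanged domains, re-fanged in memory only.
"""
import re

DEFANGED_IOCS = {
    "panel[.]securehubcloud[.]com": "Kali365 C2 sign-in panel",
    "api[.]securehubcloud[.]com": "Kali365 C2 API endpoint",
    "boss[.]securehubcloud[.]com": "Kali365 C2 subdomain",
    "greatness-marketing[.]top": "MAX Messenger fake prize-claim page",
    "tk[.]mowell[.]tech": "tracking pixel host",
}
# Domain families where every subdomain is treated as malicious (all 39 observed were).
DEFANGED_FAMILIES = {"attachedfile[.]com": "shared cPanel host serving the phishing kit"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a matchable hostname (in memory only)."""
    return indicator.replace("[.]", ".").lower()


IOCS = {refang(k): v for k, v in DEFANGED_IOCS.items()}
FAMILIES = {refang(k): v for k, v in DEFANGED_FAMILIES.items()}

# Constructed proxy lines: timestamp, client IP, method, host:port.
PROXY_LOG = """\
2026-05-12T10:03:11Z 10.0.4.21 CONNECT login.microsoftonline.com:443
2026-05-12T10:03:19Z 10.0.4.21 CONNECT panel.securehubcloud.com:443
2026-05-12T10:04:02Z 10.0.7.9 CONNECT docs.attachedfile.com:443
2026-05-12T10:05:40Z 10.0.7.9 CONNECT www.example.com:443
"""

PROXY_RE = re.compile(r"^(\S+) (\S+) (\S+) ([^:\s]+):(\d+)$")


def parse_proxy_line(line: str):
    """Parse one constructed proxy line; returns None for lines that do not match."""
    m = PROXY_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, host, port = m.groups()
    return {"ts": ts, "client": client, "method": method, "host": host.lower(), "port": int(port)}


def classify_host(host: str):
    """Exact indicator match first, then any label under a blocked domain family."""
    host = host.lower().rstrip(".")
    if host in IOCS:
        return IOCS[host]
    for family, why in FAMILIES.items():
        if host == family or host.endswith("." + family):
            return why
    return None


def proxy_hits(log_text: str) -> list:
    """Return every proxy record whose destination host matches an indicator."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_proxy_line(line)
        if rec is None:
            continue
        reason = classify_host(rec["host"])
        if reason:
            hits.append({**rec, "reason": reason})
    return hits


# Constructed Entra sign-in records (a subset of the Graph signIn resource fields).
SIGNINS = [
    {"userPrincipalName": "alice@example.test", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"}},
    {"userPrincipalName": "bob@example.test", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "US"}},
    {"userPrincipalName": "carol@example.test", "authenticationProtocol": "deviceCode",
     "ipAddress": "192.0.2.44", "location": {"countryOrRegion": "NL"}},
]


def device_code_signins(records: list, expected_countries: set) -> list:
    """Return device-code sign-ins, flagging those from outside the expected countries."""
    out = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        country = (r.get("location") or {}).get("countryOrRegion")
        out.append({"user": r["userPrincipalName"], "ip": r.get("ipAddress"),
                    "country": country, "unfamiliar_location": country not in expected_countries})
    return out


if __name__ == "__main__":
    for hit in proxy_hits(PROXY_LOG):
        print("PROXY", hit["client"], "->", hit["host"], "|", hit["reason"])
    for s in device_code_signins(SIGNINS, {"US"}):
        print("SIGNIN", s)
```

Any device-code sign-in is worth a look once the flow is meant to be blocked, but the `unfamiliar_location` flag gives triage a starting point where the flow is still allowed.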

Indicators of Compromise (IoCs):

| Type | Indicator | Description |
|---|---|---|
| Domain | panel[.]securehubcloud[.]com | Kali365 C2 sign-in panel |
| Domain | api[.]securehubcloud[.]com | Kali365 C2 API endpoint |
| Domain | boss[.]securehubcloud[.]com | Kali365 C2 subdomain |
| Domain | open-box-rpps[.]jeff-1fd[.]workers[.]dev | Active Kali365 device-code phishing page |
| Domain | greatness-marketing[.]top | MAX Messenger fake “prize claim” phishing page |
| Domain | attachedfile[.]com | Shared cPanel host serving phishing kit (all 39 subdomains malicious) |
| Domain | tk[.]mowell[.]tech | Tracking pixel host used for affiliate-style conversion telemetry |
| IP Address | 172[.]67[.]156[.]83 | Cloudflare-fronted IP hosting securehubcloud[.]com infrastructure (AS13335) |
| IP Address | 104[.]21[.]32[.]229 | Cloudflare-fronted IP hosting securehubcloud[.]com infrastructure (AS13335) |
| TLS Certificate SHA1 | 6894a51278ec89118276c2dd2dc36e6f9ea2790a | C2 TLS certificate fingerprint used to pivot on K365 Control infrastructure |
| HTTP Banner Hash | febb622cd9eeb5c8860dcef4cbfd4b74 | Response signature shared by all 126 phishing hosts in the cluster |
| Telegram Bot Token | 8535071077:AAFus1ccm-puZ2htZkpKP_UyZfp3FTHFCzg | Telegram bot used to exfiltrate MAX Messenger credentials |
| Telegram Bot Username | @NovosibyrskyMoneyBot (sova_novosibirsk_bot) | Credential exfiltration bot; forwards phone numbers, OTPs, and 2FA passwords |
| Telegram Chat ID | -5035652280 | Destination chat for all exfiltrated MAX Messenger credentials |
| Affiliate/Session ID | 2091010 | Hardcoded SID mapping phishing page to operator’s C2 tenant |
| Page Title String | K365 Control | Internal C2 branding used as hunting fingerprint |
| Content String | “Preparing your secure document…” | Stable HTML string present across the 126-host phishing cluster; usable as VirusTotal hunt query |

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
