Kali365 PhaaS Expands Targeting Microsoft, Okta, DocuShare, AWS, MAX Messenger

Written by: Lore Apostol, Cybersecurity Writer
Key Takeaways
  • PhaaS Expansion: Arctic Wolf Labs observed Kali365 significantly expanding its Phishing-as-a-Service infrastructure across multiple platforms and brands.
  • MAX Messenger Targeted: A fake prize-claim flow was deployed to steal Russian MAX Messenger credentials, defeating both SMS-OTP and 2FA.
  • 126-Host Cluster: A single kit infrastructure serves 126 malicious hosts impersonating Microsoft, Okta SSO, Xerox DocuShare, AWS, and Russian service MAX.

Arctic Wolf Labs has published new findings on Kali365, a Phishing-as-a-Service (PhaaS) operation first seen in April 2026 and also referred to as K365. The platform abuses Microsoft's OAuth device authorization flow to bypass MFA, and Arctic Wolf has observed a significant expansion of its infrastructure and target scope.

Live C2 Panel and Infrastructure Mapping

The new findings cover the operator's full panel infrastructure, including a live command-and-control (C2) panel that tracks token-capture status, hosted at panel.securehubcloud.com/login.

Arctic Wolf found that active phishing pages poll panel.securehubcloud.com every three seconds to detect when a victim completes the OAuth flow and tokens are captured. A banner-hash pivot uncovered a cluster of 126 malicious hosts, all serving the same kit template and active between May 6 and May 27, 2026. 
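As an added illustration of the polling behaviour described above (example code written for this article, not Arctic Wolf's tooling), the following Python detector reads constructed proxy-log lines and flags clients that contact the reported C2 host, or any host, at a fixed roughly three-second cadence. The log format, the timestamps and the benign hostname are assumptions.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed sample proxy log (not from the report): epoch seconds, client IP, destination host.
SAMPLE_LOG = """\
1778000000 10.0.0.5 panel.securehubcloud.com
1778000003 10.0.0.5 panel.securehubcloud.com
1778000006 10.0.0.5 panel.securehubcloud.com
1778000009 10.0.0.5 panel.securehubcloud.com
1778000012 10.0.0.5 panel.securehubcloud.com
1778000001 10.0.0.7 cdn.example-static.net
1778000040 10.0.0.7 cdn.example-static.net
1778000200 10.0.0.7 cdn.example-static.net
"""

# Indicator taken from the Arctic Wolf findings quoted in this article.
KNOWN_C2 = {"panel.securehubcloud.com"}

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)$")

def parse_log(text):
    """Return (timestamp, src, host) tuples from the constructed log format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((int(m.group(1)), m.group(2), m.group(3)))
    return events

def find_beacons(events, period=3, tolerance=1, min_hits=4):
    """Flag (src, host) pairs that hit a known C2 or poll at a near-constant cadence.
    Returns {(src, host): [reason, ...]} for every flagged pair."""
    by_pair = defaultdict(list)
    for ts, src, host in events:
        by_pair[(src, host)].append(ts)
    findings = {}
    for pair, stamps in by_pair.items():
        stamps.sort()
        reasons = []
        if pair[1] in KNOWN_C2:
            reasons.append("known C2 domain")
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        # Cadence check: enough requests, and every gap close to the expected period.
        if len(stamps) >= min_hits and gaps and abs(median(gaps) - period) <= tolerance \
                and all(abs(g - period) <= tolerance for g in gaps):
            reasons.append(f"fixed ~{period}s polling cadence")
        if reasons:
            findings[pair] = reasons
    return findings

if __name__ == "__main__":
    for (src, host), why in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {host}: {', '.join(why)}")
```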

Device-code phishing page with verification code | Source: Arctic Wolf

These hosts impersonate:
  • Microsoft
  • Okta SSO
  • Xerox DocuShare
  • AWS
  • MAX Messenger, the Russian state-backed service

MAX Messenger Account Takeover Campaign

Arctic Wolf identified a phishing page impersonating MAX Messenger, Russia's state-backed national messenger, designed to execute account takeovers through a fake prize-claim flow. The page requests a victim's Russian +7 phone number, then a one-time password (OTP) generated by the real MAX Messenger backend, and if enabled, a 2FA password. 

The greatness-marketing[.]top phishing “prize claim” page asks for the victim’s Russian (+7) phone number | Source: Arctic Wolf

Arctic Wolf stated that this defeats both SMS-OTP and two-factor authentication (2FA) on the real MAX account in a single interaction. Stolen credentials are exfiltrated in real time via Telegram bot @NovosibyrskyMoneyBot. 

Defender Recommendations

The report assesses that the same operator behind the OneDrive device-code phishing is now running a multi-brand operation with a notable focus on Russian service platforms. Arctic Wolf recommends treating panel.securehubcloud.com as a high-confidence C2, as well as:

Last month, a Russian researcher alleged that the MAX app includes surveillance features and VPN detection capabilities. The country restricted access to Telegram in February to promote MAX. 

Okta SSO accounts were targeted in an alleged ShinyHunters January phishing campaign that used custom PhaaS kits. 
