Kali365
Kali365, also referred to as K365, is an emerging phishing-as-a-service (PhaaS) platform first observed in April 2026 and promoted largely through Telegram. It was flagged by the FBI in May 2026. The platform initially focused on Microsoft 365 account compromise by abusing Microsoft’s OAuth 2.0 device authorization flow: victims authenticate through legitimate Microsoft endpoints, and the resulting access and refresh tokens are issued to the attacker, which lets operators and affiliates bypass MFA without directly stealing passwords or MFA codes. Reported capabilities include AI-generated phishing lures, automated campaign templates, real-time victim tracking dashboards, and OAuth token capture. Reported pricing is about US $250 per month or US $2,000 per year, with Bitcoin accepted.

Arctic Wolf reported that the same operator expanded Kali365 beyond Microsoft 365 into a broader multi-brand phishing operation. Observed impersonated targets and brands include Microsoft Outlook, Microsoft Live, Okta SSO, Xerox DocuShare, LiveDrive, GMX, AWS-style naming patterns, Mail.ru, Yandex Disk, Odnoklassniki, and MAX Messenger.

In the Microsoft-focused workflow, Kali365 phishing pages embed legitimate Microsoft device login codes and direct victims to the real Microsoft device login endpoint; once the victim completes the sign-in, the issued OAuth tokens are delivered to the attacker’s application. Arctic Wolf identified a live command-and-control panel at panel[.]securehubcloud[.]com, related subdomains including api[.]securehubcloud[.]com and boss[.]securehubcloud[.]com, operator branding as “K365 Control,” and a 126-host phishing cluster active in May 2026 that served the same kit.

The reporting also describes a MAX Messenger account takeover campaign attributed to the same Kali365 operator. That campaign used a fake prize-confirmation page at greatness-marketing[.]top to collect Russian phone numbers, one-time passwords, and optional 2FA passwords, with captured data exfiltrated in real time via the Telegram bot @NovosibyrskyMoneyBot (username sova_novosibirsk_bot). Arctic Wolf assessed that compromised MAX Messenger accounts gave attackers access to messages, media, files, and contact lists, which were then used to propagate additional phishing lures. The reporting characterizes Kali365 as a scalable, affiliate-style criminal phishing platform rather than a nation-state actor.
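The device-code abuse described above produces a sign-in that is, from Microsoft's side, legitimate: the user really authenticated at a real Microsoft endpoint, so password-spray or impossible-travel rules do not fire on the authentication itself. What does distinguish it in Entra ID sign-in logs is the authentication protocol recorded for the event, combined with which client app received the tokens and where the sign-in came from. The Python below is an added example, not code from the page or from Arctic Wolf or Mallory. It assumes sign-in records shaped like Entra ID sign-in log entries (the field names authenticationProtocol, userPrincipalName, appDisplayName, ipAddress and createdDateTime are real schema fields; status is simplified here to a Success/Failure string) and flags successful device-code sign-ins whose client app is not on an allowlist or whose source IP the user has not used in the preceding baseline window. The sample records, the example.com users, the IP addresses, the client app names and the allowlist are all constructed for the example.

```python
"""Flag OAuth device-code sign-ins that fall outside a user's baseline.

Added example (not from the page or the vendors it cites). Field names follow
the Entra ID sign-in log schema; every record below is constructed sample
data, not real telemetry.
"""
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real data).
SAMPLE_SIGNINS = [
    # Baseline: alice's interactive sign-ins from her usual address.
    {"createdDateTime": "2026-05-04T08:01:00Z", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "none", "appDisplayName": "Office 365 Exchange Online",
     "ipAddress": "203.0.113.10", "status": "Success"},
    {"createdDateTime": "2026-05-05T08:05:00Z", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "none", "appDisplayName": "Office 365 Exchange Online",
     "ipAddress": "203.0.113.10", "status": "Success"},
    # Baseline for bob, then an expected device-code sign-in from a known address
    # on a tool that an admin legitimately uses headlessly (constructed allowlist).
    {"createdDateTime": "2026-05-01T09:00:00Z", "userPrincipalName": "bob@example.com",
     "authenticationProtocol": "none", "appDisplayName": "Azure Portal",
     "ipAddress": "203.0.113.20", "status": "Success"},
    {"createdDateTime": "2026-05-05T09:00:00Z", "userPrincipalName": "bob@example.com",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Azure CLI",
     "ipAddress": "203.0.113.20", "status": "Success"},
    # A failed device-code attempt: no token issued, so not a finding on its own.
    {"createdDateTime": "2026-05-06T14:10:00Z", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Unrecognized client (constructed)",
     "ipAddress": "198.51.100.77", "status": "Failure"},
    # The pattern the page describes: a real, successful sign-in via device code,
    # but to a client app nobody allowlisted and from an IP alice has never used.
    {"createdDateTime": "2026-05-06T14:22:00Z", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Unrecognized client (constructed)",
     "ipAddress": "198.51.100.77", "status": "Success"},
]

# Constructed allowlist of client apps for which device-code sign-in is expected.
ALLOWED_DEVICE_CODE_APPS = frozenset({"Azure CLI"})


def parse_ts(value):
    """Parse the UTC timestamp format used in the records above."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_device_code_signins(events, allowed_apps=frozenset(), baseline_days=30):
    """Return findings for successful device-code sign-ins outside the user's baseline.

    A finding is raised when authenticationProtocol is "deviceCode", the sign-in
    succeeded, and either the client app is not allowlisted or the source IP was
    not used by that user in a successful, non-device-code sign-in during the
    preceding baseline_days. The baseline is built only from earlier events, so a
    second device-code sign-in from the same address cannot whitelist the first.
    """
    ordered = sorted(events, key=lambda e: parse_ts(e["createdDateTime"]))
    findings = []
    for idx, ev in enumerate(ordered):
        if ev.get("authenticationProtocol") != "deviceCode" or ev.get("status") != "Success":
            continue
        ts = parse_ts(ev["createdDateTime"])
        window_start = ts - timedelta(days=baseline_days)
        baseline_ips = {
            prior["ipAddress"]
            for prior in ordered[:idx]
            if prior["userPrincipalName"] == ev["userPrincipalName"]
            and prior.get("status") == "Success"
            and prior.get("authenticationProtocol") != "deviceCode"
            and parse_ts(prior["createdDateTime"]) >= window_start
        }
        reasons = []
        if ev.get("appDisplayName") not in allowed_apps:
            reasons.append("client app not on device-code allowlist")
        if ev["ipAddress"] not in baseline_ips:
            reasons.append("source IP not seen for this user in baseline window")
        if reasons:
            findings.append({
                "user": ev["userPrincipalName"],
                "time": ev["createdDateTime"],
                "app": ev.get("appDisplayName"),
                "ip": ev["ipAddress"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_device_code_signins(SAMPLE_SIGNINS, ALLOWED_DEVICE_CODE_APPS):
        print(f"{f['time']} {f['user']} via {f['app']} from {f['ip']}: {'; '.join(f['reasons'])}")
```

On the constructed data, bob's device-code sign-in is accepted (allowlisted app, known address) and alice's is reported with both reasons. A hit of this shape is the point at which to revoke the user's refresh tokens and review the consented client app, since the tokens themselves remain valid after the phishing page is taken down. Tenants that do not need the device code flow at all can refuse it outright rather than detect it after the fact, using the Conditional Access authentication flows condition to block device code flow.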
Targeting

Sectors the actor has been observed targeting:
- Software & Services
- Telecommunication Services

Geographies tied to known operations:
- 🇷🇺 Russia
Tradecraft

15 distinct MITRE ATT&CK techniques observed across reporting, grouped by tactic.
Recent activity

9 sources tracked across advisories, community write-ups, and news. Source summaries:
- A phishing-as-a-service operation that began by stealing Microsoft 365 login tokens via OAuth 2.0 device authorization flow abuse and expanded to impersonate multiple brands and target services including Okta SSO and MAX Messenger. It provides AI-generated phishing lures, real-time victim tracking, and credential/token theft capabilities to a broad range of attackers.
- A phishing-as-a-service operation abusing Microsoft OAuth 2.0 device authorization flow to steal Entra ID/Microsoft 365 tokens, while also expanding into a multi-brand phishing operation including MAX Messenger account takeover campaigns focused on Russian consumer platforms and Western enterprise brands.
- A phishing-as-a-service operation abusing Microsoft OAuth 2.0 device authorization flow to steal Entra ID tokens and expanding its operation and infrastructure across services including Microsoft Outlook, Okta, and Xerox DocuShare.
- A phishing-as-a-service operation abusing Microsoft OAuth 2.0 device authorization flow to steal Entra ID/Microsoft 365 tokens, while also expanding into multi-brand phishing and MAX Messenger account takeover campaigns.