The Kali365 phishing-as-a-service (PhaaS) operation is broadening its scope. Initially focused on exploiting Microsoft 365, the platform now targets a wider array of services, including Okta and Russia’s MAX Messenger, and this expansion poses a significant threat to organizations worldwide.
Growing Reach of Kali365
First identified in April 2026, Kali365 was designed to harvest Microsoft 365 login tokens. By tricking users into approving fake device-login requests, attackers could gain unauthorized access to their accounts. Recent developments show that Kali365’s tactics have evolved: it now targets Okta’s single sign-on systems and the Russian messaging platform MAX Messenger, among others.
The platform leverages the OAuth 2.0 device authorization flow, originally intended for input-constrained devices such as smart TVs. Kali365 abuses this process by embedding a genuine Microsoft device login code in a counterfeit document-sharing page and prompting the victim to enter that code, and then sign in, on Microsoft’s actual login site. Because the victim authenticates on the legitimate page, the attacker never has to capture a password or MFA code: Microsoft issues the login tokens to the client that requested the code, which the attacker controls.
Arctic Wolf’s Investigation
Cybersecurity firm Arctic Wolf has been tracking Kali365’s operations, documenting its extensive reach. A report shared with Cyber Security News (CSN) highlights a significant expansion of the PhaaS service, which now includes a live command-and-control panel and a phishing cluster of 126 hosts. The campaign’s latest target is MAX Messenger, a state-backed Russian app with over 110 million users.
The FBI had previously alerted the public about Kali365, describing it as a low-barrier tool that democratizes access to sophisticated phishing techniques. At a subscription cost of $250 per month, paid in Bitcoin, the platform is accessible to a wide range of cybercriminals, compounding the threat it poses.
Implications for Cybersecurity
Security experts urge immediate action to counter the Kali365 threat. Arctic Wolf recommends blocking known campaign domains, such as panel[.]securehubcloud[.]com, and monitoring for suspicious network activity. For organizations using Microsoft 365, disabling the device code authentication flow through Conditional Access policies is advisable, since the technique depends on that flow being permitted in the victim’s tenant.
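One way to act on the monitoring advice above, as an added example that is not from the Arctic Wolf report or this article: flag successful device-code sign-ins in an Entra ID sign-in log export. The field names are assumed to match the Microsoft Graph signIn resource, the allow-list of CLI apps is an assumption to tune per tenant, and the log records are constructed.

```python
"""Flag OAuth 2.0 device-code sign-ins in exported Entra ID sign-in records.

Added example for this article, not code from Arctic Wolf or CSN. Field names
follow the Microsoft Graph signIn resource (userPrincipalName, appDisplayName,
ipAddress, authenticationProtocol, status.errorCode); verify them against your
own export. All sample records below are constructed.
"""
import json

# Constructed JSON-lines export: mixed protocols and outcomes for three users.
SAMPLE_LOG = """\
{"userPrincipalName":"alice@example.com","appDisplayName":"Microsoft Teams","ipAddress":"203.0.113.10","authenticationProtocol":"oAuth2","status":{"errorCode":0}}
{"userPrincipalName":"alice@example.com","appDisplayName":"Microsoft Office","ipAddress":"198.51.100.77","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
{"userPrincipalName":"bob@example.com","appDisplayName":"Azure CLI","ipAddress":"203.0.113.22","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
{"userPrincipalName":"carol@example.com","appDisplayName":"Microsoft Office","ipAddress":"203.0.113.31","authenticationProtocol":"deviceCode","status":{"errorCode":50126}}
"""

# Apps for which device-code sign-ins are expected (assumed allow-list; tune per tenant).
EXPECTED_DEVICE_CODE_APPS = frozenset({"Azure CLI", "Microsoft Azure PowerShell"})

def parse_signins(text):
    """Parse a JSON-lines sign-in export into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def device_code_alerts(events, expected_apps=EXPECTED_DEVICE_CODE_APPS):
    """One alert per successful device-code sign-in to an app outside the allow-list.

    Failed redemptions (non-zero errorCode) issued no token and are skipped;
    allow-listed apps are treated as normal CLI use. What remains is the pattern
    the phishing flow produces: a device-code token for an app the user has no
    reason to use that way.
    """
    alerts = []
    for ev in events:
        if ev.get("authenticationProtocol") != "deviceCode":
            continue
        if ev.get("status", {}).get("errorCode", 0) != 0:
            continue  # sign-in failed; nothing was granted
        app = ev.get("appDisplayName", "")
        if app in expected_apps:
            continue
        alerts.append({"user": ev["userPrincipalName"], "app": app,
                       "ip": ev.get("ipAddress"),
                       "reason": "successful device-code sign-in to unexpected app"})
    return alerts

if __name__ == "__main__":
    for alert in device_code_alerts(parse_signins(SAMPLE_LOG)):
        print(alert)
```

Passing an empty allow-list flags every successful device-code sign-in, which is the right starting point for a tenant where the Conditional Access block has not yet been rolled out.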
Additionally, security awareness training remains crucial. Educating users to recognize and report login prompts they did not initiate can prevent unauthorized access. Kali365’s propagation model, similar to that of long-standing Telegram scams, highlights the need for vigilance and robust cybersecurity measures.
As the Kali365 operation continues to evolve, organizations must stay informed and proactive. The potential impact on services like Okta and MAX Messenger underscores the importance of comprehensive cybersecurity strategies to mitigate emerging threats.
