Kratos, a sophisticated phishing-as-a-service (PhaaS) platform, is increasingly targeting Microsoft 365 users across the globe. This operation effectively deceives victims by mimicking document sharing and invoice notifications, ultimately leading them to counterfeit login screens.
Widespread Impact on Organizations
The Kratos campaign poses a significant threat to a diverse array of entities, including small enterprises, legal practices, educational institutions, industrial companies, and government bodies. Once a Microsoft 365 account is compromised, attackers can access a wealth of sensitive information, such as emails, files in SharePoint and OneDrive, and financial discussions, which can be exploited for fraudulent purposes.
According to analysts from ANY.RUN, three versions of Kratos have been identified, with the latest iterations being observed over 1,600 times in sandbox environments. The Kratos service, first noted in January 2026, has been operational since September 2025, simplifying the deployment of phishing attacks through a user-friendly panel that manages domain setup, data collection, geographic targeting, and anti-bot measures.
Phishing Techniques and Delivery Methods
Kratos initiates attacks with emails that imply a document has been shared, an invoice requires attention, or a DocuSign process is pending. These emails frequently bypass corporate filters, posing a persistent threat due to their familiar appearance. The emails often redirect victims through legitimate platforms before landing them on credential-stealing sites.
SharePoint and OneDrive are commonly used pathways, though attackers also leverage services like Microsoft Forms, Canva, and Tilda to make their phishing chain appear authentic. Before displaying a fake Microsoft login page, Kratos often presents a Cloudflare Turnstile screen to deter automated defenses.
Detection and Defensive Strategies
Kratos has evolved from simple phishing tactics to more sophisticated methods that closely resemble Microsoft’s sign-in pages. Versions V1 and V2 employ distinct assets and domain connections, with specific file pairings like barr.svg and lg.svg serving as reliable indicators for threat detection efforts.
Security teams are advised to analyze asset requests, page behaviors, and credential collection methods rather than relying on isolated signals, as domain rotation is a common evasion tactic among attackers. While blocking attacker-controlled domains is essential, reviewing shared domains is crucial to avoid disrupting legitimate services.
In cases of credential harvesting, immediate password resets and multifactor authentication checks are necessary. For advanced threats like attacker-in-the-middle phishing, revoking active sessions, refreshing tokens, and investigating suspicious sign-ins are recommended actions to secure affected accounts.
To bolster security operations, integrating advanced threat detection tools like ANY.RUN with existing systems can enhance rapid investigations and improve response times.
