From Token Bingo to MAX Takeover: Kali365 Operator Expands Operation Across Microsoft Outlook, Okta, Xerox DocuShare, and Other Services
The Kali365 phishing-as-a-service operation has significantly expanded its targeting beyond Microsoft 365 to include multiple platforms such as Microsoft Outlook, Okta SSO, Xerox DocuShare, and Russian consumer platforms like MAX Messenger. The operator abuses OAuth 2.0 device authorization flows to bypass multi-factor authentication (MFA) and steal authentication tokens. The campaign uses a live command-and-control panel and a multi-tenant phishing platform distributed via Telegram channels. It impersonates legitimate services through a cluster of 126 malicious hosts and employs Telegram bots for credential exfiltration. This operation focuses on both Western enterprise targets and Russian consumer platforms, including a phishing campaign mimicking MAX Messenger with fake prize-claim flows.
AI Analysis
Technical Summary
Kali365 is a phishing-as-a-service operation that abuses OAuth 2.0 device authorization flows to bypass MFA protections and steal authentication tokens. It has expanded its scope to target a wide range of platforms including Microsoft Outlook, Okta SSO, Xerox DocuShare, and Russian services such as MAX Messenger, Mail.ru, Yandex Disk, and Odnoklassniki. The operation features a live command-and-control infrastructure and uses Telegram bots for exfiltrating credentials. A notable tactic includes impersonating MAX Messenger via fake prize-claim phishing flows. The campaign operates through a multi-tenant phishing platform with over 126 malicious hosts impersonating legitimate services, demonstrating a dual focus on Western enterprise and Russian consumer targets.
Potential Impact
This phishing campaign enables attackers to bypass MFA by abusing OAuth 2.0 device authorization flows, resulting in theft of authentication tokens. Compromised tokens can allow unauthorized access to targeted accounts across multiple platforms, including enterprise and consumer services. The operation's use of Telegram bots for credential exfiltration and a large network of malicious hosts increases the scale and persistence of the threat. The targeting of both Western and Russian platforms broadens the potential victim base and impact.
Mitigation Recommendations
No official patch or fix is available as this is a phishing-as-a-service operation exploiting OAuth 2.0 protocol misuse rather than a software vulnerability. Organizations should educate users about phishing risks, especially regarding OAuth device code authorization prompts. Monitoring for suspicious OAuth consent grants and unusual token activity is advised. Implementing conditional access policies that restrict OAuth app permissions and using security tools capable of detecting OAuth abuse can help mitigate risk. Since this is a social engineering and protocol abuse threat, technical controls combined with user awareness are key. Patch status is not yet confirmed — check vendor advisories of targeted platforms for any updates or guidance.
Indicators of Compromise
- domain: attachedfile.com
- hash: febb622cd9eeb5c8860dcef4cbfd4b74
- hash: 6894a51278ec89118276c2dd2dc36e6f9ea2790a
- url: http://panel.securehubcloud.com/login
- domain: greatness-marketing.top
- domain: securehubcloud.com
- domain: api.securehubcloud.com
- domain: boss.securehubcloud.com
- domain: panel.securehubcloud.com
Technical Details
- Author: AlienVault
- TLP: white
- References: https://arcticwolf.com/resources/blog/kali365-expands-into-aws-microsoft-okta-xerox-max-messenger/
- Adversary: null
- Pulse Id: 6a1f29d52e7ef5590675949f
- Threat Score: null
Threat ID: 6a1ff4f1e29bf47b5098b4b2
Added to database: 6/3/2026, 9:33:37 AM
Last enriched: 6/3/2026, 9:48:27 AM
Last updated: 6/3/2026, 5:16:57 PM