Kratos PhaaS Targets US and EU: How to Reduce Microsoft 365 Account Takeover Risk
Kratos is a phishing-as-a-service (PhaaS) operation targeting Microsoft 365 users primarily in the United States, Spain, and Southern Europe. It enables attackers to steal credentials via convincing phishing pages, anti-bot verification, and trusted platform mimicry. The platform includes an operator panel for deploying phishing domains, configuring delivery methods, and applying geographic restrictions. The kit has evolved through three versions with different exfiltration methods and has been active since early 2026. This campaign poses a medium severity risk of credential theft and account takeover for affected organizations.
AI Analysis
Technical Summary
Kratos is a mature phishing-as-a-service platform facilitating credential theft from Microsoft 365 users. It operates by deploying phishing domains with sophisticated anti-bot measures and convincing login pages to harvest credentials. The service includes an operator panel that allows attackers to manage phishing campaigns, configure delivery via Telegram or email, and restrict targets geographically. Researchers identified three generations of the phishing kit (V0, V1, V2) with distinct exfiltration code and traced 1,484 unique phishing events. The campaign has been active since January 2026, with the operator panel active since September 2025. The operation targets organizations in over 20 countries, with a concentration in the US, Spain, and Southern Europe.
Potential Impact
Successful exploitation results in theft of Microsoft 365 credentials, enabling attackers to perform account takeover. This can lead to unauthorized access to sensitive organizational data, potential lateral movement, and further compromise within targeted environments. The campaign's use of anti-bot verification and trusted platform mimicry increases the likelihood of successful credential harvesting.
Mitigation Recommendations
No official patch or fix applies as this is a phishing campaign rather than a software vulnerability. Organizations should implement multi-factor authentication (MFA) for Microsoft 365 accounts to reduce the risk of account takeover. User awareness training to recognize phishing attempts and the use of email filtering solutions to detect and block phishing emails are recommended. Monitoring for suspicious login activity and promptly responding to credential compromise can further mitigate impact.
Affected Countries
United States, Spain
Indicators of Compromise
- domain: buenne.de
- domain: enerdizerandtron.de
- domain: ihrsupportcenter.de
- domain: rundwasser.de
- domain: sonnenbrillenspot.de
- domain: dwbud.vilaribit.com
- domain: abal.my
- domain: starwellmedia.com
- domain: aabiz.de
- domain: aspireglobal.ltd
- domain: dufllot.sbs
- domain: espaciocf.de
- domain: ilersls.org
- domain: aaalen.de
- domain: smartcontrolengineer.com
- domain: trisrnareprjdocz.com
- domain: razen.online
- domain: theoceanac.online
- domain: jumpast.es
- ip: 41.128.0.142
- domain: crm-technik.de
- domain: klenpare.com
- domain: uvarnix.cfd
- domain: xavon.sbs
Kratos PhaaS Targets US and EU: How to Reduce Microsoft 365 Account Takeover Risk
Description
Kratos is a phishing-as-a-service (PhaaS) operation targeting Microsoft 365 users primarily in the United States, Spain, and Southern Europe. It enables attackers to steal credentials via convincing phishing pages, anti-bot verification, and trusted platform mimicry. The platform includes an operator panel for deploying phishing domains, configuring delivery methods, and applying geographic restrictions. The kit has evolved through three versions with different exfiltration methods and has been active since early 2026. This campaign poses a medium severity risk of credential theft and account takeover for affected organizations.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Kratos is a mature phishing-as-a-service platform facilitating credential theft from Microsoft 365 users. It operates by deploying phishing domains with sophisticated anti-bot measures and convincing login pages to harvest credentials. The service includes an operator panel that allows attackers to manage phishing campaigns, configure delivery via Telegram or email, and restrict targets geographically. Researchers identified three generations of the phishing kit (V0, V1, V2) with distinct exfiltration code and traced 1,484 unique phishing events. The campaign has been active since January 2026, with the operator panel active since September 2025. The operation targets organizations in over 20 countries, with a concentration in the US, Spain, and Southern Europe.
Potential Impact
Successful exploitation results in theft of Microsoft 365 credentials, enabling attackers to perform account takeover. This can lead to unauthorized access to sensitive organizational data, potential lateral movement, and further compromise within targeted environments. The campaign's use of anti-bot verification and trusted platform mimicry increases the likelihood of successful credential harvesting.
Mitigation Recommendations
No official patch or fix applies as this is a phishing campaign rather than a software vulnerability. Organizations should implement multi-factor authentication (MFA) for Microsoft 365 accounts to reduce the risk of account takeover. User awareness training to recognize phishing attempts and the use of email filtering solutions to detect and block phishing emails are recommended. Monitoring for suspicious login activity and promptly responding to credential compromise can further mitigate impact.
Affected Countries
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://any.run/cybersecurity-blog/kratos-phaas-account-takeover/"]
- Adversary
- null
- Pulse Id
- 6a566597c655f8331b4e00ad
- Threat Score
- null
Indicators of Compromise
Domain
| Value | Description | Copy |
|---|---|---|
domainbuenne.de | — | |
domainenerdizerandtron.de | — | |
domainihrsupportcenter.de | — | |
domainrundwasser.de | — | |
domainsonnenbrillenspot.de | — | |
domaindwbud.vilaribit.com | — | |
domainabal.my | — | |
domainstarwellmedia.com | — | |
domainaabiz.de | — | |
domainaspireglobal.ltd | — | |
domaindufllot.sbs | — | |
domainespaciocf.de | — | |
domainilersls.org | — | |
domainaaalen.de | — | |
domainsmartcontrolengineer.com | — | |
domaintrisrnareprjdocz.com | — | |
domainrazen.online | — | |
domaintheoceanac.online | — | |
domainjumpast.es | — | |
domaincrm-technik.de | — | |
domainklenpare.com | — | |
domainuvarnix.cfd | — | |
domainxavon.sbs | — |
Ip
| Value | Description | Copy |
|---|---|---|
ip41.128.0.142 | — |
Threat ID: 6a58afc168715ace43cee4aa
Added to database: 07/16/2026, 10:17:37 UTC
Last enriched: 07/16/2026, 10:32:40 UTC
Last updated: 07/16/2026, 19:32:38 UTC
Views: 17
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.