Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

​​Kratos PhaaS Targets US and EU: How to Reduce Microsoft 365 Account Takeover Risk​

0
Medium
Published: 07/14/2026 (07/14/2026, 16:36:39 UTC)
Source: AlienVault OTX General

Description

Kratos is a phishing-as-a-service (PhaaS) operation targeting Microsoft 365 users primarily in the United States, Spain, and Southern Europe. It enables attackers to steal credentials via convincing phishing pages, anti-bot verification, and trusted platform mimicry. The platform includes an operator panel for deploying phishing domains, configuring delivery methods, and applying geographic restrictions. The kit has evolved through three versions with different exfiltration methods and has been active since early 2026. This campaign poses a medium severity risk of credential theft and account takeover for affected organizations.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/16/2026, 10:32:40 UTC

Technical Analysis

Kratos is a mature phishing-as-a-service platform facilitating credential theft from Microsoft 365 users. It operates by deploying phishing domains with sophisticated anti-bot measures and convincing login pages to harvest credentials. The service includes an operator panel that allows attackers to manage phishing campaigns, configure delivery via Telegram or email, and restrict targets geographically. Researchers identified three generations of the phishing kit (V0, V1, V2) with distinct exfiltration code and traced 1,484 unique phishing events. The campaign has been active since January 2026, with the operator panel active since September 2025. The operation targets organizations in over 20 countries, with a concentration in the US, Spain, and Southern Europe.

Potential Impact

Successful exploitation results in theft of Microsoft 365 credentials, enabling attackers to perform account takeover. This can lead to unauthorized access to sensitive organizational data, potential lateral movement, and further compromise within targeted environments. The campaign's use of anti-bot verification and trusted platform mimicry increases the likelihood of successful credential harvesting.

Mitigation Recommendations

No official patch or fix applies as this is a phishing campaign rather than a software vulnerability. Organizations should implement multi-factor authentication (MFA) for Microsoft 365 accounts to reduce the risk of account takeover. User awareness training to recognize phishing attempts and the use of email filtering solutions to detect and block phishing emails are recommended. Monitoring for suspicious login activity and promptly responding to credential compromise can further mitigate impact.

Affected Countries

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Author
AlienVault
Tlp
white
References
["https://any.run/cybersecurity-blog/kratos-phaas-account-takeover/"]
Adversary
null
Pulse Id
6a566597c655f8331b4e00ad
Threat Score
null

Indicators of Compromise

Domain

ValueDescriptionCopy
domainbuenne.de
domainenerdizerandtron.de
domainihrsupportcenter.de
domainrundwasser.de
domainsonnenbrillenspot.de
domaindwbud.vilaribit.com
domainabal.my
domainstarwellmedia.com
domainaabiz.de
domainaspireglobal.ltd
domaindufllot.sbs
domainespaciocf.de
domainilersls.org
domainaaalen.de
domainsmartcontrolengineer.com
domaintrisrnareprjdocz.com
domainrazen.online
domaintheoceanac.online
domainjumpast.es
domaincrm-technik.de
domainklenpare.com
domainuvarnix.cfd
domainxavon.sbs

Ip

ValueDescriptionCopy
ip41.128.0.142

Threat ID: 6a58afc168715ace43cee4aa

Added to database: 07/16/2026, 10:17:37 UTC

Last enriched: 07/16/2026, 10:32:40 UTC

Last updated: 07/16/2026, 19:32:38 UTC

Views: 17

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

External Links

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses