CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership Jun 03, 2026

FBI-Flagged Phishing Kit Kali365 Expands Its Reach

Dark Reading Archived Jun 03, 2026 ✓ Full text saved

Once targeting just Microsoft 365, the phishing-as-a-service platform now aims at AWS, Okta, and Russian platforms, while relying on device code phishing.

Full text archived locally
✦ AI Summary · Claude Sonnet


    CYBER RISK CYBERATTACKS & DATA BREACHES THREAT INTELLIGENCE NEWS FBI-Flagged Phishing Kit Kali365 Expands Its Reach Once targeting just Microsoft 365, the phishing-as-a-service platform now aims at AWS, Okta, and Russian platforms, while relying on device code phishing. Jai Vijayan,Contributing Writer June 2, 2026 4 Min Read SOURCE: BABAR ALI 1233 VIA SHUTTERSTOCK The operators of Kali365, a phishing-as-a-service platform that drew considerable attention for helping attackers bypass multifactor authentication (MFA) on Microsoft 365 accounts, have significantly broadened both their capabilities and their target list. In a report released this week, Arctic Wolf described Kali365 as evolving from a purely Microsoft-focused phishing kit to a broader account-compromise platform that targets digital identities across AWS, Okta, Xerox DocuShare, and several Russian online services. The most notable among them is MAX Messenger, a Russian state-backed messaging platform with more than 80 million users that the Russian government has promoted as the country's national message service. A Dangerous Expansion in Targeting Kali365's expansion into MAX Messenger and other Russian online services suggests "a deliberate, consistent focus on Russian consumer-Internet platforms, alongside the operator's existing Western enterprise targets," Arctic Wolf said. "A phishing operator who can convert MAX account takeovers into propagation has access to one of the largest installed messaging bases in the Russian-speaking world." Related:Securing AI Agents Before They Go Rogue Is Next to Impossible Kali365 has emerged as one of the more prominent examples of a device code phishing kit in recent months. Device code phishing abuses the authentication workflow used by smart TVs, printers, and other devices when they lack a full browser or keyboard and require users to log in via a separate device. For example, it's the code that a streaming device like a Roku or Apple TV might display on a smart TV screen and which the user would then enter on their phone or computer to complete the login and link the two devices.   In a device code phishing attack, a threat actor generates a legitimate OAuth 2.0 device authorization request and then tricks a victim into entering the associated code on a legitimate login page, through a phishing email impersonating a shared OneDrive file or a security verification prompt, for example. Once the victim authenticates and completes any required MFA steps, the service — in Kali365's case initially Microsoft365 — issues access tokens to the attacker's session, granting the attacker access to the victim's account without ever requiring their credentials. In these attacks, MFA does not prevent compromise, because the victim is unknowingly completing the authentication process on behalf of the attacker. The insidious nature of the attack prompted the FBI to issue a public service announcement last month warning users about Kali365 and describing how the attack works. "Kali365 lowers the barrier of entry, providing less-technical attackers access to AI-generated phishing lures, automated campaign templates, real-time targeted individual/entity tracking dashboards, and OAuth token capture capabilities." Related:Beyond Assume-Breach: How AI-Native Security Will Reshape Enterprise Defense A Growing Threat Across Sectors and Regions Arctic Wolf's analysis of the operation showed Kali365 has become an even bigger threat in recent weeks. Researchers at the company were able to identify the platform's live command-and-control (C2) infrastructure and from there identify a cluster of 126 malicious hosts that were active between early and late May, all serving the same kit. The hosts, according to Arctic Wolf, impersonate a wide range of platforms, including Microsoft Outlook, Microsoft Live, Okta SSO, Xerox DocuShare, the German email provider GMX, Amazon Web Services naming conventions, and several major Russian online services, such as Mail.ru, Yandex Disk, and the social network Odnoklassniki. The sheer breadth of the impersonated platforms showed that Kali365 has evolved from being a specialized platform for stealing M365 tokens to a much broader credential theft platform that presents a threat to enterprise organizations across regions. Related:Anthropic to Open Mythos AI to EU's ENISA "Arctic Wolf strongly recommends implementing comprehensive security awareness training to equip users with the skills needed to quickly identify and report suspicious activity, including the tactics observed in this campaign," the security vendor said. The company's report also included specific measures that organizations can take to spot potentially malicious activity connected with Kali365. Kali365 is one among multiple device code phishing kits that have become available to threat actors in recent months. Other examples include Tycoon2FA, Venom, and CYB3R. In a recent report, Push Security reported observing a "huge spike" in device code phishing activity recently with at least 14 such kits currently available in the wild. Some of these are existing phishing-as-a-service platforms adding device code functionality and some are new. "Security teams need to consider the risk posed by device code phishing across multiple apps where device code authorization grants are common, particularly for developers and technical users," the security vendor warned. "In an ideal world, you would simply block device code logins. But this can’t be done without causing serious disruption in some environments, while some apps simply don’t provide the tools required to do so." About the Author Jai Vijayan Contributing Writer Illinois-based Jai Vijayan is a veteran, award-winning technology journalist with more than 25 years of experience covering cybersecurity. His information security reporting has explored everything from ransomware, nation-state threats, and identity security to AI risk, critical infrastructure protection, software supply chain security, cloud security and emerging enterprise technologies.  Over the course of his career, Jai has written news stories, feature articles, survey reports, white papers, and e-books for enterprise and technology audiences. He has also moderated panel discussions and executive roundtables featuring CISOs, security researchers, and industry leaders.  Jai previously served as senior editor at Computerworld, where he covered information security and data-privacy issues. His work has also appeared in CSO Online, InformationWeek, The Christian Science Monitor Passcode, The Economic Times, and other publications. His work has earned multiple industry honors, including a Joint ASBPE Excellence Award for Best Coverage of Government IT, and a Joint Jesse H. Neal Award for wireless LAN security coverage. Jai holds a Master’s degree in statistics from Bangalore University, and studied broadcasting and electronic communication at Marquette University in Milwaukee.   Want more Dark Reading stories in your Google search results? ADD US NOW More Insights Industry Reports How Organizations Are Managing Incident Response How Enterprises Are Developing Secure Applications Inside RSAC 2026: security leaders reveal the risks redefining your defense strategy Essential News & Insights from Black Hat USA 2025 How Enterprises Are Harnessing Emerging Technologies in Cybersecurity Access More Research Webinars The Frontier AI Era: Why Cybersecurity Must Move at Machine Speed Build vs. Buy: The Hidden Cost of Building Your Own AI Security Stack Defending in the Shadow Era: When the CVE Feed Goes Dark Building SecOps That Make the Most of Every Dollar AI-Powered Credential Security: Intelligence Without Exposure More Webinars You May Also Like CYBER RISK How Can CISOs Respond to Ransomware Getting More Violent? by James Doggett JAN 28, 2026 CYBER RISK US Cyber Pros Plead Guilty Over BlackCat Ransomware Activity by Alexander Culafi JAN 05, 2026 CYBER RISK Switching to Offense: US Makes Cyber Strategy Changes by Robert Lemos, Contributing Writer NOV 21, 2025 CYBER RISK Microsoft Exchange 'Under Imminent Threat,' Act Now by Arielle Waldman NOV 12, 2025 Editor's Choice CYBERSECURITY OPERATIONS 20 Leaders Who Built the CISO Era: 2 Decades of Change byDark Reading Editorial Team MAY 12, 2026 41 MIN READ APPLICATION SECURITY It's Patch Tuesday for Microsoft & Not a Zero-Day In Sight byJai Vijayan MAY 12, 2026 5 MIN READ CYBERATTACKS & DATA BREACHES Instructure Breach Exposes Schools' Vendor Dependence byAlexander Culafi MAY 6, 2026 4 MIN READ Want more Dark Reading stories in your Google search results? Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox. SUBSCRIBE Webinars The Frontier AI Era: Why Cybersecurity Must Move at Machine Speed TUESDAY, JUNE 23, 2026 1:00 PM EDT Build vs. Buy: The Hidden Cost of Building Your Own AI Security Stack THURS, JUNE 25, 2026, AT 1PM EST Defending in the Shadow Era: When the CVE Feed Goes Dark TUES, JUNE 16, 2026 AT 1PM EST Building SecOps That Make the Most of Every Dollar THURS, JULY 9, 2026 AT 1PM EST AI-Powered Credential Security: Intelligence Without Exposure WED, JUNE 17, 2026, AT 1PM EST More Webinars BLACK HAT USA | MANDALAY BAY, LAS VEGAS The premier cybersecurity event of the year returns to Mandalay Bay with a re‑engineered, six‑day program built to ignite innovation, push boundaries, and bring the global security community together like never before. Use code: DARKREADING to save $200 on a Briefings pass or $100 on a Business pass. GET YOUR PASS
    💬 Team Notes
    Article Info
    Source
    Dark Reading
    Category
    ◇ Industry News & Leadership
    Published
    Jun 03, 2026
    Archived
    Jun 03, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗