Evolution of Kali365: The Rise of Multi-Tenant PhaaS Targeting Enterprise SSO and Consumer Messaging

The threat landscape is seeing a marked rise in the sophistication of Phishing-as-a-Service (PhaaS) operations. The Kali365 platform has expanded its operations notably, pivoting from its original specialization in Microsoft 365 token theft to a broader, more aggressive campaign against Okta Single Sign-On (SSO) environments and the rapidly growing Russian messaging platform MAX Messenger.

Recent threat intelligence describes a mature, multi-brand ecosystem. Unlike ad hoc phishing campaigns, Kali365 runs on centralized infrastructure with real-time token monitoring, geographically optimized deployment, and a broad set of impersonated services.

Advanced OAuth 2.0 Exploitation and Token Hijacking

At its technical core, Kali365 abuses the OAuth 2.0 device authorization grant (RFC 8628). Where traditional phishing harvests static credentials (usernames and passwords), Kali365 obtains Entra ID (formerly Azure AD) access tokens, together with the refresh tokens that make that access persistent.

In this workflow the phishing page never asks for a password. The attacker starts a device authorization request against the real identity provider with a client it controls (an application registration, or an existing client ID the provider allows to use the flow), receives a short user code, and lures the victim into entering that code on the provider's genuine device login page and completing sign-in, MFA included. The provider then issues the tokens to whoever holds the matching device code, which is the attacker's client rather than the victim's browser. MFA is not broken; it is satisfied by the victim, and the tokens the attacker receives carry that MFA claim. The adversary ends up with access at the victim's privilege level, kept alive by the refresh token, without ever learning the password.

Analysis of the command-and-control (C2) architecture reveals a live management panel hosted on securehubcloud domains. From this panel operators watch token-capture status in real time: the phishing pages poll the backend continuously so the operator learns the exact moment the victim's authentication completes and a token is issued.
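The exchange described above, as an added example that is not Kali365's code or the researchers' tooling: an offline mock of the RFC 8628 device authorization grant with all three parties (attacker client, victim, identity provider) in one process. The identity provider is an in-memory stand-in, and the client ID, UPNs, verification URI and token values are constructed. It shows the point that matters for defenders: the victim is the only party that ever authenticates, yet the tokens (and the MFA claim) go to the party that requested the device code.

```python
"""Offline mock of the OAuth 2.0 device authorization grant (RFC 8628).

Constructed example: the 'identity provider' is an in-memory stand-in, the
client ID, UPNs and token values are made up, and nothing here is Kali365's
own code. It shows why the tokens land with the party that requested the
device code (the attacker), even though only the victim ever authenticates.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"  # RFC 8628 suggests a short, legible code


@dataclass
class DeviceSession:
    client_id: str
    scope: str
    user_code: str
    authorized_by: Optional[str] = None  # UPN of the approving user; None while pending
    mfa_satisfied: bool = False
    redeemed: bool = False


class MockIdentityProvider:
    """Stand-in for a provider's /devicecode, /devicelogin and /token endpoints."""

    def __init__(self) -> None:
        self._sessions: Dict[str, DeviceSession] = {}   # device_code -> session
        self._user_codes: Dict[str, str] = {}           # user_code -> device_code

    def device_authorization(self, client_id: str, scope: str) -> dict:
        """Step 1 (attacker -> IdP): request a device_code/user_code pair."""
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(9))
        self._sessions[device_code] = DeviceSession(client_id, scope, user_code)
        self._user_codes[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://idp.example/devicelogin",  # constructed
                "expires_in": 900, "interval": 5}

    def user_approves(self, user_code: str, upn: str, mfa_passed: bool) -> None:
        """Step 2 (victim -> IdP): the victim types the code on the genuine login page
        and signs in. The password and the MFA prompt happen here, on the real IdP."""
        device_code = self._user_codes.get(user_code)
        if device_code is None:
            raise ValueError("unknown user_code")
        session = self._sessions[device_code]
        session.authorized_by = upn
        session.mfa_satisfied = mfa_passed

    def token(self, client_id: str, device_code: str) -> dict:
        """Step 3 (attacker -> IdP): poll with the device_code until tokens are issued."""
        session = self._sessions.get(device_code)
        if session is None or session.client_id != client_id or session.redeemed:
            return {"error": "invalid_grant"}
        if session.authorized_by is None:
            return {"error": "authorization_pending"}
        session.redeemed = True  # a device_code is single-use
        return {"token_type": "Bearer", "scope": session.scope,
                "access_token": f"mock-access-token.{session.authorized_by}",
                "refresh_token": secrets.token_urlsafe(48),  # what makes the access persistent
                "mfa_satisfied": session.mfa_satisfied}


# Assumption: any client ID the provider allows to use the device code flow.
ATTACKER_CLIENT_ID = "00000000-attacker-client-id"


def simulate_device_code_phish(idp: MockIdentityProvider, victim_upn: str,
                               victim_follows_lure: bool = True) -> Tuple[str, List[str], dict]:
    """Attacker side of the exchange. Returns the lure text, the sequence of poll
    outcomes, and the final token response (or error)."""
    grant = idp.device_authorization(ATTACKER_CLIENT_ID, "openid offline_access Mail.Read")
    lure = (f"A document has been shared with you. To open it, visit "
            f"{grant['verification_uri']} and enter code {grant['user_code']}.")
    polls: List[str] = []

    # First poll happens before the victim has acted: the provider says 'pending'.
    polls.append(idp.token(ATTACKER_CLIENT_ID, grant["device_code"]).get("error", "token_issued"))

    if victim_follows_lure:
        # The victim authenticates on the real provider, MFA included. The attacker
        # never sees the password; the phishing page only delivered the user_code.
        idp.user_approves(grant["user_code"], victim_upn, mfa_passed=True)

    response = idp.token(ATTACKER_CLIENT_ID, grant["device_code"])
    polls.append(response.get("error", "token_issued"))
    return lure, polls, response


if __name__ == "__main__":
    provider = MockIdentityProvider()
    lure, polls, tokens = simulate_device_code_phish(provider, "alice@contoso.example")
    print(lure)
    print("poll results:", polls)
    print("MFA claim on the attacker's token:", tokens.get("mfa_satisfied"))
```

Against a real provider the shape is the same: a POST to the device authorization endpoint, then repeated POSTs to the token endpoint with grant_type=urn:ietf:params:oauth:grant-type:device_code until authorization_pending turns into a token response. The refresh token in that response is the persistence the text refers to; revoking the user's sessions, not just resetting the password, is what invalidates it.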

Infrastructure Analysis and Target Diversification

By pivoting on TLS certificate fingerprints and distinctive HTTP response signatures, researchers identified a cluster of 126 malicious hosts. The infrastructure is highly versatile, impersonating a wide spectrum of high-value targets, including:

  • Identity Providers: Okta SSO portals.
  • Cloud & Productivity: Microsoft Outlook and AWS-style endpoints.
  • Enterprise Software: Xerox DocuShare.
  • Regional Services: Mail.ru, Yandex Disk, and Odnoklassniki.

This indicates a deliberate strategy of “mass-market” phishing, where the same underlying toolkit is adapted for different verticals, from corporate high-value targets to regional consumer users.
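The two pivots named above (TLS certificate fingerprint and HTTP response signature), as an added example that is not the researchers' tooling: a small clustering routine over a constructed scan export. The hosts, certificate fingerprints and HTML bodies are invented; the HTTP signature is a hash of the response body after stripping what changes per host and per request. The point it shows is why the pivots are chained: two hosts that share neither a certificate nor a page template can still be linked through a third host that shares one of each.

```python
"""Clustering phishing hosts by shared infrastructure fingerprints.

Constructed example, not the researchers' tooling: the hosts, certificate
fingerprints and HTTP bodies below are invented. It shows the two pivots the
text names (TLS certificate fingerprint, HTTP response signature) and why
chaining them matters: hosts that share neither a certificate nor a body with
each other can still be linked through an intermediate host.
"""
import hashlib
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed scan export (Censys/Shodan-style). cert_sha256 values are placeholders.
SCAN_RECORDS = [
    {"host": "okta-verify-login.example", "cert_sha256": "CERT_A",
     "http_body": '<html><title>Sign In</title><form action="https://okta-verify-login.example/auth">'
                  '<input name="_csrf" value="9f3e6a1c0b2d4e5f7a8b9c0d1e2f3a4b"></form></html>'},
    {"host": "secure-mail-view.example", "cert_sha256": "CERT_A",
     "http_body": '<html><title>Outlook</title><form action="https://secure-mail-view.example/login">'
                  '<input name="flowToken" value="00112233445566778899aabbccddeeff"></form></html>'},
    {"host": "docs-share-portal.example", "cert_sha256": "CERT_B",
     "http_body": '<html><title>Outlook</title><form action="https://docs-share-portal.example/login">'
                  '<input name="flowToken" value="ffeeddccbbaa99887766554433221100"></form></html>'},
    {"host": "docushare-corp.example", "cert_sha256": "CERT_C",
     "http_body": '<html><title>DocuShare</title><form action="https://docushare-corp.example/dsweb">'
                  '<input name="sid" value="0123456789abcdef0123456789abcdef"></form></html>'},
    {"host": "files-docushare.example", "cert_sha256": "CERT_D",
     "http_body": '<html><title>DocuShare</title><form action="https://files-docushare.example/dsweb">'
                  '<input name="sid" value="fedcba9876543210fedcba9876543210"></form></html>'},
    {"host": "unrelated-site.example", "cert_sha256": "CERT_E",
     "http_body": '<html><title>Welcome</title><p>Hello</p></html>'},
]

_DYNAMIC_TOKEN = re.compile(r"\b[0-9a-fA-F]{16,}\b")  # CSRF nonces, session ids, flow tokens
_WHITESPACE = re.compile(r"\s+")


def template_hash(body: str, host: str) -> str:
    """HTTP response signature: hash the body after removing what changes per host
    and per request (its own hostname, long hex tokens, whitespace)."""
    normalized = body.replace(host, "{host}")
    normalized = _DYNAMIC_TOKEN.sub("{token}", normalized)
    normalized = _WHITESPACE.sub(" ", normalized).strip().lower()
    return hashlib.sha256(normalized.encode()).hexdigest()[:16]


def pivot_keys(record: dict) -> Set[Tuple[str, str]]:
    """Every value two hosts can share is a pivot: certificate, response template."""
    return {("cert", record["cert_sha256"]),
            ("tmpl", template_hash(record["http_body"], record["host"]))}


def cluster_hosts(records: List[dict]) -> List[List[str]]:
    """Union-find over hosts: any shared pivot key joins two hosts into one cluster.
    Returns clusters largest first, hosts sorted within each cluster."""
    parent: Dict[str, str] = {r["host"]: r["host"] for r in records}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a: str, b: str) -> None:
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    first_owner: Dict[Tuple[str, str], str] = {}
    for record in records:
        for key in pivot_keys(record):
            if key in first_owner:
                union(first_owner[key], record["host"])
            else:
                first_owner[key] = record["host"]

    groups: Dict[str, Set[str]] = defaultdict(set)
    for host in parent:
        groups[find(host)].add(host)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))


if __name__ == "__main__":
    for cluster in cluster_hosts(SCAN_RECORDS):
        print(len(cluster), "host(s):", ", ".join(cluster))
```

On the constructed data the Okta lookalike and the first Outlook lookalike share a certificate, the two Outlook lookalikes share a template, and the union of those two pivots puts all three hosts in one cluster even though the Okta host and the second Outlook host share nothing directly. The template normalization here only strips hex tokens; real kits also vary inline scripts and asset paths, so practitioners usually add further keys such as favicon hashes to pivot_keys rather than relying on one signature.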

The MAX Messenger Pivot: Exploiting New Ecosystems

One of the most alarming developments is the campaign’s move toward consumer messaging. The attackers specifically target MAX Messenger, a platform that has grown rapidly since its 2025 launch. Using a dedicated phishing kit, the operator employs a “prize verification” social engineering lure.

As noted in recent research by Arctic Wolf, the attack workflow is highly streamlined:

  1. The victim is prompted to enter their Russian phone number to “claim a prize.”
  2. The victim receives a legitimate One-Time Password (OTP) from the MAX platform.
  3. The phishing page captures the OTP as the victim types it and, where the account has one, the secondary MFA password, relaying both to the attacker while the OTP is still valid.

Upon successful interception, the attacker achieves full account takeover (ATO) and can read private messages, contacts, and other personal data. This creates a self-propagating loop: the attacker uses the compromised account’s trusted identity to push the same phishing links to the victim’s contact list, extending the campaign’s reach with each takeover.

Automated Exfiltration and Operational Efficiency

Kali365’s operational efficiency comes from its automation. Credential and token exfiltration is handled by an embedded Telegram bot, identified as NovosibyrskyMoneyBot. This integration delivers captured data to the operator’s mobile device in real time, minimizing the delay between the “hit” and its exploitation.

Embedded tracking pixels further suggest an affiliate-driven model in which operators measure conversion rates and return on investment across phishing templates. The naming, which combines “Novosibirsk” (a Russian city) with “money” and “sova” (owl), follows scam-bot naming conventions currently common on Telegram.

Conclusion for Defenders: The evolution of Kali365 underscores a critical trend in cybercrime: the shift from isolated phishing kits to scalable, multi-tenant PhaaS platforms. By combining OAuth abuse with real-time C2 infrastructure, Kali365 lowers the technical barrier for attackers while leaving traditional perimeter defenses little to work with: the victim authenticates to the genuine provider, so the evidence of these identity-based attacks lives in identity-layer logs and policy rather than at the network edge.
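One identity-layer check of the kind the conclusion points to, as an added example rather than a vendor rule or anything from Kali365: a small detector over Microsoft Entra sign-in log records that flags successful device-code sign-ins and raises severity when the app is not one expected to use the flow or the location differs from the user’s other sign-ins. The JSON records are constructed but use real Entra signIn field names (userPrincipalName, appDisplayName, authenticationProtocol, ipAddress, location.countryOrRegion, status.errorCode); the allowlist of expected apps is an assumption to tune per tenant.

```python
"""Flagging device-code sign-ins in Microsoft Entra sign-in logs.

Constructed example, not a vendor rule or a Kali365 artefact: the JSON records
below are invented but use real Entra signIn field names (userPrincipalName,
appDisplayName, authenticationProtocol, ipAddress, location.countryOrRegion,
status.errorCode). The expected-app allowlist is an assumption to tune per tenant.
"""
import json
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sign-in log export, one JSON object per line. A non-zero
# status.errorCode means the sign-in did not complete (the code value is constructed).
SAMPLE_SIGNIN_LOGS = """\
{"createdDateTime":"2025-11-03T08:01:12Z","userPrincipalName":"alice@contoso.example","appDisplayName":"Microsoft Office","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.10","location":{"countryOrRegion":"DE"},"status":{"errorCode":0}}
{"createdDateTime":"2025-11-03T08:14:50Z","userPrincipalName":"alice@contoso.example","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.77","location":{"countryOrRegion":"NL"},"status":{"errorCode":0}}
{"createdDateTime":"2025-11-03T09:00:00Z","userPrincipalName":"dev@contoso.example","appDisplayName":"Microsoft Azure CLI","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.22","location":{"countryOrRegion":"DE"},"status":{"errorCode":0}}
{"createdDateTime":"2025-11-03T09:05:31Z","userPrincipalName":"bob@contoso.example","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.78","location":{"countryOrRegion":"NL"},"status":{"errorCode":50199}}
"""

# Assumption: tooling in this tenant that legitimately uses the device code flow.
EXPECTED_DEVICE_CODE_APPS: Set[str] = {"Microsoft Azure CLI"}


def load_signins(jsonl: str) -> List[dict]:
    """Parse a JSON-lines export into records."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def find_device_code_signins(jsonl: str, expected_apps: Set[str]) -> List[dict]:
    """Return one finding per successful device-code sign-in, with the reasons that
    raise its severity: an app not expected to use the flow, or a country the user
    has not signed in from with any other protocol in the same data."""
    records = load_signins(jsonl)

    baseline_countries: Dict[str, Set[str]] = defaultdict(set)
    for r in records:
        if r["authenticationProtocol"] != "deviceCode" and r["status"]["errorCode"] == 0:
            baseline_countries[r["userPrincipalName"]].add(r["location"]["countryOrRegion"])

    findings: List[dict] = []
    for r in records:
        # Only a completed device-code sign-in means a token was issued; a code the
        # victim never approved produces no successful entry.
        if r["authenticationProtocol"] != "deviceCode" or r["status"]["errorCode"] != 0:
            continue
        user, app = r["userPrincipalName"], r["appDisplayName"]
        country = r["location"]["countryOrRegion"]
        reasons: List[str] = []
        if app not in expected_apps:
            reasons.append(f"app '{app}' is not expected to use the device code flow")
        known = baseline_countries.get(user)
        # Caveat: which party's address lands in ipAddress/location for a device-code
        # event is provider- and event-specific; validate against your own tenant.
        if known and country not in known:
            reasons.append(f"sign-in from {country}; user's other sign-ins came from {sorted(known)}")
        findings.append({"time": r["createdDateTime"], "user": user, "app": app,
                         "ip": r["ipAddress"], "country": country,
                         "severity": "high" if reasons else "low", "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_device_code_signins(SAMPLE_SIGNIN_LOGS, EXPECTED_DEVICE_CODE_APPS):
        print(f["severity"].upper(), f["time"], f["user"], f["app"], f["ip"],
              "; ".join(f["reasons"]))
```

Detection is the fallback. In Entra, the Conditional Access “Authentication flows” condition can block the device code flow outright for users and applications that have no need for it, which removes the grant the kit depends on instead of chasing sign-ins after the fact; the detector above is for the population that still needs the flow.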
