From Token Bingo to MAX Takeover: Kali365 Operator Expands Operation Across Microsoft Outlook, Okta, Xerox DocuShare, and Other Services
The operators behind the Kali365 Phishing-as-a-Service (PhaaS) kit have expanded their infrastructure to target a wider array of services, including Microsoft 365, Okta, and Russia's MAX Messenger. They abuse the OAuth 2.0 device authorization grant and fake prize-claim lures to bypass MFA, and exfiltrate the captured credentials and tokens in real time through a Telegram bot.
Indicators of Compromise

| Type | Indicator | Context |
|---|---|---|
| Domain | api[.]securehubcloud[.]com | Kali365 C2 infrastructure; presents the TLS certificate fingerprinted below |
| Domain | attachedfile[.]com | Shared cPanel host serving the Kali365 phishing kit across multiple subdomains |
| Domain | boss[.]securehubcloud[.]com | Kali365 C2 infrastructure |
| Domain | data-form-o5pu[.]p-ntz8agp6[.]workers[.]dev | Sibling-fetch domain used in the phishing HTML template |
| Domain | greatness-marketing[.]top | MAX Messenger account-takeover phishing domain |
| Domain | open-box-rpps[.]jeff-1fd[.]workers[.]dev | Device-code phishing page hosting domain |
| Domain | panel[.]securehubcloud[.]com | Kali365 C2 sign-in panel and polling endpoint for token capture status |
| Domain | tk[.]mowell[.]tech | Tracking pixel domain used for affiliate telemetry |
| IP | 104[.]21[.]32[.]229 | Cloudflare-fronted IP for securehubcloud.com C2 domains |
| IP | 172[.]67[.]156[.]83 | Cloudflare-fronted IP for securehubcloud.com C2 domains |
| IP | 188[.]114[.]96[.]3 | IP hosting greatness-marketing.top |
| IP | 64[.]7[.]198[.]96 | IP associated with K365 Control infrastructure |
| IP | 66[.]179[.]30[.]87 | IP associated with K365 Control infrastructure |
| SHA-1 | 6894a51278ec89118276c2dd2dc36e6f9ea2790a | TLS certificate fingerprint for the Kali365 C2 infrastructure |
| URL | hxxps://panel[.]securehubcloud[.]com/api/status/2091010 | Polling URL for token capture status |
| URL | hxxps://panel[.]securehubcloud[.]com/login | C2 sign-in panel URL |

The two Cloudflare-fronted addresses are shared edge IPs that also serve unrelated sites; block the securehubcloud.com hostnames rather than the IPs.
What Happened
Cybercriminals using a phishing tool called Kali365 have expanded their attacks to steal accounts from Microsoft, Okta, and the Russian messaging app MAX Messenger. The attackers trick victims into entering a login code on Microsoft's genuine device sign-in page, or into entering their phone number and one-time code on a fake page, with lures disguised as prize claims or secure document shares. Because the victim completes the sign-in, including two-factor authentication, for a session the attacker started, the attacker receives working access to the account and its messages without ever seeing the password. Organizations should train employees to recognize these lures and consider disabling device-code authentication if it is not needed.
Key Takeaways
- The Kali365 PhaaS operator has expanded infrastructure to include a live C2 panel at panel.securehubcloud.com.
- The threat actor is running a fake prize-claim phishing campaign to take over accounts on Russia's state-backed MAX Messenger.
- A cluster of 126 malicious hosts was identified serving the same kit infrastructure, impersonating brands like Microsoft, Okta, and Xerox.
- Stolen credentials and 2FA tokens are exfiltrated in real-time via a Telegram bot (@NovosibyrskyMoneyBot).
Affected Systems
- Microsoft 365
- Okta
- Xerox DocuShare
- MAX Messenger
- Mail.ru
- Yandex Disk
- Odnoklassniki
- GMX
- LiveDrive
Attack Chain
The attacker either starts a device-code request against Microsoft's identity platform and delivers the resulting user code to the victim, or directs the victim to a fake prize-claim page. The victim is socially engineered into entering that code at the legitimate Microsoft device login site, or into providing their phone number and OTP on a fake MAX Messenger page. Meanwhile the phishing page continuously polls the attacker's C2 server (the /api/status/ endpoint on panel.securehubcloud.com) to learn when authentication has completed. Because the victim satisfies MFA on the legitimate page for the attacker-initiated session, the attacker receives OAuth access and refresh tokens, or the relayed session credentials, without touching the victim's MFA factor and gains persistent access to the account. Stolen credentials and tokens are exfiltrated in real time via a Telegram bot.
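The exchange described above, as an added example that is not part of the original report and not Kali365 code: a toy in-process simulation of the OAuth 2.0 device authorization grant (RFC 8628) in which the attacker plays the OAuth client and the victim approves the code at the genuine verification page. The identity provider is a mock, and the client ID, scope and identities are constructed; the point it shows is that tokens are issued to whoever holds the device code, not to the browser that approved it.

```python
"""Toy simulation of the OAuth 2.0 device authorization grant (RFC 8628) showing
why device-code phishing hands the attacker working tokens. Added example, not
Kali365 code; the IdP is a mock and all identities are constructed."""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class DeviceAuth:
    device_code: str      # secret, held only by the requesting client (the attacker)
    user_code: str        # short code the user types at the verification URI
    client_id: str
    scope: str
    expires_at: float
    approved_by: Optional[str] = None


class MockAuthorizationServer:
    """Stand-in for the /devicecode and /token endpoints of a real IdP."""

    def __init__(self) -> None:
        self._pending: Dict[str, DeviceAuth] = {}   # device_code -> record
        self._by_user_code: Dict[str, str] = {}     # user_code -> device_code

    def device_authorization(self, client_id: str, scope: str) -> dict:
        device_code = secrets.token_urlsafe(32)
        user_code = "-".join(secrets.token_hex(3).upper() for _ in range(2))
        rec = DeviceAuth(device_code, user_code, client_id, scope, time.time() + 900)
        self._pending[device_code] = rec
        self._by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://idp.example/devicelogin",
                "interval": 5, "expires_in": 900}

    def user_enters_code(self, user_code: str, username: str, mfa_ok: bool) -> bool:
        """What happens on the legitimate verification page: the *user* authenticates,
        MFA included, and the server records approval for whichever client requested
        that user_code. The page does not tell the user who that client is."""
        device_code = self._by_user_code.get(user_code)
        if device_code is None or not mfa_ok:
            return False
        self._pending[device_code].approved_by = username
        return True

    def token(self, client_id: str, device_code: str) -> dict:
        rec = self._pending.get(device_code)
        if rec is None or rec.client_id != client_id:
            return {"error": "invalid_grant"}
        if time.time() > rec.expires_at:
            return {"error": "expired_token"}
        if rec.approved_by is None:
            return {"error": "authorization_pending"}
        # Tokens go to the client that started the flow, not to the browser that approved it.
        return {"token_type": "Bearer", "sub": rec.approved_by, "scope": rec.scope,
                "access_token": f"at.{rec.approved_by}.{secrets.token_hex(8)}",
                "refresh_token": secrets.token_urlsafe(24)}


def run_phish(victim: str = "alice@example.test") -> tuple:
    """Attacker = OAuth client polling /token; victim = user at the genuine verification URI."""
    idp = MockAuthorizationServer()
    attacker_client = "public-client-id"   # assumption: any public client the IdP allows device flow for
    start = idp.device_authorization(attacker_client, "openid offline_access Mail.Read")
    pending = idp.token(attacker_client, start["device_code"])   # 1. poll: nothing yet
    # 2. lure: the victim receives start["user_code"] and is told to type it in
    approved = idp.user_enters_code(start["user_code"], victim, mfa_ok=True)
    issued = idp.token(attacker_client, start["device_code"])    # 3. poll again: tokens
    return pending, approved, issued


if __name__ == "__main__":
    before, ok, after = run_phish()
    print(before, ok, after["sub"], "refresh_token" in after)
```

The refresh token in the final response is what makes the access persistent: the attacker can mint new access tokens long after the victim has closed the page, which is why token revocation, not just a password reset, belongs in the response runbook.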
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: Yes
- Platforms: VirusTotal, VALIDIN
The article provides a VirusTotal content-based hunting query and a VALIDIN banner hash to identify the phishing kit infrastructure.
Detection Engineering Assessment
- EDR Visibility: Low. The attack runs in the cloud via the OAuth device code grant and web-hosted phishing pages; no payload touches the endpoint.
- Network Visibility: High. Network telemetry can detect the continuous status polling to the C2 panel and connections to the known Cloudflare Worker subdomains.
- Detection Difficulty: Moderate. The C2 domains and specific HTML strings are good network indicators, but the rapid rotation of Cloudflare Worker subdomains and the use of legitimate Microsoft endpoints for the actual authentication mean domain blocking alone is insufficient; the sign-in itself has to be hunted in identity logs.
Required Log Sources
- DNS Logs
- Web Proxy Logs
- Cloud Provider Logs (Entra ID / Azure AD sign-in logs)
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Users are authenticating via the OAuth 2.0 Device Authorization Grant flow from unexpected locations or devices. | Entra ID / Azure AD Sign-in Logs | Credential Access | Medium (Legitimate use of device code flow by smart TVs, printers, or CLI tools) |
| Endpoints are making repeated outbound HTTP requests to panel.securehubcloud.com or similar C2 infrastructure. | Web Proxy Logs / DNS Logs | Command and Control | Low (Known malicious C2 domain) |
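The two hypotheses above, and the polling indicator listed under Key Behavioral Indicators, as detection logic run over constructed sample telemetry. This is an added example and not part of the original report. The sign-in field names follow the Entra ID SigninLogs schema, where device code sign-ins carry authenticationProtocol "deviceCode"; the trusted-country set, the proxy log line format and the polling threshold are assumptions to tune for your environment.

```python
"""Hunting logic for the two hypotheses in the table above, run over constructed
sample telemetry. Added example, not from the article. Field names follow the
Entra ID SigninLogs schema (authenticationProtocol == "deviceCode"); the trusted
country list, proxy log format and polling threshold are assumptions."""
from collections import Counter
from typing import Dict, Iterable, List
from urllib.parse import urlparse

TRUSTED_COUNTRIES = {"US", "DE"}          # assumption: where this org expects sign-ins from
KNOWN_C2_HOSTS = {"panel.securehubcloud.com", "api.securehubcloud.com",
                  "boss.securehubcloud.com"}
POLL_THRESHOLD = 5                         # assumption: status polls per client that count as beaconing

# Constructed Entra ID sign-in events (subset of SigninLogs fields)
SIGNIN_LOGS: List[dict] = [
    {"userPrincipalName": "alice@example.test", "authenticationProtocol": "deviceCode",
     "status": {"errorCode": 0}, "location": {"countryOrRegion": "NG"},
     "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.7"},
    {"userPrincipalName": "bob@example.test", "authenticationProtocol": "deviceCode",
     "status": {"errorCode": 0}, "location": {"countryOrRegion": "US"},
     "appDisplayName": "Microsoft Azure CLI", "ipAddress": "198.51.100.4"},
    {"userPrincipalName": "carol@example.test", "authenticationProtocol": "none",
     "status": {"errorCode": 0}, "location": {"countryOrRegion": "NG"},
     "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.9"},
    {"userPrincipalName": "dave@example.test", "authenticationProtocol": "deviceCode",
     "status": {"errorCode": 50126}, "location": {"countryOrRegion": "BR"},
     "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.10"},
]

# Constructed web proxy lines: "<timestamp> <client_ip> <method> <url> <status>"
PROXY_LOGS = """\
2025-01-10T09:00:01Z 10.0.0.5 GET https://login.microsoftonline.com/common/oauth2/deviceauth 200
2025-01-10T09:00:05Z 10.0.0.5 GET https://panel.securehubcloud.com/api/status/2091010 200
2025-01-10T09:00:10Z 10.0.0.5 GET https://panel.securehubcloud.com/api/status/2091010 200
2025-01-10T09:00:15Z 10.0.0.5 GET https://panel.securehubcloud.com/api/status/2091010 200
2025-01-10T09:00:20Z 10.0.0.5 GET https://panel.securehubcloud.com/api/status/2091010 200
2025-01-10T09:00:25Z 10.0.0.5 GET https://panel.securehubcloud.com/api/status/2091010 200
2025-01-10T09:00:30Z 10.0.0.5 GET https://panel.securehubcloud.com/api/status/2091010 200
2025-01-10T09:02:00Z 10.0.0.9 POST https://api.securehubcloud.com/collect 200
2025-01-10T09:03:00Z 10.0.0.7 GET https://example.org/ 200
"""


def hunt_device_code_signins(events: Iterable[dict], trusted=TRUSTED_COUNTRIES) -> List[dict]:
    """Hypothesis 1: successful device-code sign-ins from outside expected geography.
    Failed attempts are dropped; the successful sign-in is the one that yields tokens.
    Expect medium FP: printers, TVs and CLI tools use this flow legitimately."""
    hits = []
    for e in events:
        if e.get("authenticationProtocol") != "deviceCode":
            continue
        if e.get("status", {}).get("errorCode", 0) != 0:
            continue
        country = e.get("location", {}).get("countryOrRegion")
        if country not in trusted:
            hits.append({"user": e["userPrincipalName"], "country": country,
                         "app": e.get("appDisplayName"), "ip": e.get("ipAddress")})
    return hits


def hunt_c2_polling(proxy_text: str, c2_hosts=KNOWN_C2_HOSTS,
                    threshold=POLL_THRESHOLD) -> Dict[str, object]:
    """Hypothesis 2: any contact with known C2 hosts (low FP), plus the repeated
    /api/status/ polling that is the kit's behavioural signature."""
    contacts = []
    polls: Counter = Counter()
    for line in proxy_text.splitlines():
        _ts, client_ip, _method, url, _status = line.split()
        parsed = urlparse(url)
        if parsed.hostname not in c2_hosts:
            continue
        contacts.append((client_ip, parsed.hostname, url))
        if parsed.path.startswith("/api/status/"):
            polls[(client_ip, parsed.hostname)] += 1
    beaconing = {k: n for k, n in polls.items() if n >= threshold}
    return {"contacts": contacts, "beaconing": beaconing}


if __name__ == "__main__":
    print(hunt_device_code_signins(SIGNIN_LOGS))
    print(hunt_c2_polling(PROXY_LOGS))
```

On the sample data only alice is flagged by the first hunt: bob used the flow from a trusted country with a CLI tool, carol did not use the device code flow at all, and dave's attempt failed. The second hunt surfaces every contact with the C2 hosts and separately calls out the client that polled the status endpoint six times in thirty seconds, which is the polling behaviour the attack chain describes.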
Control Gaps
- Standard MFA (the victim completes MFA on the legitimate Microsoft page for a device code session the attacker started; on the MAX lure the OTP is relayed in real time)
- Endpoint AV (no malware is dropped; the entire chain runs in the browser and the cloud)
Key Behavioral Indicators
- Outbound connections to panel.securehubcloud.com
- HTML content containing 'Preparing your secure document...'
- HTTP responses with banner hash febb622cd9eeb5c8860dcef4cbfd4b74
False Positive Assessment
- Low (The provided IOCs are highly specific to the Kali365 infrastructure, though hunting for generic device code logins will yield legitimate traffic.)
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Consider blocking outbound network connections to panel.securehubcloud.com, api.securehubcloud.com, and boss.securehubcloud.com.
- Evaluate blocking all subdomains of attachedfile.com at the DNS or web proxy level.
- Consider searching network logs for connections to greatness-marketing.top and tk.mowell.tech.
Infrastructure Hardening
- Consider disabling the OAuth 2.0 Device Authorization Grant flow in Entra ID if it is not required for business operations.
- If device code authentication is necessary, evaluate restricting it via Conditional Access policies to trusted locations or compliant devices.
- Consider monitoring or blocking Telegram API connections from the corporate network if not used for business purposes.
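The first two hardening items above, as an added example that is not part of the original report: the Conditional Access policy that blocks the device code flow, expressed as the Microsoft Graph request body, next to the weak variant that merely requires MFA (which does nothing here, since the victim satisfies MFA for the attacker). The schema (conditions.authenticationFlows.transferMethods, grantControls.builtInControls) is assumed from the Graph v1.0 conditionalAccessPolicy resource and should be verified against current documentation before use; the display name and exemption group are placeholders, and nothing is sent to Graph.

```python
"""Conditional Access policy that blocks the OAuth device code flow, as a Microsoft
Graph request body, plus an audit check. Added example, not from the article.
Assumption: Graph v1.0 conditionalAccessPolicy schema, in particular
conditions.authenticationFlows.transferMethods; verify before deploying."""
import json
from typing import Iterable

GRAPH_URL = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"


def block_device_code_policy(exempt_group_ids: Iterable[str] = (), report_only: bool = True) -> dict:
    """Block device code flow for all users and apps, optionally exempting a group
    (e.g. admins who genuinely need the flow for CLI tools). Starts in report-only
    mode so the legitimate printer/TV/CLI usage noted above can be measured first."""
    return {
        "displayName": "Block OAuth device code flow (device-code phishing mitigation)",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": list(exempt_group_ids)},
            "applications": {"includeApplications": ["All"]},
            # transferMethods is a comma-separated flag string in Graph
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def weak_policy_example() -> dict:
    """The tempting misconfiguration: scope the policy to the device code flow but
    'require MFA' instead of blocking. The victim satisfies MFA on the attacker's
    behalf, so this grants exactly the token the attacker wanted."""
    policy = block_device_code_policy(report_only=False)
    policy["grantControls"]["builtInControls"] = ["mfa"]
    return policy


def policy_blocks_device_code(policy: dict) -> bool:
    """Audit helper for existing policies: True only if the policy both targets the
    device code flow and applies the block control."""
    flows = policy.get("conditions", {}).get("authenticationFlows") or {}
    methods = {m.strip() for m in str(flows.get("transferMethods", "")).split(",")}
    controls = (policy.get("grantControls") or {}).get("builtInControls", [])
    return "deviceCodeFlow" in methods and "block" in controls


if __name__ == "__main__":
    body = block_device_code_policy(report_only=True)
    print(json.dumps(body, indent=2))
    # Deploy by POSTing `body` to GRAPH_URL with a token holding
    # Policy.ReadWrite.ConditionalAccess; intentionally not done in this example.
    print("blocks device code:", policy_blocks_device_code(body))
    print("weak variant blocks device code:", policy_blocks_device_code(weak_policy_example()))
```

Run the policy in report-only mode for a full business cycle and review the sign-ins it would have blocked before switching the state to "enabled"; the audit helper is meant for checking policies exported from a tenant, where transferMethods may carry several comma-separated flags.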
User Protection
- Evaluate implementing phishing-resistant MFA (such as FIDO2 security keys) where supported by your identity provider.
Security Awareness
- Consider educating users on device code phishing: microsoft.com/devicelogin is a genuine Microsoft page, so the warning sign is not the URL but being asked to enter a code that they did not generate themselves on their own device.
- Evaluate training employees to recognize fake 'prize-claim' lures and unexpected requests for one-time passwords (OTPs).
MITRE ATT&CK Mapping
- T1566.002 - Phishing: Spearphishing Link
- T1528 - Steal Application Access Token
- T1111 - Multi-Factor Authentication Interception
- T1056.002 - Input Capture: GUI Input Capture
- T1567 - Exfiltration Over Web Service (Telegram Bot API)
Additional IOCs
- Telegram Chat ID used for credential exfiltration: -5035652280
- Telegram Bot Token used for credential exfiltration: 8535071077:AAFus1ccm-puZ2htZkpKP_UyZfp3FTHFCzg
- HTTP response banner hash served by the operator's phishing pages: febb622cd9eeb5c8860dcef4cbfd4b74