From Token Bingo to MAX Takeover: Kali365 Operator Expands Operation Across Microsoft Outlook, Okta, Xerox DocuShare, and Other Services
Essential information
- Published: 02/06/2026 21:07
- Modified: 03/06/2026 09:34
- Source / Author: AlienVault
- Confidence: 100/100
- Report type(s): threat-report
- Labels / Tags: device code phishing ekz infostealer kali365 max messenger mfa bypass oauth 2.0 abuse phishing-as-a-service russian platforms token theft
- Tags: 2026-06-02 device code phishing ekz infostealer kali365 max messenger mfa bypass oauth 2.0 abuse phishing-as-a-service russian platforms token theft
- Related entities: 7 indicators, 7 observables, 20 techniques (mitre), 1 malware, 6 others
Description
A significant expansion of the Kali365 phishing-as-a-service operation has been observed, now targeting multiple platforms beyond Microsoft 365. The operator abuses OAuth 2.0 device authorization flows to bypass MFA and steal authentication tokens. Key discoveries include a live command-and-control panel infrastructure, a phishing campaign impersonating MAX Messenger (Russia's state-backed messaging platform with 110 million users) through fake prize-claim flows, and a cluster of 126 malicious hosts impersonating services including Microsoft Outlook, Okta SSO, Xerox DocuShare, Mail.ru, Yandex Disk, and Odnoklassniki. The operation demonstrates a deliberate focus on Russian consumer platforms alongside Western enterprise targets, utilizing Telegram bots for credential exfiltration and employing a multi-tenant phishing platform distributed through Telegram channels.
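The report's core technique is abuse of the OAuth 2.0 device authorization flow: the victim approves a device code on the legitimate identity provider's page, and the operator redeems it for tokens, so MFA is satisfied by the victim and the tokens land with the attacker. A practical defensive check is to hunt sign-in logs for device-code redemptions by accounts that never use that flow. The following detection is an added example written for this page, not code from the report or from AlienVault. It assumes Microsoft Entra sign-in records exported in the shape of the Microsoft Graph signIn resource (the `authenticationProtocol`, `userPrincipalName`, `appDisplayName`, `ipAddress` and `status.errorCode` fields); the sample records and the `EXPECTED_DEVICE_CODE_USERS` allow-list are constructed for the example.

```python
"""Flag OAuth 2.0 device-code sign-ins in Entra-style sign-in logs.

Device-code phishing ends with the attacker redeeming a code the victim
approved.  In Microsoft Entra sign-in logs that redemption is recorded with
authenticationProtocol == "deviceCode", which ordinary users almost never
produce, so a low-noise rule is: alert on every successful device-code sign-in
by a user who is not on an allow-list of accounts expected to use the flow
(CLI tooling, headless devices).  IP novelty is used only as a severity
weight, because which party's address the provider records can vary.
"""
import json
from collections import Counter

# Constructed sample records (not real log data), shaped after the
# Microsoft Graph signIn resource fields this detection reads.
SAMPLE_SIGNINS_JSONL = """
{"createdDateTime":"2026-06-02T08:14:05Z","userPrincipalName":"alice@example.com","appDisplayName":"Microsoft Office","authenticationProtocol":"oAuth2","ipAddress":"198.51.100.10","status":{"errorCode":0}}
{"createdDateTime":"2026-06-02T08:21:40Z","userPrincipalName":"alice@example.com","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.77","status":{"errorCode":0}}
{"createdDateTime":"2026-06-02T09:02:11Z","userPrincipalName":"buildsvc@example.com","appDisplayName":"Azure CLI","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.20","status":{"errorCode":0}}
{"createdDateTime":"2026-06-02T09:30:00Z","userPrincipalName":"bob@example.com","appDisplayName":"Microsoft Azure PowerShell","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.78","status":{"errorCode":50126}}
"""

# Hypothetical allow-list: accounts that legitimately use the device-code flow.
EXPECTED_DEVICE_CODE_USERS = {"buildsvc@example.com"}


def parse_signins(jsonl):
    """Parse one JSON sign-in record per line; blank lines are ignored."""
    return [json.loads(line) for line in jsonl.strip().splitlines() if line.strip()]


def count_device_code_by_user(records):
    """Baseline view: how many device-code sign-ins (any outcome) each user produced."""
    return Counter(r["userPrincipalName"] for r in records
                   if r.get("authenticationProtocol") == "deviceCode")


def flag_device_code_signins(records, expected_users=EXPECTED_DEVICE_CODE_USERS):
    """Return one alert per successful device-code sign-in by an unexpected user."""
    alerts = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        # A non-zero errorCode is a failed sign-in: no token was issued, so it is
        # worth logging but is not an account takeover.
        if r.get("status", {}).get("errorCode", 0) != 0:
            continue
        user = r["userPrincipalName"]
        if user in expected_users:
            continue
        alerts.append({
            "user": user,
            "app": r.get("appDisplayName"),
            "ip": r.get("ipAddress"),
            "time": r["createdDateTime"],
            "reason": "successful device-code sign-in by a user not expected to use the flow",
        })
    return alerts


def enrich_with_ip_novelty(records, alerts):
    """Mark each alert with whether its IP appears in the user's non-device-code sign-ins."""
    seen = {}
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            seen.setdefault(r["userPrincipalName"], set()).add(r.get("ipAddress"))
    for a in alerts:
        a["novel_ip"] = a["ip"] not in seen.get(a["user"], set())
    return alerts


if __name__ == "__main__":
    recs = parse_signins(SAMPLE_SIGNINS_JSONL)
    for a in enrich_with_ip_novelty(recs, flag_device_code_signins(recs)):
        print(json.dumps(a))
```

Run against a real export, the allow-list is the part to tune: keep it to service principals and named engineers who use device-code-capable CLIs, and treat every other hit as a token-theft candidate to be followed by session revocation and a review of the app that redeemed the code. The failed sign-in for the constructed bob@example.com record is deliberately excluded so the rule stays focused on redemptions that actually produced tokens.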