{ "name": "From Token Bingo to MAX Takeover: Kali365 Operator Expands Operation Across Microsoft Outlook, Okta, Xerox DocuShare, and Other Services", "slug": "from-token-bingo-to-max-takeover-kali365-operator-expands-operation-across-microsoft-outlook-okta-xerox-docushare-and-other-services", "description": "A significant expansion of the Kali365 phishing-as-a-service operation has been observed, now targeting multiple platforms beyond Microsoft 365. The operator abuses OAuth 2.0 device authorization flows to bypass MFA and steal authentication tokens. Key discoveries include a live command-and-control panel infrastructure, a phishing campaign impersonating MAX Messenger (Russia's state-backed messaging platform with 110 million users) through fake prize-claim flows, and a cluster of 126 malicious hosts impersonating services including Microsoft Outlook, Okta SSO, Xerox DocuShare, Mail.ru, Yandex Disk, and Odnoklassniki. The operation demonstrates a deliberate focus on Russian consumer platforms alongside Western enterprise targets, utilizing Telegram bots for credential exfiltration and employing a multi-tenant phishing platform distributed through Telegram channels.", "published": "2026-06-02T19:07:01.258000+00:00", "created_at": "2026-06-03T09:34:17.912000+00:00", "modified_at": "2026-06-03T07:34:17+00:00", "created_at_opencti": "2026-06-03T09:34:17.912000+00:00", "author": "AlienVault", "confidence": 100, "report_types": [ "threat-report" ], "labels": [ "device code phishing", "ekz infostealer", "kali365", "max messenger", "mfa bypass", "oauth 2.0 abuse", "phishing-as-a-service", "russian platforms", "token theft" ], "tags": [ "2026-06-02", "device code phishing", "ekz infostealer", "kali365", "max messenger", "mfa bypass", "oauth 2.0 abuse", "phishing-as-a-service", "russian platforms", "token theft" ], "related_entities": { "indicators": [ { "id": "3c28fbc4-9bff-4964-bd7b-8b96a038d6bc", "name": "boss.securehubcloud.com" }, { "id": "efdb9a62-f734-4e26-9a36-37d8fc0ce7f4", "name": "api.securehubcloud.com" }, { "id": "444b92de-47da-4ede-acdb-d8d622cd5672", "name": "panel.securehubcloud.com" }, { "id": "e89dd63c-fd27-473c-9634-0635045da381", "name": "attachedfile.com" }, { "id": "a08e9eb4-4ca0-4c07-871a-eb7159fc9f49", "name": "http://panel.securehubcloud.com/login" }, { "id": "78e2d4ee-6473-424f-b0f6-d3a3fd2a0b07", "name": "securehubcloud.com" }, { "id": "206916a7-b3c5-4f4d-8f4e-1b5a7696d0cc", "name": "greatness-marketing.top" } ], "attack_patterns": [ { "id": "16e4fc82-7c0b-4d1a-b784-b804b4df26dc", "name": "T1204.001" }, { "id": "9f11a241-9abc-4c57-95dd-33955ab08826", "name": "T1078" }, { "id": "7e3e3784-9547-42ca-b888-482972d14be3", "name": "T1528" }, { "id": "c9de6d3f-08cf-448d-8b9f-9aeff59fc48f", "name": "T1550" }, { "id": "503ba2cd-0ae8-422c-8f1a-2cecb472db53", "name": "T1550.001" }, { "id": "d9b45b3b-d093-4016-89e9-48f31ff4d05d", "name": "T1566" }, { "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f", "name": "T1071.001" }, { "id": "ca53b2fa-42a8-45ec-9682-0cf54bf280f3", "name": "T1090" }, { "id": "dc410646-9cdd-427b-92e7-179a54f78f90", "name": "T1566.001" }, { "id": "50514c04-b3a2-4abf-a855-e3a434200c87", "name": "T1204" }, { "id": "0c836307-129e-4ff7-a532-180c633cacba", "name": "T1027" }, { "id": "397ed6b1-0142-4167-b0e0-bd69a9adf819", "name": "T1566.003" }, { "id": "41ad5d62-aa6a-47d6-a9a9-fb2209601099", "name": "T1098" }, { "id": "b7c6c1ad-f183-4128-8427-3891029c73dc", "name": "T1539" }, { "id": "de38dd3a-41d7-4621-8a00-a32d7f0ff420", "name": "T1102.002" }, { "id": "ee82762a-2958-4901-aade-341277d9b410", "name": "T1078.004" }, { "id": "52b92395-d3d3-4e05-976a-0fccccfce8d2", "name": "T1566.002" }, { "id": "870bd958-53a3-4d25-9f23-00aa8bd6674d", "name": "T1102" }, { "id": "dc342445-1b78-48b4-aa06-89ed2ad7c28e", "name": "T1071" }, { "id": "0156fcda-e385-4662-b388-086c3e16feec", "name": "T1140" } ], "malware": [ { "id": "a2c3f77e-cd68-4806-a321-97f02c385c8b", "name": "EKZ Infostealer", "slug": "ekz-infostealer" } ], "observables": [ { "id": "fb74edaa-8be8-462e-aaf0-952557a0254e", "name": "greatness-marketing.top" }, { "id": "e96af820-3bea-42f8-8828-ea84f740e392", "name": "securehubcloud.com" }, { "id": "48174391-5431-4b0d-9dd5-2a6ebb7bf92e", "name": "attachedfile.com" }, { "id": "98ce24bc-47db-41ed-8dc9-2212b5fff865", "name": "api.securehubcloud.com" }, { "id": "12b2c0de-6d00-492d-b169-b08b8f9bc0e2", "name": "panel.securehubcloud.com" }, { "id": "af0a6051-ebe8-44f6-babf-a5491baffa03", "name": "boss.securehubcloud.com" }, { "id": "7de1eb3e-e629-4bb9-8a8c-d642cab8f1c5", "name": "http://panel.securehubcloud.com/login" } ], "others": [ { "id": "", "name": "boss.securehubcloud.com" }, { "id": "", "name": "api.securehubcloud.com" }, { "id": "", "name": "panel.securehubcloud.com" }, { "id": "", "name": "attachedfile.com" }, { "id": "", "name": "securehubcloud.com" }, { "id": "", "name": "greatness-marketing.top" } ] }, "external_refs": [ { "id": "409d9428-16c9-47ad-8589-1a84ac830646", "standard_id": "external-reference--110a3334-8dbc-5ec2-a19d-8f4391d0bbbf", "entity_type": "External-Reference", "source_name": "AlienVault", "description": null, "url": "https://arcticwolf.com/resources/blog/kali365-expands-into-aws-microsoft-okta-xerox-max-messenger/", "hash": null, "external_id": null, "created": "2026-06-03T09:34:17.848Z", "modified": "2026-06-03T09:34:17.848Z", "createdById": null }, { "id": "1fbbc453-f27e-402f-992f-6deccab71825", "standard_id": "external-reference--f355698c-897c-5c14-b126-87ce119c3b41", "entity_type": "External-Reference", "source_name": "AlienVault", "description": null, "url": "https://otx.alienvault.com/pulse/6a1f29d52e7ef5590675949f", "hash": null, "external_id": "6a1f29d52e7ef5590675949f", "created": "2026-06-03T09:34:17.749Z", "modified": "2026-06-03T09:34:17.749Z", "createdById": null } ] }