
Phishing kits are getting smarter, faster, and far more scalable than many organizations realize.
One operation that barely existed a few months ago is now impersonating Microsoft, Okta, AWS, Xerox DocuShare, and even Russia's MAX Messenger across a sprawling phishing infrastructure. 🔽
New research from Arctic Wolf Labs shows the Kali365 (K365) Phishing-as-a-Service platform significantly expanding its reach since it first appeared in April 2026.
Investigators uncovered a cluster of 126 malicious hosts serving phishing pages designed to capture credentials and authentication tokens. The operation reportedly abuses Microsoft's OAuth device authorization flow to bypass MFA protections and now targets multiple enterprise and consumer platforms.
One particularly concerning discovery involved a fake MAX Messenger prize-claim campaign. Victims are prompted to enter their phone number, SMS OTP, and even their 2FA password, allowing attackers to defeat multiple authentication layers in a single interaction.
Researchers also identified live command-and-control infrastructure monitoring token capture activity in near real time.
For defenders, this is another reminder that MFA alone is not a silver bullet when attackers can manipulate legitimate authentication workflows.
How is your organization approaching device-code phishing risks and OAuth abuse detection today?
#CyberSecurity #Phishing #ThreatIntelligence #IdentitySecurity #InfoSec
Shared by Dakota Silva - 12 hours ago