Once targeting just Microsoft 365, the phishing-as-a-service platform now aims at AWS, Okta, and Russian platforms, while relying on device code phishing.
June 2, 2026
The operators of Kali365, a phishing-as-a-service platform that drew considerable attention for helping attackers bypass multifactor authentication (MFA) on Microsoft 365 accounts, have significantly broadened both their capabilities and their target list.
In a report released this week, Arctic Wolf described Kali365 as evolving from a purely Microsoft-focused phishing kit to a broader account-compromise platform that targets digital identities across AWS, Okta, Xerox DocuShare, and several Russian online services. The most notable among them is MAX Messenger, a Russian state-backed messaging platform with more than 80 million users that the Russian government has promoted as the country's national message service.
Kali365's expansion into MAX Messenger and other Russian online services suggests "a deliberate, consistent focus on Russian consumer-Internet platforms, alongside the operator's existing Western enterprise targets," Arctic Wolf said. "A phishing operator who can convert MAX account takeovers into propagation has access to one of the largest installed messaging bases in the Russian-speaking world."
