Kali365 (aka Kali365 Live) is a multi-tenant Microsoft 365 phishing-as-a-service platform first seen April 2026, promoted via Telegram, ~$250/30 days or $2,000/year via the non-KYC processor Trocador. It abuses the OAuth 2.0 device authorization grant ("device code flow") to capture access and refresh tokens, bypassing MFA without handling a password, and offers a separate AitM "Cookie Link" mode for session-cookie theft. Features: AI-generated lures, Cloudflare Worker-hosted pages impersonating Adobe Acrobat Sign, DocuSign, SharePoint, OneDrive and Teams, token sharing between affiliates, and an Electron desktop client. Post-compromise activity includes malicious inbox rules to suppress alerts and rogue Entra ID device registration. Arctic Wolf documented hundreds of attacks across North America and EMEA; the FBI issued advisory PSA260521 on 21 May 2026. Kali365 shares infrastructure and lineage with the EvilTokens/CLURE device-code kits.
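The post-compromise pattern described above can be hunted by correlating device-code sign-ins with inbox-rule creation or device registration by the same account shortly afterwards. This is an added example, not part of the original pulse; the normalized event schema, the `RegisterDevice` label, the 60-minute window and all sample events are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events in a simplified, normalized schema (assumption).
# Entra ID sign-in logs record the device code grant as
# authenticationProtocol == "deviceCode"; "New-InboxRule" is the Exchange audit
# operation for rule creation; "RegisterDevice" is a hypothetical label.
EVENTS = [
    {"time": "2026-05-20T09:00:00", "user": "alice@example.com", "type": "signin", "protocol": "deviceCode", "ip": "203.0.113.10"},
    {"time": "2026-05-20T09:04:00", "user": "alice@example.com", "type": "audit", "operation": "New-InboxRule"},
    {"time": "2026-05-20T09:12:00", "user": "alice@example.com", "type": "audit", "operation": "RegisterDevice"},
    {"time": "2026-05-20T10:00:00", "user": "bob@example.com", "type": "signin", "protocol": "none", "ip": "198.51.100.7"},
    {"time": "2026-05-20T10:05:00", "user": "bob@example.com", "type": "audit", "operation": "New-InboxRule"},
    {"time": "2026-05-20T11:00:00", "user": "carol@example.com", "type": "signin", "protocol": "deviceCode", "ip": "192.0.2.44"},
    {"time": "2026-05-20T15:00:00", "user": "carol@example.com", "type": "audit", "operation": "New-InboxRule"},
]

# Audit operations that match the post-compromise activity named in the pulse.
FOLLOW_UPS = {"New-InboxRule", "RegisterDevice"}


def correlate(events, window=timedelta(minutes=60)):
    """Pair each device-code sign-in with follow-up operations by the same user within `window`."""
    parsed = sorted(
        ({**e, "time": datetime.fromisoformat(e["time"])} for e in events),
        key=lambda e: e["time"],
    )
    findings = []
    for s in parsed:
        if s["type"] != "signin" or s.get("protocol") != "deviceCode":
            continue
        ops = [
            e["operation"] for e in parsed
            if e["type"] == "audit"
            and e["user"] == s["user"]
            and e.get("operation") in FOLLOW_UPS
            and timedelta(0) <= e["time"] - s["time"] <= window
        ]
        # A device-code sign-in alone is worth review; with follow-ups it is high severity.
        findings.append({"user": s["user"], "ip": s["ip"], "follow_ups": ops,
                         "severity": "high" if ops else "review"})
    return findings


if __name__ == "__main__":
    for finding in correlate(EVENTS):
        print(finding)
```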
Indicators of Compromise (94)
References (3)
https://blog.sekoia.io/new-widespread-eviltokens-kit-device-code-phishing-as-a-service-part-1/
https://www.bitdefender.com/en-us/blog/hotforsecurity/fbi-kali365-phishing-kit-breaks-microsoft-365-accounts-no-password-required
https://arcticwolf.com/resources/blog/token-bingo-dont-let-your-code-be-the-winner/