
Kali365 PhaaS Operation Expands Beyond Microsoft 365 to Target Okta and MAX Messenger

ID: df9bee7b-4c54-55f6-8782-6628bb44cbd3

STIX ID: report--df9bee7b-4c54-55f6-8782-6628bb44cbd3

Feed Name: cybersecurityNews.com

Threat Score: 78/100

Date Published: 2026-06-04

Date Updated: 2026-06-04

Author: Tushar Subhra Dutta


Kali365 is a fast-growing phishing-as-a-service platform, first observed in April 2026, that abuses Microsoft's OAuth device code flow to obtain valid login tokens without passwords or MFA codes. Its operators have expanded to impersonate Okta, Russian services (including MAX Messenger), and many other brands across a 126-host phishing cluster. Arctic Wolf and the FBI have observed active use, documented C2 infrastructure and Telegram-based credential exfiltration, and published IoCs and mitigations (block C2 domains, disable device-code auth, monitor post-auth behavior).
