logo

​​Kratos PhaaS Targets US and EU: How to Reduce Microsoft 365 Account Takeover Risk​

ID: 9e641b04-1c9c-54c8-a00f-8386039d63b2

STIX ID: report--9e641b04-1c9c-54c8-a00f-8386039d63b2

Feed Name: ANY.RUN's Cybersecurity Blog

Threat Score
72/100

Date Published: 2026-07-14

Date Updated: 2026-07-15

Author: ShiFu

...
...

ANY.RUN analyzed the Kratos Phishing-as-a-Service (PhaaS) operation that impersonates Microsoft 365 to steal credentials; researchers identified three generations (V0/V1/V2), 1,628 sandbox sessions (1,484 newly attributed), 148 suspected victim organizations across >20 countries (notably US and Spain), and operator-side infrastructure including an admin panel, anti-bot options, and Telegram/email exfiltration. The report provides high-confidence asset fingerprints (e.g., barr.svg + lg.svg, file content hashes), exfiltration endpoints (next.php, save.php, /PTT/SOft/mini.php), infrastructure patterns (disposable TLDs, compromised sites, Cloudflare fronting), SIEM scoring rules, and recommended detection and response actions to reduce Microsoft 365 account takeover risk.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.