TL;DR
- Kali365 is a Telegram-distributed Phishing-as-a-Service (PhaaS) platform targeting Microsoft 365. It pairs device-code phishing with adversary-in-the-middle (AiTM) cookie/session theft to steal OAuth refresh tokens and session cookies, bypassing MFA without needing the victim's password.
- Branded activity is visible from February 15, 2026, roughly six weeks before the FBI's stated "first observed April 2026."
- It is a polished, fast-iterating product: multiple attack flows, 12 landing-page templates, a desktop "token browser" (UA kali365-live/1.0.0) for one-click inbox takeover, alert suppression ("ghost mode"), a contact harvester, AI-generated lures, and a built-in BEC keyword-monitoring engine.
- On May 21, 2026, seconds after reposting a Public Service Announcement from the FBI in their own channel, they announced they would "officially close the website and discontinue operations effective immediately."
- The "shutdown" was theater. Capture activity continued daily afterward; only the Kali365 brand went quiet, consistent with a pre-planned rebrand under the operators’ “Octopus” branding (Green Octopus / Black Octopus), not a cessation.
- Kali365 operators earned an estimated $200,000–$350,000 in subscription revenue from approximately 500 affiliates paying $250/month, with blockchain analysis confirming funds routed through centralized exchanges and flagged money-laundering services.
- Victims predominantly include small and mid-sized businesses in construction, manufacturing, healthcare, and professional services, with 55-60% located in the United States and significant clusters in Australia, India, and Canada.
What is Kali365 (in the operators' own words)
The operators of Kali365 maintain a marketing Telegram channel that actively posts about the kit and advertises its features, including in this post first seen on 12 March 2026:
Notably, Kali365 advertised two phishing methods that are purpose-built to defeat MFA: Adversary-in-The-Middle (AiTM) and Device Code phishing:
- Device-code phishing occurs when the victim is steered to Microsoft's real device-login page and enters an attacker-generated code; the victim completes genuine MFA and the attacker receives long-lived OAuth refresh tokens. There is no fake page to detect and no password to reset.
- In AiTM cookie/session theft, a reverse-proxy backend (a custom Evilginx2 ("ginX") instance) sits between the victim and Microsoft's real login and harvests the authenticated session cookies; the device-code flow separately yields long-lived OAuth refresh tokens. Those stolen artifacts are then loaded into a separate desktop tool, the kali365-live Electron app ("Real Outlook Access," later renamed "Green Octopus"), which the buyer uses to open the victim's real Outlook, OneDrive, SharePoint, and admin portal via silent SSO (relying on the captured ESTSAUTH cookies).
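Both flows leave traces in Entra ID sign-in data that a defender can triage. The script below is an added example (not SpyCloud's code and not the kit's): it assumes sign-in records shaped like Microsoft Graph `signIn` objects (authenticationProtocol, userAgent, location.countryOrRegion, appDisplayName), uses the kali365-live/1.0.0 user agent named on this page, and runs over constructed sample records with invented users and countries.

```python
"""Triage sign-in records for the two Kali365 flows described above."""
import json
from collections import defaultdict

KIT_USER_AGENT = "kali365-live/1.0.0"  # token browser UA named on the page

# Constructed sample records shaped like Microsoft Graph signIn objects;
# users and countries are invented for the example.
SAMPLE_SIGNINS = json.dumps([
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/123",
     "location": {"countryOrRegion": "US"}},
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2",
     "appDisplayName": "OfficeHome",
     "userAgent": "Mozilla/5.0 kali365-live/1.0.0 Electron",
     "location": {"countryOrRegion": "NG"}},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "oAuth2",
     "appDisplayName": "OfficeHome",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0) Chrome/123",
     "location": {"countryOrRegion": "US"}},
])


def triage(signins_json, home_country="US"):
    """Return {upn: [reasons]} for accounts whose sessions warrant revocation."""
    findings = defaultdict(list)
    for rec in json.loads(signins_json):
        upn = rec["userPrincipalName"].lower()
        country = rec.get("location", {}).get("countryOrRegion")
        # Device-code flow: the victim authenticated on Microsoft's real page,
        # so the protocol field is the only thing that marks this sign-in.
        if rec.get("authenticationProtocol") == "deviceCode":
            findings[upn].append("device-code grant to %s" % rec.get("appDisplayName"))
        # AiTM side: harvested cookies are replayed from the kit's desktop
        # token browser, which (per the page) identifies itself by user agent.
        if KIT_USER_AGENT in rec.get("userAgent", ""):
            findings[upn].append("session used from kit token browser")
        # Either flow: the replayed session arrives from the buyer's location,
        # not the victim's, so flag geography too (assumes a known home country).
        if country and country != home_country:
            findings[upn].append("sign-in from %s" % country)
    return dict(findings)
```

The device-code check is the important one: with no fake page and no password in play, the protocol field on the sign-in is often the only artifact of the initial compromise.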
The earliest branded capture (February 15, 2026) shows the cookie-theft side plainly (victim redacted):
Lifecycle and significant changes
SpyCloud’s continuous recapture of dark web and criminal ecosystem data reveals a highly active affiliate base, with thousands of successfully phished victims identified during the kit’s three-plus months of operation, intelligence that would otherwise remain invisible to defenders.
In the graph below you can see an immediate adoption of AiTM capabilities after the February release, followed by a shift in favor of device code phishing beginning in March and reaching its zenith at the end of the month.
Targeting and demographics. Captured victims skew toward small/mid businesses (construction, scaffolding, fuel, manufacturing, professional services), replicating the classic invoice/BEC target profile. Some very large businesses were also found within the victim data; however, exposure to large companies is mostly due to communication with compromised mailboxes, especially those of suppliers or partners.
Geography (victim login country, from the kit’s geo-IP):
- United States ≈ 55–60% (dominant)
- Australia ~9%, India ~8%, then Canada, Poland, UK, France, South Africa
- Smaller shares in Brazil, Italy, Germany, and the Philippines
Overall: US-dominant but genuinely global, with strong secondary clusters in Australia, India, Canada, and parts of Europe.
Verticals (domain-name heuristic plus top victims), with the clearest concentrations in:
- Construction / trades / engineering (roofing, glass, mechanical, cabinetry, homebuilders)
- Healthcare (pain & occupational-med clinics, pharma, dispensaries, home care)
- Manufacturing / industrial supply
- Professional services (legal, accounting, consulting, advisory)
- Finance / insurance / real estate (capital firms, brokers, mortgage, property management)
- Energy / oil & gas / utilities (fuel distributors, lubricants, power)
- Nonprofits / faith-based / local government - strikingly, the top two victim orgs in the sample were U.S. disability/social-services nonprofits (13 and 11 captured sessions each)
- Education (universities + K-12 districts)
Notable findings:
1. It's a BEC-targeting profile. The vertical mix (construction, manufacturing, professional services, energy) is exactly the invoice/payment-heavy economy, and it lines up with the kit’s built-in keyword-monitoring (invoice, payment, proposal, wire).
2. Soft-target sectors are over-represented.
3. Repeat/lateral targeting within orgs.
4. Blast radius exceeds the direct victim count. Compromised mailboxes are reused to attack the victim’s own contacts/customers (reply-chain hijacking, the bank-detail-change BEC emails we observed), so that each victim org is also a launch point against its partners (secondary victims).
5. Monitored mailboxes extend the blast radius further. Compromised mailboxes enable persistent monitoring of email communications from suppliers, partners, and customers. Even organizations that weren’t compromised can still be exposed by way of communicating with a compromised mailbox.
6. Token theft = MFA didn't save them. Because Kali365 captures session cookies and OAuth refresh tokens, not passwords, standard MFA provided no protection for these victims. These are session/refresh-token captures; the victims had logins that “worked,” so notification plus token/session revocation (not just password resets) is the required remediation.
Timelining major milestones
Timelining the major milestones in Kali365’s short existence (so far) shows an aggressive iteration process that has been remarkably reactive to defensive shifts by Microsoft and others.
The major changes:
- Microsoft's device-code clampdown (late March) and Kali365's bypass. The operators publicly acknowledged Microsoft withholding refresh_token for the Office client (a response to Storm-2372 device-code abuse) and claimed to have engineered around it.
- Token-persistence engineering. May development chatter shows them tuning OAuth scope/refresh handling so stolen access "lasts months."
- Capability sprawl beyond credential theft. Alert suppression, full in-browser inbox control, contact harvesting, and a BEC keyword-monitoring engine turn a phish into a persistent BEC/financial-fraud platform.
- Infrastructure and brand churn (octopi365/kali365.xyz → blackoctopusking; "Green Octopus 3.1.0," "black-octopus-sender") built for resilience and law-enforcement evasion.
The migration, the FBI bulletin, and the "shutdown"
For a kit that wouldn’t even be eating solid foods if it were a human baby, it’s had quite a few big events since its February birthdate.
The migration (May 7-8)
At ~18:00 UTC on May 7, 2026, Kali365 notified all customers that the PhaaS kit was moving operations to blackoctopusking.live, citing a move to “more anonymous infrastructure” as the reason for the shift and the apparent rebrand (foreshadowing). This action effectively retired their previously used domains octopi365.com / kali365.xyz and related infrastructure.
The FBI bulletin and the "shutdown" (May 21)
The FBI issued a public service announcement via the Internet Crime Complaint Center (“IC3”) on May 21, which named Kali365 as a PhaaS targeting Microsoft 365 Access Tokens. The operators reposted the PSA into their own channel and, 13 seconds later, seemingly announced their retirement:
So, you may be asking: why are we taking the time to share this research, if the devs are retired and the kit is effectively dead?
The rebrand
SpyCloud’s analysis of messages between customers revealed that the “Octopus” brand was actually in use for some time prior to the attempted rebrand. On May 12, one customer publicly referred to the Electron-based Outlook app as “greenoctopus,” and on May 14, the source code for the panel was quietly updated from Kali365 Live to Green Octopus 3.1.0.
Notably, beyond a few cosmetic changes, the infrastructure largely remained the same. Existing customers were advised to log in with their existing usernames and passwords, and were informed that their tokens and captures had been seamlessly migrated. The operators even claimed that linked Cloudflare workers (lures) would still work post-migration.
While AiTM phishes dropped by about 34% post rebrand, device code phishes climbed again, peaking around mid-May at roughly half their late-March high. Taken together, the left and right sides of the graph above are effectively indistinguishable (given the inherently spiky nature of successful phishes), and Pam from The Office would be excused for thinking they were the same picture (may be a deep-cut for some).
Given all this, we assess this “rebrand” was less a stealthy move to escape scrutiny than the cyber equivalent of a fugitive dyeing their hair and changing clothes while leaving a face tattoo in plain sight: the panel got a new domain and an octopus paint job, but the kali365-live user-agent, the “Kali365 Team” sign-off, and the same operators, accounts, lures, and wallets never changed, and the octopus theme (octopi365) predated the “new” brand anyway.
The affiliate base
Based on SpyCloud’s observability into the operators and operations of the Kali365 kit, we can paint a rough picture of the likely user base and targeting methodologies of the kit.
During the first full month of operation, the customer base soared from zero to approximately 300 by the end of March, increasing to at least 500 distinct affiliate operators with active Kali365 subscriptions by the beginning of May.
Considering Kali365’s observed subscription price ($250/30 days) and an operating window of roughly February-June 2026, we estimate the operator(s) earned on the order of $200K–$350K USD in subscription revenue since launch. Blockchain tracing of the payment wallets they advertised to customers corroborates that range and, if anything, pushes it toward the top end.
The advertised BTC and USDT addresses resolve to a single, interconnected cluster (the wallets transact with one another and consolidate into shared cash-out points), and they were funded by hundreds of distinct paying counterparties. Inbound payments were overwhelmingly USDT on Tron, concentrated in March–May 2026 and peaking in May, precisely matching the kit’s growth curve and a monthly-renewal model.
On the outflow side, the cluster consolidated and cashed out through mainstream centralized exchanges – a single primary USDT consolidation wallet alone routed roughly $128K off-chain – and a meaningful share of inflows traced to a flagged money-laundering service, situating Kali365’s proceeds within a known illicit-finance network. Notably, the operator’s longest-lived Bitcoin cash-out address shows ~1.3 BTC (comfortably six figures) moving through it since 2024, predating Kali365 itself, a marker of the broader, longer-running fraud income that sits on top of the subscription business.
None of these figures include deposit addresses presumably shared in private customer DMs, nor the proceeds of the actor’s own hands-on phishing and Business Email Compromise (BEC), so all of the above should be read as a floor.
Most importantly, Kali365’s affiliates are not loyal to any single kit. The same actors run Kali365 side-by-side with rival PhaaS panels – Tycoon 2FA, Kratos, Nova, and generic AiTM/“Microsoft” kits – often in parallel. In practice, an affiliate treats these kits as interchangeable tools in one workflow: whichever panel best fits the target, be it AiTM cookie theft, OAuth device-code, or straight credential capture, feeds the same operator’s pipeline and the same downstream fraud (BEC, mailbox monetization).
This ecosystem behaves less like a set of isolated buyers and more like a loose collective: reseller sub-tiers (a single subscriber reselling access to a dozen-plus of their own sub-clients), shared, kit-provided lure infrastructure (e.g., Cloudflare Workers), referral programs, and pooled results pipelines; structurally similar to the way “traffer” teams band together to share infrastructure, access, and proceeds.
Final takeaway
The Kali365 shutdown announcement bought the operators a news cycle and cost them nothing. Captures kept landing, the panel kept its user-agent, the wallets kept consolidating, and the only thing that really changed was the paint job.
What persists following this faux retirement is the capability and the people running it. The same affiliates rotate between Kali365, Tycoon, and whatever launches next, feeding the same BEC pipeline regardless of the logo on the panel or username of the person selling it.
Because Kali365 steals session tokens that persist independently of credentials, password resets are ineffective for remediation. Effective response requires explicit session revocation, token invalidation, and MFA re-enrollment. Teams that prioritize visibility into exposed device code grants and anomalous token activity over simple password resets have a better chance of preventing and mitigating these threats.
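The revocation step above maps to a single Microsoft Graph action. The helper below is an added example (not SpyCloud's or the kit's code); it assumes a Graph access token with the User.RevokeSessions.All permission and an HTTP client object exposing `post(url, headers=...)` and returning a response with `status_code` (a `requests.Session()` works; a stub is used for testing).

```python
"""Revoke refresh tokens and session cookies for compromised Microsoft 365 users."""
GRAPH = "https://graph.microsoft.com/v1.0"


def revoke_sessions(client, access_token, upns):
    """POST /users/{upn}/revokeSignInSessions for each user; return {upn: ok}.

    revokeSignInSessions resets the user's signInSessionsValidFromDateTime,
    which invalidates both the refresh tokens handed out by the device-code
    flow and the browser session cookies lifted by the AiTM proxy. A password
    reset alone touches neither artifact, which is why it is not enough here.
    """
    headers = {"Authorization": "Bearer " + access_token}
    results = {}
    for upn in upns:
        url = "%s/users/%s/revokeSignInSessions" % (GRAPH, upn)
        resp = client.post(url, headers=headers)
        # Graph answers 200 (with a boolean body) on success; tolerate 204 too.
        results[upn] = resp.status_code in (200, 204)
    return results


def remediation_plan(triaged):
    """Turn {upn: [reasons]} from sign-in triage into the list to revoke.

    Only accounts with a device-code grant or a kit-UA session are included;
    a bare geography hit is left for analyst review (assumed policy).
    """
    strong = ("device-code grant", "kit token browser")
    return sorted(
        upn for upn, reasons in triaged.items()
        if any(any(marker in r for marker in strong) for r in reasons)
    )
```

Run MFA re-enrollment for the same users after revocation, since the kit's device-code flow completed genuine MFA and the existing methods cannot be assumed clean.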
FAQs
Kali365 is a Phishing-as-a-Service platform distributed through Telegram that targets Microsoft 365 accounts using device-code phishing and adversary-in-the-middle (AiTM) techniques to steal OAuth refresh tokens and session cookies, bypassing MFA without requiring the victim’s password.
Kali365 uses two methods: device-code phishing directs victims to Microsoft’s real login page where they complete genuine MFA while the attacker receives long-lived OAuth tokens, and AiTM cookie theft uses a reverse-proxy to harvest authenticated session cookies as victims log into the real Microsoft site.
Branded Kali365 activity appeared in mid-February 2026, roughly six weeks before the FBI’s stated “first observed April 2026” date, with the kit rapidly scaling to 300-500 daily device-code phishing captures by late March.
No, the May 21, 2026 shutdown announcement was theater – capture activity continued daily afterward with the same infrastructure, user-agent (kali365-live/1.0.0), operators, and payment wallets, representing a rebrand to “Octopus” rather than a genuine cessation of operations.
Victims skew toward small and mid-sized businesses in construction, manufacturing, professional services, healthcare, and energy sectors, with 55-60% located in the United States, followed by Australia (9%), India (8%), and Canada, matching the classic invoice and business email compromise target profile.
Based on the $250/30-day subscription model and approximately 500 active affiliates by May 2026, operators earned an estimated $200,000–$350,000 in subscription revenue alone, corroborated by blockchain analysis of their Bitcoin and USDT payment wallets.
The kali365-live Electron app is a desktop tool (user-agent: kali365-live/1.0.0) that loads stolen session cookies and OAuth tokens to provide one-click access to victims’ real Outlook, OneDrive, SharePoint, and admin portals through silent single sign-on.
Ghost mode automatically deletes MFA notifications, password-change emails, and sign-in warnings from the victim’s mailbox before they can see them, allowing attackers to maintain persistent access without alerting the compromised user.
When Microsoft withheld refresh tokens for the Office client in late March 2026 as a Storm-2372 countermeasure, Kali365 operators publicly acknowledged the change and claimed to have bypassed the restrictions within days, tuning OAuth scopes to maintain token longevity.
Kali365 steals session cookies and OAuth refresh tokens rather than passwords – these artifacts persist independently of password changes and require explicit session revocation, token invalidation, and MFA re-enrollment to fully remediate the compromise.