Skip to content

Observed infrastructure

Last seven days

First activity
Jul 13, 2026
Last activity
Jul 18, 2026
Feed role
Distribution
Host form
2 IP / 9 hostnames

Leading locations

  • US7
  • DE1
  • FR1

Leading providers

  • Cloudflare, Inc.6
  • Tencent Building, Kejizhongyi Avenue2
  • Contabo GmbH1

Infrastructure traits

  • Hosting 9
  • Anycast 6
  • Proxy 1

Reported operators

Threat actors

1 named in public reporting
Storm-2372

What I discovered was that this was a fairly new PhaaS kit known as Kali365. Similar to our reporting on EvilTokens earlier this year, this phishing kit uses the device authentication code flow to trick users into letting them into environments, and keeping access even if MFA is used and passwords are changed post-compromise.

MITRE ATT&CK

Kali365 in ATT&CK

19 distinct techniques

Reporting

Research mentioning Kali365

Jul 14
ReliaQuest

Threat Spotlight: The Jalisco Toolkit and AI-Powered Phishing Surge

A growing ecosystem of AI-powered PhaaS kits, including EvilTokens and "Kali365," is enabling threat actors of any skill level to launch device code phishing campaigns at scale.

Jul 13
The Hacker News

Forg365 PhaaS Targets Microsoft 365 with Device Code and AitM Session Theft

The email security company said the PhaaS kit is best understood as similar to the Kali365 (aka Octopi365 and Freedom365) and Sneaky 2FA ecosystem.

Jul 9
Bleeping Computer

New Forg365 phishing platform uses AI to target Microsoft 365 accounts

Researchers at ZeroBEC email security company say that many of the features in Forg365 are present in other infamous PhaaS platforms such as Kali365 and Sneaky2FA, although they could not establish a connection.

Jun 16
Online Threat Alerts

Microsoft 365 Scam and Kali365 Toolkit Hack

The Federal Bureau of Investigation (FBI) has issued an urgent warning regarding a widespread Microsoft 365 phishing scam driven by a malicious hacking toolkit called "Kali365".

Jun 11
Huntress

Inside Kali365, a Device Code Phishing Ecosystem | Huntress

What I discovered was that this was a fairly new PhaaS kit known as Kali365. Similar to our reporting on EvilTokens earlier this year, this phishing kit uses the device authentication code flow to trick users into letting them into environments, and keeping access even if MFA is used and passwords are changed post-compromise.

May 29
Zdnet

ZD Tech : Tout ce qu'il faut savoir sur Kali365, l'outil vendu su ...

Depuis le mois d'avril dernier, une plateforme nommée Kali365 fait des ravages dans les entreprises européennes. C'est un service vendu sur Telegram pour seulement deux cent cinquante dollars par mois. ... Et bien Kali365 contourne complètement cet obstacle. L'outil capture ce que l'on appelle le token de session.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.