Phishing‑as‑a‑Service Kit Kali365 Expands to AWS, Okta, and Russian Platforms, Raising Credential‑Theft Risk
What Happened — The FBI‑flagged phishing‑as‑a‑service (PhaaS) kit known as Kali365, originally built to harvest Microsoft 365 credentials, has been upgraded to target Amazon Web Services, Okta identity platforms, and several high‑profile Russian cloud services. The kit leverages “device‑code” phishing, a technique that tricks users into authorizing malicious applications via OAuth‑style consent screens.
Why It Matters for Third‑Party Risk Management (TPRM) —
- Expands the attack surface of any third‑party vendor that integrates with AWS or Okta, increasing the likelihood of credential compromise.
- Device‑code phishing bypasses traditional email‑filter defenses, making detection harder for downstream customers.
- The service’s open‑sale model means the same tooling can be repurposed against multiple supply‑chain partners, amplifying systemic risk.
Who Is Affected — SaaS providers, cloud infrastructure hosts, identity‑as‑a‑service vendors, and any organization that relies on federated authentication with Microsoft 365, AWS, or Okta.
Recommended Actions —
- Review all third‑party contracts that involve AWS, Okta, or Microsoft 365 integrations for robust MFA and conditional access policies.
- Validate that vendors enforce device‑code flow restrictions and monitor for anomalous OAuth consent events.
- Incorporate phishing‑kit intelligence into security awareness training and phishing‑simulation programs.
Technical Notes — The kit uses OAuth device‑code grant flows to present legitimate‑looking consent dialogs, tricking users into granting attacker‑controlled client IDs access to cloud resources. No specific CVE is cited; the threat is operational rather than a software vulnerability. Data at risk includes privileged cloud credentials, API keys, and downstream customer data accessed via compromised accounts. Source: Dark Reading
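To make the "monitor for anomalous OAuth consent events" recommendation concrete, here is an added detection sketch (not from the article or from any vendor) that flags device‑code sign‑ins to client IDs outside an allow‑list or from outside a user's usual geography. Field names are loosely modelled on identity‑provider sign‑in records and are assumptions, as are the allow‑list, the baseline countries and the constructed sample events.

```python
"""Detection sketch: flag OAuth device-code sign-ins to non-approved client IDs
or from outside the user's usual geography.
Constructed/assumed: the field names (loosely modelled on Entra ID sign-in
records, not guaranteed to match any product), the sample events, the
approved-client allow-list and the per-user baseline countries."""
from dataclasses import dataclass
from typing import Optional
# Constructed placeholder: client IDs allowed to use the device-code grant.
APPROVED_DEVICE_CODE_CLIENTS = {"00000000-aaaa-0000-0000-000000000001"}
# Constructed placeholder: countries each user normally signs in from.
USER_BASELINE_COUNTRY = {"alice@example.test": {"US"}, "bob@example.test": {"DE"}}

@dataclass
class Finding:
    user: str
    app_id: str
    reasons: list

def assess_sign_in(event: dict) -> Optional[Finding]:
    """Return a Finding for a suspicious device-code sign-in, else None."""
    if event.get("authenticationProtocol") != "deviceCode":
        return None  # other grant types are out of scope for this check
    user, app_id = event.get("userPrincipalName", ""), event.get("appId", "")
    reasons = []
    if app_id not in APPROVED_DEVICE_CODE_CLIENTS:
        reasons.append("device-code grant to non-approved client ID")
    country = event.get("location", {}).get("countryOrRegion")
    if country and country not in USER_BASELINE_COUNTRY.get(user, set()):
        reasons.append(f"sign-in from {country}, outside user baseline")
    return Finding(user, app_id, reasons) if reasons else None

def scan(events: list) -> list:
    """Run assess_sign_in over a batch and keep only the findings."""
    return [f for f in map(assess_sign_in, events) if f is not None]

# Constructed sample events: benign, unknown client, unknown client from an
# unusual country, and a non-device-code sign-in that should be ignored.
SAMPLE_EVENTS = [
    {"userPrincipalName": "alice@example.test", "authenticationProtocol": "deviceCode",
     "appId": "00000000-aaaa-0000-0000-000000000001", "location": {"countryOrRegion": "US"}},
    {"userPrincipalName": "alice@example.test", "authenticationProtocol": "deviceCode",
     "appId": "11111111-bbbb-0000-0000-000000000002", "location": {"countryOrRegion": "US"}},
    {"userPrincipalName": "bob@example.test", "authenticationProtocol": "deviceCode",
     "appId": "11111111-bbbb-0000-0000-000000000002", "location": {"countryOrRegion": "NL"}},
    {"userPrincipalName": "bob@example.test", "authenticationProtocol": "oAuth2",
     "appId": "11111111-bbbb-0000-0000-000000000002", "location": {"countryOrRegion": "NL"}},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.user} via {f.app_id}: {'; '.join(f.reasons)}")
```

In production the allow‑list and baselines would come from your identity provider's app registry and historical sign‑in data rather than constants.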