From Token Bingo to MAX Takeover: Kali365 Operator Expands Operation Across Microsoft Outlook, Okta, Xerox DocuShare, and Other Services

The Kali365 phishing-as-a-service operator has rapidly expanded its infrastructure and tactics, now leveraging Microsoft’s OAuth device authorization flow and targeting both Western enterprise and Russian consumer platforms—including a major campaign against MAX Messenger—to bypass MFA and facilitate large-scale account takeovers across more than 120 malicious hosts.