Last updated: July 5, 2026 at 9:01 AM UTC
Tag: phishing-as-a-service (5 articles)

ARToken phishing service steals Microsoft 365 tokens and survives password resets

Cisco Talos detailed ARToken, a phishing-as-a-service platform tied to the EvilTokens operation that is built to compromise Microsoft 365. It abuses Microsoft's device-code sign-in flow to capture authentication tokens rather than passwords, bypassing multi-factor authentication, then upgrades to a Primary Refresh Token so access survives even after the victim resets their password. Its panel exposed more than eighty API endpoints for mailbox takeover, SharePoint and OneDrive theft, and automated business email compromise, including hidden inbox rules and multi-mailbox monitoring. The lures are targeted, abusing real vendor invoice relationships and pointing to look-alike SharePoint tenants on legitimate Microsoft infrastructure so the emails are harder to flag.

Check
Hunt for unexpected device-code authentication prompts during normal work, unusual device registrations, and new inbox forwarding or hiding rules, and audit which accounts hold Primary Refresh Tokens or long-lived sessions.
Affected
Microsoft 365 organizations, especially finance and accounts-payable staff hit by vendor-invoice lures; captured tokens bypass MFA and Primary Refresh Token persistence keeps attackers in even after a password reset.
Fix
Restrict or monitor the device-code authentication flow with Conditional Access, revoke sessions and Primary Refresh Tokens on suspicion, enforce phishing-resistant methods like passkeys, and train staff to treat unexpected device-code prompts warily.

Bluekit phishing service adds browser-in-the-middle to steal logins and sessions

The Bluekit phishing-as-a-service platform has added a browser-in-the-middle technique that streams a real login page's contents to the victim over a WebSocket, capturing not just passwords but session cookies that let attackers bypass multi-factor authentication. Netcraft reports nearly 70 new Bluekit hostnames in the past week. The kit, which markets dozens of templates for services like Outlook, Gmail, GitHub, and crypto wallets and includes an AI assistant built on a safety-stripped open-weight model, layers on heavy evasion: randomized page styling to defeat screenshot detection, frequently rotating obfuscated code, custom CAPTCHAs, browser fingerprinting, and detection of proxies and security crawlers. Operators can watch victims in real time as they log in.

Check
Hunt for the Bluekit signals Netcraft lists, including randomized CSS filters on top-level elements, periodically rotated obfuscated JavaScript, and WebSocket traffic carrying encrypted data on login pages, across email and proxy logs.
Affected
Users of widely targeted services like Outlook, Gmail, GitHub, and crypto wallets; stolen session cookies let attackers replay authenticated sessions and bypass multi-factor authentication entirely.
Fix
Move to phishing-resistant, hardware-backed authentication like passkeys or FIDO2 keys, which resist session-theft phishing, shorten session lifetimes, monitor for anomalous session reuse, and train staff on login-page verification.

Google sues Chinese network for weaponizing Gemini AI in smishing scams

Google has filed suit against a Chinese cybercrime network it says abused its Gemini AI to mass-produce phishing text messages and fake websites targeting Americans. The group runs a phishing-as-a-service kit called Outsider and used Gemini to generate fraudulent pages and large smishing campaigns. The texts impersonate trusted brands, warning of "brokerage account issues" or dangling carrier "rewards," and link to lookalike sites that harvest personal and financial details. Google says the lawsuit aims to dismantle the network's infrastructure. The case underscores how criminals are folding mainstream AI tools into industrialized phishing operations.

Check
Remind staff and yourself to treat unexpected texts about account problems or rewards as suspect, and review mobile-threat and link-protection telemetry for spikes in smishing referencing banks or carriers.
Affected
Mobile users, especially in the US, targeted by SMS phishing impersonating banks, brokerages, and phone carriers via the Outsider phishing-as-a-service kit; financial and personal data are the goal.
Fix
Never click links in unsolicited texts; navigate to institutions directly. Enable carrier and device spam filtering, report smishing, and use phishing-resistant MFA so stolen passwords alone cannot unlock accounts.

FBI-flagged Kali365 phishing-as-a-service expands reach - Microsoft 365 OAuth device-code consent abuse grows beyond April campaigns

Dark Reading reports that Kali365 - the phishing-as-a-service platform the FBI flagged for fueling Microsoft 365 attacks in April - is expanding its reach. Rather than stealing passwords, Kali365 captures OAuth access and refresh tokens by tricking victims into completing attacker-initiated Microsoft device-login requests, granting immediate mailbox access. The service generates branded lures impersonating Adobe, DocuSign, and SharePoint in many languages and sells in tiers from $250 for 30 days to $2,000 annually. Its continued growth signals that OAuth device-code consent phishing remains a high-yield technique, and that defenders should prioritize blocking device-code flows for non-mobile platforms and enforcing phishing-resistant MFA across Microsoft 365 tenants.

Check
Search Microsoft 365 logs for unfamiliar device-login completions and OAuth consent grants. Hunt for inbox rules hiding security alerts. Block Adobe/DocuSign/SharePoint-themed device-code lures.
Affected
Microsoft 365 tenants where users can complete attacker-initiated device-login flows. Kali365's branded multi-language lures and tiered pricing keep OAuth device-code phishing scalable and growing.
Fix
Block device-code flow in Conditional Access for non-mobile platforms. Enforce phishing-resistant FIDO2 MFA. Train users to verify device-login codes. Audit OAuth-granted apps regularly.

FBI warns of Kali365 phishing-as-a-service: OAuth device-code consent abuse against Microsoft 365 since April, $250-$2,000/year

The FBI has issued a warning about Kali365, a phishing-as-a-service platform that fueled large Microsoft 365 attacks in April. Instead of stealing passwords, Kali365 customers trigger Microsoft device-login requests and trick victims into completing the authorization, capturing OAuth access and refresh tokens that grant immediate mailbox access. Arctic Wolf, which infiltrated the system, says Kali365 sells in three tiers from $250 for 30 days to $2,000 for the year and generates branded phishing lures impersonating Adobe, DocuSign, and SharePoint in dozens of languages. Threat actors set malicious inbox rules to suppress security notifications and extend dwell time.

Check
Search Microsoft 365 audit logs for unfamiliar device-login completions and OAuth consent grants since April 1. Hunt for inbox rules that auto-delete or hide security-team email addresses.
Affected
Any Microsoft 365 tenant where users can complete device-login flows initiated by an attacker. Adobe, DocuSign, and SharePoint-themed lures are the primary social engineering vector.
Fix
Block device-code flow in Conditional Access for non-mobile platforms. Enforce phishing-resistant FIDO2 MFA. Train users to verify the device-login codes they approve. Audit OAuth-granted apps quarterly.