VYPR
researchPublished Jul 16, 2026· 1 source

Kratos PhaaS Targets Microsoft 365 Users with Sophisticated Credential Theft Campaigns

The Kratos PhaaS operation is actively targeting Microsoft 365 users across the US and Europe with advanced phishing techniques designed to steal credentials and sensitive data.

A sophisticated phishing-as-a-service (PhaaS) operation known as Kratos is actively targeting Microsoft 365 users across the United States, Europe, and other regions. The campaign employs highly believable lures, such as fake documents, invoices, and file-sharing notifications, to trick victims into visiting malicious login pages. This operation poses a significant risk to a wide array of organizations, including small businesses, law firms, educational institutions, industrial firms, and public sector entities.

Compromised Microsoft 365 accounts can lead to the exposure of critical data, including emails, SharePoint files, OneDrive documents, sensitive payment conversations, and contact lists, which attackers can then leverage for further fraudulent activities. Security researchers have identified at least three distinct generations of the Kratos operation, with evidence suggesting its operator panel has been active since September 2025 and the kit itself visible since January 2026. Analysis of sandbox sessions indicates a substantial scale of activity, with over 1,600 sessions linked to its newer versions.

The Kratos service is engineered to simplify phishing deployment for its affiliates. Its operator panel reportedly offers features such as the ability to set up custom phishing domains, configure the delivery of stolen data, restrict campaigns geographically, and implement various anti-bot checks to hinder automated analysis. This makes it a potent tool for less technically adept threat actors looking to conduct large-scale credential harvesting operations.

The typical attack chain begins with a phishing email that appears legitimate, claiming a document has been shared, an invoice requires attention, or a DocuSign action is pending. Worryingly, many of these malicious emails have been observed bypassing corporate email filters and secure gateways, highlighting the persistent threat posed by seemingly familiar Microsoft 365 phishing messages.

Attackers often route victims through trusted services before presenting the fake login page. While SharePoint and OneDrive have been common delivery vectors, threat actors have also utilized platforms like Microsoft Forms, Canva, Tilda, systeme.io, and legitimate file-sharing services to add layers of apparent legitimacy to the attack chain. A key tactic employed by Kratos is the use of a Cloudflare Turnstile verification screen before displaying the final credential-stealing page. This step is crucial for filtering out automated scanners and analysis tools, a technique also seen in other advanced phishing operations.

The phishing page itself closely imitates a legitimate Microsoft login window, often featuring an animated envelope overlaying a blurred document or invoice. The browser tab is typically labeled "Authentication," and a "Loading in progress" message is displayed before the victim is prompted to enter their credentials. Once submitted, these credentials are sent to a server-side collection script. Some observed sessions also established WebSocket connections, which could indicate live credential relaying or an attacker-in-the-middle (AiTM) attempt, though researchers caution that a WebSocket connection alone is not definitive proof of session theft.

Kratos has demonstrably evolved, moving from earlier "Secure File Access" lures to more convincing V1 and V2 pages that closely mimic Microsoft sign-in screens. These newer versions utilize distinct page assets and collection routines, but shared domains and identical files link them to the same overarching operation. Researchers have identified specific file pairings, such as barr.svg and lg.svg in V1, as strong indicators for threat hunting and detection, appearing together in a significant number of sessions with high recall and low false-positive rates.

To defend against Kratos and similar threats, security teams should focus on correlating various indicators, including asset requests, phishing page behavior, credential collection endpoints, and delivery paths, rather than relying on single weak signals. Blocking disposable attacker-controlled domains is essential, but caution is advised when blocking shared parent domains due to potential legitimate content. For basic credential harvesting, resetting passwords and verifying multi-factor authentication (MFA) settings are crucial. In cases of suspected session theft or AiTM phishing, revoking active sessions, refreshing tokens, inspecting mailbox rules, and investigating unfamiliar sign-ins are necessary steps, as a password reset alone may not fully remove an attacker's access.

Synthesized by Vypr AI