loading . . . Kratos PhaaS Attacking Microsoft 365 Users Across the US, Europe to Steal Credentials Kratos is a phishing-as-a-service operation built to steal Microsoft 365 credentials. It is targeting organizations across the United States, Europe, and other regions by using believable document, invoice, and file-sharing lures that lead victims to fake login pages.
The campaign puts a wide range of organizations at risk, including small businesses, law firms, schools, industrial firms, and public institutions.
A compromised Microsoft 365 account can expose email, SharePoint files, OneDrive data, payment conversations, and contacts that attackers may exploit for fraud.
Analysts at ANY.RUN identified three Kratos generations and linked the operation to more than 1,600 sandbox sessions across its newer versions.
ANY.RUN said in a report shared with Cyber Security News (CSN) that the kit has been visible since January 2026, while its operator panel appears to have been active since September 2025.
The service is designed to make phishing deployment easier for affiliates. Its panel reportedly allows operators to set up phishing domains, configure stolen-data delivery, restrict campaigns by geography, and select anti-bot checks that make automated inspection more difficult.
Kratos PhaaS Attacking Microsoft 365 Users
Kratos usually starts with an email that claims a document has been shared, an invoice needs review, or a DocuSign action is waiting.
In 114 observed sessions, the malicious email had already passed through corporate email filters or secure gateways, showing why familiar-looking Microsoft 365 phishing messages still pose a serious risk.
Victims are often routed through trusted services before reaching the credential-stealing page.
Phishing email targeting company employees (Source – Any.Run)
SharePoint and OneDrive were the main delivery paths, but attackers also used Microsoft Forms, Canva, Tilda, systeme.io, and legitimate file-sharing services to make the chain appear less suspicious.
Before displaying its fake sign-in page, Kratos commonly presents a Cloudflare Turnstile verification screen. This step can help attackers filter out scanners and automated analysis tools, mirroring tactics seen in other anti-bot phishing operations .
The phishing page then imitates a Microsoft login window and commonly shows an animated envelope over a blurred document or invoice.
The browser tab is often titled “Authentication,” while the page displays a “Loading in progress” message before asking the victim to enter credentials.
Kratos phishing attack chain (Source – Any.Run)
Once submitted, credentials are sent to a server-side collection script. Some sessions also created WebSocket connections, which may indicate live credential relaying or an attacker-in-the-middle attempt, although researchers stressed that a WebSocket connection alone is not proof that a session was stolen.
Detection and Response
Kratos has evolved from a V0 “Secure File Access” lure into V1 and V2 pages that more closely imitate Microsoft sign-in screens. The newer versions use different page assets and collection routines, but shared domains and identical files connect them to the same broader operation.
The V1 pairing of barr.svg and lg.svg is the strongest known fingerprint. The files appeared together in 1,397 sessions and produced 90 percent recall with a false-positive rate close to zero in the researchers’ testing, making the pairing useful for threat hunts and SIEM detections.
Security teams should correlate asset requests, phishing-page behavior, credential collection endpoints, and delivery paths instead of relying on one weak signal. This matters because attackers frequently rotate domains, while recognizable kit components can remain stable across campaigns.
Fake Microsoft Sign In window (Source – Any.Run)
Defenders should block disposable attacker-controlled domains, but review shared parent domains before blocking them because legitimate content may also be hosted there.
Compromised websites should be reported for takedown, while broad cloud networks and Cloudflare infrastructure should be monitored rather than blocked wholesale.
For basic credential harvesting, responders should reset passwords and verify multifactor authentication settings.
For suspected session theft or AiTM phishing , teams should revoke active sessions and refresh tokens, inspect mailbox rules, and investigate unfamiliar sign-ins, since a password reset alone may not remove an attacker.
Indicators of Compromise (IoCs):-
Type Indicator Description File assets assets/img/barr.svg , assets/img/lg.svg , ani.gif , res.css , styles.css Kratos V1 page assets and detection fingerprints File assets dsa.svg , sid.gif , imag.jpg , main.js Kratos V2 page assets Exfiltration endpoint PTTSOftmini.php , next.php , nex.php , n3xt.php , officerseur.php , save.php Scripts used to collect submitted credentials Domain dwbud.vilaribit.com Early V0 PTTSOft-associated domain IP address 41.128.0.142 Operator infrastructure IP address, Egypt Domains abal.my , starwellmedia.com , aabiz.de , aspireglobal.ltd , buenne.de , dufllot.sbs , enerdizerandtron.de , espaciocf.de Kratos-associated infrastructure domains Domains ihrsupportcenter.de , ilersls.org , aaalen.de , rundwasser.de , smartcontrolengineer.com , sonnenbrillenspot.de , trisrnareprjdocz.com Kratos-associated infrastructure domains SHA-256 c447e75f1029ed7a5882add16bcd13ad44be3bd47c93c830ff39185ebb Shared styles.css hash connecting V1 and V2 activity
Note: IP addresses and domains are intentionally defanged (e.g., [.] ) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM .
Strengthen Your SOC by Accelerating Threat Detection & Rapid Investigations. -> Integrate ANY.RUN With Your SOC Now .
The post Kratos PhaaS Attacking Microsoft 365 Users Across the US, Europe to Steal Credentials appeared first on Cyber Security News . https://cybersecuritynews.com/kratos-phaas-attacking-microsoft-365-users/