​​Kratos PhaaS Targets US and EU: How to Reduce Microsoft 365 Account Takeover Risk​

​​Kratos PhaaS Targets US and EU: How to Reduce Microsoft 365 Account Takeover Risk​
Kratos is a mature Phishing-as-a-Service operation that targets Microsoft 365 users across the US, Europe, and more than 20 countries by using trusted platforms, anti-bot checks, and convincing fake login pages. ANY.RUN researchers mapped three generations of the kit, uncovered 1,484 previously unattributed detonations, and provided fingerprints, exfiltration indicators, and response guidance to help defenders detect and contain activity faster. #Kratos #Microsoft365 #ANYRUN

Keypoints

  • Kratos is a subscription-based Phishing-as-a-Service platform focused on stealing Microsoft 365 credentials.
  • ANY.RUN identified 1,628 sandbox sessions across the main Kratos generations, including 1,484 previously unattributed detonations.
  • The campaign has victim activity across more than 20 countries, with strong concentration in the US, Spain, and Southern Europe.
  • The most reliable hunting fingerprint is the paired asset pattern barr.svg and lg.svg, which delivers high recall with near-zero false positives.
  • Kratos evolved through three generations: V0, V1, and V2, each with different exfiltration code and page assets.
  • The operator panel supports fast phishing deployment, anti-bot selection, geographic restrictions, and Telegram or email-based data delivery.
  • Defenders are advised to use family-specific attribution, browser-level analysis, and targeted response actions rather than broad blocking.

MITRE Techniques

  • [T1566.002 ] Phishing: Spearphishing Link – Victims were lured through email links to legitimate services and then redirected to fake Microsoft login pages. (‘Phishing email → often passes through corporate email filters’ and ‘a link to a legitimate service’)
  • [T1583.001 ] Acquire Infrastructure: Domains – The operation used disposable attacker-controlled domains and wildcard domains to host phishing pages. (‘Newly registered, randomly named domains on low-cost TLDs’ and ‘Wildcard domains such as klenpare.com, uvarnix.cfd, and xavon.sbs’)
  • [T1090.001 ] Proxy: Internal Proxy – The kit used reverse-proxy-like behavior and session relaying consistent with AiTM activity. (‘Node.js redirect server with anti-bot’ and ‘possible adversary-in-the-middle activity or live credential relaying’)
  • [T1110.001 ] Brute Force: Password Guessing – The page limited users to three password attempts, indicating automated credential checking and controlled submission handling. (‘The victim is given only three attempts to enter a password’)
  • [T1056.002 ] Input Capture: GUI Input Capture – The fake Microsoft 365 page collected entered credentials through a login form. (‘Before the login form appears’ and ‘sending the di and pr values’)
  • [T1027 ] Obfuscated Files or Information – V2 used obfuscated code to conceal its exfiltration logic. (‘code is obfuscated’ and ‘Deobfuscated main.js’)
  • [T1132.001 ] Data Encoding: Standard Encoding – Stolen data was packaged as JSON before delivery to the attacker. (‘Stolen data is packaged as JSON and sent to the attacker’s Telegram channel’)
  • [T1095 ] Non-Application Layer Protocol – Some sessions established WebSocket connections as part of the phishing workflow. (‘Some sessions also establish a WebSocket connection’)
  • [T1568.003 ] Dynamic Resolution: DGA with Customized Algorithm – The infrastructure included DGA-style disposable domains and rotating wildcard subdomains. (‘DGA domains should be blocked’ and ‘rotate through randomly generated subdomains’)
  • [T1071.001 ] Application Layer Protocol: Web Protocols – The kit used web traffic and HTTP POST requests to exfiltration endpoints. (‘POST request to a PHP endpoint’ and ‘POST requests to endpoints such as next.php or save.php’)

Indicators of Compromise

  • [Domains ] Early and active Kratos infrastructure and hosted phishing pages – dwbud.vilaribit.com, ra zen[.]online, theoceanac[.]online, jumpast[.]es, and enerdizerandtron[.]de
  • [IP Address ] Operator-side infrastructure reference – 41.128.0.142
  • [File Hashes ] Kratos asset fingerprints used for attribution – cd231b895bbcd7154b81df1e065bf02f1ec667b920c8b6d23308cd509833b5ea, 949895df17148c5ea29f190d2619a14b3ec648425b9cc3c5a1423553c16f3898, and other 2 hashes
  • [File Names ] Distinctive phishing assets and exfiltration files – barr.svg, lg.svg, dsa.svg, sid.gif, imag.jpg, and main.js
  • [Exfiltration Endpoints ] Credential-stealing submission paths used by different generations – /next.php, /save.php, /PTT/SOft/mini.php, and /officers*eur.php
  • [URL Paths ] Family-specific page structure and lures – /assets/img/barr.svg, /assets/img/lg.svg, /PTT/SOft/, and /factura/


Read more: https://any.run/cybersecurity-blog/kratos-phaas-account-takeover/