Back to Intelligence

Kratos PhaaS Microsoft 365 Credential Theft: OTX Pulse Analysis — Enterprise Detection Pack

SA
Security Arsenal Team
July 18, 2026
5 min read

Threat Summary

Recent intelligence from the AlienVault OTX community indicates the active deployment of Kratos, a mature Phishing-as-a-Service (PhaaS) platform, specifically targeting Microsoft 365 users. The campaign has shown significant reach across the United States and multiple European nations, including Austria, Belgium, France, Germany, Italy, Norway, Portugal, Slovenia, Spain, and Sweden.

The Kratos platform distinguishes itself by offering attackers a robust toolkit to bypass traditional defenses. It utilizes "trusted" platforms for distribution and integrates anti-bot verification mechanisms to evade automated security scanners and sandbox analysis. Researchers have identified three distinct generations of the kit, with intelligence tracing over 1,484 previously unattributed detonations. This high volume of activity suggests a well-funded, organized operation providing high-yield capabilities to lower-tier threat actors via a service model.

The primary objective of this campaign is initial access via credential harvesting. Once valid credentials are obtained, actors likely perform account takeovers (ATO), enabling data exfiltration, lateral movement, or financial fraud within the compromised Microsoft 365 tenant.

Threat Actor / Malware Profile

Name: Kratos (PhaaS Platform) Type: Phishing-as-a-Service

Distribution Method

Kratos is distributed primarily via large-scale phishing campaigns. Unlike static kits, Kratos is a service, meaning the infrastructure rotates frequently. Attackers send emails containing links to the Kratos landing pages, often hosted on compromised legitimate domains (indicated by the mix of German and generic TLDs in the IOCs) to bypass reputation-based filtering.

Payload Behavior

While Kratos itself is a web-based attack kit (HTML/JS), its payload is the deception of the user:

  • Credential Harvesting: Mimics the official Microsoft 365 login interface with high fidelity.
  • 2FA Bypass: Advanced PhaaS kits often include a reverse-proxy component (often called a "man-in-the-middle" proxy) to intercept session cookies and multi-factor authentication (MFA) tokens in real-time, allowing the attacker to bypass MFA protections.

C2 Communication

The listed domains act as the interface for data exfiltration. When a victim enters credentials, the data is transmitted immediately to the actor's backend via POST requests to the phishing infrastructure.

Persistence Mechanism

PhaaS does not persist on the host machine like traditional malware. Persistence is achieved by the threat actor maintaining valid session cookies or resetting the victim's password to lock them out, effectively "owning" the account identity rather than the endpoint.

Anti-Analysis Techniques

  • Anti-Bot Verification: The kit includes scripts to detect if the visitor is a security bot, crawler, or sandbox environment. If detected, it presents a benign page or refuses to load the phishing form, preventing automated analysis systems from flagging the site.
  • Infrastructure Rotation: The platform likely automates the creation of new subdomains and domains to stay ahead of blocklists.

IOC Analysis

The provided Pulse data highlights 8 domains and 1 hostname associated with the Kratos infrastructure.

  • Indicator Types: Primarily domain and hostname. These represent the landing pages for the phishing kits.
  • Operational Guidance:
    • DNS Filtering: SOC teams must immediately block resolution of these domains at the DNS level (RPZ).
    • Web Proxy: Block HTTP/HTTPS connections to these FQDNs.
    • Hunting: Search firewall and proxy logs for any successful connections to these domains over the last 30 days to identify potential victims within the organization.
  • Tooling: SIEM solutions (Splunk, Sentinel) ingesting firewall or proxy logs can correlate these IOCs. Threat intelligence platforms (TIPs) should be used to auto-expand these domains to related IP infrastructure.

Detection Engineering

YAML
---
title: Kratos PhaaS - Suspicious Domain Connection
id: c44b8c89-2026-4045-9abc-1b2c3d4e5f6a
status: stable
description: Detects network connections to domains associated with the Kratos PhaaS campaign targeting Microsoft 365.
references:
    - https://otx.alienvault.com/
author: Security Arsenal
date: 2026/07/18
modified: 2026/07/18
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationHostname|contains:
            - buenne.de
            - enerdizerandtron.de
            - ihrsupportcenter.de
            - rundwasser.de
            - sonnenbrillenspot.de
            - dwbud.vilaribit.com
            - abal.my
            - starwellmedia.com
    condition: selection
falsepositives:
    - Unknown
level: high
---
title: Kratos PhaaS - DNS Query for Phishing Infrastructure
id: d55d9d90-2026-5056-9abc-2c3d4e5f6a7b
status: stable
description: Detects DNS queries for domains known to be used by the Kratos PhaaS operation.
references:
    - https://otx.alienvault.com/
author: Security Arsenal
date: 2026/07/18
modified: 2026/07/18
logsource:
    category: dns
    product: windows
detection:
    selection:
        QueryName|contains:
            - buenne.de
            - enerdizerandtron.de
            - ihrsupportcenter.de
            - rundwasser.de
            - sonnenbrillenspot.de
            - dwbud.vilaribit.com
            - abal.my
            - starwellmedia.com
    condition: selection
falsepositives:
    - Unknown
level: medium


kql
// Hunt for Kratos PhaaS Network Connections
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any (
    "buenne.de", 
    "enerdizerandtron.de", 
    "ihrsupportcenter.de", 
    "rundwasser.de", 
    "sonnenbrillenspot.de", 
    "dwbud.vilaribit.com", 
    "abal.my", 
    "starwellmedia.com"
)
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, RemoteUrl, RemoteIP
| extend AlertContext = pack("Timestamp", Timestamp, "Device", DeviceName, "Url", RemoteUrl)


powershell
# Kratos PhaaS IOC Hunter
# Checks DNS resolution of malicious domains on the local endpoint

$iocs = @(
    "buenne.de",
    "enerdizerandtron.de",
    "ihrsupportcenter.de",
    "rundwasser.de",
    "sonnenbrillenspot.de",
    "dwbud.vilaribit.com",
    "abal.my",
    "starwellmedia.com"
)

Write-Host "[+] Initiating Kratos PhaaS IOC Sweep..." -ForegroundColor Cyan

foreach ($ioc in $iocs) {
    try {
        $result = Resolve-DnsName -Name $ioc -ErrorAction Stop | Select-Object -ExpandProperty IPAddress -First 1
        if ($result) {
            Write-Host "[THREAT DETECTED] Resolution Successful: $ioc -> $result" -ForegroundColor Red
            # In a real environment, log this to a SIEM or central repository
        }
    }
    catch {
        Write-Host "[SAFE] No resolution found: $ioc" -ForegroundColor Green
    }
}

Response Priorities

  • Immediate: Block all listed domains and hostnames at the firewall, proxy, and DNS levels. If IOC matches are found in logs, isolate affected endpoints and force a password reset for impacted accounts (revoke sessions).
  • 24h: Conduct a thorough hunt for successful logins (M365 Unified Audit Log) originating from anomalous IPs or locations corresponding to the time of the IOC detection. Enable MFA for all users if not already active.
  • 1 Week: Review and harden email filtering rules to block lookalike domains and typical Kratos subject lines. Implement security awareness training focused on identifying sophisticated Microsoft 365 login pages.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-credentialskratos-phaasmicrosoft-365credential-theftphishingaccount-takeover

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.