{"id":22043,"date":"2026-07-14T10:06:03","date_gmt":"2026-07-14T10:06:03","guid":{"rendered":"https:\/\/any.run\/cybersecurity-blog\/?p=22043"},"modified":"2026-07-14T14:37:54","modified_gmt":"2026-07-14T14:37:54","slug":"kratos-phaas-account-takeover","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/kratos-phaas-account-takeover\/","title":{"rendered":"\u200b\u200bKratos PhaaS Targets US and EU: How to Reduce Microsoft 365 Account Takeover Risk\u200b"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Kratos is a mature Phishing-as-a-Service operation targeting Microsoft 365 users across the US, Europe, and other regions. By combining trusted platforms, anti-bot checks, and convincing login pages, ithelps attackers steal credentials while delaying detection and response. For security leaders, that increases the risk of account takeover, fraud, data exposure, and higher incident response costs.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">ANY.RUN researchers traced three generations of the kit, uncovered 1,484 previously unattributed detonations, and mapped its infrastructure, operator panel, and victim patterns. This article gives security teams practical fingerprints, exfiltration indicators, SIEM scoring rules, and response guidance to reduce exposure, speed up investigations, and make faster decisions when Kratos activity appears.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Key Takeaways<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Kratos is a turnkey phishing kit<\/strong> built to steal Microsoft 365 credentials and sold through a subscription model. Operator-side intelligence, including its admin panel and automated deployment features, shows that it operates as a full Phishing-as-a-Service (PhaaS) platform.<\/li>\n\n\n\n<li><strong>ANY.RUN researchers&nbsp;identified&nbsp;1,628&nbsp;<\/strong><a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=kratos-phaas-account-takeover&amp;utm_term=140726&amp;utm_content=linktosandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>sandbox&nbsp;sessions<\/strong><\/a><strong>&nbsp;across the two main Kratos generations.<\/strong>&nbsp;Only 156 had been manually tagged as Kratos, while 1,484 had not yet been attributed to the family. An earlier V0 branch adds another nine sessions.&nbsp;&nbsp;<\/li>\n\n\n\n<li><strong>Kratos targets organizations across more than 20 countries, including the US.<\/strong> This research identified 148 suspected victim organizations, with a particularly strong concentration in US, Spain and Southern Europe.<\/li>\n\n\n\n<li><strong>ANY.RUN was already detecting the malicious activity&nbsp;through generic phishing-kit signatures.<\/strong>&nbsp;The new technical fingerprint added family-level attribution, making it possible to track&nbsp;Kratos&nbsp;activity, run retrospective hunts, and build a clearer view of the wider operation.&nbsp;<\/li>\n\n\n\n<li><strong>Two page assets became the key hunting indicator:<\/strong> barr.svg and lg.svg. They almost always appear together and are rarely seen separately. This single fingerprint provides 90% recall with a false-positive rate close to zero.<\/li>\n\n\n\n<li><strong>Kratos has evolved through three page generations:<\/strong> V0, V1, and V2. Each uses different exfiltration code, and the kit continues to develop.<\/li>\n\n\n\n<li><strong>Kratos has been visible in the ANY.RUN sandbox since January 2026.<\/strong> External data suggests that its operator panel has been active since September 2025.<\/li>\n\n\n\n<li><strong>Operator-side OSINT uncovered an active Kratos admin panel.<\/strong> The service allows operators to deploy phishing domains in a few clicks, configure Telegram or email delivery, apply geographic restrictions, and choose between several anti-bot systems.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Victimology: Kratos Targeting US and European Organizations&nbsp;<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Microsoft 365 is the main brand impersonated by Kratos. In total, 1,365 sandbox tasks led to login.live.com or microsoftonline.com, while 412 were classified as <strong>\u201cFake Microsoft Authentication Page\u201d<\/strong>incidents.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Previous&nbsp;public&nbsp;research&nbsp;has&nbsp;documented&nbsp;Kratos&nbsp;activity&nbsp;across&nbsp;more&nbsp;than&nbsp;20&nbsp;countries,&nbsp;with&nbsp;around&nbsp;33%&nbsp;of&nbsp;observed&nbsp;targeting&nbsp;linked&nbsp;to&nbsp;the&nbsp;United&nbsp;States.&nbsp;This&nbsp;confirms&nbsp;that&nbsp;the&nbsp;service&nbsp;has&nbsp;a&nbsp;broadinternational&nbsp;reach&nbsp;and&nbsp;poses&nbsp;a&nbsp;direct&nbsp;risk&nbsp;to&nbsp;US&nbsp;organizations.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">TI&nbsp;Lookup&nbsp;query:&nbsp;<a href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=kratos-phaas-account-takeover&amp;utm_term=140726&amp;utm_content=linktolookup#{%22query%22:%22threatName:%5C%22kratos%5C%22%22,%22dateRange%22:180}\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>threatName:&#8221;kratos&#8221;<\/strong><\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"494\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-14-at-09.44.26-1024x494.png\" alt=\"\" class=\"wp-image-22044\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-14-at-09.44.26-1024x494.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-14-at-09.44.26-300x145.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-14-at-09.44.26-768x370.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-14-at-09.44.26-1536x741.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-14-at-09.44.26-2048x988.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-14-at-09.44.26-370x178.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-14-at-09.44.26-270x130.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-14-at-09.44.26-740x357.png 740w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>TI&nbsp;Lookup&nbsp;showing&nbsp;all&nbsp;the&nbsp;data&nbsp;related&nbsp;to&nbsp;Kratos&nbsp;attacks&nbsp;for&nbsp;deeper&nbsp;analysis<\/em><\/figcaption><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">ANY.RUN data adds a more detailed view of activity in Europe. We&nbsp;identified&nbsp;148 suspected victim organizations based on SharePoint tenant names found in phishing lures. The targeting appears opportunistic and spans a wide range of sectors, including SMBs, law firms, schools, polytechnic institutions, industrial organizations, and others.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The strongest concentration in our dataset was in Southern Europe, particularly Spain. This assessment is based on the ccTLDs of suspected victim organizations, the language used on phishing pages, and the brands and services impersonated by attackers.<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-342\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"2\"\n           data-rows=\"8\"\n           data-wpID=\"342\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        Region\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        Sessions\u00a0                    <\/th>\n                                        <\/tr>\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Spain (.es, .cat, .eus)\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        171\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        International TLDs (.com, .org,\u00a0.net)\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        ~162\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        France\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B4\"\n                    data-col-index=\"1\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        31\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A5\"\n                    data-col-index=\"0\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Sweden\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B5\"\n                    data-col-index=\"1\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        15\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A6\"\n                    data-col-index=\"0\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Austria\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B6\"\n                    data-col-index=\"1\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        11\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A7\"\n                    data-col-index=\"0\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Portugal\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B7\"\n                    data-col-index=\"1\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        10\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A8\"\n                    data-col-index=\"0\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Italy, Germany, Norway, Slovenia, and Belgium\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B8\"\n                    data-col-index=\"1\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        4\u20135 each\u00a0                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-342'>\ntable#wpdtSimpleTable-342{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-342 td, table.wpdtSimpleTable342 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<p class=\"wp-block-paragraph\">This geographic pattern does not suggest that Kratos is limited to Europe. Instead, it indicates that some affiliates represented in the sandbox data appear to specialize in Spain and Southern Europe. Spanish-language tokens found in URL paths, including factura, abogados, and dgt, provide further evidence of this regional focus.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">How&nbsp;Kratos&nbsp;Turns&nbsp;Account&nbsp;Compromise&nbsp;into&nbsp;Business Risk&nbsp;<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">A&nbsp;stolen&nbsp;Microsoft 365&nbsp;account&nbsp;can&nbsp;give&nbsp;attackers&nbsp;more&nbsp;than&nbsp;access&nbsp;to&nbsp;one&nbsp;inbox. It&nbsp;can&nbsp;create&nbsp;a&nbsp;trusted&nbsp;route&nbsp;into&nbsp;company&nbsp;data,&nbsp;financial&nbsp;processes,&nbsp;and&nbsp;relationships&nbsp;with&nbsp;employees,&nbsp;customers,&nbsp;and suppliers.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"578\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/1-1024x578.jpeg\" alt=\"\" class=\"wp-image-22045\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/1-1024x578.jpeg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/1-300x169.jpeg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/1-768x434.jpeg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/1-370x209.jpeg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/1-270x152.jpeg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/1-740x418.jpeg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/1.jpeg 1360w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Phishing email targeting&nbsp;company&nbsp;employees<\/em>&nbsp;<\/figcaption><\/figure>\n<\/div>\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Trusted-account&nbsp;abuse:<\/strong>&nbsp;Attackers&nbsp;can&nbsp;impersonate&nbsp;employees&nbsp;and&nbsp;use&nbsp;a&nbsp;legitimate&nbsp;mailbox&nbsp;to&nbsp;make&nbsp;fraudulent&nbsp;requests&nbsp;appear&nbsp;credible.&nbsp;<\/li>\n\n\n\n<li><strong>Financial fraud:<\/strong> Access to invoices and payment conversations can support BEC, payment redirection, and supplier fraud.<\/li>\n\n\n\n<li><strong>Data and partner exposure:<\/strong> Corporate email, SharePoint, and OneDrive may contain sensitive business data and information about third parties.<\/li>\n\n\n\n<li><strong>Longer, costlier response:<\/strong> If attackers gain session access, changing the password alone may not remove them, increasing containment time and recovery costs.<\/li>\n<\/ul>\n\n\n\n<!-- Regular Banner START -->\n<div class=\"regular-banner\">\n<!-- Text Content -->\n<p class=\"regular-banner__text\">\n<span class=\"highlight\">Detect account compromise before it leads to data exposure.<\/span><br>\nSpeed up investigations and contain Microsoft 365 threats. \n<\/p>\n<!-- CTA Link -->\n<a class=\"regular-banner__link\" id=\"article-banner-regular\" href=\"https:\/\/any.run\/enterprise\/?utm_source=anyrunblog&#038;utm_medium=article&#038;utm_campaign=kratos-phaas-account-takeover&#038;utm_term=140726&#038;utm_content=linktoenterprise#contact-sales\" rel=\"noopener\" target=\"_blank\">\nCut Account Compromise Risk <\/a>\n<\/div>\n<!-- Regular Banner END -->\n<!-- Regular Banner Styles START -->\n\n<style>\n.regular-banner {\ndisplay: flex;\ntext-align: center;\nflex-direction: column;\nalign-items: center;\ngap: 1.5rem;\nwidth: 100%;\npadding: 2rem;\nmargin: 1.5rem 0;\nborder-radius: 0.5rem;\nfont-family: 'Catamaran Bold';\nmargin-inline: auto;\nbackground: rgba(32, 168, 241, 0.1);\nborder: 1px solid rgba(75, 174, 227, 0.32);\n}\n\n.regular-banner__text {\nfont-size: 1.5rem;\nmargin: 0;\n}\n\n.highlight {\ncolor: #ea2526;\n}\n\n.regular-banner__link {\npadding: 0.5rem 1.5rem;\nfont-weight: 500;\ntext-decoration: none;\nborder-radius: 0.5rem;\ncolor: #FFFFFF;\nbackground-color: #1491D4;\ntext-align: center;\ntransition: all 0.2s ease-in;\n}\n\n.regular-banner__link:hover {\nbackground-color: #68CBFF;\ncolor: white;\n}\n<\/style>\n<!-- Regular Banner Styles END -->\n\n\n\n<h2 class=\"wp-block-heading\">How Kratos Attack Works: From Phishing Email to Stolen Password<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Kratos&nbsp;rarely&nbsp;targets&nbsp;victims&nbsp;directly. The&nbsp;attack&nbsp;chain&nbsp;typically&nbsp;works&nbsp;as&nbsp;follows:&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"709\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/v2-Kratos-Phishing-Attacks-US-and-EU-Companies-2-1024x709.png\" alt=\"\" class=\"wp-image-22046\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/v2-Kratos-Phishing-Attacks-US-and-EU-Companies-2-1024x709.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/v2-Kratos-Phishing-Attacks-US-and-EU-Companies-2-300x208.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/v2-Kratos-Phishing-Attacks-US-and-EU-Companies-2-768x532.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/v2-Kratos-Phishing-Attacks-US-and-EU-Companies-2-1536x1064.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/v2-Kratos-Phishing-Attacks-US-and-EU-Companies-2-2048x1418.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/v2-Kratos-Phishing-Attacks-US-and-EU-Companies-2-370x256.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/v2-Kratos-Phishing-Attacks-US-and-EU-Companies-2-270x187.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/v2-Kratos-Phishing-Attacks-US-and-EU-Companies-2-435x300.png 435w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/v2-Kratos-Phishing-Attacks-US-and-EU-Companies-2-740x512.png 740w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Kratos&nbsp;phishing&nbsp;attack&nbsp;chain&nbsp;targeting&nbsp;US&nbsp;and&nbsp;EU&nbsp;companies<\/em>&nbsp;<\/figcaption><\/figure>\n<\/div>\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li><strong>Phishing email \u2192 often passes through corporate email filters<\/strong> <br>In 114 analysis sessions, the emails had already passed through corporate email filters or secure email gateways before being submitted to the sandbox.<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">Common&nbsp;subject&nbsp;lines&nbsp;include:&nbsp;<\/p>\n\n\n\n<ul start=\"1\" class=\"wp-block-list\">\n<li>\u201cUser N&nbsp;has&nbsp;shared&nbsp;a&nbsp;document&nbsp;with&nbsp;you\u201d&nbsp;<\/li>\n\n\n\n<li>\u201cSign&nbsp;the&nbsp;document&nbsp;via&nbsp;DocuSign\u201d&nbsp;<\/li>\n\n\n\n<li>\u201cAn&nbsp;invoice&nbsp;has&nbsp;been&nbsp;sent\u201d&nbsp;<\/li>\n<\/ul>\n\n\n\n<ol start=\"2\" class=\"wp-block-list\">\n<li><strong>Trust-building&nbsp;lure: a&nbsp;link&nbsp;to&nbsp;a&nbsp;legitimate&nbsp;service<\/strong>&nbsp;<\/li>\n<\/ol>\n\n\n\n<ul start=\"1\" class=\"wp-block-list\">\n<li>Microsoft SharePoint&nbsp;or&nbsp;OneDrive,&nbsp;the&nbsp;main&nbsp;delivery&nbsp;vector&nbsp;observed&nbsp;in&nbsp;351&nbsp;tasks&nbsp;<\/li>\n\n\n\n<li>Canva,&nbsp;Tilda, systeme.io,&nbsp;and&nbsp;Microsoft&nbsp;Forms&nbsp;used&nbsp;as&nbsp;intermediary&nbsp;pages&nbsp;<\/li>\n\n\n\n<li>Legitimate&nbsp;file-sharing&nbsp;services&nbsp;hosting&nbsp;phishing&nbsp;PDFs&nbsp;<\/li>\n<\/ul>\n\n\n\n<ol start=\"3\" class=\"wp-block-list\">\n<li><strong>Redirect&nbsp;to&nbsp;a&nbsp;Kratos&nbsp;phishing&nbsp;page<\/strong>&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"4\" class=\"wp-block-list\">\n<li><strong>Cloudflare&nbsp;Turnstile&nbsp;verification<\/strong>&nbsp;<br>Victims&nbsp;are&nbsp;asked&nbsp;to&nbsp;prove&nbsp;that&nbsp;they&nbsp;are&nbsp;not&nbsp;bots.&nbsp;This&nbsp;step&nbsp;helps&nbsp;filter&nbsp;out&nbsp;sandboxes&nbsp;and&nbsp;automated&nbsp;scanners.&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"5\" class=\"wp-block-list\">\n<li><strong>Fake&nbsp;Microsoft 365&nbsp;login&nbsp;page<\/strong>&nbsp;<br>Before&nbsp;the&nbsp;login&nbsp;form&nbsp;appears,&nbsp;the&nbsp;victim&nbsp;sees&nbsp;Kratos\u2019s&nbsp;distinctive&nbsp;animated&nbsp;envelope&nbsp;screen&nbsp;with&nbsp;the&nbsp;message&nbsp;\u201cLoading&nbsp;in&nbsp;progress\u2026\u201d&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"6\" class=\"wp-block-list\">\n<li><strong>Credential&nbsp;theft&nbsp;\u2192 POST&nbsp;request&nbsp;to&nbsp;a PHP&nbsp;endpoint<\/strong>&nbsp;<\/li>\n<\/ol>\n\n\n\n<ul start=\"1\" class=\"wp-block-list\">\n<li>V1:&nbsp;next.php&nbsp;<\/li>\n\n\n\n<li>V2:&nbsp;save.php&nbsp;<\/li>\n\n\n\n<li>V0: \/PTT\/SOft\/mini.php&nbsp;<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Some sessions also establish a WebSocket connection. This may indicate possible adversary-in-the-middle activity or live credential relaying, but a WebSocket connection alone does not prove sessiontheft.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">One visual detail makes Kratos particularly recognizable: before displaying the login form, the page shows an animated envelope with the message <strong>\u201cLoading in progress\u2026\u201d<\/strong> over a blurred invoice ordocument. The browser tab is also almost always titled <strong>Authentication<\/strong>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">These details may seem minor, but together they form a consistent and reliable fingerprint.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/app.any.run\/tasks\/4d72c3ad-972e-4eae-a950-02ff51576637?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=kratos-phaas-account-takeover&amp;utm_term=140726&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">Check&nbsp;Kratos&nbsp;phishing&nbsp;attack&nbsp;and&nbsp;get&nbsp;relevant IOCs<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"566\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-13-at-15.07.17-1024x566.png\" alt=\"\" class=\"wp-image-22047\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-13-at-15.07.17-1024x566.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-13-at-15.07.17-300x166.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-13-at-15.07.17-768x424.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-13-at-15.07.17-1536x849.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-13-at-15.07.17-2048x1132.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-13-at-15.07.17-370x204.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-13-at-15.07.17-270x149.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-13-at-15.07.17-740x409.png 740w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Full&nbsp;attack&nbsp;chain&nbsp;of&nbsp;Kratos&nbsp;analyzed&nbsp;inside&nbsp;ANY.RUN&nbsp;sandbox&nbsp;in&nbsp;just&nbsp;1&nbsp;min<\/em>&nbsp;<\/figcaption><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">The victim is given only three attempts to enter a password. After that, they are either redirected to a predefined URL, office.com in V1, or shown an \u201cincorrect password\u201d message.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"555\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/3-1024x555.png\" alt=\"\" class=\"wp-image-22048\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/3-1024x555.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/3-300x163.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/3-768x416.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/3-1536x832.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/3-370x201.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/3-270x146.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/3-740x401.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/3.png 1967w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>ANY.RUN\u2019s in-browser data investigation showing&nbsp;browser-level execution<\/em><\/figcaption><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">ANY.RUN\u2019s&nbsp;<strong>in-browser data investigation<\/strong>&nbsp;reveals this logic directly in the page code. Analysts can see the&nbsp;submitData() function sending the di and pr values to&nbsp;next.php, the redirect to office.com, and the handling of the #pass-err element. This confirms that the behavior is intentional and designed to filter out invalid or random submissions.&nbsp;<\/p>\n\n\n\n<!-- Regular Banner START -->\n<div class=\"regular-banner\">\n<!-- Text Content -->\n<p class=\"regular-banner__text\">\n<span class=\"highlight\">Expose hidden phishing behavior and confirm threats faster. <\/span><br>\nReduce investigation time and account takeover risk.\n<\/p>\n<!-- CTA Link -->\n<a class=\"regular-banner__link\" id=\"article-banner-regular\" href=\"https:\/\/any.run\/enterprise\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=kratos-phaas-account-takeover&amp;utm_term=140726&amp;utm_content=linktoenterprise#contact-sales\" rel=\"noopener\" target=\"_blank\">\nReduce Phishing Exposure <\/a>\n<\/div>\n<!-- Regular Banner END -->\n<!-- Regular Banner Styles START -->\n\n<style>\n.regular-banner {\ndisplay: flex;\ntext-align: center;\nflex-direction: column;\nalign-items: center;\ngap: 1.5rem;\nwidth: 100%;\npadding: 2rem;\nmargin: 1.5rem 0;\nborder-radius: 0.5rem;\nfont-family: 'Catamaran Bold';\nmargin-inline: auto;\nbackground: rgba(32, 168, 241, 0.1);\nborder: 1px solid rgba(75, 174, 227, 0.32);\n}\n\n.regular-banner__text {\nfont-size: 1.5rem;\nmargin: 0;\n}\n\n.highlight {\ncolor: #ea2526;\n}\n\n.regular-banner__link {\npadding: 0.5rem 1.5rem;\nfont-weight: 500;\ntext-decoration: none;\nborder-radius: 0.5rem;\ncolor: #FFFFFF;\nbackground-color: #1491D4;\ntext-align: center;\ntransition: all 0.2s ease-in;\n}\n\n.regular-banner__link:hover {\nbackground-color: #68CBFF;\ncolor: white;\n}\n<\/style>\n<!-- Regular Banner Styles END -->\n\n\n\n<h2 class=\"wp-block-heading\">Evolution:&nbsp;Three&nbsp;Generations&nbsp;of&nbsp;Kratos&nbsp;<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Kratos is not a static phishing kit. Based on public industry reports and ANY.RUN research, we identified three generations of its phishing pages. Each can be recognized by a distinct set of files and, more importantly, by its own exfiltration code:<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-343\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"5\"\n           data-rows=\"4\"\n           data-wpID=\"343\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell \"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:20%;                    padding:10px;\n                    \"\n                    >\n                                        Generation\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell \"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:20%;                    padding:10px;\n                    \"\n                    >\n                                        How to Identify It\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell \"\n                                            data-cell-id=\"C1\"\n                    data-col-index=\"2\"\n                    data-row-index=\"0\"\n                    style=\" width:20%;                    padding:10px;\n                    \"\n                    >\n                                        Exfiltration Code\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell \"\n                                            data-cell-id=\"D1\"\n                    data-col-index=\"3\"\n                    data-row-index=\"0\"\n                    style=\" width:20%;                    padding:10px;\n                    \"\n                    >\n                                        Sessions\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell \"\n                                            data-cell-id=\"E1\"\n                    data-col-index=\"4\"\n                    data-row-index=\"0\"\n                    style=\" width:20%;                    padding:10px;\n                    \"\n                    >\n                                        Example\u00a0                    <\/th>\n                                        <\/tr>\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        V0: PTT\/SOft\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        URLs containing *\/PTT\/SOft\/; associated domain: dwbud.vilaribit.com; \u201cSecure File Access\u201d page asking the victim to verify their email over a blurred invoice\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C2\"\n                    data-col-index=\"2\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        sendDataToPHP()\u2192 POST to\u00a0mini.php\u00a0inside \/PTT\/SOft\/\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"D2\"\n                    data-col-index=\"3\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        9\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"E2\"\n                    data-col-index=\"4\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        TI\u00a0Lookup\u00a0query:\u00a0SHA256:\"c447e75f1029ed7a5882add16bcd13ad44be3bd47c93c830ff39185e23d25ebb\" AND SHA256:\"cd231b895bbcd7154b81df1e065bf02f1ec667b920c8b6d23308cd509833b5ea\"\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        V1: Dominant generation\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        barr.svg\u00a0+\u00a0lg.svg\u00a0+ ani.gif + res.css + styles.css; direct imitation of the Microsoft Sign In page\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C3\"\n                    data-col-index=\"2\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        submitData() \u2192\u00a0next.php, with variants including\u00a0nex.php, n3xt.php, and officers*eur.php\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"D3\"\n                    data-col-index=\"3\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        1,397\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"E3\"\n                    data-col-index=\"4\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        TI\u00a0Lookup\u00a0query:\u00a0SHA256:\"c447e75f1029ed7a5882add16bcd13ad44be3bd47c93c830ff39185e23d25ebb\" AND SHA256:\"cd231b895bbcd7154b81df1e065bf02f1ec667b920c8b6d23308cd509833b5ea\"\u00a0\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        V2\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B4\"\n                    data-col-index=\"1\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        dsa.svg\u00a0+ sid.gif + imag.jpg + main.js; uses jQuery 4.0 beta; code is obfuscated\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C4\"\n                    data-col-index=\"2\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Deobfuscatedmain.js \u2192 fetch(\"save.php\")\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"D4\"\n                    data-col-index=\"3\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        231\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"E4\"\n                    data-col-index=\"4\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        TI\u00a0Lookup\u00a0query:\u00a0SHA256:\"a3c298ccf2456989ceb080e661b01c3b00445902ae7bb3e58dad4d846334ff9c\" AND SHA256:\"9d1a1a5e3b5e5de8a6c76ded7a01fa01709d426232b0048c9ee6ba0c5c1b8b42\" AND SHA256:\"cd231b895bbcd7154b81df1e065bf02f1ec667b920c8b6d23308cd509833b5ea\"\u00a0\u00a0                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-343'>\ntable#wpdtSimpleTable-343{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-343 td, table.wpdtSimpleTable343 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<p class=\"wp-block-paragraph\">Check&nbsp;relevant&nbsp;ANY.RUN&nbsp;sandbox&nbsp;sessions:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/app.any.run\/tasks\/06aeed8c-62f6-4d45-abd2-9d6da7c299c9?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=kratos-phaas-account-takeover&amp;utm_term=140726&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>V0: PTT\/SOft<\/strong><\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/app.any.run\/tasks\/06aeed8c-62f6-4d45-abd2-9d6da7c299c9?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=kratos-phaas-account-takeover&amp;utm_term=140726&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>V1:&nbsp;Dominant&nbsp;generation<\/strong><\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/app.any.run\/tasks\/e4afcbf8-2a7d-4154-ae97-dcd16928a21e?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=kratos-phaas-account-takeover&amp;utm_term=140726&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>V2&nbsp;generation<\/strong><\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">The evolution of Kratos\u2019s disguise is easy to see. V0 presents itself as a <strong>\u201cSecure File Access\u201d<\/strong> page, shown in the screenshot below. It asks the victim to verify their email address to open a document, with a blurred Excel invoice displayed in the background.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"578\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/4-1024x578.jpeg\" alt=\"\" class=\"wp-image-22050\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/4-1024x578.jpeg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/4-300x169.jpeg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/4-768x434.jpeg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/4-370x209.jpeg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/4-270x152.jpeg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/4-740x418.jpeg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/4.jpeg 1360w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>\u201cSecure File Access\u201d&nbsp;page&nbsp;displayed&nbsp;inside&nbsp;ANY.RUN&nbsp;sandbox<\/em><\/figcaption><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">Starting with V1, shown in the screenshot below, the kit moves to direct brand impersonation, closely replicating the Microsoft Sign In window. According to comments in the code, the goal of these changes was to make the page resemble Microsoft\u2019s login window more closely and restructure the code to evade existing vendor signatures.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"578\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/5-1-1024x578.jpeg\" alt=\"\" class=\"wp-image-22053\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/5-1-1024x578.jpeg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/5-1-300x169.jpeg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/5-1-768x434.jpeg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/5-1-370x209.jpeg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/5-1-270x152.jpeg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/5-1-740x418.jpeg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/5-1.jpeg 1360w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Fake Microsoft&nbsp;Sign&nbsp;In&nbsp;window<\/em><\/figcaption><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">Most importantly, the&nbsp;three generations appear to belong to the same Kratos service rather than&nbsp;three separate actors. The link between V1 and V2 is particularly strong at the operator level:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The same domains, including&nbsp;razen[.]online,&nbsp;theoceanac[.]online,&nbsp;jumpast[.]es, and enerdizerandtron.de, serve both V1 and V2 pages.&nbsp;<\/li>\n\n\n\n<li>The&nbsp;lg.svg&nbsp;file used in V1 is byte-for-byte identical to&nbsp;dsa.svg&nbsp;in V2.&nbsp;<\/li>\n\n\n\n<li>A shared hash for the styles.css file, loaded by the fake&nbsp;<strong>Microsoft Sign In<\/strong>&nbsp;page, connects 636 tasks across both generations.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Check this&nbsp;TI&nbsp;Lookup&nbsp;query based on the&nbsp;lg.svg&nbsp;and styles.css hashes:&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=kratos-phaas-account-takeover&amp;utm_term=140726&amp;utm_content=linktolookup#{%22query%22:%22SHA256:%5C%22c447e75f1029ed7a5882add16bcd13ad44be3bd47c93c830ff39185e23d25ebb%5C%22%20AND%20SHA256:%5C%22cd231b895bbcd7154b81df1e065bf02f1ec667b920c8b6d23308cd509833b5ea%5C%22%22,%22dateRange%22:180}\" target=\"_blank\" rel=\"noreferrer noopener\">SHA256:&#8221;c447e75f1029ed7a5882add16bcd13ad44be3bd47c93c830ff39185e23d25ebb&#8221; AND SHA256:&#8221;cd231b895bbcd7154b81df1e065bf02f1ec667b920c8b6d23308cd509833b5ea&#8221;<\/a>&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Here is&nbsp;also&nbsp;an&nbsp;example of the V2 login page:&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"578\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/6-1-1024x578.jpeg\" alt=\"\" class=\"wp-image-22054\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/6-1-1024x578.jpeg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/6-1-300x169.jpeg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/6-1-768x434.jpeg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/6-1-370x209.jpeg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/6-1-270x152.jpeg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/6-1-740x418.jpeg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/6-1.jpeg 1360w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>V2 login page analyzed inside ANY.RUN\u2019s&nbsp;sandbox<\/em><\/figcaption><\/figure>\n<\/div>\n\n\n<h2 class=\"wp-block-heading\">The Investigation: How One Indicator Exposed the Entire Campaign<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">We started with the data already available to us: 156 analysis sessions that had been tagged as Kratos. After examining their network traffic in detail, we noticed that the browser loaded nearly the same setof page assets from the \/assets\/ directory on almost every landing page. Two files had particularly unusual names: <strong>barr.svg and res.css<\/strong>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The next step was simple but important: we checked how exclusively these files appeared together.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>barr.svg&nbsp;and&nbsp;lg.svg&nbsp;in&nbsp;the&nbsp;same&nbsp;session:&nbsp;<strong>1,397&nbsp;times<\/strong>&nbsp;<\/li>\n\n\n\n<li>lg.svg&nbsp;without&nbsp;barr.svg:&nbsp;<strong>2&nbsp;times<\/strong>&nbsp;<\/li>\n\n\n\n<li>barr.svg&nbsp;without&nbsp;lg.svg:&nbsp;<strong>12&nbsp;times<\/strong>&nbsp;<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Even before our hunt, the ANY.RUN engine had already been detecting these pages with generic signatures. The numbers below refer to signature detections, not individual sessions:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>PHISHING [ANY.RUN]&nbsp;Generic&nbsp;Phishkit&nbsp;related&nbsp;URL&nbsp;chain&nbsp;observed&nbsp;(\/assets\/img\/*) \u2014 866&nbsp;<\/li>\n\n\n\n<li>PHISHING [ANY.RUN]&nbsp;Generic&nbsp;Phishkit&nbsp;exfil&nbsp;activity&nbsp;observed&nbsp;(\/next.php) \u2014 232&nbsp;<\/li>\n\n\n\n<li>PHISHING [ANY.RUN] Domain&nbsp;chain&nbsp;identified&nbsp;as&nbsp;Phishing&nbsp;(challengepoint) \u2014 495&nbsp;<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">In other words, the activity had been detected all along, but only through generic <strong>Generic Phishkit<\/strong> signatures. The analysis sessions remained hidden within that broader category because they had not yetbeen attributed to a specific family. Our fingerprint closed this attribution gap by linking the generic phishing-kit activity to Kratos.<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-344\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"2\"\n           data-rows=\"8\"\n           data-wpID=\"344\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell \"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        Month (2026)\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell \"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        Kratos V1 Sessions\u00a0                    <\/th>\n                                        <\/tr>\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        January\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        93\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        February\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        90\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        March\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B4\"\n                    data-col-index=\"1\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        217\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A5\"\n                    data-col-index=\"0\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        April\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B5\"\n                    data-col-index=\"1\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        221\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A6\"\n                    data-col-index=\"0\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        May\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B6\"\n                    data-col-index=\"1\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        373\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A7\"\n                    data-col-index=\"0\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        June\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B7\"\n                    data-col-index=\"1\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        393\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A8\"\n                    data-col-index=\"0\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        July (partial)\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B8\"\n                    data-col-index=\"1\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        10\u00a0                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-344'>\ntable#wpdtSimpleTable-344{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-344 td, table.wpdtSimpleTable344 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<p class=\"wp-block-paragraph\">The current detection engine also includes Kratos-specific signatures, such as&nbsp;<strong>Kratos related URL chain&nbsp;observed<\/strong>,&nbsp;<strong>Kratos exfil activity<\/strong>, and&nbsp;<strong>Xbit&nbsp;Setter for&nbsp;barr.svg<\/strong>.&nbsp;&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This enables security teams to run retrospective&nbsp;hunts,&nbsp;group related&nbsp;activity and&nbsp;create more&nbsp;accurate&nbsp;detection rules without relying on short-lived domains alone.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Behind&nbsp;the&nbsp;Scenes:&nbsp;How&nbsp;the&nbsp;Kratos&nbsp;\u201cBusiness\u201d&nbsp;Operates&nbsp;<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The&nbsp;sandbox&nbsp;reveals&nbsp;the&nbsp;victim&nbsp;side&nbsp;of&nbsp;the&nbsp;attack.&nbsp;But&nbsp;Kratos&nbsp;also&nbsp;has&nbsp;an&nbsp;operator-facing&nbsp;side,&nbsp;which&nbsp;we&nbsp;were&nbsp;able&nbsp;to&nbsp;investigate&nbsp;through&nbsp;OSINT.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">How&nbsp;We&nbsp;Located&nbsp;the&nbsp;Panel&nbsp;<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Victim-side sandbox analysis does not expose the panel because it is designed for operators. However, every web panel has a favicon.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">By searching public internet indexes for services whose page titles contained the word <strong>Kratos<\/strong>, we identified a distinctive icon in the favicon results: a stylized Kratos logo. <br><\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"252\" height=\"250\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-\u2014-2026-07-14-\u0432-10.54.18.png\" alt=\"\" class=\"wp-image-22066\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-\u2014-2026-07-14-\u0432-10.54.18.png 252w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-\u2014-2026-07-14-\u0432-10.54.18-150x150.png 150w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-\u2014-2026-07-14-\u0432-10.54.18-70x70.png 70w\" sizes=\"auto, (max-width: 252px) 100vw, 252px\" \/><figcaption class=\"wp-element-caption\"><em>Kratos logo<\/em>&nbsp;<\/figcaption><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">The icon led to active Kratos login panels displaying <strong>\u201c\u00a9 2026 Kratos\u201d<\/strong> and the message <strong>\u201cEnter the realm of power.\u201d<\/strong>This was an operator-side finding, not a conclusion drawn from victim-side sandbox data.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"614\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-14-at-10.30.22-1024x614.png\" alt=\"\" class=\"wp-image-22059\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-14-at-10.30.22-1024x614.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-14-at-10.30.22-300x180.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-14-at-10.30.22-768x461.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-14-at-10.30.22-1536x922.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-14-at-10.30.22-370x222.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-14-at-10.30.22-270x162.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-14-at-10.30.22-740x444.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-14-at-10.30.22.png 1780w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Active&nbsp;Kratos&nbsp;login&nbsp;panel<\/em>&nbsp;<\/figcaption><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">The service includes the following components, based on operator-side OSINT, public industry reports, and ANY.RUN research. The panel has been active since at least September 10, 2025:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Main domain:<\/strong>&nbsp;A central dashboard showing users and sales statistics.&nbsp;<\/li>\n\n\n\n<li><strong>deploy.*&nbsp;subdomain:<\/strong>&nbsp;Used to deploy phishing domains to a VPS in just a few clicks. The panel\u2019s&nbsp;component&nbsp;code shows that operators can:&nbsp;<\/li>\n\n\n\n<li>Choose between a&nbsp;<strong>\u201cPHP-based Office 365 page\u201d<\/strong>, which uses a traditional PHP backend, and a&nbsp;<strong>\u201cNode.js redirect server with anti-bot\u201d<\/strong>, which functions as a reverse proxy with anti-bot protection and an admin dashboard.&nbsp;<\/li>\n\n\n\n<li>Upload page files.&nbsp;<\/li>\n\n\n\n<li>Install SSL certificates.&nbsp;<\/li>\n\n\n\n<li>Modify DNS records.&nbsp;<\/li>\n\n\n\n<li>Execute commands on the server.&nbsp;<\/li>\n\n\n\n<li>Manage VPS status.&nbsp;<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"214\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/10-1024x214.png\" alt=\"\" class=\"wp-image-22060\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/10-1024x214.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/10-300x63.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/10-768x160.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/10-370x77.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/10-270x56.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/10-740x154.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/10.png 1481w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Kratos admin panel component code with the option to select the type of phishing page<\/em><\/figcaption><\/figure>\n<\/div>\n\n\n<ul class=\"wp-block-list\">\n<li><strong>API&nbsp;component:<\/strong>&nbsp;The panel code directly exposes the following endpoints:&nbsp;\/vps\/* for CRUD operations, health checks, and cleanup, \/domains\/* for DNS verification, SSL installation, and SSL virtual host configuration&nbsp;<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"916\" height=\"895\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/11.png\" alt=\"\" class=\"wp-image-22061\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/11.png 916w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/11-300x293.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/11-768x750.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/11-370x362.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/11-270x264.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/11-740x723.png 740w\" sizes=\"auto, (max-width: 916px) 100vw, 916px\" \/><figcaption class=\"wp-element-caption\"><em>Kratos Admin Panel API Client Component Code<\/em><\/figcaption><\/figure>\n<\/div>\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Data delivery settings:<\/strong> Operators can choose between a Telegram bot and email. Stolen data is packaged as JSON and sent to the attacker\u2019s Telegram channel. This configuration is handled server-sideand is not visible in victim-side traffic.<\/li>\n\n\n\n<li><strong>Anti-bot protection:<\/strong> Operators can choose between reCAPTCHA, Cloudflare Turnstile, and hCaptcha.<\/li>\n\n\n\n<li><strong>Geographic restrictions:<\/strong> Country-based whitelisting is handled through geoplugin.net.<\/li>\n\n\n\n<li><strong>Panel protection:<\/strong> The admin panel itself is protected with a master password and Telegram-based two-factor authentication.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Infrastructure&nbsp;and&nbsp;Affiliate&nbsp;Fingerprints&nbsp;<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Kratos&nbsp;deployments&nbsp;fall&nbsp;into&nbsp;several&nbsp;clear&nbsp;clusters:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Newly registered, randomly named domains on low-cost TLDs<\/strong> such as .horse, .cfd, .sbs, .today, .fit, and .online: 235 deployments linked to disposable attacker infrastructure.<\/li>\n\n\n\n<li><strong>Compromised legitimate websites<\/strong>, mainly German .de and Spanish .es domains, often running WordPress: 140 deployments. In these cases, the kit is usually placed in a subdirectory such as \/factura\/.<\/li>\n\n\n\n<li><strong>*bgados* subdomains<\/strong>, derived from the Spanish word abogados (\u201clawyers\u201d), suggesting a legal-themed lure.<\/li>\n\n\n\n<li><strong>*files*&nbsp;and&nbsp;*docs*&nbsp;subdomains&nbsp;with&nbsp;64-character&nbsp;paths<\/strong>,&nbsp;associated&nbsp;with&nbsp;document-themed&nbsp;lures.&nbsp;<\/li>\n\n\n\n<li><strong>Wildcard domains<\/strong> such as klenpare.com, uvarnix.cfd, and xavon.sbs, which rotate through randomly generated subdomains.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">The front end is almost always hidden behind Cloudflare, while the actual origin infrastructure is hosted on standard cloud providers such as Azure, Google Cloud, and Host4Geeks.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The infrastructure patterns suggest that several affiliates may be operating in parallel. Persistent tokens found in URL paths provide indirect evidence of these different affiliate fingerprints:<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-345\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"3\"\n           data-rows=\"7\"\n           data-wpID=\"345\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:33.333333333333%;                    padding:10px;\n                    \"\n                    >\n                                        Token\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:33.333333333333%;                    padding:10px;\n                    \"\n                    >\n                                        Sessions\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"C1\"\n                    data-col-index=\"2\"\n                    data-row-index=\"0\"\n                    style=\" width:33.333333333333%;                    padding:10px;\n                    \"\n                    >\n                                        Meaning\u00a0                    <\/th>\n                                        <\/tr>\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        factura\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        141\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C2\"\n                    data-col-index=\"2\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Spanish\/Portuguese for \u201cinvoice\u201d\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        dgt\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        38\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C3\"\n                    data-col-index=\"2\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Reference to Spain\u2019s traffic authority\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Clbsrus\u00a0\/\u00a0Svgclur\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B4\"\n                    data-col-index=\"1\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        33 \/ 24\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C4\"\n                    data-col-index=\"2\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Pattern associated with V2\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A5\"\n                    data-col-index=\"0\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Suclers\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B5\"\n                    data-col-index=\"1\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        25\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C5\"\n                    data-col-index=\"2\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Distinctive token linked to the kit\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A6\"\n                    data-col-index=\"0\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        paidoffice\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B6\"\n                    data-col-index=\"1\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        23\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C6\"\n                    data-col-index=\"2\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Microsoft 365-themed token\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A7\"\n                    data-col-index=\"0\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        yhwh\u00a0+\u00a0elroi\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B7\"\n                    data-col-index=\"1\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        20\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C7\"\n                    data-col-index=\"2\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Biblical names that may\u00a0indicate\u00a0a specific campaign or operator style, but do not confirm actor attribution\u00a0                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-345'>\ntable#wpdtSimpleTable-345{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-345 td, table.wpdtSimpleTable345 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<p class=\"wp-block-paragraph\">It is important to note that this is proxy-based segmentation, not confirmed actor attribution. The true actor-level identifier, the Telegram bot or email address that receives the stolen data, is configured server-side through the same panel.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Kratos also shares hosting infrastructure with other AiTM phishing kits, including Tycoon, Flowerstorm, Sneaky2FA, and EvilProxy. The same VPS servers, and sometimes even the same SharePoint pages, mayhost vax\/qen DGA families, Spanish-language kits, and other campaigns behind the same Cloudflare infrastructure.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">However, their code is different, and neighboring domains do not serve barr.svg. At the analysis level, there is no overlap between Kratos tags and these other families.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A shared IP address confirms co-hosting, but it does not prove that the campaigns are operated by the same actor. Kratos should therefore be tagged only when its asset pattern is present. Otherwise, unrelated campaigns may be incorrectly attributed to the family.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How&nbsp;to&nbsp;Detect&nbsp;Kratos: Ready-to-Use&nbsp;Detection&nbsp;Methods&nbsp;<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Kratos&nbsp;can&nbsp;be&nbsp;identified&nbsp;through&nbsp;a&nbsp;combination&nbsp;of&nbsp;asset&nbsp;fingerprints,&nbsp;content&nbsp;hashes,&nbsp;exfiltration&nbsp;endpoints,&nbsp;engine&nbsp;signatures,&nbsp;and&nbsp;browser-level&nbsp;behavior.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>1. Asset&nbsp;Fingerprint<\/strong>&nbsp;<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">This&nbsp;is&nbsp;the&nbsp;primary&nbsp;detection&nbsp;method,&nbsp;with&nbsp;90%&nbsp;recall&nbsp;and&nbsp;a&nbsp;false-positive&nbsp;rate&nbsp;close&nbsp;to&nbsp;zero&nbsp;in&nbsp;negative-control&nbsp;testing.&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>V1:<\/strong>&nbsp;HTTP requests to both *\/assets\/img\/barr.svg&nbsp;and *\/assets\/img\/lg.svg&nbsp;within the same&nbsp;sandbox&nbsp;analysis session&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>V2:<\/strong>&nbsp;HTTP&nbsp;requests&nbsp;to&nbsp;*dsa.svg, *sid.gif,&nbsp;and&nbsp;*imag.jpg&nbsp;within&nbsp;the&nbsp;same&nbsp;session&nbsp;<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>2. Asset Content&nbsp;Hashes<\/strong>&nbsp;<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">These&nbsp;hashes&nbsp;remain&nbsp;useful&nbsp;even&nbsp;when&nbsp;the&nbsp;files&nbsp;are&nbsp;renamed:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>lg.svg&nbsp;&nbsp;&nbsp;&nbsp; = cd231b895bbcd7154b81df1e065bf02f1ec667b920c8b6d23308cd509833b5ea&nbsp;<\/li>\n\n\n\n<li>barr.svg&nbsp;&nbsp; = 949895df17148c5ea29f190d2619a14b3ec648425b9cc3c5a1423553c16f3898&nbsp;<\/li>\n\n\n\n<li>ani.gif&nbsp;&nbsp;&nbsp; = 9d1a1a5e3b5e5de8a6c76ded7a01fa01709d426232b0048c9ee6ba0c5c1b8b42&nbsp;<\/li>\n\n\n\n<li>styles.css = c447e75f1029ed7a5882add16bcd13ad44be3bd47c93c830ff39185e23d25ebb&nbsp;<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">The styles.css&nbsp;hash&nbsp;connects&nbsp;636&nbsp;tasks&nbsp;across&nbsp;V1&nbsp;and&nbsp;V2.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>3.&nbsp;Exfiltration&nbsp;Endpoints<\/strong>&nbsp;<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>V0:<\/strong>&nbsp;*\/SOft\/mini.php&nbsp;<\/li>\n\n\n\n<li><strong>V1:<\/strong>&nbsp;*\/next.php, *\/nex.php, *\/n3xt.php, *\/officers*eur.php&nbsp;<\/li>\n\n\n\n<li><strong>V2:<\/strong>&nbsp;*\/save.php&nbsp;<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>4.&nbsp;Existing&nbsp;ANY.RUN Engine&nbsp;Signatures<\/strong>&nbsp;<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">These&nbsp;signatures&nbsp;can&nbsp;already&nbsp;be&nbsp;used&nbsp;to&nbsp;trigger&nbsp;retrospective&nbsp;detection:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>PHISHING [ANY.RUN]&nbsp;Kratos&nbsp;related&nbsp;URL&nbsp;chain&nbsp;observed&nbsp; (M1 \/ M2 \/ M3 \/&nbsp;Docusign&nbsp;Variant)&nbsp;<\/li>\n\n\n\n<li>PHISHING [ANY.RUN]&nbsp;Kratos&nbsp;exfil&nbsp;activity&nbsp;observed&nbsp;(M1)&nbsp;\u2014 \/next.php&nbsp;<\/li>\n\n\n\n<li>PHISHING [ANY.RUN]&nbsp;Kratos&nbsp;exfil&nbsp;HTTP&nbsp;activity&nbsp;observed&nbsp;\u2014 \/SOft\/mini.php&nbsp;<\/li>\n\n\n\n<li>NOALERT [ANY.RUN]&nbsp;Xbit&nbsp;Setter&nbsp;for&nbsp;barr.svg&nbsp;\/&nbsp;lg.svg&nbsp;\/ ani.gif \/ bg.png&nbsp;<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>5. In-Browser Data Investigation<\/strong>&nbsp;<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">ANY.RUN\u2019s in-browser data investigation helps analysts confirm how the phishing page behaves after it loads. Inside the&nbsp;sandbox, they can inspect the page code, loaded assets, DOM changes, redirects, and network requests without relying only&nbsp;on the&nbsp;initial&nbsp;page appearance.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"551\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-14-at-06.26.13-1024x551.png\" alt=\"\" class=\"wp-image-22064\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-14-at-06.26.13-1024x551.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-14-at-06.26.13-300x161.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-14-at-06.26.13-768x413.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-14-at-06.26.13-1536x826.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-14-at-06.26.13-2048x1102.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-14-at-06.26.13-370x199.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-14-at-06.26.13-270x145.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Screenshot-2026-07-14-at-06.26.13-740x398.png 740w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>In-browser data investigation to close phishing blind spots<\/em><\/figcaption><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">&nbsp;For Kratos, this makes it possible to see:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The&nbsp;submitData()&nbsp;function and the&nbsp;di&nbsp;and&nbsp;pr&nbsp;parameters&nbsp;<\/li>\n\n\n\n<li>POST requests to endpoints such as&nbsp;next.php&nbsp;or&nbsp;save.php&nbsp;<\/li>\n\n\n\n<li>Password-attempt handling&nbsp;through the&nbsp;#pass-err&nbsp;element&nbsp;<\/li>\n\n\n\n<li>Redirects to predefined destinations such as&nbsp;office.com&nbsp;<\/li>\n\n\n\n<li>Obfuscated scripts and the logic used to send stolen credentials&nbsp;<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">This browser-level view helps confirm that the page is part of the Kratos family and gives analysts evidence they can use for triage, hunting, and response.&nbsp;<\/p>\n\n\n\n<!-- Regular Banner START -->\n<div class=\"regular-banner\">\n<!-- Text Content -->\n<p class=\"regular-banner__text\">\n<span class=\"highlight\">Cut phishing triage time with browser-level evidence.  <\/span><br>\nConfirm threats faster and reduce business risk.\n<\/p>\n<!-- CTA Link -->\n<a class=\"regular-banner__link\" id=\"article-banner-regular\" href=\"https:\/\/any.run\/enterprise\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=kratos-phaas-account-takeover&amp;utm_term=140726&amp;utm_content=linktoenterprise#contact-sales\" rel=\"noopener\" target=\"_blank\">\nSpeed Up Phishing Response  <\/a>\n<\/div>\n<!-- Regular Banner END -->\n<!-- Regular Banner Styles START -->\n\n<style>\n.regular-banner {\ndisplay: flex;\ntext-align: center;\nflex-direction: column;\nalign-items: center;\ngap: 1.5rem;\nwidth: 100%;\npadding: 2rem;\nmargin: 1.5rem 0;\nborder-radius: 0.5rem;\nfont-family: 'Catamaran Bold';\nmargin-inline: auto;\nbackground: rgba(32, 168, 241, 0.1);\nborder: 1px solid rgba(75, 174, 227, 0.32);\n}\n\n.regular-banner__text {\nfont-size: 1.5rem;\nmargin: 0;\n}\n\n.highlight {\ncolor: #ea2526;\n}\n\n.regular-banner__link {\npadding: 0.5rem 1.5rem;\nfont-weight: 500;\ntext-decoration: none;\nborder-radius: 0.5rem;\ncolor: #FFFFFF;\nbackground-color: #1491D4;\ntext-align: center;\ntransition: all 0.2s ease-in;\n}\n\n.regular-banner__link:hover {\nbackground-color: #68CBFF;\ncolor: white;\n}\n<\/style>\n<!-- Regular Banner Styles END -->\n\n\n\n<h3 class=\"wp-block-heading\"><strong>6. Behavioral Indicators<\/strong>&nbsp;<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Additional&nbsp;behavioral signs include:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloudflare Turnstile, identified as&nbsp;challengepoint&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>DOMPurify&nbsp;3.2.6&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The&nbsp;<strong>\u201cFake Microsoft Authentication Page\u201d<\/strong>&nbsp;incident&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>WebSocket activity in some analysis sessions&nbsp;<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">WebSocket activity should be treated as a risk indicator, not as proof of an&nbsp;AiTM&nbsp;attack.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">SIEM&nbsp;Scoring&nbsp;Rule&nbsp;<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Instead of using a simple binary match, apply a cumulative scoring model to assign confidence levels:<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-346\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"2\"\n           data-rows=\"8\"\n           data-wpID=\"346\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        Indicator\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        Score\u00a0                    <\/th>\n                                        <\/tr>\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        barr.svg\u00a0+\u00a0lg.svg\u00a0for V1, or\u00a0dsa.svg\u00a0+ sid.gif + imag.jpg for V2\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        +80\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Matching asset content hash\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        +80\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        POST request to\u00a0next.php,\u00a0save.php, or officers*.php\u00a0for V1\/V2, or *\/PTT\/SOft\/mini.php\u00a0for V0\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B4\"\n                    data-col-index=\"1\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        +35\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A5\"\n                    data-col-index=\"0\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \u201cFake Microsoft auth,\u201d page title Authentication, or\u00a0Einvoice\u00a0Beta footer\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B5\"\n                    data-col-index=\"1\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        +30\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A6\"\n                    data-col-index=\"0\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Turnstile displayed before the login form\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B6\"\n                    data-col-index=\"1\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        +15\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A7\"\n                    data-col-index=\"0\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Lure delivered\u00a0through SharePoint, an email gateway, or Microsoft Forms\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B7\"\n                    data-col-index=\"1\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        +10\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A8\"\n                    data-col-index=\"0\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Tags associated with another kit, such as\u00a0stealc,\u00a0vidar,\u00a0clickfix, tycoon, or sneaky2fa\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B8\"\n                    data-col-index=\"1\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \u221280\u00a0                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-346'>\ntable#wpdtSimpleTable-346{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-346 td, table.wpdtSimpleTable346 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<h2 class=\"wp-block-heading\">Recommendations&nbsp;for&nbsp;Defenders&nbsp;<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Use&nbsp;a&nbsp;tiered&nbsp;response&nbsp;model&nbsp;instead&nbsp;of&nbsp;blocking&nbsp;everything&nbsp;by&nbsp;default.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Infrastructure Response<\/strong>&nbsp;<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Disposable attacker-controlled domains<\/strong>, including DGA domains, should be blocked.<\/li>\n\n\n\n<li><strong>Shared parent domains<\/strong> such as crm-technik.de, klenpare.com, and uvarnix.cfd should be blocked only after review, as they may also host legitimate subdomains.<\/li>\n\n\n\n<li><strong>Compromised legitimate websites<\/strong> should be reported for takedown rather than blocked outright.<\/li>\n\n\n\n<li><strong>Cloudflare edge infrastructure and broad ASNs<\/strong> should be monitored, not blocked.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Response&nbsp;to&nbsp;Account&nbsp;Compromise<\/strong>&nbsp;<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The&nbsp;response&nbsp;should&nbsp;also&nbsp;depend&nbsp;on&nbsp;the&nbsp;type&nbsp;of&nbsp;credential&nbsp;theft&nbsp;observed.&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>For a basic credential harvester, reset the user\u2019s password and verify their MFA settings.<\/li>\n\n\n\n<li>For confirmed or likely AiTM activity, such as reverse-proxy behavior, spoofing of login.microsoftonline.com, cookie or session relaying, or a suspicious authentication-relay endpoint, revoke activesessions and refresh tokens.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">A&nbsp;password&nbsp;reset&nbsp;alone&nbsp;may&nbsp;not&nbsp;be&nbsp;enough&nbsp;if&nbsp;the&nbsp;attacker&nbsp;has&nbsp;already&nbsp;obtained&nbsp;a&nbsp;valid&nbsp;session.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Email&nbsp;and&nbsp;Link Analysis<\/strong>&nbsp;<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Analyze suspicious links using both static verdicts and observed behavior. Train employees not to open suspicious links and to submit them to the internal security team for review.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">When needed, use the ANY.RUN interactive sandbox to investigate the link safely. Never enter real authentication credentials during analysis.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Recommendations&nbsp;for&nbsp;CISOs&nbsp;and&nbsp;SOC&nbsp;Leaders&nbsp;<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Kratos shows how credential phishing can remain visible as isolated detections without being understood as a wider operation. Security leaders should make sure their teams can connect technical evidenceto business risk and take consistent action before one compromised account becomes a broader incident.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Measure time to confident attribution, not only time to detection.<\/strong> Detecting phishing is important, but linking related activity helps teams understand campaign scale, affected users, and business exposure.<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Add browser-level investigation to phishing workflows.<\/strong> Give analysts visibility into page code, redirects, DOM changes, and credential-exfiltration behavior that may not appear in static analysis.<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Define separate response playbooks for credential harvesting and AiTM activity.<\/strong> Password resets may be enough for a basic harvester, while suspected session theft requires session and refresh-token revocation.<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Turn Kratos indicators into repeatable controls.<\/strong> Add asset fingerprints, hashes, exfiltration endpoints, and confidence scoring to SIEM, SOAR, and retrospective hunting workflows.<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Avoid broad infrastructure blocking.<\/strong> Shared cloud, Cloudflare, and compromised legitimate domains require targeted review to reduce disruption and unnecessary business impact.<\/li>\n<\/ul>\n\n\n\n<!-- Regular Banner START -->\n<div class=\"regular-banner\">\n<!-- Text Content -->\n<p class=\"regular-banner__text\">\n<span class=\"highlight\">Turn phishing evidence into\u00a0faster, more consistent response.\u00a0\u00a0  <\/span><br>\nReduce account takeover without disrupting legitimate activity.\n<\/p>\n<!-- CTA Link -->\n<a class=\"regular-banner__link\" id=\"article-banner-regular\" href=\"https:\/\/any.run\/enterprise\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=kratos-phaas-account-takeover&amp;utm_term=140726&amp;utm_content=linktoenterprise#contact-sales\" rel=\"noopener\" target=\"_blank\">\nStrengthen Phishing Response  <\/a>\n<\/div>\n<!-- Regular Banner END -->\n<!-- Regular Banner Styles START -->\n\n<style>\n.regular-banner {\ndisplay: flex;\ntext-align: center;\nflex-direction: column;\nalign-items: center;\ngap: 1.5rem;\nwidth: 100%;\npadding: 2rem;\nmargin: 1.5rem 0;\nborder-radius: 0.5rem;\nfont-family: 'Catamaran Bold';\nmargin-inline: auto;\nbackground: rgba(32, 168, 241, 0.1);\nborder: 1px solid rgba(75, 174, 227, 0.32);\n}\n\n.regular-banner__text {\nfont-size: 1.5rem;\nmargin: 0;\n}\n\n.highlight {\ncolor: #ea2526;\n}\n\n.regular-banner__link {\npadding: 0.5rem 1.5rem;\nfont-weight: 500;\ntext-decoration: none;\nborder-radius: 0.5rem;\ncolor: #FFFFFF;\nbackground-color: #1491D4;\ntext-align: center;\ntransition: all 0.2s ease-in;\n}\n\n.regular-banner__link:hover {\nbackground-color: #68CBFF;\ncolor: white;\n}\n<\/style>\n<!-- Regular Banner Styles END -->\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion&nbsp;<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Kratos shows how a single stolen Microsoft 365 account can create wider business risk, from fraud and data exposure to costly incident response. Its repeatable assets and infrastructure patterns givesecurity teams a practical way to detect the kit earlier, connect related activity, and respond with greater confidence.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">By combining sandbox analysis, browser-level evidence, and family-level attribution, organizations can reduce investigation time, avoid unnecessary blocking, and contain account compromise before itdevelops into a larger incident.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">About&nbsp;ANY.RUN&nbsp;<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">ANY.RUN, a leading provider of interactive malware analysis and&nbsp;threat&nbsp;intelligence solutions, helps organizations investigate&nbsp;threats&nbsp;faster&nbsp;and make&nbsp;response decisions based on clear&nbsp;behavioral evidence.&nbsp;&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Its solutions include the&nbsp;<a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=kratos-phaas-account-takeover&amp;utm_term=140726&amp;utm_content=linktosandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\">Interactive&nbsp;Sandbox<\/a>&nbsp;for enterprise-scale malware and phishing analysis, along with&nbsp;<a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=kratos-phaas-account-takeover&amp;utm_term=140726&amp;utm_content=linktotilookuplanding\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence<\/a>&nbsp;products built on investigation data from more than 15,000 organizations. This intelligence helps security teams enrich alerts, uncover active&nbsp;threats earlier, and add relevant context to detection, investigation, and&nbsp;response workflows.&nbsp;&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">ANY.RUN is&nbsp;<a href=\"https:\/\/any.run\/compliance\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=kratos-phaas-account-takeover&amp;utm_term=140726&amp;utm_content=linktocomliance\" target=\"_blank\" rel=\"noreferrer noopener\">SOC 2 Type II attested<\/a>,&nbsp;demonstrating&nbsp;its commitment to strong security controls and customer data protection. For SOCs, MSSPs, and enterprise security teams, the platform helps reduce investigation uncertainty, accelerate triage, and turn&nbsp;threat&nbsp;analysis into actionable findings.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">IOCs&nbsp;and&nbsp;Artifacts&nbsp;<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Fingerprint:<\/strong>&nbsp;*\/assets\/img\/barr.svg&nbsp;+ *\/assets\/img\/lg.svg&nbsp;for&nbsp;V1; *dsa.svg&nbsp;+ *sid.gif + *imag.jpg&nbsp;for&nbsp;V2&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Exfiltration:<\/strong>&nbsp;*\/next.php, *\/save.php, *\/officers*eur.php,&nbsp;and&nbsp;POST&nbsp;requests&nbsp;to&nbsp;*\/PTT\/SOft\/mini.php&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Early&nbsp;domain:<\/strong>&nbsp;dwbud.vilaribit.com&nbsp;for&nbsp;V0 (\/PTT\/SOft)&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Operator&nbsp;IP:<\/strong>&nbsp;41.128.0.142 (Egypt)&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>abal[.]my&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>starwellmedia[.]com&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>aabiz[.]de&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>aspireglobal[.]ltd&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>buenne[.]de&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>dufllot[.]sbs&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>enerdizerandtron[.]de&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>espaciocf[.]de&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>ihrsupportcenter[.]de&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>ilersls[.]org&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>aaalen[.]de&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>rundwasser[.]de&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>smartcontrolengineer[.]com&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>sonnenbrillenspot[.]de&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>trisrnareprjdocz[.]com&nbsp;<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Kratos is a mature Phishing-as-a-Service operation targeting Microsoft 365 users across the US, Europe, and other regions. By combining trusted platforms, anti-bot checks, and convincing login pages, ithelps attackers steal credentials while delaying detection and response. For security leaders, that increases the risk of account takeover, fraud, data exposure, and higher incident response costs. ANY.RUN [&hellip;]<\/p>\n","protected":false},"author":12,"featured_media":22074,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[8],"tags":[57,10,34],"class_list":["post-22043","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware-analysis","tag-anyrun","tag-cybersecurity","tag-malware-analysis"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.7 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Kratos PhaaS Targets US and EU Companies<\/title>\n<meta name=\"description\" content=\"Discover how Kratos PhaaS threatens Microsoft 365 accounts and how ANY.RUN helps security teams reduce fraud risk, speed detection, and contain compromise.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/kratos-phaas-account-takeover\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"ShiFu\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"18 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/kratos-phaas-account-takeover\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/kratos-phaas-account-takeover\\\/\"},\"author\":{\"name\":\"ShiFu\",\"@id\":\"https:\\\/\\\/any.run\\\/\"},\"headline\":\"\u200b\u200bKratos PhaaS Targets US and EU: How to Reduce Microsoft 365 Account Takeover Risk\u200b\",\"datePublished\":\"2026-07-14T10:06:03+00:00\",\"dateModified\":\"2026-07-14T14:37:54+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/kratos-phaas-account-takeover\\\/\"},\"wordCount\":4330,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/any.run\\\/\"},\"image\":{\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/kratos-phaas-account-takeover\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/wp-content\\\/uploads\\\/2026\\\/07\\\/Kratos-scaled.png\",\"keywords\":[\"ANYRUN\",\"cybersecurity\",\"malware analysis\"],\"articleSection\":[\"Malware Analysis\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/kratos-phaas-account-takeover\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/kratos-phaas-account-takeover\\\/\",\"url\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/kratos-phaas-account-takeover\\\/\",\"name\":\"Kratos PhaaS Targets US and EU Companies\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/any.run\\\/\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/kratos-phaas-account-takeover\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/kratos-phaas-account-takeover\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/wp-content\\\/uploads\\\/2026\\\/07\\\/Kratos-scaled.png\",\"datePublished\":\"2026-07-14T10:06:03+00:00\",\"dateModified\":\"2026-07-14T14:37:54+00:00\",\"description\":\"Discover how Kratos PhaaS threatens Microsoft 365 accounts and how ANY.RUN helps security teams reduce fraud risk, speed detection, and contain compromise.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/kratos-phaas-account-takeover\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/kratos-phaas-account-takeover\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/kratos-phaas-account-takeover\\\/#primaryimage\",\"url\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/wp-content\\\/uploads\\\/2026\\\/07\\\/Kratos-scaled.png\",\"contentUrl\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/wp-content\\\/uploads\\\/2026\\\/07\\\/Kratos-scaled.png\",\"width\":2560,\"height\":1243,\"caption\":\"Kratos attack on US and EU\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/kratos-phaas-account-takeover\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Malware Analysis\",\"item\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/category\\\/malware-analysis\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"\u200b\u200bKratos PhaaS Targets US and EU: How to Reduce Microsoft 365 Account Takeover Risk\u200b\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/any.run\\\/\",\"url\":\"https:\\\/\\\/any.run\\\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\\\/\\\/any.run\\\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/any.run\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/any.run\\\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\\\/\\\/any.run\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/any.run\\\/\",\"url\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/wp-content\\\/uploads\\\/2020\\\/08\\\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/wp-content\\\/uploads\\\/2020\\\/08\\\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\\\/\\\/any.run\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/www.any.run\\\/\",\"https:\\\/\\\/x.com\\\/anyrun_app\",\"https:\\\/\\\/www.linkedin.com\\\/company\\\/30692044\",\"https:\\\/\\\/www.youtube.com\\\/channel\\\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/any.run\\\/\",\"name\":\"ShiFu\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/wp-content\\\/uploads\\\/2026\\\/07\\\/image-17.png\",\"url\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/wp-content\\\/uploads\\\/2026\\\/07\\\/image-17.png\",\"contentUrl\":\"https:\\\/\\\/any.run\\\/cybersecurity-blog\\\/wp-content\\\/uploads\\\/2026\\\/07\\\/image-17.png\",\"caption\":\"ShiFu\"},\"description\":\"I'm a Threat Intelligence Analyst focused on tracking cybercriminal groups and other malicious activity clusters. I previously worked as an Application Security Engineer and have a background in CTF competitions, with experience in offensive security, malware analysis, and application security.\",\"url\":\"#molongui-disabled-link\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Kratos PhaaS Targets US and EU Companies","description":"Discover how Kratos PhaaS threatens Microsoft 365 accounts and how ANY.RUN helps security teams reduce fraud risk, speed detection, and contain compromise.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/kratos-phaas-account-takeover\/","twitter_misc":{"Written by":"ShiFu","Est. reading time":"18 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/kratos-phaas-account-takeover\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/kratos-phaas-account-takeover\/"},"author":{"name":"ShiFu","@id":"https:\/\/any.run\/"},"headline":"\u200b\u200bKratos PhaaS Targets US and EU: How to Reduce Microsoft 365 Account Takeover Risk\u200b","datePublished":"2026-07-14T10:06:03+00:00","dateModified":"2026-07-14T14:37:54+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/kratos-phaas-account-takeover\/"},"wordCount":4330,"commentCount":0,"publisher":{"@id":"https:\/\/any.run\/"},"image":{"@id":"https:\/\/any.run\/cybersecurity-blog\/kratos-phaas-account-takeover\/#primaryimage"},"thumbnailUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Kratos-scaled.png","keywords":["ANYRUN","cybersecurity","malware analysis"],"articleSection":["Malware Analysis"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/kratos-phaas-account-takeover\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/kratos-phaas-account-takeover\/","url":"https:\/\/any.run\/cybersecurity-blog\/kratos-phaas-account-takeover\/","name":"Kratos PhaaS Targets US and EU Companies","isPartOf":{"@id":"https:\/\/any.run\/"},"primaryImageOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/kratos-phaas-account-takeover\/#primaryimage"},"image":{"@id":"https:\/\/any.run\/cybersecurity-blog\/kratos-phaas-account-takeover\/#primaryimage"},"thumbnailUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Kratos-scaled.png","datePublished":"2026-07-14T10:06:03+00:00","dateModified":"2026-07-14T14:37:54+00:00","description":"Discover how Kratos PhaaS threatens Microsoft 365 accounts and how ANY.RUN helps security teams reduce fraud risk, speed detection, and contain compromise.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/kratos-phaas-account-takeover\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/kratos-phaas-account-takeover\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/cybersecurity-blog\/kratos-phaas-account-takeover\/#primaryimage","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Kratos-scaled.png","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/Kratos-scaled.png","width":2560,"height":1243,"caption":"Kratos attack on US and EU"},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/kratos-phaas-account-takeover\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Malware Analysis","item":"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/"},{"@type":"ListItem","position":3,"name":"\u200b\u200bKratos PhaaS Targets US and EU: How to Reduce Microsoft 365 Account Takeover Risk\u200b"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/x.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"ShiFu","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/image-17.png","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/image-17.png","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/07\/image-17.png","caption":"ShiFu"},"description":"I'm a Threat Intelligence Analyst focused on tracking cybercriminal groups and other malicious activity clusters. I previously worked as an Application Security Engineer and have a background in CTF competitions, with experience in offensive security, malware analysis, and application security.","url":"#molongui-disabled-link"}]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/22043","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=22043"}],"version-history":[{"count":10,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/22043\/revisions"}],"predecessor-version":[{"id":22076,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/22043\/revisions\/22076"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/22074"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=22043"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=22043"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=22043"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}