Entra ID Kali365 Default User-Agent Detected

Identifies the default user agent string associated with Kali365 (also referred to as Kali365 Live), a phishing-as-a-service (PhaaS) platform that automates OAuth 2.0 device code phishing and adversary-in-the-middle (AiTM) session capture against Microsoft 365 and Microsoft Entra ID. The Kali365 Electron desktop client identifies itself with the user agent kali365-live/1.0.0 when polling for and replaying captured OAuth tokens, so its appearance in Entra ID sign-in logs, Entra ID audit logs, or the Microsoft 365 unified audit log indicates that an attacker-controlled Kali365 client is interacting with the tenant using stolen tokens. Unlike dual-use offensive tooling, Kali365 is a criminal service with no legitimate enterprise use, making this user agent a high-fidelity indicator of active account compromise.

Elastic rule

[metadata]
creation_date = "2026/05/26"
integration = ["azure", "o365"]
maturity = "production"
updated_date = "2026/05/26"

[rule]
author = ["Elastic"]
description = """
Identifies the default user agent string associated with Kali365 (also referred to as Kali365 Live), a
phishing-as-a-service (PhaaS) platform that automates OAuth 2.0 device code phishing and adversary-in-the-middle (AiTM)
session capture against Microsoft 365 and Microsoft Entra ID. The Kali365 Electron desktop client identifies itself with
the user agent `kali365-live/1.0.0` when polling for and replaying captured OAuth tokens, so its appearance in Entra ID
sign-in logs, Entra ID audit logs, or the Microsoft 365 unified audit log indicates that an attacker-controlled Kali365
client is interacting with the tenant using stolen tokens. Unlike dual-use offensive tooling, Kali365 is a criminal
service with no legitimate enterprise use, making this user agent a high-fidelity indicator of active account
compromise.
"""
false_positives = [
    """
    Security researchers, sandbox detonations, or red team engagements that intentionally run the Kali365 client against
    a monitored tenant may generate this user agent. Document approved research activity and exclude the associated
    principals, source IPs, or tenants if expected.
    """,
]
from = "now-9m"
index = ["logs-azure.auditlogs-*", "logs-azure.signinlogs-*", "logs-o365.audit-*"]
language = "kuery"
license = "Elastic License v2"
name = "Entra ID Kali365 Default User-Agent Detected"
note = """## Triage and analysis

### Investigating Entra ID Kali365 Default User-Agent Detected

Kali365 (Kali365 Live) is a phishing-as-a-service platform distributed via Telegram that provides affiliates with
AI-generated lures, automated device code phishing campaigns, target-tracking dashboards, and OAuth token capture. The
typical flow is: a lure delivers a Microsoft device code, the victim enters it on the legitimate Microsoft verification
page and unknowingly authorizes the attacker, Kali365 captures the resulting OAuth access and refresh tokens, and the
attacker uses those tokens for persistent, MFA-free access to Microsoft 365 (Outlook, Teams, OneDrive).

The Kali365 desktop client presents the user agent `kali365-live/1.0.0`. This rule fires when that user agent is observed
in Entra ID sign-in logs, Entra ID audit logs, or the Microsoft 365 unified audit log. Because the user agent maps to a
criminal service with no legitimate use, an alert generally indicates that stolen tokens are already being replayed
against the tenant.

### Possible investigation steps

- Confirm the tool and identify the affected identity.
    - `user_agent.original` matches `kali365-live/*`.
    - Pivot on `user.name`, `azure.signinlogs.properties.user_principal_name`, or the M365 audit `user.id`.
- Review the origin and compare against the user's normal sign-in behavior.
    - `source.ip`, `source.geo.*`, and `source.as.organization.name`; flag hosting/VPS ASNs and unexpected geographies.
    - Cross-reference published Kali365 infrastructure (`216.203.20.95`, `162.243.166.119`, `199.91.220.111`).
- Confirm the device code grant in sign-in logs.
    - `azure.signinlogs.properties.authentication_protocol` is `deviceCode`.
    - Review `app_id`/`app_display_name` and `resource_display_name` for the brokered mail or collaboration API.
- Scope follow-on access in the Microsoft 365 unified audit log for the same user and timeframe.
    - Look for mailbox access, inbox rule creation, OneDrive/SharePoint downloads, or Teams activity from the same session or IP.
- Check the Entra ID audit log for a device registration by the same identity around the alert window.
    - A `Register device` event by the identity paired (via `azure.correlation_id`) with an `Add device` event from the `Device Registration Service` indicates a Primary Refresh Token (PRT) was issued for persistence that survives password resets.

### False positive analysis

- This user agent has no legitimate enterprise use.
    - The only expected matches are authorized security research or red team exercises running the Kali365 client; validate and document before dismissing.

### Response and remediation

- Remove rogue device registrations created by the user BEFORE revoking sessions.
    - Device-bound PRTs survive `revokeSignInSessions`, so a device left in place re-establishes access.
    - `GET /v1.0/users/{id}/registeredDevices` and `/ownedDevices`, then `DELETE /v1.0/devices/{deviceObjectId}` for unrecognized devices.
- Revoke refresh tokens and sessions, then reset credentials and re-register MFA.
    - `POST /v1.0/users/{id}/revokeSignInSessions`.
- Temporarily disable the account if you need to halt activity during investigation.
    - `PATCH /v1.0/users/{id}` with body `{"accountEnabled": false}`.
- Remove other attacker persistence: malicious inbox/forwarding rules, OAuth consents, and app passwords.
- Block or monitor Kali365 source IPs and infrastructure, and hunt for the user agent across other users and tenants.
- Apply Conditional Access to the device code grant.
    - Require a managed/compliant device, or block the device-code flow outside approved app and user populations.
"""
references = [
    "https://arcticwolf.com/resources/blog/token-bingo-dont-let-your-code-be-the-winner/",
    "https://www.ic3.gov/PSA/2026/PSA260521",
]
risk_score = 73
rule_id = "4b11dbab-ce37-49c4-bdf1-cdf64b405d96"
severity = "high"
tags = [
    "Domain: Cloud",
    "Domain: Identity",
    "Data Source: Azure",
    "Data Source: Microsoft Entra ID",
    "Data Source: Microsoft Entra ID Sign-in Logs",
    "Data Source: Microsoft Entra ID Audit Logs",
    "Data Source: Microsoft 365",
    "Data Source: Microsoft 365 Audit Logs",
    "Use Case: Identity and Access Audit",
    "Use Case: Threat Detection",
    "Threat: Kali365",
    "Tactic: Initial Access",
    "Tactic: Credential Access",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
data_stream.dataset : ("azure.signinlogs" or "azure.auditlogs" or "o365.audit") and user_agent.original: kali365-live/*
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"
[[rule.threat.technique.subtechnique]]
id = "T1078.004"
name = "Cloud Accounts"
reference = "https://attack.mitre.org/techniques/T1078/004/"


[[rule.threat.technique]]
id = "T1566"
name = "Phishing"
reference = "https://attack.mitre.org/techniques/T1566/"
[[rule.threat.technique.subtechnique]]
id = "T1566.002"
name = "Spearphishing Link"
reference = "https://attack.mitre.org/techniques/T1566/002/"



[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1528"
name = "Steal Application Access Token"
reference = "https://attack.mitre.org/techniques/T1528/"


[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1550"
name = "Use Alternate Authentication Material"
reference = "https://attack.mitre.org/techniques/T1550/"
[[rule.threat.technique.subtechnique]]
id = "T1550.001"
name = "Application Access Token"
reference = "https://attack.mitre.org/techniques/T1550/001/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

Triage and analysis

Investigating Entra ID Kali365 Default User-Agent Detected

Kali365 (Kali365 Live) is a phishing-as-a-service platform distributed via Telegram that provides affiliates with AI-generated lures, automated device code phishing campaigns, target-tracking dashboards, and OAuth token capture. The typical flow is: a lure delivers a Microsoft device code, the victim enters it on the legitimate Microsoft verification page and unknowingly authorizes the attacker, Kali365 captures the resulting OAuth access and refresh tokens, and the attacker uses those tokens for persistent, MFA-free access to Microsoft 365 (Outlook, Teams, OneDrive).

The Kali365 desktop client presents the user agent kali365-live/1.0.0. This rule fires when that user agent is observed in Entra ID sign-in logs, Entra ID audit logs, or the Microsoft 365 unified audit log. Because the user agent maps to a criminal service with no legitimate use, an alert generally indicates that stolen tokens are already being replayed against the tenant.

Possible investigation steps

  • Confirm the tool and identify the affected identity.
    • user_agent.original matches kali365-live/*.
    • Pivot on user.name, azure.signinlogs.properties.user_principal_name, or the M365 audit user.id.
  • Review the origin and compare against the user's normal sign-in behavior.
    • source.ip, source.geo.*, and source.as.organization.name; flag hosting/VPS ASNs and unexpected geographies.
    • Cross-reference published Kali365 infrastructure (216.203.20.95, 162.243.166.119, 199.91.220.111).
  • Confirm the device code grant in sign-in logs.
    • azure.signinlogs.properties.authentication_protocol is deviceCode.
    • Review app_id/app_display_name and resource_display_name for the brokered mail or collaboration API.
  • Scope follow-on access in the Microsoft 365 unified audit log for the same user and timeframe.
    • Look for mailbox access, inbox rule creation, OneDrive/SharePoint downloads, or Teams activity from the same session or IP.
  • Check the Entra ID audit log for a device registration by the same identity around the alert window.
    • A Register device event by the identity paired (via azure.correlation_id) with an Add device event from the Device Registration Service indicates a Primary Refresh Token (PRT) was issued for persistence that survives password resets.
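The following script is an added example, not part of the Elastic rule or its investigation guide. It evaluates the rule's KQL condition over constructed, flattened ECS-style events and then performs the PRT-persistence pivot from the last investigation step, pairing a Register device audit event with an Add device event from the Device Registration Service on the same azure.correlation_id. The dotted field names other than those quoted in the guide (in particular the initiator field) are assumptions.

```python
from collections import defaultdict
from fnmatch import fnmatchcase

# Events are dicts with flattened dotted ECS keys, as Kibana renders them (assumption for this example).
RULE_DATASETS = {"azure.signinlogs", "azure.auditlogs", "o365.audit"}
UA_PATTERN = "kali365-live/*"
INITIATOR = "azure.auditlogs.properties.initiated_by.app.displayName"  # assumed field name

def matches_rule(event):
    """The rule's KQL on one event: in-scope dataset AND user-agent wildcard match."""
    return (event.get("data_stream.dataset") in RULE_DATASETS
            and fnmatchcase(event.get("user_agent.original", ""), UA_PATTERN))

def alerts(events):
    """Identities whose events match the rule, in order of appearance."""
    return [e.get("user.name") for e in events if matches_rule(e)]

def prt_persistence_pairs(audit_events):
    """Triage pivot from the guide: a 'Register device' by a user that shares
    azure.correlation_id with an 'Add device' from the Device Registration
    Service, which indicates a PRT was issued to that device."""
    by_cid = defaultdict(list)
    for ev in audit_events:
        if ev.get("azure.correlation_id"):
            by_cid[ev["azure.correlation_id"]].append(ev)
    pairs = []
    for cid, evs in by_cid.items():
        registrars = [e.get("user.name") for e in evs if e.get("event.action") == "Register device"]
        added = any(e.get("event.action") == "Add device" and e.get(INITIATOR) == "Device Registration Service"
                    for e in evs)
        if added:
            pairs.extend((u, cid) for u in registrars)
    return pairs

# Constructed sample data, not real log lines.
SAMPLE_SIGNINS = [
    {"data_stream.dataset": "azure.signinlogs", "user.name": "jdoe@example.com", "source.ip": "203.0.113.10",
     "user_agent.original": "kali365-live/1.0.0", "azure.signinlogs.properties.authentication_protocol": "deviceCode"},
    {"data_stream.dataset": "azure.signinlogs", "user.name": "asmith@example.com",
     "user_agent.original": "Mozilla/5.0 (Windows NT 10.0) Edge/124.0"},
    {"data_stream.dataset": "aws.cloudtrail", "user.name": "svc@example.com",
     "user_agent.original": "kali365-live/1.0.0"},  # out-of-scope dataset, so no alert
]
SAMPLE_AUDIT = [
    {"event.action": "Register device", "user.name": "jdoe@example.com", "azure.correlation_id": "c-001"},
    {"event.action": "Add device", INITIATOR: "Device Registration Service", "azure.correlation_id": "c-001"},
    {"event.action": "Register device", "user.name": "asmith@example.com", "azure.correlation_id": "c-002"},  # unpaired
]
```

Running `alerts(SAMPLE_SIGNINS)` yields only jdoe, and `prt_persistence_pairs(SAMPLE_AUDIT)` flags jdoe's correlation id c-001 as a device that should be removed before sessions are revoked.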

False positive analysis

  • This user agent has no legitimate enterprise use.
    • The only expected matches are authorized security research or red team exercises running the Kali365 client; validate and document before dismissing.

Response and remediation

  • Remove rogue device registrations created by the user BEFORE revoking sessions.
    • Device-bound PRTs survive revokeSignInSessions, so a device left in place re-establishes access.
    • GET /v1.0/users/{id}/registeredDevices and /ownedDevices, then DELETE /v1.0/devices/{deviceObjectId} for unrecognized devices.
  • Revoke refresh tokens and sessions, then reset credentials and re-register MFA.
    • POST /v1.0/users/{id}/revokeSignInSessions.
  • Temporarily disable the account if you need to halt activity during investigation.
    • PATCH /v1.0/users/{id} with body {"accountEnabled": false}.
  • Remove other attacker persistence: malicious inbox/forwarding rules, OAuth consents, and app passwords.
  • Block or monitor Kali365 source IPs and infrastructure, and hunt for the user agent across other users and tenants.
  • Apply Conditional Access to the device code grant.
    • Require a managed/compliant device, or block the device-code flow outside approved app and user populations.
