Dateline: July 16, 2026
Inside Kratos, the Phishing Panel That Greets Its Customers With “Enter the Realm of Power”
For most of this year, a subscription phishing service has been walking Microsoft 365 users through a login page that is not Microsoft’s. The emails cleared corporate mail filters. The links pointed at real SharePoint. Cloudflare’s bot check waved victims through.
Nobody had a name for it. Then ANY.RUN researchers noticed two files that kept showing up together, and 1,484 unlabeled detections suddenly had an owner. They published the findings on July 14, 2026.
What Happened?
The kit is called Kratos, and it sells access the way any software company does. Subscription. Admin panel. Support for affiliates.
The chain starts boring on purpose. An email says someone shared a document. Or an invoice arrived. Or a DocuSign file needs signing. In 114 sandbox sessions, those emails had already passed through a corporate mail filter or secure email gateway before anyone got suspicious.
The link goes somewhere real. SharePoint or OneDrive in 351 cases. Canva, Tilda, systeme.io, and Microsoft Forms fill in as intermediary hops. Nothing in the URL looks wrong because nothing in the URL is wrong.
Then comes Cloudflare Turnstile, asking the victim to prove they are human. That step is not there for the victim. It is there to shake off sandboxes and automated scanners.
What lands next is a fake Microsoft 365 login page with a signature flourish: an animated envelope over a blurred invoice, the words “Loading in progress,” and a browser tab titled Authentication. Credentials POST to a PHP endpoint. The victim gets three tries, then a bounce to office.com.
Kratos has run through three page generations. V0 used a Secure File Access lure and shipped data to mini.php. V1 is the workhorse at 1,397 sessions, imitating Microsoft’s sign in window, exfiltrating to next.php with nex.php and n3xt.php as variants. V2 obfuscates its JavaScript and sends to save.php.
The break came from asset hygiene, or the lack of it. Two files, barr.svg and lg.svg, appeared together in 1,397 sessions. Alone, almost never. Twelve times for one, twice for the other. That pairing gives roughly 90 percent recall with a false positive rate near zero.
What’s the Impact?
ANY.RUN also found the operator side. A Kratos admin panel, live since at least September 10, 2025, greets affiliates with “Enter the realm of power.” From there they deploy phishing domains to a VPS in a few clicks, upload page files, install TLS certificates, change DNS, apply country whitelists, and pick their anti bot flavor: reCAPTCHA, Turnstile, or hCaptcha. Stolen data ships out as JSON to a Telegram bot or an email address.
Volume climbed all year. Ninety three V1 sessions in January. Three hundred ninety three in June.
Researchers tied SharePoint tenant names in the lures to 148 suspected victim organizations across more than twenty countries. Spain leads the sandbox data at 171 sessions, with Spanish URL tokens like factura, abogados, and dgt pointing at affiliates working that region. Around a third of previously documented targeting hit the United States.
The damage from one stolen mailbox rarely stops there. Invoice fraud. Payment redirection. SharePoint and OneDrive sitting wide open. And if the attacker grabbed a live session, resetting the password accomplishes nothing.
How to Avoid This
Hunt for the pair, not the domain. Requests to barr.svg and lg.svg in one session, or dsa.svg plus sid.gif plus imag.jpg for V2. Domains rotate. Asset hashes do not.
- Flag POST requests to next.php, save.php, and officers eur.php.
- Treat a Turnstile check in front of a Microsoft login page as a red flag, not a reassurance.
- If credentials went in, revoke sessions and refresh tokens. Do not stop at a password reset.
- Then check inbox rules, OAuth grants, and SharePoint access. That is where the second act happens.
Go easy on the block button. Kratos runs on compromised WordPress sites, mostly German and Spanish, in 140 deployments. Report those for takedown. Blocking shared parent domains outright breaks real business.