Entra ID Kali365 Default User-Agent Detected

Last updated: 2026-05-26
Created: 2026-05-26

About

Identifies the default user agent string associated with Kali365 (also referred to as Kali365 Live), a phishing-as-a-service (PhaaS) platform that automates OAuth 2.0 device code phishing and adversary-in-the-middle (AiTM) session capture against Microsoft 365 and Microsoft Entra ID. The Kali365 Electron desktop client identifies itself with the user agent `kali365-live/1.0.0` when polling for and replaying captured OAuth tokens, so its appearance in Entra ID sign-in logs, Entra ID audit logs, or the Microsoft 365 unified audit log indicates that an attacker-controlled Kali365 client is interacting with the tenant using stolen tokens. Unlike dual-use offensive tooling, Kali365 is a criminal service with no legitimate enterprise use, making this user agent a high-fidelity indicator of active account compromise.
Tags
Domain: Cloud
Domain: Identity
Data Source: Azure
Data Source: Microsoft Entra ID
Data Source: Microsoft Entra ID Sign-in Logs
Data Source: Microsoft Entra ID Audit Logs
Data Source: Microsoft 365
Data Source: Microsoft 365 Audit Logs
Use Case: Identity and Access Audit
Use Case: Threat Detection
Threat: Kali365
Tactic: Initial Access
Tactic: Credential Access
Language: kuery
Severity
high
Risk Score
73
MITRE ATT&CK™

Initial Access (TA0001)

Credential Access (TA0006)

Defense Evasion (TA0005)

False Positive Examples
Security researchers, sandbox detonations, or red team engagements that intentionally run the Kali365 client against a monitored tenant may generate this user agent. Document approved research activity and exclude the associated principals, source IPs, or tenants if expected.
License
Elastic License v2

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-azure.auditlogs-*
logs-azure.signinlogs-*
logs-o365.audit-*
Related Integrations

azure

o365

Query
data_stream.dataset : ("azure.signinlogs" or "azure.auditlogs" or "o365.audit") and user_agent.original: kali365-live/*
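The rule's logic mirrored in Python, as an added example that is not part of the Elastic rule: it evaluates the dataset filter and the `kali365-live/*` user-agent match over constructed ECS-shaped events (all user names and addresses are hypothetical), and applies the exclusion of documented research principals or source IPs that the False Positive Examples section recommends.

```python
# Added example, not Elastic's code: mirrors the KQL
#   data_stream.dataset : ("azure.signinlogs" or "azure.auditlogs" or "o365.audit")
#   and user_agent.original: kali365-live/*
RULE_DATASETS = {"azure.signinlogs", "azure.auditlogs", "o365.audit"}
UA_PREFIX = "kali365-live/"  # the KQL wildcard kali365-live/* is a prefix match


def matches_rule(event: dict) -> bool:
    """True when the event is in one of the rule's datasets and carries the Kali365 UA."""
    dataset = event.get("data_stream", {}).get("dataset")
    ua = event.get("user_agent", {}).get("original", "")
    return dataset in RULE_DATASETS and ua.startswith(UA_PREFIX)


def is_approved_exception(event: dict, approved_users, approved_ips) -> bool:
    """Exclusion for documented research/red-team activity (see False Positive Examples)."""
    user = event.get("user", {}).get("name")
    ip = event.get("source", {}).get("ip")
    return user in approved_users or ip in approved_ips


def evaluate(events, approved_users=frozenset(), approved_ips=frozenset()) -> list:
    """Return the user names of events that would raise an alert."""
    return [ev["user"]["name"] for ev in events
            if matches_rule(ev) and not is_approved_exception(ev, approved_users, approved_ips)]


# Constructed sample events; names and RFC 5737 addresses are hypothetical, not real IoCs.
SAMPLE_EVENTS = [
    {"data_stream": {"dataset": "azure.signinlogs"},
     "user_agent": {"original": "kali365-live/1.0.0"},
     "user": {"name": "alice@example.com"}, "source": {"ip": "203.0.113.10"}},
    {"data_stream": {"dataset": "o365.audit"},  # documented red-team principal
     "user_agent": {"original": "kali365-live/1.0.0"},
     "user": {"name": "redteam-svc@example.com"}, "source": {"ip": "198.51.100.7"}},
    {"data_stream": {"dataset": "azure.signinlogs"},  # ordinary browser sign-in
     "user_agent": {"original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"},
     "user": {"name": "bob@example.com"}, "source": {"ip": "203.0.113.11"}},
    {"data_stream": {"dataset": "aws.cloudtrail"},  # outside the rule's index patterns
     "user_agent": {"original": "kali365-live/1.0.0"},
     "user": {"name": "carol@example.com"}, "source": {"ip": "203.0.113.12"}},
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS, approved_users={"redteam-svc@example.com"}))
    # → ['alice@example.com']
```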

Install detection rules in Elastic Security

Detect this activity with the Elastic Security detection engine by installing the Entra ID Kali365 Default User-Agent Detected rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.