Techniques
Sample rules
Entra ID Kali365 Default User-Agent Detected
- source: elastic
- techniques:
- T1078
- T1528
- T1550
- T1566
Description
Identifies the default user agent string associated with Kali365 (also referred to as Kali365 Live), a phishing-as-a-service (PhaaS) platform that automates OAuth 2.0 device code phishing and adversary-in-the-middle (AiTM) session capture against Microsoft 365 and Microsoft Entra ID. The Kali365 Electron desktop client identifies itself with the user agent kali365-live/1.0.0 when polling for and replaying captured OAuth tokens, so its appearance in Entra ID sign-in logs, Entra ID audit logs, or the Microsoft 365 unified audit log indicates that an attacker-controlled Kali365 client is interacting with the tenant using stolen tokens. Unlike dual-use offensive tooling, Kali365 is a criminal service with no legitimate enterprise use, making this user agent a high-fidelity indicator of active account compromise.
Detection logic
data_stream.dataset : ("azure.signinlogs" or "azure.auditlogs" or "o365.audit") and user_agent.original: kali365-live/*
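The query above can be replayed outside Elastic to check that it fires on the events you expect and stays quiet on the ones it should ignore. The following is an added example, not part of the Elastic rule or of any Kali365 tooling: it re-implements the two clauses of the query (dataset scope and a wildcard prefix match on user_agent.original) as a Python predicate and runs it over a handful of constructed ECS-shaped events. The user names, IPs and the non-1.0.0 version strings are made up for the example; the assumption that the wildcard match is case-sensitive mirrors KQL behaviour on a keyword field and may not hold for a differently mapped index.

```python
"""Replay the Kali365 user-agent detection over constructed sample events."""
import fnmatch
import json

# Scope of the rule: the three datasets named in the query.
IN_SCOPE_DATASETS = {"azure.signinlogs", "azure.auditlogs", "o365.audit"}

# KQL wildcard from the rule; matching on the prefix means later client
# versions (e.g. 1.2.0) still fire without changing the rule.
UA_PATTERN = "kali365-live/*"

# Constructed ECS-shaped events for the example, not real log data.
# Users, IPs and the version numbers other than 1.0.0 are invented.
SAMPLE_EVENTS_JSONL = """
{"data_stream": {"dataset": "azure.signinlogs"}, "user": {"name": "alice@example.com"}, "source": {"ip": "203.0.113.10"}, "user_agent": {"original": "kali365-live/1.0.0"}}
{"data_stream": {"dataset": "azure.auditlogs"}, "user": {"name": "bob@example.com"}, "source": {"ip": "203.0.113.11"}, "user_agent": {"original": "kali365-live/1.2.0"}}
{"data_stream": {"dataset": "o365.audit"}, "user": {"name": "carol@example.com"}, "source": {"ip": "198.51.100.5"}, "user_agent": {"original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"}}
{"data_stream": {"dataset": "aws.cloudtrail"}, "user": {"name": "dave"}, "source": {"ip": "198.51.100.6"}, "user_agent": {"original": "kali365-live/1.0.0"}}
{"data_stream": {"dataset": "azure.signinlogs"}, "user": {"name": "erin@example.com"}, "source": {"ip": "198.51.100.7"}, "user_agent": {"original": "Kali365-Live/1.0.0"}}
{"data_stream": {"dataset": "azure.signinlogs"}, "user": {"name": "frank@example.com"}, "source": {"ip": "198.51.100.8"}}
"""


def load_events(jsonl):
    """Parse one JSON object per non-empty line into a list of dicts."""
    return [json.loads(line) for line in jsonl.strip().splitlines() if line.strip()]


def get_path(event, *keys):
    """Walk nested dict keys (ECS dotted field), returning None if any level is missing."""
    cur = event
    for key in keys:
        if not isinstance(cur, dict):
            return None
        cur = cur.get(key)
    return cur


def matches_rule(event):
    """True when the event satisfies both clauses of the detection query."""
    dataset = get_path(event, "data_stream", "dataset")
    ua = get_path(event, "user_agent", "original")
    if dataset not in IN_SCOPE_DATASETS or not isinstance(ua, str):
        return False
    # fnmatchcase is case-sensitive, matching the assumed keyword-field
    # semantics of the KQL wildcard. A re-cased string would not fire.
    return fnmatch.fnmatchcase(ua, UA_PATTERN)


def run_detection(events):
    """Return one alert record per matching event, keeping triage fields."""
    alerts = []
    for event in events:
        if matches_rule(event):
            alerts.append(
                {
                    "user": get_path(event, "user", "name"),
                    "source_ip": get_path(event, "source", "ip"),
                    "dataset": get_path(event, "data_stream", "dataset"),
                    "user_agent": get_path(event, "user_agent", "original"),
                }
            )
    return alerts


if __name__ == "__main__":
    for alert in run_detection(load_events(SAMPLE_EVENTS_JSONL)):
        print(json.dumps(alert))
```

Run as written, only the first two events alert: the third carries a browser user agent, the fourth is outside the rule's dataset scope, the fifth differs only in letter case, and the sixth has no user agent at all. The last two are worth keeping in mind when tuning: the user agent is entirely under the client's control, so a modified Kali365 build, or one that spoofs a browser string, would not match, and the absence of this indicator says nothing about whether tokens were stolen. The rule is high fidelity when it fires, not a proof of absence when it does not.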