Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Mobile devices are becoming the highest‑trusted endpoints that are the least protected. They approve logins. They hold authentication apps. They carry email, collaboration, and business applications. And they travel everywhere your workforce travels: across corporate networks, home Wi‑Fi, airports, hotels, and cafés. That combination (high trust plus constant movement) is why mobile has become such a reliable entry point for credential theft and account takeover.

In our previous post, Token Bingo: Don’t Let Your Code Be the Winner, we documented Kali365, a phishing-as-a-service (PhaaS) kit abusing Microsoft’s OAuth 2.0 device authorization flow to steal Entra ID tokens. In this follow-up report, we track the same operator into new territory as they expand their operation and infrastructure.

Security teams are being asked to operate at machine speed while still making decisions they can trust. Attackers move faster. Exposure changes continuously. Manual workflows struggle to keep up. Following the recent announcement of the Aurora Superintelligence Platform and Aurora Agentic SOC, Arctic Wolf continues to advance its portfolio with new capabilities that help teams see risk clearly, prioritize what matters, and act with confidence.