
Summary
Identifies the Kali365 Live (Kali365) phishing-as-a-service client by detecting its default user agent string, kali365-live/1.0.0, in Microsoft Entra ID sign-in logs, Entra ID audit logs, and the Microsoft 365 unified audit log. Kali365 is a credential-phishing platform that automates device-code phishing and adversary-in-the-middle session capture to obtain OAuth tokens. When the Kali365 Electron client polls for and replays captured tokens, it presents a user_agent.original value matching kali365-live/*, which maps to a criminal service with no legitimate enterprise use. This user agent is therefore a high-fidelity indicator of active account compromise and token replay within the tenant.

The rule queries the index patterns logs-azure.auditlogs-*, logs-azure.signinlogs-* and logs-o365.audit-* with the wildcard query user_agent.original: kali365-live/*. It maps to the MITRE ATT&CK techniques T1078 (Valid Accounts), covering use of the stolen tokens; T1566 (Phishing), covering the device-code phishing flow; T1528 (Steal Application Access Token); and T1550.001 (Application Access Token), covering persistence and token abuse, all of which describe post-compromise activity against cloud identities.

Overall, the rule targets cloud and identity-management environments and serves as a high-signal indicator of token compromise; false positives are essentially limited to approved security research or red-team activity conducted under a documented scope.
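To show how the query above behaves on event data, the following is an added Python example (not part of the rule or of this page) that applies the rule's index scope and user-agent wildcard to a few constructed ECS-shaped events; the approved_test_accounts tuning list and the sample events are assumptions, not rule content.

```python
import fnmatch

# Index patterns, user-agent pattern and ATT&CK mappings taken from the rule description.
RULE_INDICES = ("logs-azure.auditlogs-*", "logs-azure.signinlogs-*", "logs-o365.audit-*")
UA_PATTERN = "kali365-live/*"
ATTACK_IDS = ("T1078.004", "T1566.002", "T1528", "T1550.001")


def index_in_scope(index_name):
    """True when the event's index matches one of the rule's three index patterns."""
    return any(fnmatch.fnmatchcase(index_name, pat) for pat in RULE_INDICES)


def ua_matches(user_agent):
    """Wildcard match equivalent to `user_agent.original: kali365-live/*`: exact case,
    anchored at the start, so the product token must be kali365-live itself."""
    return isinstance(user_agent, str) and fnmatch.fnmatchcase(user_agent, UA_PATTERN)


def evaluate(events, approved_test_accounts=frozenset()):
    """Run the rule over ECS-shaped events; one alert per matching event.
    approved_test_accounts is a hypothetical tuning list for documented red-team scope
    (the only false-positive class the rule names): such hits still alert but are flagged."""
    alerts = []
    for ev in events:
        if not index_in_scope(ev.get("_index", "")):
            continue  # event comes from a data stream the rule does not query
        if not ua_matches(ev.get("user_agent", {}).get("original")):
            continue
        user = ev.get("user", {}).get("name")
        alerts.append({
            "index": ev["_index"],
            "user": user,
            "source_ip": ev.get("source", {}).get("ip"),
            "user_agent": ev["user_agent"]["original"],
            "attack": ATTACK_IDS,
            "approved_scope": user in approved_test_accounts,
        })
    return alerts


# Constructed sample events (not real telemetry); 203.0.113.0/24 is a documentation range.
SAMPLE_EVENTS = [
    {"_index": "logs-azure.signinlogs-default", "user": {"name": "alice@example.com"},
     "source": {"ip": "203.0.113.10"}, "user_agent": {"original": "kali365-live/1.0.0"}},
    {"_index": "logs-o365.audit-default", "user": {"name": "bob@example.com"},
     "source": {"ip": "203.0.113.11"}, "user_agent": {"original": "kali365-live/1.2.0"}},
    {"_index": "logs-azure.signinlogs-default", "user": {"name": "carol@example.com"},
     "source": {"ip": "203.0.113.12"}, "user_agent": {"original": "Mozilla/5.0 (Windows NT 10.0)"}},
    {"_index": "logs-endpoint.events-default", "user": {"name": "dave@example.com"},
     "user_agent": {"original": "kali365-live/1.0.0"}},  # right UA, but outside the rule's indices
]
```

Calling `evaluate(SAMPLE_EVENTS, frozenset({"bob@example.com"}))` yields two alerts (alice and bob), with bob's flagged as approved scope; carol's browser sign-in and dave's out-of-scope index produce none.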
Categories
- Cloud
- Identity Management
Data Sources
- Logon Session
- Cloud Service
- Application Log
ATT&CK Techniques
- T1078
- T1078.004
- T1566
- T1566.002
- T1528
- T1550
- T1550.001
Created: 2026-05-26