Warning: FBI Alerts on Kali365 Phishing Platform Targeting Microsoft 365 Accounts
Recently, the FBI issued a public service announcement regarding the emergence of Kali365, a phishing-as-a-service platform (PhaaS) designed to exploit Microsoft 365 accounts. This platform utilizes OAuth device code authentication to pilfer session tokens, allowing cybercriminals to bypass multi-factor authentication (MFA).
According to the FBI, Kali365 first surfaced in April 2026 and is being disseminated through Telegram channels, catering to cybercriminals seeking an effortless method to compromise Microsoft 365 accounts without resorting to password theft or interception of MFA codes.
Device code phishing, the technique employed by Kali365, leverages Microsoft’s OAuth 2.0 Device Authorization grant flow to infiltrate Microsoft Entra and Microsoft 365 accounts. This method was initially designed to enable devices with limited input capabilities, such as smart TVs and IoT devices, to authenticate through a code at Microsoft’s device code login portal.
[Figure: Device code authentication form. Source: BleepingComputer]
Earlier this year, BleepingComputer reported that malicious groups, including the ShinyHunters cybercrime syndicate, were targeting Microsoft Entra accounts through device-code and voice phishing. In these attacks, threat actors initiate the device authorization process to generate a code and deceive targets into entering it on Microsoft’s login page via phishing tactics.
Once victims input the code and complete MFA, Microsoft issues an OAuth access token, granting threat actors unrestricted access to the compromised account without the need to overcome any MFA challenges.
Subsequently, threat actors gain access to all applications accessible through the victim’s single-sign-on account, including Microsoft 365 and other cloud SaaS platforms, enabling them to exfiltrate sensitive data.
The FBI highlights that Kali365 provides unsophisticated attackers with advanced phishing capabilities, including AI-generated phishing lures, automated campaign templates, real-time victim-tracking dashboards, and token-capture functionality.
Security researchers at Arctic Wolf observed Kali365 activity in April, noting a widespread campaign targeting organizations globally. These campaigns predominantly focused on Microsoft 365 environments, using phishing emails to direct victims to Microsoft's device code login portal, where the victims unknowingly authorized attackers to access their accounts.
Arctic Wolf’s research revealed that the resulting attacks granted hackers access to victims’ mailboxes, where they established malicious inbox rules to conceal their activities. In some instances, attackers registered new devices within victims’ Microsoft environments, further expanding their reach into the compromised network.
Further investigation by Arctic Wolf unveiled that Kali365 functions as a business entity, with administrators overseeing product development, resellers promoting the service to other threat actors, and affiliates executing phishing attacks.
The platform offers two distinct attack modes: device code phishing and an adversary-in-the-middle (AitM) mode known as “Cookie Link.” Cookie Link proxies victims through attacker-controlled infrastructure, capturing authenticated browser sessions, session cookies, and tokens post-login, circumventing MFA challenges.
To mitigate the risks associated with device code phishing, the FBI recommends that companies restrict or block device code authentication flows using Conditional Access policies, audit existing device code usage, and block authentication transfer, which allows a session to move from one device to another.
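The two defensive steps above, auditing sign-in logs for device code usage and building a Conditional Access policy that blocks the flow, as an added Python example that is not from the FBI announcement or from BleepingComputer. It assumes the shape of the Microsoft Graph signIn resource (the `authenticationProtocol` field) and of the Conditional Access `authenticationFlows.transferMethods` condition; the sign-in records are constructed sample data.

```python
# Constructed sample Entra sign-in records (not real data). The field names
# follow the Microsoft Graph signIn resource as assumed for this example.
SAMPLE_SIGNINS = [
    {"id": "s1", "userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10",
     "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}},
    {"id": "s2", "userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.7",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"id": "s3", "userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.7",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 50126}},  # failed
    {"id": "s4", "userPrincipalName": "carol@example.com", "ipAddress": "192.0.2.44",
     "authenticationProtocol": "authenticationTransfer", "status": {"errorCode": 0}},
]

# Flows the article says to restrict: device code and authentication transfer.
RISKY_PROTOCOLS = {"deviceCode", "authenticationTransfer"}


def audit_risky_signins(signins):
    """Return successful sign-ins that used a device code or auth transfer flow.

    Failed attempts are dropped: only a completed flow hands the attacker a token.
    """
    return [
        s for s in signins
        if s.get("authenticationProtocol") in RISKY_PROTOCOLS
        and s.get("status", {}).get("errorCode") == 0
    ]


def risky_users(signins):
    """Map each affected user to the set of source IPs seen in risky sign-ins."""
    by_user = {}
    for s in audit_risky_signins(signins):
        by_user.setdefault(s["userPrincipalName"], set()).add(s["ipAddress"])
    return by_user


def block_device_code_policy(name="Block device code and authentication transfer"):
    """Conditional Access policy body (assumed Graph schema) that blocks both flows.

    It starts in report-only mode so legitimate limited-input devices (smart TVs,
    IoT) surface in the logs before the block is enforced.
    """
    return {
        "displayName": name,
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }
```

Switch the policy's `state` to `enabled` only after the report-only results show no legitimate device code users, and keep the audit output (users, IPs) alongside any suspicious inbox rules or device registrations for the incident report.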
Impacted organizations are advised to report incidents to the Internet Crime Complaint Center and retain phishing emails, suspicious login details, and unauthorized device registrations for further investigation.
Device code phishing has witnessed widespread adoption in 2026, with various threat actors and platforms incorporating it into their phishing campaigns and attacks. Notable mentions include EvilTokens PhaaS and Tycoon2FA, both utilizing this method to compromise Microsoft 365 and Entra accounts.