FBI Alerts on Kali365 Phishing Service Abusing Microsoft 365 OAuth

The FBI has issued a warning regarding Kali365, a phishing-as-a-service platform that exploits Microsoft 365's OAuth device code authentication to steal session tokens and bypass MFA. The service emerged in April 2026.

Joshua Ramos
Joshua Ramos covers cybersecurity for Techawave.
The Federal Bureau of Investigation (FBI) is sounding the alarm about Kali365, a sophisticated phishing-as-a-service (PhaaS) platform actively compromising Microsoft 365 accounts. This threat actor's toolkit leverages an increasingly common technique that abuses OAuth device code authentication, enabling attackers to steal session tokens and circumvent multi-factor authentication (MFA) protections. The FBI's Private Sector Alert indicates that Kali365 first surfaced in April 2026, with its distribution occurring through Telegram channels frequented by cybercriminals seeking streamlined methods to hijack accounts without needing to steal passwords or intercept MFA codes.

Kali365 employs a technique known as device code phishing, which capitalizes on Microsoft's legitimate OAuth 2.0 Device Authorization grant flow. This authentication method was designed to facilitate access for devices with limited input capabilities, such as smart TVs, printers, and IoT devices, allowing them to authenticate via a separate device using a short code at Microsoft's dedicated portal, http://microsoft.com/devicelogin. In February of this year, security researchers noted a surge in attacks targeting Microsoft Entra accounts via similar device code and voice phishing tactics, with cybercrime groups like ShinyHunters implicated.

In these nefarious operations, threat actors initiate the device authorization process themselves, generating a unique code. They then employ social engineering tactics and phishing lures to trick unsuspecting targets into entering this code on Microsoft's login page. Once the victim complies and completes any MFA challenges presented, Microsoft issues an OAuth access token. This token grants the threat actor unfettered access to the user's account, including all associated cloud applications such as Microsoft 365 and Salesforce, without requiring any further MFA verification. This allows for the exfiltration of sensitive data.

Kali365 Expands Phishing Capabilities with AI and Automation

The FBI's warning emphasizes that Kali365 significantly lowers the barrier to entry for cyberattacks, equipping even low-skilled adversaries with advanced phishing capabilities. The platform boasts features like AI-generated phishing lures, pre-designed automated campaign templates, real-time dashboards for tracking victims' progress, and robust token-capture functionality. Security researchers from Arctic Wolf brought attention to Kali365 activity in April, detailing widespread campaigns targeting organizations globally. These campaigns predominantly focused on Microsoft 365 environments, directing victims to the Microsoft device code login portal where they inadvertently granted attackers access.

Following successful breaches, attackers were observed gaining access to victims' mailboxes to create malicious inbox rules designed to conceal their presence and activities. In some instances, threat actors also registered new devices within victims' Microsoft environments, thereby expanding their foothold and access within the compromised network. Arctic Wolf's analysis revealed that Kali365 operates as a structured criminal enterprise, comprising platform administrators managing product development, resellers marketing the service, and affiliates executing the phishing attacks.

The platform offers two distinct attack modes. The first is the aforementioned device code phishing. The second, dubbed "Cookie Link," employs an adversary-in-the-middle (AitM) approach. This method involves proxying victims' connections through attacker-controlled infrastructure, enabling the capture of authenticated browser sessions, session cookies, and critical tokens after the target logs in and completes MFA verification.

To mitigate these risks, the FBI strongly advises organizations to implement or strengthen Conditional Access policies to restrict or block device code authentication flows wherever feasible. They also recommend auditing existing device code usage and implementing policies to block authentication session transfers between devices. Furthermore, impacted organizations are urged to report incidents to the Internet Crime Complaint Center (IC3) and meticulously preserve all relevant evidence, including phishing emails, suspicious login records, and unauthorized device registrations. The widespread adoption of device code phishing throughout 2026 highlights the evolving threat landscape and the necessity for continuous vigilance against sophisticated phishing services like Kali365.
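As an added example that is not from the FBI alert or Arctic Wolf's research, the Python below audits an export of Entra sign-in records for the device code flow described above, covering the FBI's recommendation to audit existing device code usage. It assumes records in the shape of Microsoft Graph `signIn` objects, whose `authenticationProtocol` field reports `deviceCode`, and rates each device code sign-in against the source addresses the same user has signed in from with any other protocol; the sample records are constructed inline.

```python
import json
from collections import defaultdict

# Constructed sample export in the shape of Microsoft Graph `signIn` records
# (field names are Graph's; values are made up). Alice: a normal sign-in, then
# a device code sign-in from an address not in her history. Bob: a device code
# sign-in from his usual address, e.g. a legitimate CLI login.
SAMPLE_SIGNINS = """\
{"createdDateTime": "2026-04-02T08:00:00Z", "userPrincipalName": "alice@example.com", "authenticationProtocol": "none", "ipAddress": "203.0.113.10", "appDisplayName": "Microsoft Office", "conditionalAccessStatus": "success"}
{"createdDateTime": "2026-04-02T09:14:00Z", "userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7", "appDisplayName": "Microsoft Office", "conditionalAccessStatus": "notApplied"}
{"createdDateTime": "2026-04-02T10:00:00Z", "userPrincipalName": "bob@example.com", "authenticationProtocol": "none", "ipAddress": "203.0.113.20", "appDisplayName": "Outlook", "conditionalAccessStatus": "success"}
{"createdDateTime": "2026-04-02T10:05:00Z", "userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.20", "appDisplayName": "Microsoft Azure CLI", "conditionalAccessStatus": "success"}
"""


def parse_signins(ndjson: str) -> list[dict]:
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def audit_device_code(records: list[dict]) -> list[dict]:
    """One finding per device code sign-in, rated against the user's baseline.

    Baseline = source IPs the user has signed in from with any other protocol.
    A device code sign-in from outside it matches the pattern in the article:
    the victim authenticates, but the token is redeemed from the attacker's side.
    """
    baseline = defaultdict(set)
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            baseline[r["userPrincipalName"]].add(r.get("ipAddress"))

    findings = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        user = r["userPrincipalName"]
        new_ip = r.get("ipAddress") not in baseline[user]
        findings.append({
            "time": r["createdDateTime"], "user": user, "ip": r.get("ipAddress"),
            "app": r.get("appDisplayName"),
            "severity": "high" if new_ip else "medium",
            "new_source_ip": new_ip,
            # "notApplied": no Conditional Access policy evaluated this sign-in,
            # so the device code flow is not yet covered by a blocking policy.
            "conditional_access_gap": r.get("conditionalAccessStatus") == "notApplied",
        })
    return findings
```

A finding with `conditional_access_gap` set marks a sign-in that no Conditional Access policy evaluated; in Entra, the "Authentication flows" condition with "Device code flow" selected is the policy control that restricts this flow.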