Published on May 25, 2026

FBI Warns of Kali365 Phishing Platform Targeting Microsoft 365 Accounts


Severity
High

Detail

The Federal Bureau of Investigation (FBI) has issued a warning regarding an emerging phishing-as-a-service (PhaaS) platform known as “Kali365,” which is actively targeting Microsoft 365 environments. Rather than harvesting passwords, the platform abuses the OAuth 2.0 device code authentication flow so that the access and refresh tokens Microsoft issues for a victim are delivered to the attacker, circumventing multi-factor authentication (MFA) in the process.

Kali365 was first identified in April 2026 and is reportedly distributed through Telegram channels, allowing cybercriminals with minimal technical expertise to launch sophisticated phishing campaigns against organizations worldwide.

How?

The attack relies on a technique known as “device code phishing,” which abuses Microsoft’s implementation of the OAuth 2.0 Device Authorization Grant (RFC 8628). This flow is designed for devices with restricted input capabilities, including smart televisions, conferencing systems, printers, streaming hardware, and other IoT devices: the device displays a short code, and the user enters it on a separate browser to authorize the device.

  1. The attacker (or the Kali365 kit on their behalf) sends a legitimate device authorization request to Microsoft and receives a valid code pair: a short user code for a person to type, and a longer device code that only the requesting client holds.
  2. Victims receive phishing emails or messages impersonating trusted organizations or services. The lure instructs the victim to visit Microsoft’s device login page and enter the user code it supplies.
  3. The victim is directed to Microsoft’s legitimate device login page and enters the attacker-generated code.
  4. The victim completes authentication with valid credentials and approves the MFA prompt, which authorizes the pending request the attacker started.
  5. After successful authentication, Microsoft issues OAuth access and refresh tokens for the victim’s account to the client that holds the device code.
  6. Kali365, which has been polling Microsoft’s token endpoint with that device code, receives the tokens and hands them to the attacker.
  7. The attacker uses the stolen tokens to access Microsoft 365 services, using the refresh token to obtain new access tokens, without needing the victim’s password or triggering further MFA challenges.

As the authentication occurs on legitimate Microsoft infrastructure, the activity may appear valid to users and some security controls, making detection more difficult.
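As an added illustration (not code from the advisory, from Kali365, or from Microsoft), the following Python models the RFC 8628 device authorization grant with a toy authorization server and walks the seven steps above: the code pair is handed to whoever calls the device authorization endpoint, the victim approves it on the legitimate sign-in page, and the initiating client, polling the token endpoint, receives the victim’s tokens. The endpoint URI, code lifetime, polling interval, client name and token formats are assumptions made for the example.

```python
import secrets
import string
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Toy model of the OAuth 2.0 Device Authorization Grant (RFC 8628).
# Assumption: this is an illustrative server, not Microsoft's; the lifetime,
# polling interval, verification URI and token formats are made up here.
CODE_LIFETIME = 900   # seconds a code pair stays valid (assumed value)
POLL_INTERVAL = 5     # seconds the client must wait between token polls


@dataclass
class PendingAuth:
    client_id: str
    scope: str
    user_code: str
    created_at: float
    approved_by: Optional[str] = None   # set once a user approves on the login page
    denied: bool = False


@dataclass
class DeviceAuthServer:
    now: Callable[[], float] = time.time                              # injectable clock
    pending: Dict[str, PendingAuth] = field(default_factory=dict)     # keyed by device_code
    by_user_code: Dict[str, str] = field(default_factory=dict)        # user_code -> device_code

    def device_authorization(self, client_id: str, scope: str) -> dict:
        """Step 1: whoever calls this endpoint (here the attacker's kit) receives the code pair."""
        device_code = secrets.token_urlsafe(32)
        alphabet = string.ascii_uppercase + string.digits
        user_code = "".join(secrets.choice(alphabet) for _ in range(9))
        self.pending[device_code] = PendingAuth(client_id, scope, user_code, self.now())
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example/device",
                "expires_in": CODE_LIFETIME, "interval": POLL_INTERVAL}

    def user_approves(self, user_code: str, username: str, mfa_passed: bool) -> str:
        """Steps 3-4: the victim signs in on the legitimate page and types the code from the lure."""
        device_code = self.by_user_code.get(user_code)
        if device_code is None or device_code not in self.pending:
            return "invalid_code"
        auth = self.pending[device_code]
        if self.now() - auth.created_at > CODE_LIFETIME:
            return "expired"
        if not mfa_passed:
            auth.denied = True
            return "access_denied"
        auth.approved_by = username   # the approval binds the attacker's code to the victim
        return "approved"

    def token(self, device_code: str) -> dict:
        """Steps 5-6: the initiating client polls; after approval it gets the victim's tokens."""
        auth = self.pending.get(device_code)
        if auth is None:
            return {"error": "invalid_grant"}
        if self.now() - auth.created_at > CODE_LIFETIME:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if auth.denied:
            del self.pending[device_code]
            return {"error": "access_denied"}
        if auth.approved_by is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]
        return {"token_type": "Bearer", "scope": auth.scope,
                "access_token": f"at.{auth.approved_by}.{secrets.token_hex(8)}",
                "refresh_token": f"rt.{auth.approved_by}.{secrets.token_hex(8)}"}


def run_device_code_phish(victim="alice@victim.example", victim_enters_code=True,
                          victim_delay=60.0, mfa_passed=True):
    """Walk the seven steps and return (first poll, final poll) as the attacker sees them."""
    clock = [1_700_000_000.0]
    server = DeviceAuthServer(now=lambda: clock[0])
    kit = server.device_authorization("phishing-kit", "openid offline_access Mail.ReadWrite")
    first = server.token(kit["device_code"])          # lure not yet acted on
    clock[0] += victim_delay                          # time passes while the email sits unread
    if victim_enters_code:
        server.user_approves(kit["user_code"], victim, mfa_passed)   # MFA completed by the victim
    final = server.token(kit["device_code"])          # attacker polls again
    return first, final


if __name__ == "__main__":
    print(run_device_code_phish())
```

Only the caller of `device_authorization` ever holds the `device_code`, so the victim’s password and MFA approval do nothing except unlock tokens for that caller; the password itself never passes through the attacker, which is why credential-focused controls do not see anything wrong. The `expired_token` branch is the reason these lures press the victim to act within minutes.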

Impact

Successful exploitation allows attackers to gain persistent access to Microsoft 365 environments and any associated cloud services integrated through single sign-on (SSO). This may include applications such as Outlook, Teams, SharePoint, OneDrive, Salesforce, and other Software-as-a-Service (SaaS) platforms.

Researchers observed attackers using compromised accounts to:

  • Access corporate mailboxes
  • Create malicious inbox rules to conceal suspicious activity
  • Register unauthorized devices within the victim environment
  • Maintain extended access to targeted networks
  • Conduct data theft and potential business email compromise (BEC) activities

Security researchers from Arctic Wolf reported that the campaigns affected organizations globally and primarily targeted Microsoft 365 tenants through phishing emails directing users to Microsoft’s device login portal.

Recommendation

Organizations are advised to implement the following mitigation measures:

  • Restrict or disable the device code flow where operationally feasible, for example through the Conditional Access authentication flows condition, allowing it only for the users and devices that genuinely need it
  • Enforce Conditional Access policies to limit risky authentication methods
  • Review and monitor device code sign-ins regularly (in Microsoft Entra sign-in logs they are identifiable by their authentication protocol)
  • Block the authentication transfer flow, which permits an authentication session to move from one device to another
  • Monitor for unauthorized device registrations within Microsoft Entra and Microsoft 365 environments
  • Educate users regarding device code phishing and suspicious authentication requests
  • Preserve suspicious emails, authentication logs, and device registration records for investigation purposes
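To make the monitoring items above concrete, here is an added Python triage example (not from the advisory or any vendor tool) that runs over constructed sign-in and audit records shaped like Microsoft Graph signIn and directoryAudit objects. It flags successful sign-ins whose `authenticationProtocol` is `deviceCode`, attaches the follow-on actions the Impact section lists (device registration, inbox rule creation) taken by the same user within 24 hours, and notes when those actions came from a different IP address than the sign-in, since the stolen tokens are used from the attacker’s infrastructure rather than the victim’s browser. The records themselves, and the folding of Exchange mailbox-rule audit entries into the directory-audit shape, are assumptions made for the example.

```python
import json
from datetime import datetime, timedelta

# Constructed sample records in the shape of Microsoft Graph signIn and directoryAudit
# objects. Assumption: the New-InboxRule entry (normally an Exchange unified audit log
# operation) has been normalised into the same shape as the directory audit entries.
SIGNIN_LOG = """
{"createdDateTime":"2026-05-20T09:14:02Z","userPrincipalName":"alice@victim.example","ipAddress":"198.51.100.23","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Office","status":{"errorCode":0}}
{"createdDateTime":"2026-05-20T09:20:11Z","userPrincipalName":"bob@victim.example","ipAddress":"198.51.100.4","authenticationProtocol":"none","appDisplayName":"Microsoft Teams","status":{"errorCode":0}}
{"createdDateTime":"2026-05-20T11:05:40Z","userPrincipalName":"carol@victim.example","ipAddress":"192.0.2.9","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Office","status":{"errorCode":0}}
{"createdDateTime":"2026-05-20T11:30:00Z","userPrincipalName":"dave@victim.example","ipAddress":"198.51.100.31","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Office","status":{"errorCode":50074}}
"""

AUDIT_LOG = """
{"activityDateTime":"2026-05-20T10:02:30Z","activityDisplayName":"Add registered device","initiatedBy":{"user":{"userPrincipalName":"alice@victim.example","ipAddress":"203.0.113.7"}}}
{"activityDateTime":"2026-05-20T10:15:09Z","activityDisplayName":"New-InboxRule","initiatedBy":{"user":{"userPrincipalName":"alice@victim.example","ipAddress":"203.0.113.7"}}}
{"activityDateTime":"2026-05-19T08:00:00Z","activityDisplayName":"Add registered device","initiatedBy":{"user":{"userPrincipalName":"carol@victim.example","ipAddress":"192.0.2.9"}}}
{"activityDateTime":"2026-05-20T12:00:00Z","activityDisplayName":"Update user","initiatedBy":{"user":{"userPrincipalName":"bob@victim.example","ipAddress":"198.51.100.4"}}}
"""

# Post-compromise actions the advisory associates with these campaigns.
FOLLOW_ON = {
    "Add registered device": "device persistence",
    "New-InboxRule": "mailbox rule (concealment / BEC)",
}


def parse_jsonl(blob):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in blob.strip().splitlines() if line.strip()]


def ts(value):
    """Parse the Zulu timestamps used in Graph exports into aware datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage(signins, audits, window_hours=24):
    """Return one finding per successful device code sign-in, enriched with the
    follow-on actions by the same user inside the window and any IP mismatch."""
    findings = []
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode" or s["status"]["errorCode"] != 0:
            continue                      # ignore other flows and failed attempts
        t0 = ts(s["createdDateTime"])
        upn = s["userPrincipalName"]
        follow_on, foreign_ips = [], set()
        for a in audits:
            actor = a["initiatedBy"]["user"]
            if actor["userPrincipalName"] != upn or a["activityDisplayName"] not in FOLLOW_ON:
                continue
            # Only actions *after* the device code sign-in count as follow-on activity.
            if not (t0 <= ts(a["activityDateTime"]) <= t0 + timedelta(hours=window_hours)):
                continue
            follow_on.append(a["activityDisplayName"])
            if actor["ipAddress"] != s["ipAddress"]:
                foreign_ips.add(actor["ipAddress"])   # token used from somewhere else
        findings.append({
            "user": upn,
            "signin_time": s["createdDateTime"],
            "signin_ip": s["ipAddress"],
            "follow_on": follow_on,
            "actions_from_other_ip": sorted(foreign_ips),
            "severity": "high" if follow_on else "review",
        })
    return findings


if __name__ == "__main__":
    for finding in triage(parse_jsonl(SIGNIN_LOG), parse_jsonl(AUDIT_LOG)):
        print(json.dumps(finding))
```

In the sample data alice is flagged as high: her device code sign-in is followed by a device registration and an inbox rule, both from an address that differs from the one she signed in from. Carol’s sign-in is only marked for review because her device registration predates it, Dave’s attempt failed, and Bob did not use the device code flow at all. A lone `deviceCode` sign-in is not proof of compromise, which is why the output separates “review” from “high” rather than alerting on the protocol alone.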

The FBI additionally recommends reporting related incidents to the Internet Crime Complaint Center (IC3).

Conclusion

Kali365 demonstrates the continued evolution of phishing-as-a-service platforms that focus on token theft rather than credential theft. By abusing legitimate Microsoft OAuth authentication mechanisms, attackers can bypass conventional MFA protections and obtain persistent cloud access using stolen authentication tokens.

Organizations leveraging Microsoft 365 should review their OAuth authentication policies, enhance monitoring for device code authentication activity, and improve user awareness to defend against increasingly sophisticated token-based phishing attacks.

Source

https://www.bleepingcomputer.com/news/security/fbi-warns-of-kali365-phishing-service-targeting-microsoft-365-accounts/