A new phishing service is targeting Microsoft 365 users by abusing a legitimate Microsoft sign-in flow: the victim completes authentication, including any MFA prompt, on their own device, and the resulting tokens are issued to the attacker.
The FBI has issued a public service announcement regarding Kali365, a phishing-as-a-service (PhaaS) platform that targets Microsoft 365 accounts by abusing the OAuth device code flow to obtain access and refresh tokens for the victim's account, sidestepping multi-factor authentication (MFA) rather than defeating it.
Key Details
- Kali365 first emerged in April 2026 and is distributed via Telegram channels.
- The platform uses device code phishing, which exploits Microsoft's legitimate OAuth 2.0 Device Authorization grant flow.
- Victims are tricked into entering a short code at http://microsoft.com/devicelogin. That completes a sign-in the attacker started: the attacker's pending token request is fulfilled, and the MFA challenge, if any, is answered by the victim, so the attacker never has to solve it.
- Once authorized, attackers gain full access to the victim's Microsoft 365 account and the applications reachable through it (e.g., Salesforce).
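To make the mechanism concrete, the following is a minimal Python model of the OAuth 2.0 Device Authorization grant (RFC 8628) with a stand-in authorization server. It is an added example, not Kali365's or Microsoft's code; the verification URI `https://idp.example/devicelogin`, the `public-client` client ID and the 15-minute expiry are placeholders. What it shows is the property the attack relies on: the server issues tokens to whoever holds `device_code` and checks MFA only against whoever typed `user_code`, and those can be two different people.

```python
"""Local model of the OAuth 2.0 Device Authorization Grant (RFC 8628).

Added example; no network is used and nothing here is Microsoft's implementation.
Endpoint names follow RFC 8628 (/devicecode, /token); the verification URI,
client ID and expiry below are assumed placeholders.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"  # RFC 8628 suggests a vowel-free alphabet


@dataclass
class PendingGrant:
    client_id: str
    requested_at: float
    approved_by: Optional[str] = None   # set by whoever types the user code
    mfa_satisfied: bool = False


class DeviceAuthServer:
    """Stand-in authorization server keyed by device_code."""

    def __init__(self, expires_in: int = 900):  # assumed 15-minute lifetime
        self.expires_in = expires_in
        self.by_device: Dict[str, PendingGrant] = {}
        self.by_user_code: Dict[str, str] = {}

    def device_authorization(self, client_id: str) -> dict:
        """Step 1: the *requester* calls /devicecode and receives both codes."""
        device_code = secrets.token_urlsafe(32)
        user_code = "-".join(
            "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(4)) for _ in range(2)
        )
        self.by_device[device_code] = PendingGrant(client_id, time.time())
        self.by_user_code[user_code] = device_code
        return {
            "device_code": device_code,
            "user_code": user_code,
            "verification_uri": "https://idp.example/devicelogin",  # placeholder
            "expires_in": self.expires_in,
            "interval": 5,
        }

    def approve(self, user_code: str, username: str, mfa_satisfied: bool) -> bool:
        """Step 2: whoever types the user code at the verification URI signs in.
        The server records who approved, never who requested."""
        device_code = self.by_user_code.get(user_code.strip().upper())
        if device_code is None:
            return False
        grant = self.by_device[device_code]
        if time.time() - grant.requested_at > self.expires_in:
            return False
        grant.approved_by = username
        grant.mfa_satisfied = mfa_satisfied
        return True

    def token(self, device_code: str, client_id: str, require_mfa: bool = True) -> dict:
        """Step 3: the requester polls /token; tokens go to the holder of device_code."""
        grant = self.by_device.get(device_code)
        if grant is None or grant.client_id != client_id:
            return {"error": "invalid_grant"}
        if time.time() - grant.requested_at > self.expires_in:
            return {"error": "expired_token"}
        if grant.approved_by is None:
            return {"error": "authorization_pending"}
        if require_mfa and not grant.mfa_satisfied:
            return {"error": "interaction_required"}  # MFA policy met only by the approver
        return {
            "access_token": secrets.token_urlsafe(24),
            "refresh_token": secrets.token_urlsafe(24),
            "token_type": "Bearer",
            "subject": grant.approved_by,
        }


def simulate_phish(server: DeviceAuthServer, victim: str) -> dict:
    """Walk the three steps with the attacker as requester and the victim as approver."""
    attacker = server.device_authorization(client_id="public-client")
    pending = server.token(attacker["device_code"], "public-client")  # before the victim acts
    # The lure carries attacker["user_code"]; the victim enters it and passes MFA themselves.
    server.approve(attacker["user_code"], victim, mfa_satisfied=True)
    issued = server.token(attacker["device_code"], "public-client")
    return {"pending": pending, "issued": issued}


if __name__ == "__main__":
    print(simulate_phish(DeviceAuthServer(), "alice@example.com"))
```

The `require_mfa` check in `token()` is where a real identity provider enforces its MFA policy; note that it can only ever be satisfied by the approver, which is exactly why an MFA prompt does not stop the requester from receiving tokens.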
Campaign Characteristics
Security researchers at Arctic Wolf reported widespread campaigns targeting organizations worldwide. Phishing emails direct victims to Microsoft's device code login portal. After gaining access, attackers create malicious inbox rules to hide activity and register new devices in victims' Microsoft environments.
Platform Structure
Kali365 operates as a business with administrators managing product development, resellers promoting the service, and affiliates conducting attacks. The platform offers two attack modes: device code phishing and an adversary-in-the-middle mode called "Cookie Link" that captures authenticated browser sessions and tokens.
FBI Recommendations
- "Restrict or block device code authentication flows using Conditional Access policies where possible."
- Audit existing device code usage.
- Block authentication transfer, the mechanism that lets an authentication session move from one device to another; it is governed by the same Conditional Access authentication-flows condition as device code flow.
- Report incidents to the Internet Crime Complaint Center and preserve phishing emails and suspicious login information.
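The first three recommendations are one procedure: find out who legitimately uses device code flow, then block the flow for everyone else. The following Python is an added example (not FBI, Microsoft or Arctic Wolf code) that does both against constructed input. The sample sign-in records use field names from the Microsoft Graph `signIn` resource (`authenticationProtocol`, `userPrincipalName`, `ipAddress`, `appDisplayName`, `conditionalAccessStatus`) with invented values; the policy body uses the documented Conditional Access `authenticationFlows.transferMethods` condition as it would be posted to `/identity/conditionalAccess/policies`. The group ID and the `ops-kiosk` allow-list are assumptions standing in for your own.

```python
"""Audit device-code sign-ins, then build the Conditional Access policy that blocks them.

Added example. SAMPLE_SIGNINS is constructed to resemble a page of Graph
/auditLogs/signIns results; nothing here is captured data.
"""
import json

SAMPLE_SIGNINS = [  # constructed records, Graph signIn field names, invented values
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.10", "appDisplayName": "Microsoft Office",
     "conditionalAccessStatus": "notApplied", "createdDateTime": "2026-05-01T09:12:00Z"},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "oAuth2",
     "ipAddress": "198.51.100.7", "appDisplayName": "Outlook",
     "conditionalAccessStatus": "success", "createdDateTime": "2026-05-01T09:13:00Z"},
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.10", "appDisplayName": "Microsoft Office",
     "conditionalAccessStatus": "notApplied", "createdDateTime": "2026-05-01T09:15:00Z"},
    {"userPrincipalName": "ops-kiosk@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "192.0.2.44", "appDisplayName": "Azure CLI",
     "conditionalAccessStatus": "success", "createdDateTime": "2026-05-01T10:00:00Z"},
]


def device_code_signins(signins):
    """Keep only the device authorization grant; Graph reports it as 'deviceCode'."""
    return [s for s in signins if s.get("authenticationProtocol") == "deviceCode"]


def audit_device_code(signins, expected_users=frozenset()):
    """Group device-code sign-ins per user and split expected from unexpected.

    expected_users is the allow-list you build from the audit itself (headless
    tooling, kiosks); everyone else is a candidate for investigation or a block.
    ca_not_applied counts sign-ins no Conditional Access policy touched at all.
    """
    by_user = {}
    for s in device_code_signins(signins):
        row = by_user.setdefault(
            s["userPrincipalName"],
            {"count": 0, "ips": set(), "apps": set(), "ca_not_applied": 0},
        )
        row["count"] += 1
        row["ips"].add(s.get("ipAddress", "?"))
        row["apps"].add(s.get("appDisplayName", "?"))
        if s.get("conditionalAccessStatus") == "notApplied":
            row["ca_not_applied"] += 1

    def finish(row):  # sets -> sorted lists so the report is JSON-serialisable
        return {"count": row["count"], "ips": sorted(row["ips"]),
                "apps": sorted(row["apps"]), "ca_not_applied": row["ca_not_applied"]}

    return {
        "expected": {u: finish(r) for u, r in by_user.items() if u in expected_users},
        "unexpected": {u: finish(r) for u, r in by_user.items() if u not in expected_users},
    }


def build_block_policy(name, break_glass_group_ids, enforce=False):
    """Payload for POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies.

    Blocks both transfer methods the guidance names. Starts in report-only so the
    audit above can be checked against real traffic before enforce=True.
    """
    if not break_glass_group_ids:
        raise ValueError("exclude at least one break-glass group before blocking an auth flow")
    return {
        "displayName": name,
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": list(break_glass_group_ids)},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    print(json.dumps(audit_device_code(SAMPLE_SIGNINS, {"ops-kiosk@example.com"}), indent=2))
    # Placeholder group ID; substitute the object ID of your break-glass group.
    print(json.dumps(build_block_policy("Block device code flow and authentication transfer",
                                        ["00000000-0000-0000-0000-000000000000"]), indent=2))
```

Run the audit over a full export first; the `unexpected` bucket with `ca_not_applied` greater than zero is the population a block policy will affect, and the report-only state lets you confirm that before switching `enforce=True`.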
Broader Context
Device code phishing has been adopted by other threat actors and platforms in 2026, including EvilTokens PhaaS and Tycoon2FA. Extortion gangs such as ShinyHunters have previously used similar techniques against Microsoft Entra accounts.