FBI warns of Kali365 phishing service targeting Microsoft 365 accounts

Published: May 25, 2026 at 08:45 AM EDT

Source: Bleeping Computer

The FBI is warning about the Kali365 phishing‑as‑a‑service (PhaaS) platform, which is used to hijack Microsoft 365 accounts by abusing OAuth device code authentication to steal session tokens and bypass multi‑factor authentication (MFA).

According to the FBI PSA, Kali365 first emerged in April 2026 and is distributed via Telegram channels for cybercriminals seeking an easier way to compromise Microsoft 365 accounts without stealing passwords or intercepting MFA codes.

Device code phishing

The platform uses device code phishing, an increasingly popular method that abuses Microsoft’s legitimate OAuth 2.0 Device Authorization grant flow to gain access to Microsoft Entra and Microsoft 365 accounts.

This authentication method was created to allow devices with limited input capabilities—such as smart TVs, conference‑room systems, streaming devices, printers, and IoT devices—to authenticate via another device using a short code at Microsoft’s device‑code login portal.

[Image: Device code authentication form. Source: BleepingComputer]

In February, BleepingComputer reported that extortion gangs, including the ShinyHunters cybercrime group, were targeting Microsoft Entra accounts via device‑code and voice phishing.

Attack flow

  1. Threat actors initiate the device authorization process themselves to generate a code.
  2. They trick targets into entering the code on Microsoft’s login page via phishing and social engineering.
  3. Once the victim enters the code and completes MFA, Microsoft issues an OAuth access token.
  4. The token grants the attacker full access to the user’s account without requiring additional MFA challenges.

The attacker then gains the same single‑sign‑on privileges as the victim, including access to Microsoft 365, Salesforce, or any other cloud SaaS platforms, which can be used to steal data.
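To make the four steps above concrete, here is an added model of the OAuth 2.0 Device Authorization Grant (RFC 8628) with an in-memory authorization server. It is example code written for this article, not code from the Kali365 service, Microsoft, or the FBI; the endpoint name, the 9-digit user code, the `block_device_code` switch (standing in for a Conditional Access block) and the `run_flow` driver are all constructed. The point it demonstrates is the one the flow hinges on: the server binds the token to the `device_code` held by whoever started the flow, and when a human types the `user_code` the server cannot tell whether that human is the same party.

```python
"""Mock OAuth 2.0 Device Authorization Grant (RFC 8628) with an in-memory
authorization server. Endpoint names and the 9-digit user code imitate the
shape of Microsoft's flow, but this is a constructed model, not Entra."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class PendingGrant:
    device_code: str          # secret held by the party that started the flow
    user_code: str            # short code the human types at the verification page
    client_id: str
    scope: str
    expires_at: float
    approved_by: Optional[str] = None   # UPN of whoever completed sign-in
    consumed: bool = False


class MockAuthorizationServer:
    """Stand-in identity provider. block_device_code simulates a Conditional
    Access policy that blocks the device code authentication flow."""

    def __init__(self, block_device_code: bool = False, lifetime: int = 900):
        self.block_device_code = block_device_code
        self.lifetime = lifetime
        self._pending: Dict[str, PendingGrant] = {}

    def device_authorization(self, client_id: str, scope: str, now: float) -> dict:
        # Step 1: the initiating client asks for a code pair.
        grant = PendingGrant(
            device_code=secrets.token_urlsafe(32),
            user_code=f"{secrets.randbelow(10**9):09d}",
            client_id=client_id, scope=scope, expires_at=now + self.lifetime)
        self._pending[grant.device_code] = grant
        return {"device_code": grant.device_code, "user_code": grant.user_code,
                "verification_uri": "https://idp.example/devicelogin",
                "expires_in": self.lifetime}

    def user_enters_code(self, user_code: str, upn: str, mfa_passed: bool, now: float) -> str:
        # Step 2: a human signs in and types the code. The server only sees a
        # valid, unexpired code; it cannot tell whether this person is the one
        # who requested it, which is the property device code phishing relies on.
        for grant in self._pending.values():
            if grant.user_code == user_code and grant.expires_at > now and grant.approved_by is None:
                if not mfa_passed:
                    return "mfa_required"
                if self.block_device_code:
                    return "blocked_by_policy"   # policy evaluated at sign-in time
                grant.approved_by = upn
                return "approved"
        return "invalid_code"

    def token(self, device_code: str, now: float) -> dict:
        # Step 3: whoever holds device_code polls for the token.
        grant = self._pending.get(device_code)
        if grant is None or grant.consumed:
            return {"error": "invalid_grant"}
        if grant.expires_at <= now:
            return {"error": "expired_token"}
        if grant.approved_by is None:
            return {"error": "authorization_pending"}
        grant.consumed = True
        return {"access_token": "tok-" + secrets.token_hex(8), "token_type": "Bearer",
                "scope": grant.scope, "subject": grant.approved_by}


def run_flow(block_device_code: bool) -> dict:
    """Walk the three steps with the initiator and the signing-in user as
    separate parties; returns what each side observes."""
    idp = MockAuthorizationServer(block_device_code=block_device_code)
    t0 = 1_000_000.0
    codes = idp.device_authorization("initiator-client", "Mail.Read User.Read", now=t0)
    before = idp.token(codes["device_code"], now=t0 + 5)          # nothing approved yet
    outcome = idp.user_enters_code(codes["user_code"], "user@tenant.example",
                                   mfa_passed=True, now=t0 + 60)
    after = idp.token(codes["device_code"], now=t0 + 65)
    return {"poll_before_user": before.get("error"), "user_outcome": outcome,
            "token_issued_to_initiator": "access_token" in after,
            "token_subject": after.get("subject")}


if __name__ == "__main__":
    print(run_flow(block_device_code=False))
    print(run_flow(block_device_code=True))
```

With the block disabled the initiator's first poll returns `authorization_pending`, the user's sign-in returns `approved`, and the next poll hands the initiator a token whose subject is the user. With the block enabled the user's MFA still succeeds, but the sign-in is refused and the initiator never gets past `authorization_pending`, which is why the flow has to be refused at the identity provider rather than relying on MFA alone.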

FBI warning on Kali365

The FBI warns that Kali365 gives even low‑skilled attackers advanced phishing capabilities, such as:

  • AI‑generated phishing lures
  • Automated campaign templates
  • Real‑time victim‑tracking dashboards
  • Token‑capture functionality

Findings from Arctic Wolf

Security researchers at Arctic Wolf reported widespread Kali365 activity in April 2026. Their observations include:

  • Campaigns primarily targeted Microsoft 365 environments with phishing emails that directed victims to Microsoft’s device‑code login portal, where they unknowingly authorized attackers.
  • Attackers gained access to victims’ mailboxes and created malicious inbox rules to hide their activity.
  • In some cases, attackers registered new devices in victims’ Microsoft environments, further extending their foothold.
  • Kali365 operates as a business with admins (product development), resellers (promoting the service), and affiliates (conducting phishing attacks).
  • The platform offers two attack modes:
    1. Device code phishing (described above)
    2. Adversary‑in‑the‑middle (AitM) “Cookie Link” – proxies victims through attacker‑controlled infrastructure to capture authenticated browser sessions, cookies, and tokens after MFA is completed.
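The Arctic Wolf observations above (device-code sign-ins, followed by inbox rules that hide mail and by new device registrations) describe a pattern that can be hunted in logs. The following is an added example, not code from Arctic Wolf or the article, that runs that correlation over a few constructed log lines. The record shapes follow the Microsoft Graph `signIn` resource (`authenticationProtocol` value `deviceCode`), Exchange unified audit records for `New-InboxRule`, and Entra audit records for device registration as I know them; the `Register device` activity name, the hiding-folder list, the 24-hour window and the scoring weights are assumptions, and every sample line is made up.

```python
"""Hunt for the post-compromise pattern described in the article over
constructed log samples: device-code sign-ins, inbox rules that hide mail,
and new device registrations within a window after the sign-in."""
import json
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed Entra sign-in records (subset of Graph signIn properties).
SIGNIN_LOGS = """
{"createdDateTime":"2026-04-14T09:02:11Z","userPrincipalName":"alice@contoso.example","ipAddress":"203.0.113.10","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
{"createdDateTime":"2026-04-14T09:05:40Z","userPrincipalName":"bob@contoso.example","ipAddress":"198.51.100.7","appDisplayName":"Microsoft Teams","authenticationProtocol":"none","status":{"errorCode":0}}
{"createdDateTime":"2026-04-14T11:15:02Z","userPrincipalName":"carol@contoso.example","ipAddress":"192.0.2.44","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
"""
# Constructed Exchange unified audit records for inbox rule creation.
EXCHANGE_AUDIT = """
{"CreationTime":"2026-04-14T09:20:33","Operation":"New-InboxRule","UserId":"alice@contoso.example","ClientIP":"203.0.113.10","Parameters":[{"Name":"Name","Value":"."},{"Name":"SubjectContainsWords","Value":"invoice;password;security"},{"Name":"MoveToFolder","Value":"RSS Subscriptions"},{"Name":"MarkAsRead","Value":"True"}]}
{"CreationTime":"2026-04-14T10:01:05","Operation":"New-InboxRule","UserId":"bob@contoso.example","ClientIP":"198.51.100.7","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"FromAddressContainsWords","Value":"news@"},{"Name":"MoveToFolder","Value":"Newsletters"}]}
"""
# Constructed Entra audit records; the "Register device" activity name is assumed.
ENTRA_AUDIT = """
{"activityDateTime":"2026-04-14T09:31:50Z","activityDisplayName":"Register device","category":"Device","initiatedBy":{"user":{"userPrincipalName":"alice@contoso.example","ipAddress":"203.0.113.10"}},"result":"success"}
"""

# Folders users rarely look at; rules that divert mail there are a hiding signal (assumed list).
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history", "archive",
                  "junk email", "deleted items"}


def parse_jsonl(text: str) -> List[dict]:
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def _ts(value: str) -> datetime:
    # Graph timestamps carry 'Z'; Exchange audit timestamps are naive UTC.
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def device_code_signins(records: List[dict]) -> List[dict]:
    """Successful sign-ins that used the device code protocol."""
    return [r for r in records if r.get("authenticationProtocol") == "deviceCode"
            and r.get("status", {}).get("errorCode", 0) == 0]


def rule_hides_mail(record: dict) -> List[str]:
    """Reasons an inbox rule looks designed to hide mail from its owner."""
    params = {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}
    reasons = []
    if params.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        reasons.append(f"moves mail to '{params['MoveToFolder']}'")
    if params.get("DeleteMessage", "").lower() == "true":
        reasons.append("deletes matching mail")
    if params.get("MarkAsRead", "").lower() == "true":
        reasons.append("marks mail as read")
    if len(params.get("Name", "")) <= 2:
        reasons.append("near-empty rule name")
    return reasons


def correlate(signins: List[dict], exchange: List[dict], entra: List[dict],
              window: timedelta = timedelta(hours=24)) -> Dict[str, dict]:
    """Per user with a device-code sign-in: hiding rules and device registrations
    created within `window` after any such sign-in, plus a simple score."""
    dc_times: Dict[str, List[datetime]] = {}
    for s in device_code_signins(signins):
        dc_times.setdefault(s["userPrincipalName"], []).append(_ts(s["createdDateTime"]))
    findings = {u: {"device_code_signins": len(ts), "hiding_rules": [],
                    "device_registrations": 0, "score": 0} for u, ts in dc_times.items()}

    def follows(upn, when):
        return any(timedelta(0) <= (when - t) <= window for t in dc_times.get(upn, []))

    for r in exchange:
        if r.get("Operation") == "New-InboxRule" and follows(r.get("UserId"), _ts(r["CreationTime"])):
            reasons = rule_hides_mail(r)
            if reasons:
                findings[r["UserId"]]["hiding_rules"].append(reasons)
    for a in entra:
        who = a.get("initiatedBy", {}).get("user", {}).get("userPrincipalName")
        if a.get("activityDisplayName") == "Register device" and follows(who, _ts(a["activityDateTime"])):
            findings[who]["device_registrations"] += 1
    for f in findings.values():   # assumed weights: a bare device-code sign-in scores 1
        f["score"] = 1 + 2 * len(f["hiding_rules"]) + 2 * f["device_registrations"]
    return findings


def hunt() -> Dict[str, dict]:
    return correlate(parse_jsonl(SIGNIN_LOGS), parse_jsonl(EXCHANGE_AUDIT), parse_jsonl(ENTRA_AUDIT))


if __name__ == "__main__":
    for upn, f in sorted(hunt().items(), key=lambda kv: -kv[1]["score"]):
        print(upn, f)
```

On the sample data, alice (device-code sign-in, then a rule named "." that diverts mail to RSS Subscriptions and marks it read, then a device registration) scores highest; carol has a device-code sign-in but nothing following it, so she surfaces at the baseline score for review; bob never used the flow and his newsletter rule is ignored. In a real tenant the same three sources are reachable through Graph sign-in and audit log queries and `Search-UnifiedAuditLog`, and a device-code sign-in from an IP the user has never used before is the cheapest single signal to alert on.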

Recommendations

The FBI recommends that organizations:

  1. Restrict or block device‑code authentication flows using Conditional Access policies where possible.
  2. Audit existing device‑code usage and remove unnecessary registrations.
  3. Block authentication transfer policies that allow sessions to move between devices.
  4. Report incidents to the Internet Crime Complaint Center (IC3).
  5. Preserve evidence such as phishing emails, suspicious login information, and unauthorized device registrations.
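Recommendations 1 to 3 translate to a Conditional Access policy whose `authenticationFlows` condition names both `deviceCodeFlow` and `authenticationTransfer` with a `block` grant control, scoped to all users and all applications. The added example below, which is not code from the FBI or Microsoft, builds that policy body in the shape of the Microsoft Graph `conditionalAccessPolicy` resource as I know it and audits a list of existing policies for the gaps that make such a policy ineffective: report-only state, a grant control other than block, partial user or application scope, and exclusions. The two sample policies and the group id in them are constructed, and nothing here calls Graph; applying the policy means posting the body to `/identity/conditionalAccess/policies` with a principal that holds the Conditional Access write permission.

```python
"""Audit Conditional Access policies for a tenant-wide block of the device code
flow and authentication transfer, and build the policy that provides it.
Dict shapes follow the Microsoft Graph conditionalAccessPolicy resource
(conditions.authenticationFlows.transferMethods); the sample policies are
constructed and nothing here calls Graph."""
from typing import Dict, List

TRANSFER_METHODS = ("deviceCodeFlow", "authenticationTransfer")


def recommended_block_policy(display_name: str = "Block device code flow and authentication transfer") -> dict:
    """Policy body that refuses both transfer methods for every user and app."""
    return {
        "displayName": display_name,
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": ",".join(TRANSFER_METHODS)},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def _methods(policy: dict) -> set:
    # transferMethods is a comma-separated flags string; "none" means no condition.
    raw = policy.get("conditions", {}).get("authenticationFlows", {}).get("transferMethods") or ""
    return {m.strip() for m in raw.split(",") if m.strip() and m.strip() != "none"}


def policy_gaps(policy: dict) -> List[str]:
    """Reasons a policy that names a transfer method does not block it for everyone."""
    gaps = []
    c = policy.get("conditions", {})
    if policy.get("state") != "enabled":
        gaps.append(f"state is {policy.get('state')!r}, not enforced")
    if "block" not in policy.get("grantControls", {}).get("builtInControls", []):
        gaps.append("grant control is not 'block'")
    users = c.get("users", {})
    if users.get("includeUsers") != ["All"]:
        gaps.append("not scoped to all users")
    exclusions = (users.get("excludeUsers") or []) + (users.get("excludeGroups") or []) \
        + (users.get("excludeRoles") or [])
    if exclusions:
        gaps.append(f"{len(exclusions)} user/group/role exclusion(s)")
    if "All" not in c.get("applications", {}).get("includeApplications", []):
        gaps.append("not scoped to all applications")
    return gaps


def assess(policies: List[dict]) -> Dict[str, dict]:
    """For each transfer method: is it blocked tenant-wide, by which policies,
    and which policies mention it but leave a gap."""
    report = {m: {"blocked": False, "by": [], "partial": {}} for m in TRANSFER_METHODS}
    for p in policies:
        for m in _methods(p) & set(TRANSFER_METHODS):
            gaps = policy_gaps(p)
            if gaps:
                report[m]["partial"][p.get("displayName", "?")] = gaps
            else:
                report[m]["blocked"] = True
                report[m]["by"].append(p.get("displayName", "?"))
    return report


# Constructed sample: a report-only policy with an exclusion, and an unrelated MFA policy.
SAMPLE_POLICIES = [
    {
        "displayName": "CA-DeviceCode (report only)",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": ["<constructed-group-id>"]},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {
        "displayName": "Require MFA for all users",
        "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"]},
                       "applications": {"includeApplications": ["All"]}},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
]


if __name__ == "__main__":
    print(assess(SAMPLE_POLICIES))
    print(assess(SAMPLE_POLICIES + [recommended_block_policy()]))
```

On the sample set the audit reports neither method as blocked: the only policy that mentions `deviceCodeFlow` is in report-only state and carries a group exclusion, and `authenticationTransfer` is not mentioned anywhere. Adding the recommended policy flips both to blocked. Exclusions are reported as gaps deliberately; if a break-glass account must be excluded, the audit makes that choice visible rather than silent, and devices that genuinely need the flow (the conference-room systems and printers the article mentions) are better handled by scoping a narrow allow policy than by excluding users from the block.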

Device code phishing has seen widespread adoption in 2026. Other platforms leveraging the same technique include:

These services also target Microsoft 365 and Entra accounts using device‑code phishing.
