
FBI Warns of Kali365 Phishing-as-a-Service Platform Targeting Microsoft 365 Accounts

The FBI warns that a new phishing-as-a-service platform, Kali365, gets around multi-factor authentication by abusing a legitimate Microsoft sign-in flow rather than by stealing passwords.

The Federal Bureau of Investigation's Internet Crime Complaint Center (IC3) has issued a public service announcement regarding Kali365, a phishing-as-a-service (PhaaS) platform. The platform targets Microsoft 365 accounts by abusing the legitimate OAuth 2.0 Device Authorization grant flow (the "device code" flow): the victim completes a genuine sign-in, MFA included, and the resulting access and refresh tokens are delivered to the attacker, so MFA is sidestepped rather than broken.

Platform Overview

Kali365 first emerged in April 2026 and is distributed via Telegram channels, making it accessible to a range of threat actors. The platform operates as a structured business, with administrators managing product development, resellers promoting the service, and affiliates conducting the attacks.

The platform offers two primary attack modes:

  • Device code phishing: abuses Microsoft's legitimate device code sign-in process; the attacker starts the flow and the victim unknowingly approves it.
  • Adversary-in-the-middle mode (called "Cookie Link"): relays the victim's sign-in and captures the resulting authenticated browser session cookies and tokens.

Attack Methodology

In device code mode the attack does not rely on a fake login page, and it never needs the victim's password. It abuses a trusted Microsoft workflow:

  1. The attacker's tooling starts an OAuth 2.0 device authorization request with Microsoft's identity service, which returns a short code for the user to type together with a matching device code that only the attacker holds.
  2. Phishing emails impersonating trusted cloud productivity or document-sharing services direct victims to Microsoft's legitimate device login portal at https://microsoft.com/devicelogin, so URL reputation checks and link scanners see a genuine Microsoft address.
  3. Victims are instructed to enter the attacker-provided code and then sign in as usual, including any MFA prompt, on their own device. The MFA challenge is answered by the victim, not bypassed by the attacker; the attacker simply never has to solve it.
  4. Once the victim approves, the attacker's client receives OAuth access and refresh tokens issued for the victim, granting access to the Microsoft 365 account and associated applications (e.g., Outlook, Teams, OneDrive, Salesforce). The refresh token lets the attacker mint fresh access tokens without contacting the victim again.
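The four steps above as an added, self-contained Python model of the OAuth 2.0 device authorization grant (RFC 8628), written for this article and not taken from Kali365 or from Microsoft's implementation. It plays all three parties (attacker tooling, identity provider, victim) with a controllable clock so the expiry path can be exercised. The verification URI is the one the article cites; the 15-minute code lifetime, the poll interval, the client ID, the scopes and the victim identity are assumptions made up for the example.

```python
import secrets
import string
from dataclasses import dataclass
from typing import Optional

# Constructed parameters: only the verification URI comes from the article. The code
# lifetime (Entra's documented 15 minutes), poll interval and victim are assumptions.
VERIFICATION_URI = "https://microsoft.com/devicelogin"
DEVICE_CODE_LIFETIME = 900
POLL_INTERVAL = 5
VICTIM = "victim@example.com"


class FakeClock:
    """Controllable clock so the expiry path runs without sleeping."""
    def __init__(self, start=1_700_000_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


@dataclass
class Pending:
    client_id: str
    scope: str
    user_code: str
    issued_at: float
    authorized_by: Optional[str] = None


class AuthorizationServer:
    """Stand-in for the identity provider (login.microsoftonline.com in the real attack)."""

    def __init__(self, clock):
        self.clock = clock
        self._by_device_code = {}
        self._by_user_code = {}

    def device_authorization(self, client_id, scope):
        """Step 1: the attacker's tooling, not the victim, starts the flow (RFC 8628 3.1/3.2)."""
        device_code = secrets.token_urlsafe(32)
        alphabet = string.ascii_uppercase + string.digits
        user_code = "".join(secrets.choice(alphabet) for _ in range(9))
        pending = Pending(client_id, scope, user_code, self.clock())
        self._by_device_code[device_code] = pending
        self._by_user_code[user_code] = pending
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": VERIFICATION_URI,
                "expires_in": DEVICE_CODE_LIFETIME, "interval": POLL_INTERVAL}

    def complete_sign_in(self, user_code, user, mfa_passed):
        """Step 3: the victim types the code at the genuine portal and satisfies MFA on
        their own device. Nothing here tells the server who requested the code."""
        pending = self._by_user_code.get(user_code)
        if pending is None or self._expired(pending):
            return {"error": "invalid_user_code"}
        if not mfa_passed:
            return {"error": "mfa_required"}
        pending.authorized_by = user
        return {"status": "approved", "client_id": pending.client_id}

    def token(self, device_code, client_id):
        """Step 4: whoever holds device_code collects the tokens (RFC 8628 3.4/3.5)."""
        pending = self._by_device_code.get(device_code)
        if pending is None or pending.client_id != client_id:
            return {"error": "invalid_grant"}
        if self._expired(pending):
            return {"error": "expired_token"}
        if pending.authorized_by is None:
            return {"error": "authorization_pending"}
        del self._by_device_code[device_code]  # device codes are single-use
        return {"token_type": "Bearer", "scope": pending.scope,
                "subject": pending.authorized_by,
                "access_token": secrets.token_urlsafe(48),
                "refresh_token": secrets.token_urlsafe(48)}  # renews access silently later

    def _expired(self, pending):
        return self.clock() - pending.issued_at > DEVICE_CODE_LIFETIME


def simulate_phish(victim_enters_code, victim_delay):
    """Run the attacker's sequence end to end and return every message exchanged."""
    clock = FakeClock()
    idp = AuthorizationServer(clock)
    client_id = "constructed-public-client-id"  # real lures name a well-known client
    start = idp.device_authorization(client_id, "openid offline_access Mail.Read Files.Read")
    lure = (f"Open {start['verification_uri']} and enter code {start['user_code']} "
            "to view the document shared with you")
    first_poll = idp.token(start["device_code"], client_id)  # authorization_pending
    clock.advance(victim_delay)  # time for the lure to land and the victim to act
    victim = None
    if victim_enters_code:
        victim = idp.complete_sign_in(start["user_code"], VICTIM, mfa_passed=True)
    final_poll = idp.token(start["device_code"], client_id)
    return {"lure": lure, "first_poll": first_poll, "victim": victim, "final_poll": final_poll}
```

`simulate_phish(True, 120)` returns the lure text, an `authorization_pending` first poll and a final poll carrying a Bearer token whose subject is the victim; `simulate_phish(True, 1200)` shows why affiliates time their lures, since after the code lifetime the identity provider answers `expired_token` and the victim's late approval is rejected. The point the server side makes explicit is that `complete_sign_in` receives nothing that identifies who requested the code, which is why blocking the flow, not strengthening the second factor, is the control.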

Campaign Characteristics

Security researchers at Arctic Wolf reported widespread campaigns targeting organizations globally. After gaining access, attackers create malicious inbox rules to conceal their activity and register new devices in victims' Microsoft environments.

Broader Context

Device code phishing has been adopted by other threat actors and platforms in 2026, including EvilTokens PhaaS and Tycoon2FA. Extortion groups such as ShinyHunters have previously used similar techniques against Microsoft Entra accounts. Proofpoint has noted that device code phishing is increasing with emerging phishing-as-a-service offerings.

Mitigation Recommendations

The FBI and security researchers have issued the following recommendations:

For Organizations:

  • Restrict or block device code flow with a Conditional Access policy that uses the authentication flows condition, scoped to all users and applications and excluding only the accounts that genuinely need the flow. Deploy it in report-only mode first so the sign-in logs show who would have been blocked.
  • Audit existing device code usage in the Entra sign-in logs (authentication protocol "Device code") to identify legitimate users of the flow, such as headless devices or CLI tooling, before enforcing the block.
  • Block authentication transfer, which lets a signed-in session move from one device to another, using the same Conditional Access condition.
  • Implement token protection (which binds sign-in tokens to the device they were issued to), device compliance checks, session monitoring, least-privilege controls, and strong logging.
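An added Python example of the first three recommendations, not code from the FBI, Arctic Wolf or Microsoft: it audits a constructed set of Entra sign-in records for device code and authentication transfer use, builds the Microsoft Graph `conditionalAccessPolicy` body that blocks both flows through the authentication flows condition, and evaluates that policy against each record the way report-only mode would. The record field names follow the Graph `signIn` resource (whose `authenticationProtocol` values include `deviceCode` and `authenticationTransfer`); the policy body uses the Graph `authenticationFlows` condition and should be checked against the current schema before it is posted to `/identity/conditionalAccess/policies`. The sign-in data, application names, allow-list and group ID are made up.

```python
from collections import defaultdict

# Constructed sign-in records; field names follow the Graph signIn resource, values are invented.
SAMPLE_SIGNINS = [
    {"id": "s1", "userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10"},
    {"id": "s2", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Microsoft Authentication Broker",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7"},
    {"id": "s3", "userPrincipalName": "build-svc@example.com", "appDisplayName": "Azure CLI",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.20"},
    {"id": "s4", "userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Teams",
     "authenticationProtocol": "authenticationTransfer", "ipAddress": "198.51.100.8"},
    {"id": "s5", "userPrincipalName": "carol@example.com", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.9"},
]

# Sign-in protocol value -> Conditional Access transferMethods value that governs it.
FLOW_FOR_PROTOCOL = {"deviceCode": "deviceCodeFlow",
                     "authenticationTransfer": "authenticationTransfer"}


def audit_flow_usage(signins, allowlisted_apps=frozenset()):
    """Return the device-code / authentication-transfer sign-ins not explained by an
    allow-listed application, plus a per-application count for scoping exclusions."""
    flagged, per_app = [], defaultdict(int)
    for s in signins:
        if s["authenticationProtocol"] not in FLOW_FOR_PROTOCOL:
            continue
        per_app[s["appDisplayName"]] += 1
        if s["appDisplayName"] not in allowlisted_apps:
            flagged.append(s)
    return flagged, dict(per_app)


def build_block_policy(excluded_group_ids=(), state="enabledForReportingButNotEnforced"):
    """Graph conditionalAccessPolicy body (assumed schema; verify before POSTing).
    Report-only by default so its effect appears in sign-in logs before enforcement."""
    return {
        "displayName": "Block device code flow and authentication transfer",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": list(excluded_group_ids)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            "authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def would_block(policy, signin, user_group_ids=frozenset()):
    """Evaluate the policy's authenticationFlows condition against one sign-in record,
    as report-only mode would, ignoring the policy state itself."""
    cond = policy["conditions"]
    if set(cond["users"]["excludeGroups"]) & set(user_group_ids):
        return False  # break-glass or service account exclusion wins
    flow = FLOW_FOR_PROTOCOL.get(signin["authenticationProtocol"])
    covered = cond["authenticationFlows"]["transferMethods"].split(",")
    return flow in covered and "block" in policy["grantControls"]["builtInControls"]
```

`audit_flow_usage(SAMPLE_SIGNINS, {"Azure CLI"})` flags the broker, Teams and Office sign-ins and leaves the build account's CLI use for the exclusion group; `would_block` then confirms that an excluded group member is not affected while every other device code or authentication transfer sign-in would be refused once the policy state is switched to `enabled`.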

For Users:

  • Do not follow links to unexpected documents.
  • Be wary of any email prompting an action or containing a link. In particular, no legitimate document share requires you to type a code from an email into microsoft.com/devicelogin; that page exists to sign in a device you are holding, and entering someone else's code signs in their device as you.
  • Verify the email's validity with the purported sender through a separate channel before clicking anything.

Incident Response:

  • Preserve phishing emails and suspicious login information.
  • Report incidents to the FBI's Internet Crime Complaint Center (ic3.gov).

Authentication Context

Microsoft is moving its customers toward phishing-resistant sign-in methods, such as passkeys. Unlike passwords or one-time codes, passkeys are cryptographic credentials stored on a user's device, protected by biometrics or a local PIN, and bound to the site's origin, so a relayed login page of the kind used by the "Cookie Link" mode cannot replay them. The Kali365 warning indicates that not all MFA provides equal protection: one-time codes sent by SMS, push prompts, and authentication flows that rely on user approval can remain vulnerable. Device code phishing is the clearest case, because the victim authenticates genuinely at the real Microsoft portal, with whatever method they have, and the tokens still go to the attacker; the flow itself has to be blocked or restricted, not just the second factor strengthened.