FBI warns of Kali365 phishing service targeting Microsoft 365 accounts
FBI warns of Kali365, a phishing-as-a-service platform that hijacks Microsoft 365 and Entra accounts by abusing OAuth device-code authentication to steal session tokens and bypass MFA. Emerged in April 2026 and distributed via Telegram, it directs victims to a device-login portal to authorize attackers, granting access to cloud apps. Kali365 operates as a business with admins, resellers, and affiliates, and offers two attack modes: device-code phishing and an adversary-in-the-middle “Cookie Link” that captures tokens. The FBI urges organizations to block device-code authentication flows with Conditional Access, audit usage, and report incidents to IC3, noting that device-code phishing is becoming widespread in 2026 alongside EvilTokens and Tycoon2FA.

Overview

The security landscape has seen a new phishing-as-a-service platform, Kali365, that targets Microsoft 365 accounts by abusing the OAuth device code authentication flow. The operation is designed to steal session tokens and bypass multi-factor authentication, enabling attackers to access sensitive data across cloud applications tied to a user’s single sign-on. The FBI’s public alert describes Kali365 as a turnkey toolset that lowers the barrier to compromise for a wide range of threat actors, from low-skill operators to organized groups.

Emergence and distribution

Kali365 first appeared in April 2026 and quickly established distribution channels through messaging platforms used by criminals. Telegram channels have been identified as a primary route for sharing the service, tutorials, and related infrastructure. This mode of distribution reflects a broader trend in which phishing tooling is packaged as accessible services, allowing non-technical actors to deploy sophisticated campaigns with relatively little effort.

How Kali365 works: device code phishing and OAuth 2.0

At the heart of Kali365 is device code phishing, which exploits Microsoft’s legitimate OAuth 2.0 Device Authorization grant flow. The device code flow is intended for devices with limited input capabilities—such as smart TVs, conference systems, and printers—and directs users to a login portal (the Microsoft device login page) to authorize the device using a short code. In the Kali365 campaigns, attackers lure victims to enter a device code on a phishing page that mirrors the official Microsoft portal. Once the victim enters the code and completes any required MFA, Microsoft issues an OAuth access token, granting the attacker broad access to the user’s account without further MFA challenges.

Historical context

Security researchers have previously documented device-code abuse in related campaigns. In February, reports highlighted extortion gangs targeting Microsoft Entra accounts through device-code phishing and social engineering. The attackers initiated the device authorization themselves, tricked victims into submitting the code, and then leveraged MFA completions to obtain access tokens. This history helps explain why Kali365’s deployment is especially dangerous, as it enables attackers to access a user’s mailbox, permissions, and connected SaaS services through a single compromised identity.

Campaign dynamics and attacker capabilities

Kali365 campaigns emphasize automation and scale. The platform offers features that appeal to criminals, including:
- AI-generated phishing lures to improve engagement and success rates
- Automated campaign templates enabling rapid deployment
- Real-time dashboards for victim tracking and campaign monitoring
- Token-capture functionality to retrieve session tokens after successful login and MFA
Attack flow and impact

In typical Kali365 intrusions, threat actors initiate the device authorization process themselves to generate a code. They then direct targets to a phishing page where the victim enters the code and solves MFA. The resulting OAuth access token gives attackers access to the user’s Microsoft 365 environment and any other integrated SaaS services accessible via the same SSO session. Once inside, attackers can read emails, access calendars, and interact with a range of cloud-based tools, potentially compromising data across multiple platforms beyond Microsoft 365.
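The FBI’s guidance is to block the device code flow with Conditional Access and to audit its use. The following is an added example (not code from the FBI alert or any vendor) showing how such an audit could be run over Entra sign-in log events: it flags device-code sign-ins that are not from an allowlisted device-flow app, that were issued to an IP outside hypothetical corporate ranges, or that had no Conditional Access policy applied. The events, the allowlist and the IP prefixes are all constructed for the example; the field names follow the Microsoft Graph signIn resource, where the device authorization grant is recorded with authenticationProtocol set to "deviceCode".

```python
import json

# Constructed sample Entra ID sign-in events (not real telemetry).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.10", "appDisplayName": "Office 365 Exchange Online",
     "conditionalAccessStatus": "success"},
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "appDisplayName": "Microsoft Office",
     "conditionalAccessStatus": "notApplied"},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.22", "appDisplayName": "Conference Room Display",
     "conditionalAccessStatus": "success"},
]

# Hypothetical allowlist: apps the organization knowingly uses with the device code flow.
KNOWN_DEVICE_FLOW_APPS = {"Conference Room Display"}
# Hypothetical corporate egress ranges; a token issued to any other IP is unfamiliar.
CORPORATE_PREFIXES = ("203.0.113.",)


def audit_device_code(signins, known_apps=KNOWN_DEVICE_FLOW_APPS,
                      corp_prefixes=CORPORATE_PREFIXES):
    """Return one finding per device-code sign-in that breaks an expected pattern.

    Each finding carries the list of reasons it was flagged so an analyst can
    triage it without re-reading the raw event.
    """
    findings = []
    for ev in signins:
        if ev.get("authenticationProtocol") != "deviceCode":
            continue  # only the device authorization grant is of interest here
        reasons = []
        if ev.get("appDisplayName") not in known_apps:
            reasons.append("app not on device-flow allowlist")
        if not ev.get("ipAddress", "").startswith(corp_prefixes):
            reasons.append("token issued to an unfamiliar IP")
        if ev.get("conditionalAccessStatus") != "success":
            reasons.append("no Conditional Access policy applied")
        if reasons:
            findings.append({"user": ev["userPrincipalName"],
                             "ip": ev["ipAddress"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_device_code(SAMPLE_SIGNINS):
        print(json.dumps(finding))
```

Running it over the constructed events reports only the second entry, since the conference-room display matches every expected pattern.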
Kali365’s operational model and attack modes

Arctic Wolf researchers documented Kali365 operating as a structured business with distinct roles:
- Admins who manage product development and infrastructure
- Resellers who promote the service to other threat actors
- Affiliates who directly carry out phishing campaigns against targets
The platform reportedly supports two primary attack modes:
1) Device code phishing, the classic method described above that exploits the device authorization flow
2) Adversary-in-the-middle (AitM) mode, colloquially referred to as “Cookie Link,” which routes victims through attacker-controlled infrastructure to capture authenticated sessions. In this mode, the attacker can harvest session cookies and tokens after login and MFA, extending access and enabling stealthy persistence.
Notable findings from the Arctic Wolf investigation
- Kali365 campaigns have been observed targeting Microsoft 365 environments through phishing emails that direct victims to the device login portal.
- Victims’ authorizations allow attackers to access mailboxes and other services; attackers often set up inbox rules to conceal their activity.
- In some cases, attackers registered new devices within the victim’s Microsoft environment to widen their foothold and move laterally.
- The operation is described as having a multi-layer structure, with administrators, promoters, and campaign operators coordinating to maximize reach and impact.
Related platforms and ecosystem context

Kali365 is part of a broader ecosystem of device-code phishing tools and services that emerged in 2026. Other notable examples include EvilTokens, a PhaaS that leverages device-code phishing to compromise Microsoft accounts, and Tycoon2FA, which also targets Microsoft 365 and Entra accounts via similar techniques. Together, these tools illustrate a shift toward commoditized phishing capabilities that bypass strong authentication barriers and enable rapid, widespread compromise.

Visual and contextual references

The ongoing coverage around Kali365 includes public discussions of device code authentication forms and related phishing pages. Visuals commonly show the device login form, phishing banners designed to resemble Microsoft’s official portal, and dashboards used by operators to monitor campaigns. These elements help explain how attackers create convincing impersonations and streamline the credential-grab process.

Closing context

The Kali365 phenomenon underscores a broader shift in phishing campaigns toward abusing legitimate authentication mechanisms rather than simply stealing passwords. By leveraging device code flows and malicious “Cookie Link” pathways, attackers gain stealthy, scalable access to a broad range of cloud services. The FBI’s alert and independent research emphasize the importance of recognizing device-code phishing as a credible threat vector in 2026, with campaigns designed to exploit the trust users place in standard enterprise authentication processes. As organizations continue to migrate to cloud-based identity ecosystems, Kali365 serves as a reminder of the evolving tactics used by criminal actors to bypass layered defenses and extract sensitive data from Microsoft Entra, Microsoft 365, and allied platforms.