“Kali365 lowers the barrier of entry, providing less-technical attackers access to AI-generated phishing lures, automated campaign templates, real-time targeted individual/entity tracking dashboards, and OAuth token capture capabilities,” the FBI warned in a public service announcement Thursday.
Kali365 and the FBI’s characterization of the threat
The FBI describes Kali365 as a rapidly growing phishing-as-a-service platform that retrieves Microsoft 365 access tokens. According to the agency, the toolkit bypasses multi-factor authentication and abuses OAuth device code authorizations via phishing lures that impersonate common enterprise services. When successful, the technique links cybercriminal-controlled applications to legitimate Microsoft 365 accounts and exposes victims to follow-on malicious activity including data theft, fraud, extortion and ransomware attacks.
How device-code phishing differs from traditional MFA phishing
Device-code phishing platforms like Kali365 do not primarily rely on stolen passwords or intercepted second-factor codes. Instead, they prompt victims to paste a short device authorization code generated by the phishing platform. That single code completes an OAuth flow that connects a malicious application to the user’s account. The FBI and researchers note the process requires fewer steps and less interaction with the user than traditional credential-and-MFA-code phishing campaigns, and captured access and refresh tokens give attackers persistent access across multiple Microsoft services without additional password or MFA prompts.
Researcher observations: Proofpoint and Arctic Wolf Labs
Proofpoint senior threat researcher Selena Larson told CyberScoop the device-code phishing surge looks uniform: “We see quite a bit of this device-code phishing activity, but so much of it looks really similar. They’re all using the same types of lures, the same types of content, the same branding.” Larson added that the campaigns are “very much AI generated, AI driven,” and that the threat actors appear to be finding them effective. Proofpoint researchers observed seven device-code phishing tools that looked nearly identical during a 10-day period “last month.”
Arctic Wolf Labs has also tracked large-scale campaigns linked to Kali365 and reported details about the platform’s business model: affiliates are charged $250 for 30 days of service or $2,000 for a full year. Arctic Wolf researchers said Kali365 stores the OAuth access and refresh tokens it captures and makes those tokens available to affiliates on its platform; those tokens can also be shared and reused by other cybercriminals who did not participate in the initial lure.
Distribution, features, and monetization of Kali365
The FBI reported Kali365 came online by April and was primarily distributed on Telegram. The agency’s announcement described a package of capabilities that lowers the technical barrier for less-skilled attackers: AI-generated phishing lures, automated campaign templates, real-time targeting and tracking dashboards, and OAuth token capture. The affiliate pricing and token-sharing model reported by Arctic Wolf mean captured tokens can be circulated and reused beyond the original phishing campaign’s participants.
What this means for technologists, procurement leaders, and end users
- Technologists and security teams will be watching for abuse of OAuth device authorization flows and the appearance of persistent Microsoft 365 access tokens that permit movement across services without further MFA prompts.
- Procurement leaders and defenders should note the low barrier to entry created by an affiliate model priced at $250 per month or $2,000 per year, which can broaden the pool of attackers using a turnkey platform distributed on Telegram.
- End users and administrators will face a slightly different social-engineering pattern: rather than entering credentials and MFA codes, victims are asked to copy-and-paste a device code—an action that, according to the FBI and researchers, is sufficient to grant attackers OAuth access to accounts.
Conclusion
The FBI’s public service announcement and corroborating researcher reports portray Kali365 as part of a broader surge in device-code phishing that accelerated after February and was active by April. The combination of AI-generated lures, streamlined OAuth flows, a subscription affiliate model, and token storage and sharing creates a practical mechanism for attackers to gain persistent Microsoft 365 access without traditional credential theft. The core, concrete question the record leaves is operational: with tokens captured, stored and potentially reused across multiple criminals, who and how will monitor, block or remediate the ongoing reuse of those tokens in live environments?
Original reporting: https://cyberscoop.com/fbi-phishing-kali365-microsoft365-access-tokens/




