How Kali365 hijacks Microsoft 365 via OAuth device codes
Kali365 exploits Microsoft's OAuth 2.0 Device Authorization grant flow — the mechanism designed to let devices with limited input (smart TVs, conference-room systems, streaming devices, printers, IoT devices) authenticate by having a user enter a short code at Microsoft’s device code login portal, http://microsoft.com/devicelogin. Threat actors initiate the device authorization process themselves to generate a code, then trick targets into entering it via phishing and social engineering. Once the victim enters the code and completes multi-factor authentication (MFA), Microsoft issues an OAuth access token that grants the attacker full access to the victim’s Microsoft Entra and Microsoft 365 account without the attacker solving any further MFA challenges.
Kali365’s features and business model
The FBI describes Kali365 as a phishing-as-a-service (PhaaS) platform distributed via Telegram channels. According to the advisory, the service packages advanced capabilities that lower the skill required for account takeovers: AI-generated phishing lures, automated campaign templates, real-time victim-tracking dashboards, and token-capture functionality. Security researchers at Arctic Wolf reported Kali365 operates like a business, with administrators handling product development, resellers promoting the service, and affiliates conducting phishing campaigns.
Two attack modes: device code phishing and "Cookie Link"
Arctic Wolf and the FBI say Kali365 offers two distinct modes. The primary mode abuses device-code authentication as described above. The second is an adversary-in-the-middle (AitM) mode called "Cookie Link," which proxies victims through attacker-controlled infrastructure, captures authenticated browser sessions, and harvests session cookies and tokens after targets log in and complete MFA. Those captured tokens and cookies can be used to impersonate users and access cloud resources tied to their single-sign-on privileges.
Observed campaign activity and consequences
Arctic Wolf reported a widespread campaign in April that targeted organizations worldwide. The campaigns mainly used phishing emails to steer victims to Microsoft's device code portal; after authorization, attackers accessed mailboxes and created malicious inbox rules intended to hide their activity. In some incidents, attackers also registered new devices in victims' Microsoft environments, extending their foothold. BleepingComputer earlier reported that extortion gangs, including the ShinyHunters cybercrime group, were using device-code and voice phishing to target Microsoft Entra accounts.
FBI mitigation recommendations
The FBI recommends several concrete steps organizations can take to blunt these attacks. Where possible, organizations should restrict or completely block device code authentication flows using Conditional Access policies, audit existing device code usage, and block authentication transfer policies that allow authentication sessions to move between devices. The agency also urged impacted organizations to report incidents to the Internet Crime Complaint Center and to preserve phishing emails, suspicious login information, and records of unauthorized device registrations.
What this means for security teams, enterprises, and end users
- Security teams: Prioritize Conditional Access controls and audits that identify and block device code flows and authentication transfer policies, and monitor for new device registrations and mailbox rules indicative of post-compromise activity.
- Enterprises and procurement leaders: Expect phishing-as-a-service models like Kali365 to be distributed and promoted through reseller and affiliate ecosystems; review vendor and access policies to limit high-risk sign-in flows and require logging and retention for device registrations and token-related events.
- End users and general staff: Be cautious when prompted to enter short codes at http://microsoft.com/devicelogin or similar portals after unsolicited requests; social engineering that requests code entry can grant attackers persistent access even after MFA appears to have succeeded.
Device code phishing is no longer a niche technique: the FBI notes that it has seen widespread adoption in 2026 and that other PhaaS and tools — including EvilTokens PhaaS and Tycoon2FA — are using the same approach to compromise Microsoft 365 and Entra accounts. The practical consequence is clear: a legitimate convenience flow intended for devices with limited input is being repurposed as an access vector, and the defenses the FBI recommends (Conditional Access policy changes, audits, and preservation and reporting of evidence) are the immediate levers organizations can pull.
Whether organizations will move quickly to restrict device-code flows without disrupting legitimate device scenarios is the operational question the advisory leaves squarely to defenders. For now, the record is stark: Kali365 packages token-capture and AitM techniques into a marketplace product, and the FBI and Arctic Wolf’s observations show the model works in practice.
Source: BleepingComputer — FBI warns of Kali365 phishing service targeting Microsoft 365 accounts




