What happened
The FBI issued an advisory on Thursday about Kali365, a Telegram-based phishing-as-a-service platform first observed in April 2026. The platform lets cybercriminals capture OAuth tokens and gain persistent access to Microsoft 365 accounts without stealing passwords or intercepting MFA credentials. Multiple cybersecurity firms reported hundreds of attacks enabled by the platform throughout April.
Kali365 works by sending phishing emails that impersonate trusted cloud productivity and document-sharing services and direct victims to Microsoft's genuine device login page. Before the email goes out, the attacker's tooling has already started a device code sign-in and received the short user code that the lure carries. When the victim enters that code and completes a normal Microsoft sign-in, MFA included, they unknowingly approve the attacker's client, and Microsoft issues the resulting OAuth access and refresh tokens to that client rather than to the victim's browser. The tokens give immediate access to Outlook, Teams, and OneDrive without a password or any further verification, and the platform stores them so they can be shared and reused.
Arctic Wolf, which investigated a large April campaign enabled by Kali365 and gained access to the platform itself, found it offered three pricing tiers ranging from $250 for 30 days to $2,000 for 365 days. The platform generates branded phishing lures impersonating Adobe, DocuSign, and SharePoint in dozens of languages, produces HTML phishing pages and emails, and offers a downloadable desktop version. In confirmed incidents, threat actors used captured tokens to access mailboxes, harvest contacts, conduct lateral phishing, watch mailboxes for keywords useful in business email compromise, and create malicious inbox rules that suppress security notifications and extend dwell time.
Who is affected
Organizations using Microsoft 365 across all sectors face exposure. The platform’s AI-generated lures, automated campaign templates, and multi-language support make it accessible to less technically skilled attackers, broadening the potential threat actor pool beyond sophisticated groups. Any employee who receives a device authorization request through what appears to be a legitimate Microsoft page is a potential target.
Why CISOs should care
Kali365 does not need to defeat MFA, because it abuses the OAuth device code flow rather than stealing credentials. The victim completes a genuine Microsoft sign-in, MFA prompt included, and from Microsoft's perspective the authentication succeeds exactly as designed; the only anomaly is that the tokens are issued to a client the attacker controls. MFA controls built to stop password-based attacks therefore provide no protection here. The captured tokens persist beyond the initial session and can be reused, shared, and applied to post-compromise activity, including inbox rule manipulation designed specifically to hide evidence of the compromise from the account owner.
The platform's professionalisation, complete with tiered pricing, multi-language support, branded lures, and a desktop client, reflects the same as-a-service commoditization trend seen in Fox Tempest, which surfaced in the same week.
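The exchange described in "What happened" and "Why CISOs should care", as an added, offline model written for this article (it is not Microsoft's code, and the verification URL, code formats and token strings are placeholders). It follows the OAuth 2.0 device authorization grant, which is what Microsoft's device login page implements, and shows the point that matters: the tokens are delivered to whichever client started the flow, not to the browser session that typed the code and passed MFA.

```python
"""Constructed, offline model of the OAuth 2.0 device authorization grant
(RFC 8628), the flow behind Microsoft's device login page. Illustrative code
written for this article, not Microsoft's implementation; the endpoint URL,
code formats and token strings are placeholders."""

import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Grant:
    client_id: str
    device_code: str
    user_code: str
    scope: str
    created: float
    approved_by: Optional[str] = None


class DeviceAuthServer:
    """Toy authorization server holding pending device-code grants in memory."""

    def __init__(self, expires_in: int = 900) -> None:
        self.expires_in = expires_in
        self.by_device_code: Dict[str, Grant] = {}
        self.by_user_code: Dict[str, Grant] = {}

    def device_authorization(self, client_id: str, scope: str) -> dict:
        """Step 1: the client (the attacker's tooling) starts the flow.
        No password, no MFA, no client secret: a public client_id suffices."""
        grant = Grant(
            client_id=client_id,
            device_code=secrets.token_urlsafe(32),
            user_code=f"{secrets.randbelow(10**9):09d}",  # short code shown to the user
            scope=scope,
            created=time.time(),
        )
        self.by_device_code[grant.device_code] = grant
        self.by_user_code[grant.user_code] = grant
        return {
            "device_code": grant.device_code,  # secret, kept by the client
            "user_code": grant.user_code,      # this is what goes into the phishing email
            "verification_uri": "https://login.example.invalid/devicelogin",  # placeholder
            "expires_in": self.expires_in,
            "interval": 5,
        }

    def verify(self, user_code: str, authenticated_user: str) -> bool:
        """Step 2: the victim, signed in (password + MFA) on the genuine
        verification page, types the user code. That approves the pending grant."""
        grant = self.by_user_code.get(user_code)
        if grant is None or time.time() - grant.created > self.expires_in:
            return False
        grant.approved_by = authenticated_user
        return True

    def token(self, client_id: str, device_code: str) -> dict:
        """Step 3: the client polls with its device_code until approval lands."""
        grant = self.by_device_code.get(device_code)
        if grant is None or grant.client_id != client_id:
            return {"error": "invalid_grant"}
        if time.time() - grant.created > self.expires_in:
            return {"error": "expired_token"}
        if grant.approved_by is None:
            return {"error": "authorization_pending"}
        # Tokens are minted for the approving user but delivered to whoever holds
        # the device_code. The browser session that passed MFA never sees them.
        tag = secrets.token_hex(8)
        return {
            "token_type": "Bearer",
            "scope": grant.scope,
            "expires_in": 3600,
            "access_token": f"at.{grant.approved_by}.{tag}",
            "refresh_token": f"rt.{grant.approved_by}.{tag}",  # lets the client renew silently
        }


def run_phish(server: DeviceAuthServer, victim: str) -> dict:
    """Walk the exchange from the attacker's side; return what the attacker ends up holding."""
    attacker_client = "phishing-kit"  # hypothetical public client id
    start = server.device_authorization(attacker_client, "Mail.ReadWrite Contacts.Read offline_access")
    # The kit now emails start["user_code"] plus the real verification URL to the victim.
    assert server.token(attacker_client, start["device_code"]) == {"error": "authorization_pending"}
    # The victim follows the lure and completes a genuine sign-in, MFA included.
    server.verify(start["user_code"], victim)
    return server.token(attacker_client, start["device_code"])


if __name__ == "__main__":
    result = run_phish(DeviceAuthServer(), "alice@contoso.example")
    print(result["access_token"], result["refresh_token"])
```

Nothing in the victim's session is forged, which is why Microsoft's logs show a successful sign-in; the useful distinguishing signal is the grant type, not a failed authentication.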
3 practical actions
- Implement Conditional Access policies that restrict token issuance to compliant, managed devices, and block the device code flow where it is not needed: OAuth tokens captured by Kali365 are requested from attacker-controlled clients. A Conditional Access policy that requires a compliant or Entra-joined device is evaluated when the token is issued or refreshed, so the attacker's unmanaged client fails the check and no token is minted. Where business processes allow it, go further and block the device code flow outright with the Conditional Access authentication flows condition, scoping any exceptions narrowly. Neither control recalls a token already in an attacker's hands, so revoke sign-in sessions for any user found to have approved a device code sign-in.
- Monitor Microsoft 365 audit logs for anomalous device code sign-ins and newly created inbox rules: The Kali365 attack chain produces detectable artifacts. Entra ID sign-in logs record the authentication protocol used, so device code sign-ins can be separated from ordinary browser sign-ins, and the unified audit log records New-InboxRule and Set-InboxRule operations. Alert on inbox rules that redirect, delete, move, or mark as read messages matching security-notification wording, especially when created shortly after a device code sign-in, and review device code sign-ins for applications, locations, or times inconsistent with the user's known behaviour.
- Train employees on device code phishing as a distinct attack pattern from credential phishing: Standard phishing training that focuses on fake login pages does not address device code flow abuse. Brief employees on the specific scenario of an unsolicited email directing them to enter a code on a Microsoft page, and have them treat any such request as a high-confidence phishing indicator even though the destination page is genuinely Microsoft's.
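The detection logic from the second action, as an added example written for this article rather than taken from any vendor product. The records are constructed to resemble exported Entra ID sign-in entries (where the authenticationProtocol field marks a device code sign-in) and Exchange Online unified audit log entries for New-InboxRule; field names follow those schemas but should be checked against your own export pipeline. It correlates each successful device code sign-in with hiding rules the same user created within a window afterwards.

```python
"""Constructed detection example: correlate device-code sign-ins with inbox-rule
creation that hides security notifications. Sample records are made up; field
names follow the Microsoft Graph signIn resource and the unified audit log but
are assumptions to verify against your own export."""

from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed Entra ID sign-in entries. "authenticationProtocol" separates a
# device-code sign-in from an ordinary browser/OAuth one.
SIGNIN_LOG: List[dict] = [
    {"createdDateTime": "2026-04-14T08:02:11Z", "userPrincipalName": "alice@contoso.example",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office",
     "ipAddress": "203.0.113.45", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-04-14T09:15:00Z", "userPrincipalName": "bob@contoso.example",
     "authenticationProtocol": "oAuth2", "appDisplayName": "Microsoft Teams",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},
]

# Constructed unified audit log entries for mailbox rule changes.
AUDIT_LOG: List[dict] = [
    {"CreationTime": "2026-04-14T08:09:40Z", "UserId": "alice@contoso.example",
     "Operation": "New-InboxRule", "ClientIP": "203.0.113.45",
     "Parameters": [{"Name": "SubjectContainsWords", "Value": "security alert;unusual sign-in"},
                    {"Name": "MarkAsRead", "Value": "True"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"}]},
    {"CreationTime": "2026-04-14T10:00:00Z", "UserId": "bob@contoso.example",
     "Operation": "New-InboxRule", "ClientIP": "198.51.100.7",
     "Parameters": [{"Name": "From", "Value": "newsletter@vendor.example"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
]

# Rule actions that keep mail out of the owner's sight, rule conditions to inspect,
# and the notification wording such rules tend to target.
HIDING_ACTIONS = {"MarkAsRead", "MoveToFolder", "DeleteMessage", "SoftDeleteMessage", "RedirectTo"}
CONDITION_FIELDS = ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords", "From")
NOTIFICATION_KEYWORDS = ("security", "alert", "suspicious", "sign-in", "password", "mfa", "unusual")


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def device_code_signins(signins: List[dict]) -> List[dict]:
    """Successful sign-ins that used the device code grant."""
    return [s for s in signins
            if s.get("authenticationProtocol") == "deviceCode"
            and s.get("status", {}).get("errorCode") == 0]


def is_hiding_rule(record: dict) -> bool:
    """True for a New-/Set-InboxRule whose conditions match security-notification
    wording and whose actions would keep the message from the user."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return False
    params: Dict[str, str] = {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}
    hides = any(action in params for action in HIDING_ACTIONS)
    conditions = " ".join(params[f].lower() for f in CONDITION_FIELDS if f in params)
    targets_notifications = any(kw in conditions for kw in NOTIFICATION_KEYWORDS)
    return hides and targets_notifications


def correlate(signins: List[dict], audits: List[dict],
              window: timedelta = timedelta(hours=24)) -> List[dict]:
    """Report every device-code sign-in at low severity; escalate to high when the
    same user created a hiding rule within `window` after the sign-in."""
    alerts: List[dict] = []
    for s in device_code_signins(signins):
        user = s["userPrincipalName"].lower()
        t0 = parse_ts(s["createdDateTime"])
        rules = [a for a in audits
                 if a.get("UserId", "").lower() == user
                 and t0 <= parse_ts(a["CreationTime"]) <= t0 + window
                 and is_hiding_rule(a)]
        alerts.append({
            "user": user,
            "severity": "high" if rules else "low",
            "signin_ip": s.get("ipAddress"),
            "app": s.get("appDisplayName"),
            "hiding_rules": rules,
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SIGNIN_LOG, AUDIT_LOG):
        print(alert["severity"], alert["user"], alert["signin_ip"], len(alert["hiding_rules"]))
```

The low-severity entry for every device code sign-in is deliberate: in most tenants that grant is rare enough that a reviewer can triage each one, and the hiding-rule match is the escalation signal rather than the only trigger. Tune the keyword list to the wording of your own security notifications.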
John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business for professional audiences.

