top of page

FBI Alert: Kali365 Phishing Kit Rapidly Targeting Microsoft 365 Users

  • May 22
  • 3 min read

Key Findings


  • FBI issued public service announcement about Kali365, a phishing-as-a-service platform targeting Microsoft 365 users since April 2026

  • Platform bypasses multi-factor authentication by abusing OAuth device code authorization flows

  • Kali365 lowers technical barriers for cybercriminals by providing AI-generated phishing lures, automated templates, and real-time tracking dashboards

  • Captured OAuth tokens grant persistent access to Microsoft 365 accounts, enabling data theft, fraud, extortion and ransomware

  • Device-code phishing activity exploded starting in February, with seven nearly identical tools observed in a single 10-day period

  • Platform charges $250 for 30-day access or $2,000 annually, primarily distributed via Telegram


Background


Device-code phishing represents an evolution in how threat actors bypass security controls. Rather than stealing credentials and second-factor authentication codes through traditional phishing, these platforms exploit legitimate Microsoft device authorization pages to grant malicious applications persistent account access. The technique requires fewer user interactions than older methods, making it more effective while appearing less suspicious to defenders unfamiliar with the attack vector. Arctic Wolf Labs and Proofpoint have both documented rapid growth in these tools, noting the shift coincided with widespread integration of AI-generated content and templates.


How Kali365 Works


The attack begins with phishing emails impersonating legitimate services like SharePoint, OneDrive, DocuSign, or Adobe Acrobat Sign. The message contains a device code and directs recipients to a real Microsoft verification page where they paste the code. This single action grants the attacker's application permission to access the victim's account without requiring a password or additional authentication factors.


Once authorized, Kali365 captures OAuth access and refresh tokens, which function as digital keys that keep users logged into applications. These tokens bypass multi-factor authentication entirely and remain valid for extended periods, allowing attackers sustained access to Outlook, Teams, and OneDrive. The captured tokens are stored on the Kali365 platform and made available to affiliates, who can also share them with other cybercriminals uninvolved in the original phishing campaign.


Why Device-Code Phishing is Growing


Security researchers attribute the rapid adoption of device-code platforms to their effectiveness compared to traditional credential-stealing approaches. The attack requires fewer steps, less user interaction, and victims often don't recognize it as a compromise since they're following what appears to be a legitimate authorization process on genuine Microsoft pages.


Proofpoint senior threat researcher Selena Larson noted that the tools are nearly identical, relying heavily on AI-generated phishing content and identical branding across multiple platforms. This standardization, combined with lower technical barriers for entry-level attackers, has driven explosive growth since February 2026. The emergence of seven functionally similar tools within a ten-day period last month underscores the trend's acceleration.


Kali365's Business Model


The platform operates as a subscription service priced at $250 monthly or $2,000 annually, making it accessible to less-experienced threat actors. Kali365 abstracts away technical complexity by providing ready-made components including AI-generated phishing templates, automated campaign management, real-time dashboards for tracking targets, and OAuth token capture functionality. This accessibility has proven attractive to cybercriminals seeking to lower their operational overhead while maintaining effectiveness.


The platform primarily advertises itself through Telegram channels, where operators can purchase access and begin campaigns quickly. According to Arctic Wolf researchers, realistic phishing subject lines used in active campaigns include "SharePoint – Document Shared," "OneDrive – File Shared," "Microsoft 365 – Voicemail," and "DocuSign – Signature Required."


Post-Compromise Impact


Once attackers obtain valid OAuth tokens, the damage extends far beyond simple account access. Stolen tokens provide entry points to launch follow-on attacks including data exfiltration for extortion, business email compromise schemes, account impersonation, fraud, and ransomware deployment. The persistent nature of token-based access means attackers can move through Microsoft services without triggering repeated authentication prompts, allowing them to operate undetected for extended periods.


Identity access represents particularly valuable leverage within compromised organizations, as attackers can impersonate legitimate users and move laterally across multiple services and departments.


Recommended Mitigations


The FBI and CISA recommend organizations disable or strictly limit device code authentication flows where possible. IT teams should implement robust monitoring and logging of device code usage, establish strict conditional access policies, and block authentication transfer policies that allow credentials to move between devices.


Organizations must balance security with operational needs by maintaining emergency access accounts to prevent lockouts. Ongoing monitoring and user education about device-code phishing lures remain critical defensive measures until widespread adoption of these mitigations occurs.


Sources


  • https://cyberscoop.com/fbi-phishing-kali365-microsoft365-access-tokens/

  • https://hackread.com/fbi-kali365-phishing-service-microsoft-365-account/

Recent Posts

See All

Comments


  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page