Introduction

The FBI’s Internet Crime Complaint Center (IC3) has issued a public warning regarding an emerging phishing-as-a-service (PhaaS) platform known as “Kali365,” which is being used to compromise Microsoft 365 accounts through device code phishing, an abuse of the OAuth 2.0 device authorization grant that hands the attacker the victim’s access and refresh tokens.

According to the FBI advisory, Kali365 enables threat actors to bypass multi-factor authentication (MFA) protections without ever handling the victim’s password. Instead, attackers abuse a legitimate Microsoft authentication workflow: the victim signs in and completes MFA on Microsoft’s own login page, but the session that results is issued to a client the attacker controls.

The platform reportedly surfaced in April 2026 and is being distributed primarily through Telegram channels, significantly lowering the technical barrier for cybercriminals seeking to conduct enterprise-focused phishing campaigns.

The campaign highlights the growing shift from credential theft toward session hijacking and identity-token abuse, particularly against cloud-first organizations heavily reliant on Microsoft 365 services such as Outlook, Teams, SharePoint, and OneDrive.

Technical Analysis

Kali365 leverages the OAuth 2.0 device authorization grant (RFC 8628), which Microsoft Entra ID exposes as the device code flow, a legitimate authentication mechanism designed for devices with limited browser functionality.

In a typical device code authentication process, the client application requests a device code from the identity provider and shows the user a short user code. The user is instructed to visit a legitimate Microsoft verification page (https://microsoft.com/devicelogin), enter the code, and sign in; meanwhile the client polls Microsoft’s token endpoint until the sign-in is approved. The workflow itself is legitimate and commonly used for smart TVs, IoT devices, and command-line applications.

Threat actors operating Kali365 abuse this mechanism by requesting device codes from Microsoft with a client they control and embedding the resulting user codes in phishing emails impersonating Microsoft services or cloud collaboration platforms.

Victims are instructed to visit the legitimate Microsoft authentication portal and enter the provided code. The page does not show who requested it. Once the victim signs in and approves the request, the attacker’s client, which has been polling the token endpoint with the matching device code, receives OAuth access and refresh tokens for the victim’s account.
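The exchange described above, as an added example that is not part of the FBI advisory and not Kali365 code: a Python mock of the RFC 8628 device authorization grant using Microsoft’s public endpoint URLs, parameter names and error codes, with an attacker-side client that requests a code and polls for tokens, and a victim who approves the code on the genuine verification page. The authorization server is a constructed in-memory stand-in (the tokens it issues are random strings and the issued_to field exists only for the demonstration); the client ID, scope string and user names are assumptions.

```python
"""Mock of the OAuth 2.0 device authorization grant (RFC 8628) as Microsoft
Entra ID exposes it, to show why the tokens end up with the attacker.

Added example for this article. Not Kali365 code and not Microsoft's
implementation: the endpoint URLs, parameter names and error codes follow the
public Entra v2.0 endpoints, but the authorization server below is a
constructed in-memory stand-in and the tokens it issues are random strings.
"""
import secrets
import string
import time

DEVICECODE_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/devicecode"
TOKEN_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/token"
DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"
VERIFICATION_URI = "https://microsoft.com/devicelogin"


class MockAuthorizationServer:
    """Stand-in for the identity provider. Entra device codes expire after
    900 seconds and clients are told to poll the token endpoint every 5 s."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self._pending = {}  # device_code -> request state

    def devicecode(self, client_id, scope):
        """Models POST to the /devicecode endpoint. The client that calls this
        is the one that later receives the tokens, whoever approves the code."""
        device_code = secrets.token_urlsafe(32)
        alphabet = string.ascii_uppercase + string.digits
        user_code = "".join(secrets.choice(alphabet) for _ in range(9))
        self._pending[device_code] = {
            "user_code": user_code, "client_id": client_id, "scope": scope,
            "expires": self.clock() + 900, "approved_by": None,
        }
        return {
            "device_code": device_code, "user_code": user_code,
            "verification_uri": VERIFICATION_URI, "expires_in": 900, "interval": 5,
            "message": (f"To sign in, use a web browser to open the page "
                        f"{VERIFICATION_URI} and enter the code {user_code} to authenticate."),
        }

    def user_approves(self, user_code, upn):
        """The victim enters the code on the genuine verification page, signs in
        and completes MFA. Nothing on that page reveals who requested the code."""
        for entry in self._pending.values():
            if entry["user_code"] == user_code and self.clock() < entry["expires"]:
                entry["approved_by"] = upn
                return True
        return False

    def token(self, grant_type, client_id, device_code):
        """Models POST to the /token endpoint, polled by the requesting client."""
        if grant_type != DEVICE_CODE_GRANT:
            return {"error": "unsupported_grant_type"}
        entry = self._pending.get(device_code)
        if entry is None or entry["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if self.clock() >= entry["expires"]:
            del self._pending[device_code]
            return {"error": "expired_token"}
        if entry["approved_by"] is None:
            return {"error": "authorization_pending"}
        del self._pending[device_code]
        return {
            "token_type": "Bearer", "scope": entry["scope"], "expires_in": 3600,
            "access_token": "eyJ." + secrets.token_urlsafe(24),
            # offline_access in the requested scope is what yields a refresh token
            "refresh_token": secrets.token_urlsafe(48) if "offline_access" in entry["scope"] else None,
            "issued_to": entry["approved_by"],  # mock-only field for the demonstration
        }


def run_device_code_phish(server, client_id, deliver_lure, max_polls=3):
    """Attacker side: request a code, put only the user code and the genuine
    Microsoft URL in the lure, then poll for the victim's tokens."""
    dc = server.devicecode(client_id, "openid profile offline_access https://graph.microsoft.com/.default")
    deliver_lure(dc["user_code"], dc["verification_uri"])  # the phishing email carries only these two values
    for _ in range(max_polls):
        resp = server.token(DEVICE_CODE_GRANT, client_id, dc["device_code"])
        if resp.get("error") != "authorization_pending":
            return resp  # tokens, or a terminal error such as expired_token
    return {"error": "gave_up"}
```

Note what the lure contains: a nine-character code and https://microsoft.com/devicelogin, nothing else. The attacker never sees a password, and the refresh token only appears because offline_access was in the scope the attacker chose.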

This approach is particularly dangerous because:

  • The authentication occurs on legitimate Microsoft infrastructure.
  • MFA challenges are successfully completed by the victim.
  • No password interception is required.
  • Traditional phishing indicators may be absent.
  • Access tokens already issued stay valid until they expire (typically about an hour), and a password reset does not by itself revoke every refresh token in every configuration, so attacker access can survive a reset.

Once the tokens are obtained, attackers can use the refresh token to keep minting new access tokens for Microsoft 365 services until that refresh token is revoked or expires, so persistence lasts as long as the organization fails to revoke it.

The FBI states that Kali365 includes several enterprise-grade operational capabilities, including:

  • AI-generated phishing lure creation
  • Automated phishing campaign templates
  • Real-time victim interaction dashboards
  • OAuth token harvesting modules
  • Campaign analytics and monitoring

This operational maturity reflects the continued industrialization of phishing ecosystems, where sophisticated tooling is increasingly accessible to low-skilled threat actors.

Affected Systems

The campaign primarily targets organizations using Microsoft 365 cloud services, including:

  • Microsoft Outlook
  • Microsoft Teams
  • OneDrive
  • SharePoint Online
  • Exchange Online
  • Azure Active Directory / Microsoft Entra ID

Organizations with federated authentication environments or permissive OAuth authorization policies may face elevated risk.

High-value enterprise users are likely priority targets, including:

  • Executives
  • Finance departments
  • Cloud administrators
  • Help desk personnel
  • Legal teams
  • Managed service providers (MSPs)

Attack Method and Threat Activity

The Kali365 attack chain closely resembles device code phishing campaigns previously associated with advanced threat groups and cloud-focused cybercriminal operations.

The general attack sequence includes:

  1. Delivery of phishing emails impersonating trusted Microsoft or collaboration services.
  2. Social engineering instructions directing users to authenticate using a provided device code.
  3. Victim completion of the legitimate Microsoft sign-in and MFA prompt for the attacker’s code.
  4. Receipt of the victim’s access and refresh tokens by the attacker’s polling client.
  5. Persistent access to cloud services via the refresh token, without the victim’s password ever being captured.

Because attackers leverage legitimate Microsoft infrastructure, traditional URL filtering and phishing detection solutions may struggle to identify malicious activity.

Additionally, since the only link in the lure points to a genuine Microsoft domain and the victim signs in on a genuine Microsoft page, user suspicion may be significantly reduced.

The FBI advisory also notes that Kali365 distribution occurs primarily through Telegram-based cybercrime communities, reflecting the growing commercialization of cloud-account takeover tooling.

Detection Opportunities

Security operations teams should prioritize detection engineering around OAuth device code authentication anomalies and suspicious token activity.

Potential detection opportunities include:

  • Unexpected device code authentication requests
  • OAuth authorizations originating from unfamiliar geolocations
  • Abnormal token issuance events
  • High-volume OAuth consent approvals
  • Entra ID sign-in entries that complete the device code flow from an IP address or client application the user has not used before
  • Concurrent sessions from geographically impossible locations
  • New device registrations tied to privileged users

Microsoft Entra ID logs should be integrated into SIEM platforms for behavioral analytics and threat hunting workflows.

SOC teams should specifically monitor:

  • Device code authentication events (the authenticationProtocol field of the Microsoft Graph signIn resource reports deviceCode for this flow)
  • Token refresh anomalies
  • Suspicious OAuth application grants
  • Abnormal mailbox access patterns
  • Unauthorized Teams session activity

Threat hunters may also look for indicators of adversary persistence through refresh token reuse and anomalous API activity against Microsoft Graph.
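The detection logic from both lists above, run over constructed sample sign-in records, as an added example that is not from the advisory or any vendor: it filters for device code sign-ins using the authenticationProtocol field of the Microsoft Graph signIn resource, computes impossible travel between consecutive sign-ins per user, and combines the two signals into a triage list. The records, user names, IP addresses and the 900 km/h speed threshold are constructed assumptions to tune per tenant.

```python
"""Detection logic for device code phishing over Entra ID sign-in records.

Added example for this article, not from the FBI advisory or any vendor.
The records below are constructed inline and shaped like the Microsoft Graph
signIn resource (createdDateTime, userPrincipalName, appDisplayName,
authenticationProtocol, ipAddress, location.countryOrRegion,
location.geoCoordinates). "deviceCode" as the authenticationProtocol value
follows that resource's enum; the speed threshold is an assumption.
"""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

SAMPLE_SIGNINS = [  # constructed data, not real telemetry
    {"createdDateTime": "2026-05-04T08:02:11Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Office 365 Exchange Online", "authenticationProtocol": "none",
     "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "DE", "geoCoordinates": {"latitude": 52.52, "longitude": 13.40}}},
    {"createdDateTime": "2026-05-04T08:40:27Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.77",
     "location": {"countryOrRegion": "BR", "geoCoordinates": {"latitude": -23.55, "longitude": -46.63}}},
    {"createdDateTime": "2026-05-04T09:15:02Z", "userPrincipalName": "bob@example.com",
     "appDisplayName": "Microsoft Teams", "authenticationProtocol": "none",
     "ipAddress": "203.0.113.22",
     "location": {"countryOrRegion": "DE", "geoCoordinates": {"latitude": 52.52, "longitude": 13.40}}},
    {"createdDateTime": "2026-05-04T11:48:40Z", "userPrincipalName": "bob@example.com",
     "appDisplayName": "Office 365 SharePoint Online", "authenticationProtocol": "none",
     "ipAddress": "203.0.113.22",
     "location": {"countryOrRegion": "DE", "geoCoordinates": {"latitude": 52.52, "longitude": 13.40}}},
]


def parse_time(value):
    """Graph timestamps end in Z; fromisoformat wants an explicit offset."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def device_code_signins(records):
    """Every sign-in completed through the device code flow. In most tenants
    this should be a short list limited to known CLI and headless-device users."""
    return [r for r in records if r.get("authenticationProtocol") == "deviceCode"]


def impossible_travel(records, max_kmh=900.0):
    """Consecutive sign-ins per user whose implied travel speed exceeds max_kmh."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["userPrincipalName"]].append(r)
    hits = []
    for upn, events in by_user.items():
        events.sort(key=lambda r: parse_time(r["createdDateTime"]))
        for prev, cur in zip(events, events[1:]):
            p, c = prev["location"]["geoCoordinates"], cur["location"]["geoCoordinates"]
            km = haversine_km(p["latitude"], p["longitude"], c["latitude"], c["longitude"])
            delta = parse_time(cur["createdDateTime"]) - parse_time(prev["createdDateTime"])
            hours = delta.total_seconds() / 3600
            if km > 0 and (hours == 0 or km / hours > max_kmh):
                hits.append({"userPrincipalName": upn, "km": round(km), "hours": round(hours, 2),
                             "from": prev["location"]["countryOrRegion"],
                             "to": cur["location"]["countryOrRegion"],
                             "viaDeviceCode": cur.get("authenticationProtocol") == "deviceCode"})
    return hits


def triage(records):
    """Combine both signals: a device code sign-in that also breaks the user's
    travel pattern is the strongest indicator of a phished authorization."""
    travel_users = {h["userPrincipalName"] for h in impossible_travel(records)}
    return [
        {"userPrincipalName": r["userPrincipalName"], "app": r["appDisplayName"],
         "ipAddress": r["ipAddress"],
         "severity": "high" if r["userPrincipalName"] in travel_users else "medium"}
        for r in device_code_signins(records)
    ]
```

In production the same filters translate directly to a query on the sign-in logs exported to the SIEM; the value of the device code filter is that the flow is rare enough in most tenants that every hit deserves a look, while the travel check separates a legitimate CLI user from an approval that landed in an attacker’s client elsewhere.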

Mitigation Recommendations

Organizations should immediately review Microsoft 365 authentication configurations and harden OAuth authorization workflows.

Recommended defensive measures include:

  • Block the device code flow with a Conditional Access policy using the “Authentication flows” condition for all users and applications, excluding only the accounts that operationally require it
  • Implement Conditional Access Policies
  • Enforce phishing-resistant MFA methods such as FIDO2 security keys, noting that they do not by themselves stop device code phishing, because the victim genuinely authenticates to Microsoft; the flow must also be blocked or tightly scoped
  • Require compliant or managed devices for cloud access
  • Monitor and restrict third-party OAuth application consent
  • Review existing OAuth grants regularly
  • Implement session risk scoring and anomaly detection
  • Shorten access token lifetimes where possible and set a Conditional Access sign-in frequency so a stolen refresh token forces re-authentication sooner
  • Enable continuous access evaluation controls
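A posture check for the first recommendation, added here and not Microsoft tooling: two constructed Conditional Access policy documents in the shape of the Graph conditionalAccessPolicy resource, one report-only with a group exclusion (the weak setting) and one enforced for all users and apps (the corrected one), plus an audit function that reports whether the device code flow is actually blocked and where the gaps are. The policy names, group and account IDs are constructed assumptions, and the evaluation rules are this example’s reading of the schema, to be verified against a live export (GET /identity/conditionalAccess/policies).

```python
"""Posture check: does Conditional Access actually block the device code flow?

Added example for this article, not Microsoft tooling. The policy documents
are constructed inline in the shape of the Microsoft Graph
conditionalAccessPolicy resource (state, conditions.users,
conditions.applications, conditions.authenticationFlows.transferMethods,
grantControls.builtInControls). Feed the real function the output of
GET /identity/conditionalAccess/policies; the rules below are an assumption
about how the schema should be read and are the part to verify per tenant.
"""

# Weak: the policy exists but only reports, and carves out a whole group.
REPORT_ONLY_POLICY = {
    "displayName": "CA010 - Device code flow (report-only)",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": ["it-admins-group-id"]},
        "applications": {"includeApplications": ["All"]},
        "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

# Corrected: enforced for all users and all apps, with one break-glass exclusion.
ENFORCED_POLICY = {
    "displayName": "CA010 - Block device code flow",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": ["breakglass-account-id"], "excludeGroups": []},
        "applications": {"includeApplications": ["All"]},
        "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

# Unrelated MFA policy, included to show that it is ignored by the audit.
MFA_POLICY = {
    "displayName": "CA001 - Require MFA",
    "state": "enabled",
    "conditions": {"users": {"includeUsers": ["All"]}, "applications": {"includeApplications": ["All"]}},
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}


def targets_device_code(policy):
    """True when the policy's authentication flows condition names the device
    code flow and its grant control is block. transferMethods is a
    comma-separated string, e.g. "deviceCodeFlow,authenticationTransfer"."""
    flows = (policy.get("conditions") or {}).get("authenticationFlows") or {}
    methods = [m.strip() for m in (flows.get("transferMethods") or "").split(",")]
    controls = (policy.get("grantControls") or {}).get("builtInControls") or []
    return "deviceCodeFlow" in methods and "block" in controls


def audit_device_code_block(policies):
    """Report whether an enforced policy blocks the flow for all users and all
    apps, and list report-only, disabled and partially scoped policies plus
    the users and groups carved out of the enforcing ones."""
    result = {"blocked": False, "enforcing": [], "report_only": [], "disabled": [],
              "partial_scope": [], "excluded_users": [], "excluded_groups": []}
    for policy in policies:
        if not targets_device_code(policy):
            continue
        name = policy["displayName"]
        state = policy.get("state")
        if state == "enabledForReportingButNotEnforced":
            result["report_only"].append(name)
            continue
        if state != "enabled":
            result["disabled"].append(name)
            continue
        users = policy["conditions"].get("users", {})
        apps = policy["conditions"].get("applications", {})
        if users.get("includeUsers") != ["All"] or apps.get("includeApplications") != ["All"]:
            result["partial_scope"].append(name)
            continue
        result["enforcing"].append(name)
        result["blocked"] = True
        result["excluded_users"].extend(users.get("excludeUsers", []))
        result["excluded_groups"].extend(users.get("excludeGroups", []))
    return result
```

Every entry in excluded_users and excluded_groups is an account that can still be phished this way, so the audit output doubles as the list of identities that need the tighter monitoring described above.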

User awareness training should also be updated to specifically address device code phishing attacks, emphasizing that legitimate authentication pages can still be abused for malicious purposes.

Incident response teams should ensure procedures exist for:

  • OAuth token revocation (for example, revoking the user’s refresh tokens and session cookies with the Microsoft Graph revokeSignInSessions action, after which only already-issued access tokens remain valid until they expire)
  • Session invalidation
  • Conditional Access lockdowns
  • Cloud identity compromise investigations
  • Microsoft Graph activity analysis

Business Impact

Kali365 demonstrates how modern phishing campaigns increasingly target identity infrastructure rather than traditional credentials.

Compromise of Microsoft 365 environments can provide attackers with immediate access to sensitive enterprise communications, intellectual property, financial documents, internal collaboration channels, and cloud storage repositories.

Because OAuth token abuse can bypass conventional MFA protections, organizations relying solely on MFA without identity-aware monitoring may have a false sense of security.

The attack model also creates significant challenges for incident response teams because password resets alone may not fully terminate attacker access if active refresh tokens remain valid.

For managed service providers and enterprises with extensive cloud integrations, token compromise may additionally expose downstream SaaS ecosystems and third-party applications.

Final Summary

The FBI’s warning on Kali365 underscores the continued evolution of phishing operations toward cloud identity abuse and OAuth token hijacking.

By abusing legitimate Microsoft authentication workflows, attackers can bypass traditional credential theft defenses and maintain persistent access to enterprise environments with minimal technical complexity.

The emergence of turnkey phishing-as-a-service platforms incorporating AI-generated lures and automated token harvesting further demonstrates the rapid professionalization of cybercrime ecosystems.

Organizations using Microsoft 365 should immediately review device code authentication exposure, strengthen Conditional Access controls, and expand monitoring around OAuth token activity to reduce the risk of identity-based cloud compromise.