The FBI issued a Public Service Announcement on May 21, 2026 warning of Kali365, a Phishing-as-a-Service (PhaaS, a criminal marketplace model in which phishing kits, infrastructure, and support are rented to other attackers for a subscription fee) platform that targets Microsoft 365 users. Rather than harvesting passwords, Kali365 obtains OAuth access and refresh tokens for the victim's account by abusing a legitimate Microsoft sign-in flow, the OAuth 2.0 device authorization grant: the victim completes a genuine sign-in, MFA included, on Microsoft's own domain, and in doing so authorizes a client the attacker controls. The attacker never sees a password and never has to answer an MFA prompt, so the resulting access is credential-less and persists for the life of the refresh token. Arctic Wolf Labs first observed large-scale campaigns in April 2026; Proofpoint has tracked at least seven distinct tools using nearly identical Kali365-based techniques. Hundreds of organizations across North America and EMEA are being compromised daily.
// 01 Kali365: Technical Details
Kali365 operates as a three-tier PhaaS ecosystem distributed via Telegram, priced at $250 for 30 days or $2,000 for a full year. The platform provides admin, reseller (agent), and affiliate tiers with real-time campaign dashboards, AI-generated phishing lures in 14 languages, and automated token capture infrastructure.
The core attack mechanism is device code phishing, which abuses the OAuth 2.0 Device Authorization Grant (RFC 8628, the flow that lets input-constrained devices such as smart TVs or printers obtain tokens by having the user complete the sign-in on a second device that has a browser). The attack sequence:
- Lure delivery: The victim receives a phishing email impersonating a trusted enterprise service (Adobe Acrobat Sign, DocuSign, or SharePoint) with urgent business framing such as a contract ready for signature or an invoice awaiting review.
- Device code generation: The attacker requests a legitimate device code from Microsoft's device authorization endpoint on login.microsoftonline.com. The response carries two values: a device_code, which the attacker keeps and later presents to the token endpoint, and a short user_code, which goes into the lure. Both are produced by Microsoft's own authentication infrastructure. Device codes are short-lived (about 15 minutes), so kits typically generate the code when the victim clicks through rather than when the email is sent.
- User interaction: The email or lure page directs the victim to login.microsoftonline.com/common/oauth2/deviceauth (a genuine Microsoft URL) and tells them to enter the user_code. The victim signs in normally, including MFA, and thereby approves the client the attacker requested the code for. The device code flow needs only a public client ID, so no attacker-owned app registration and no consent prompt is required; device code phishing commonly requests codes on behalf of well-known first-party Microsoft client IDs so the approval screen shows a familiar application name.
- Token issuance: Nothing is intercepted. Kali365's polling client presents the device_code to Microsoft's token endpoint, which now returns an access token and a refresh token (a long-lived credential that obtains new access tokens without re-authenticating) directly to the attacker.
- Persistent access: The refresh token grants ongoing access to the victim's Outlook email, Microsoft Teams, OneDrive, and every other Microsoft 365 resource the client can request tokens for, without the attacker ever knowing the victim's password and without triggering MFA prompts on subsequent access.
The critical insight is that MFA is satisfied rather than defeated: the victim's MFA device is involved only in the user interaction step, which the victim completes voluntarily on the real Microsoft sign-in page under the belief they are opening a document. The tokens Microsoft then issues to the attacker's client already carry the MFA claim, and refreshing them does not re-prompt. Because the sign-in really does happen on login.microsoftonline.com, the strength of the MFA method makes no difference at this step.
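The exchange described above, reduced to an offline simulation so the roles are unambiguous. This is an added example, not Kali365 code or anything from the original page; both the "authorization server" and the attacker's client are toy stand-ins written for this article, nothing contacts Microsoft, and the client ID, victim address and lifetimes (the 15-minute device code lifetime mirrors Microsoft's public behaviour) are assumptions made for the example. The point it makes is structural: the party that requested the device code is the party that receives the tokens, regardless of who signed in, and a refresh a month later needs neither password nor MFA. The `block_device_code_for` set stands in for a Conditional Access policy so the effect of the recommended mitigation is visible in the same run.

```python
"""Offline simulation of the OAuth 2.0 Device Authorization Grant (RFC 8628) as abused
by device code phishing. Both parties are toy stand-ins constructed for this example;
nothing here contacts Microsoft. Lifetimes and endpoint names follow the public flow."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

USER_CODE_LIFETIME = 900    # Microsoft issues device codes valid for about 15 minutes
ACCESS_TOKEN_LIFETIME = 3600
VERIFICATION_URI = "https://login.microsoftonline.com/common/oauth2/deviceauth"


@dataclass
class Grant:
    client_id: str
    device_code: str                      # kept by whoever requested the code (here: the attacker)
    user_code: str                        # the short code that goes into the lure
    issued_at: float
    authorized_for: Optional[str] = None  # UPN of the user who approved it
    redeemed: bool = False


class ToyAuthorizationServer:
    """The three device-flow touchpoints of an authorization server, nothing more."""

    def __init__(self, block_device_code_for=()):
        self.grants: Dict[str, Grant] = {}
        self.refresh_tokens: Dict[str, str] = {}
        # Toy stand-in for a Conditional Access policy that blocks the device code flow for these users.
        self.block_device_code_for = set(block_device_code_for)

    def device_authorization(self, client_id, now):
        """POST /devicecode: any holder of a public client_id receives a device_code/user_code pair."""
        g = Grant(client_id, secrets.token_urlsafe(24), secrets.token_hex(4).upper(), now)
        self.grants[g.user_code] = g
        return {"device_code": g.device_code, "user_code": g.user_code,
                "verification_uri": VERIFICATION_URI, "expires_in": USER_CODE_LIFETIME}

    def user_authorizes(self, user_code, upn, mfa_completed, now):
        """/deviceauth: the USER signs in (password and MFA) and types user_code.
        The server binds the grant to that user; it neither knows nor cares who holds device_code."""
        g = self.grants.get(user_code)
        if g is None or now - g.issued_at > USER_CODE_LIFETIME:
            return "expired_token"
        if not mfa_completed:
            return "mfa_required"
        if upn in self.block_device_code_for:
            return "blocked_by_policy"
        g.authorized_for = upn
        return "ok"

    def token(self, device_code, now):
        """POST /token, grant_type=urn:ietf:params:oauth:grant-type:device_code (polled by the client)."""
        g = next((x for x in self.grants.values() if x.device_code == device_code), None)
        if g is None or g.redeemed:
            return {"error": "invalid_grant"}
        if g.authorized_for is None:
            expired = now - g.issued_at > USER_CODE_LIFETIME
            return {"error": "expired_token" if expired else "authorization_pending"}
        g.redeemed = True
        rt = secrets.token_urlsafe(32)
        self.refresh_tokens[rt] = g.authorized_for
        return {"access_token": f"at.{g.authorized_for}.{int(now)}", "refresh_token": rt,
                "expires_in": ACCESS_TOKEN_LIFETIME, "subject": g.authorized_for}

    def refresh(self, refresh_token, now):
        """POST /token, grant_type=refresh_token: a new access token with no password and no MFA prompt."""
        upn = self.refresh_tokens.get(refresh_token)
        if upn is None:
            return {"error": "invalid_grant"}
        return {"access_token": f"at.{upn}.{int(now)}", "expires_in": ACCESS_TOKEN_LIFETIME, "subject": upn}


def run_phish(victim, delay=60, block_policy=False):
    """Attacker requests a code, the lure carries only user_code, the victim approves on the real
    site after `delay` seconds, the attacker polls and later refreshes. Returns each stage's result."""
    srv = ToyAuthorizationServer(block_device_code_for=[victim] if block_policy else [])
    t0 = 1_700_000_000.0
    dc = srv.device_authorization(client_id="public-client-id-chosen-by-attacker", now=t0)
    lure = f"Your document is ready. Open {dc['verification_uri']} and enter code {dc['user_code']}."
    assert dc["device_code"] not in lure            # the victim never sees the value that yields tokens
    pending = srv.token(dc["device_code"], now=t0 + 5)
    outcome = srv.user_authorizes(dc["user_code"], victim, mfa_completed=True, now=t0 + delay)
    tokens = srv.token(dc["device_code"], now=t0 + delay + 5)
    later = srv.refresh(tokens.get("refresh_token", ""), now=t0 + 30 * 86400)   # a month later
    return {"pending": pending.get("error"), "outcome": outcome, "tokens": tokens, "later": later}


if __name__ == "__main__":
    for label, kwargs in [("victim approves within lifetime", {}),
                          ("victim too slow, code expired", {"delay": 1200}),
                          ("device code flow blocked by policy", {"block_policy": True})]:
        r = run_phish("victim@example.com", **kwargs)
        print(f"{label}: outcome={r['outcome']} token={r['tokens'].get('subject') or r['tokens']['error']} "
              f"refresh_a_month_later={r['later'].get('subject') or r['later']['error']}")
```

Running it prints three scenarios: the successful phish (tokens and a month-later refresh both bound to the victim), the expired-code case that explains why kits mint the code at click time, and the policy block, where the victim's approval is refused and the attacker's polling never leaves `authorization_pending`.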
Kali365 also supports adversary-in-the-middle (AiTM — a technique where attacker infrastructure sits between the victim and the real authentication server, relaying traffic while capturing credentials and session cookies) approaches for capturing session cookies in addition to OAuth tokens.
Post-compromise, Kali365 affiliates create malicious inbox rules (hidden email forwarding or filtering rules) to suppress Microsoft security notifications that would alert the victim to unauthorized access.
// 02 Exploitation Status and Threat Landscape
The FBI's IC3 warning notes hundreds of compromises occurring daily across affected environments. Microsoft's Tanmay Ganacharya has confirmed the scale of targeting. Proofpoint researchers describe the campaigns as "very much AI generated, AI driven" — Kali365's AI-generated lure capability allows affiliates to produce unique, contextually appropriate phishing emails at machine scale, defeating many signature-based email filtering controls.
Kali365 is one of at least seven closely related device-code phishing platforms that appeared within a 10-day window in April–May 2026, suggesting a shared codebase or rapid ecosystem adoption of the technique. This convergence indicates device code phishing has crossed from an advanced technique into mainstream cybercriminal tradecraft.
The technique is particularly dangerous because it does not require the victim to enter credentials on a fake login page — a red flag that security awareness training has historically focused on. Instead, the victim authenticates on a real Microsoft URL with a real device code. Behavioral analysis and anomaly detection on token grants are required to identify this activity, not just anti-phishing link scanning.
// 03 Who Is Affected
Organizations running Microsoft 365 in any of the following sectors have been confirmed targets:
- Manufacturing
- Education
- Government
- Insurance
- Financial Services
- Healthcare
Geographic targeting is concentrated in North America and EMEA, though the platform's multi-language support (14 languages with AI generation) makes global targeting straightforward.
Any Microsoft 365 tenant that still permits the device code flow is exposed, whatever MFA method its users have (TOTP, SMS, push notification, or even FIDO2). Phishing-resistant methods such as FIDO2 security keys and certificate-based authentication do defeat the AiTM credential-relay variant, because the authenticator binds its signature to the real origin and refuses a proxied one, but they do not stop device code phishing: the victim signs in on the genuine login.microsoftonline.com origin, with any method, and that sign-in is real. What the attacker needs is not the victim's authenticator but the victim's approval of a device code, and no MFA method prevents that. The control that removes the exposure is restricting the device code grant itself with Conditional Access.
// 04 What You Should Do Right Now
- Block device code flow with Conditional Access. In Microsoft Entra ID (formerly Azure Active Directory), create a Conditional Access policy targeting all users and all cloud apps, set the condition under Authentication flows to Device code flow (the urn:ietf:params:oauth:grant-type:device_code grant), and set the grant control to Block. Run it in report-only mode first to surface legitimate consumers of the flow (command-line sign-ins such as Azure CLI on headless hosts, Teams Rooms and similar shared devices), then exclude only those accounts or scope them to approved, managed devices. This is the single most effective mitigation against Kali365-style attacks.
- Audit recent token issuance and revoke what you do not recognize. In the Entra sign-in logs, filter on Authentication protocol = Device code and review every hit from the campaign window: who signed in, for which application, from which IP. For each affected user, revoke sessions (the Revoke sessions action in the Entra admin center, or Revoke-MgUserSignInSession in Microsoft Graph PowerShell) to invalidate the issued refresh tokens; access tokens already in the attacker's hands cannot be revoked and remain valid until they expire, typically about an hour. Also review Enterprise Applications and App registrations for recently created or consented applications and revoke suspicious grants, particularly those authorized by users who report receiving phishing emails.
- Search email logs for device code phishing lures. Look for messages that reference login.microsoftonline.com/common/oauth2/deviceauth or device.login.microsoftonline.com, and the short form microsoft.com/devicelogin, which redirects to the same page. Emails impersonating Adobe Acrobat Sign, DocuSign, or SharePoint that carry these URLs together with a short alphanumeric code are strong indicators of a Kali365 campaign; legitimate mail almost never asks a user to type a device code.
- Check for malicious inbox rules. Use Exchange Online PowerShell (Get-InboxRule -Mailbox <user>, looped over Get-Mailbox -ResultSize Unlimited to cover every mailbox) and the New-InboxRule / Set-InboxRule operations in the unified audit log in the Microsoft Purview portal to find rules that forward or redirect mail to external addresses, or that delete, move or mark as read messages matching the wording of Microsoft security notifications.
- Block known Kali365 infrastructure at the perimeter and hunt for it in proxy and firewall logs:
  - 216.203.20[.]95
  - 162.243.166[.]119
  - 199.91.220[.]111
  - Domains ending in -endpoint.com with randomized subdomains
  - User-Agent string: kali365-live/1.0.0
  Treat the IP addresses as a point-in-time snapshot and the User-Agent as trivially changeable; the durable control is blocking the device code flow itself.
- Transition high-risk users to phishing-resistant MFA, as a complement to the device code block rather than a substitute for it. FIDO2 hardware security keys (YubiKey, Google Titan) on privileged, executive and sensitive-data accounts defeat the AiTM credential-relay component of Kali365, because the key will not sign for a proxied origin. They do not stop device code phishing, where the victim signs in on the genuine Microsoft origin and approves the attacker's code; only restricting the flow does.
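The inbox-rule review and the indicator hunt above, as an added example that is not part of the original advisory. The rule objects are shaped like the output of Get-InboxRule (for example exported with ConvertTo-Json and parsed), the log format is a made-up proxy line, the internal domain example.com is an assumption, and all sample data is constructed for this page. The three IPs, the -endpoint.com suffix and the User-Agent are the advisory's indicators, re-armed from their defanged form so they can be matched.

```python
"""Post-compromise triage for two of the actions above: flag suspicious inbox rules exported
from Exchange Online and match network logs against the advisory's indicators. The rule
objects and log lines below are constructed for this example and the internal domain
(example.com) is an assumption; rule field names follow Get-InboxRule's output properties."""
import re

INTERNAL_DOMAINS = {"example.com"}   # assumption: the tenant's accepted domains

# Indicators from the advisory, re-armed from their defanged form for matching.
IOC_IPS = {"216.203.20.95", "162.243.166.119", "199.91.220.111"}
IOC_DOMAIN_SUFFIX = "-endpoint.com"
IOC_USER_AGENT = "kali365-live/1.0.0"

# Wording Microsoft's own sign-in and security alert mails carry; a rule that deletes, moves
# or marks-as-read messages matching these is the notification suppression described above.
SECURITY_NOTICE_TERMS = ("security", "unusual sign-in", "new sign-in", "sign-in activity", "microsoft account")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def _recipients(value):
    """Get-InboxRule renders recipients like '"Name" [SMTP:user@domain]'; pull the address out."""
    if not value:
        return []
    values = [value] if isinstance(value, str) else list(value)
    return [m.group(0).lower() for v in values for m in [EMAIL_RE.search(v)] if m]


def triage_inbox_rule(rule, internal_domains=INTERNAL_DOMAINS):
    """Return the reasons a rule looks malicious; an empty list means nothing suspicious."""
    reasons = []
    targets = []
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        targets += _recipients(rule.get(key))
    external = sorted({t for t in targets if t.rsplit("@", 1)[1] not in internal_domains})
    if external:
        reasons.append("forwards to external address: " + ", ".join(external))
    filters = " ".join(str(w) for key in ("SubjectContainsWords", "FromAddressContainsWords", "BodyContainsWords")
                       for w in (rule.get(key) or [])).lower()
    hides = rule.get("DeleteMessage") or rule.get("MoveToFolder") or rule.get("MarkAsRead")
    if hides and any(term in filters for term in SECURITY_NOTICE_TERMS):
        reasons.append("hides messages matching Microsoft security-notification terms")
    if not rule.get("Name", "").strip(" .,-_"):
        reasons.append("rule name is empty or punctuation only")   # '.' and '..' are common attacker rule names
    return reasons


# Constructed proxy log format for the example: <timestamp> <src_ip> <dst_host> "<user-agent>"
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) "(?P<ua>[^"]*)"$')


def match_iocs(line):
    """Return which advisory indicators a log line matches (empty list = none)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    hits = []
    if m["src"] in IOC_IPS or m["dst"] in IOC_IPS:
        hits.append("ioc-ip")
    host = m["dst"].lower()
    if host.endswith(IOC_DOMAIN_SUFFIX) and host.count(".") >= 2:   # randomized label in front of *-endpoint.com
        hits.append("ioc-domain")
    if m["ua"] == IOC_USER_AGENT:
        hits.append("ioc-user-agent")
    return hits


# Constructed sample data (not from a real tenant).
SAMPLE_RULES = [
    {"Name": "..", "Enabled": True, "ForwardTo": ['"Archive" [SMTP:archive@mail-drop.example.net]'],
     "DeleteMessage": True, "SubjectContainsWords": ["Unusual sign-in activity", "Security alert"]},
    {"Name": "Vendor invoices", "Enabled": True, "MoveToFolder": "\\Inbox\\Invoices",
     "FromAddressContainsWords": ["billing@supplier.example.com"]},
    {"Name": "Forward to manager", "Enabled": True, "RedirectTo": ['"M. Lee" [SMTP:m.lee@example.com]']},
]
SAMPLE_LOG = [
    '2026-05-22T09:14:03Z 10.20.30.40 x9k2q7.docsign-endpoint.com "kali365-live/1.0.0"',
    '2026-05-22T09:14:09Z 10.20.30.41 199.91.220.111 "Mozilla/5.0"',
    '2026-05-22T09:15:00Z 10.20.30.42 login.microsoftonline.com "Mozilla/5.0"',
]

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        print(repr(rule["Name"]), "->", triage_inbox_rule(rule) or ["clean"])
    for line in SAMPLE_LOG:
        print(line.split()[2], "->", match_iocs(line) or ["no IoC match"])
```

The first sample rule trips all three checks (external forward, suppression of security-alert subjects, and a punctuation-only name), which is the shape of the post-compromise rules the advisory describes; the other two are ordinary business rules and come back clean. The -endpoint.com check matches any host with a label in front of a domain ending in that suffix, so expect to review hits rather than block on them blindly.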
// 05 Background: Understanding the Risk
The OAuth 2.0 Device Authorization Grant (RFC 8628) was designed for a legitimate purpose: allowing "input-constrained" devices (smart TVs, printers, IoT hardware) to authenticate users without requiring the device itself to have a full browser. In the legitimate flow, a user sees a code on a TV screen and visits a URL on their phone to authorize it. Kali365 inverts this — the attacker is the "device," and the victim is unknowingly granting it authorization.
This technique predates Kali365: device code phishing has been publicly documented since at least 2021, and Microsoft Threat Intelligence described nation-state campaigns using it in 2025. What is new is the commoditization via PhaaS infrastructure, which has dramatically lowered the barrier to entry. Previously, running device code phishing campaigns required custom infrastructure and manual token management, including regenerating codes as they expired. Kali365 automates the entire pipeline: generating codes, hosting lure pages, capturing tokens, managing multi-tenant affiliate dashboards, and providing real-time targeting analytics.
The broader implication is a shift in the phishing threat model. Traditional anti-phishing defenses focus on detecting fake login pages that harvest passwords. Device code phishing never involves a fake login page — the victim authenticates on real Microsoft infrastructure. This means investments in URL reputation filtering, credential phishing detection, and even password manager auto-fill protections provide little defense against Kali365.
Identity-centric detection — monitoring OAuth token grant events, flagging device code authorizations from endpoints that haven't previously used the flow, and detecting anomalous sign-in patterns after token issuance — is the required defensive shift.
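The two detections named in that paragraph, written out as an added example over Entra sign-in records in the Microsoft Graph signIn shape (userPrincipalName, ipAddress, authenticationProtocol with the value deviceCode, appDisplayName, createdDateTime, status.errorCode). This is illustration code for this article, not a Microsoft or Kali365 artifact; the records are constructed, the users are made up, the IPs come from documentation ranges, and the 24-hour follow-up window is an assumption to tune against your own data.

```python
"""Identity-centric detection over Entra sign-in records in the Microsoft Graph signIn shape
(userPrincipalName, ipAddress, authenticationProtocol, appDisplayName, createdDateTime,
status.errorCode). The records below are constructed for this example; the IPs are
documentation ranges and the users are made up."""
from collections import defaultdict
from datetime import datetime, timedelta


def _when(rec):
    return datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))


def _succeeded(rec):
    return (rec.get("status") or {}).get("errorCode", 0) == 0


def build_baseline(history):
    """Learn from a clean historical window which users and apps already use the device code flow
    (Azure CLI on a jump host, meeting-room devices) and which IPs each user normally signs in from."""
    baseline = {"dc_users": set(), "dc_apps": set(), "user_ips": defaultdict(set)}
    for r in filter(_succeeded, history):
        baseline["user_ips"][r["userPrincipalName"]].add(r["ipAddress"])
        if r.get("authenticationProtocol") == "deviceCode":
            baseline["dc_users"].add(r["userPrincipalName"])
            baseline["dc_apps"].add(r.get("appDisplayName"))
    return baseline


def detect(recent, baseline, follow_window=timedelta(hours=24)):
    """Two detections: (1) a successful device code sign-in by a user with no history of the flow,
    (2) any later sign-in by that user, inside follow_window, from an IP outside their baseline.
    Returns (upn, reason, sign-in id) tuples in time order."""
    alerts, flagged_at = [], {}
    for r in sorted(filter(_succeeded, recent), key=_when):
        upn, ip, t = r["userPrincipalName"], r["ipAddress"], _when(r)
        if r.get("authenticationProtocol") == "deviceCode":
            if upn not in baseline["dc_users"]:
                reason = "first device code sign-in for this user"
                if r.get("appDisplayName") not in baseline["dc_apps"]:
                    reason += f" (app {r.get('appDisplayName')!r} never used the flow in this tenant)"
                alerts.append((upn, reason, r["id"]))
                flagged_at[upn] = t
            continue
        t0 = flagged_at.get(upn)
        if t0 is not None and t - t0 <= follow_window and ip not in baseline["user_ips"].get(upn, set()):
            hours = follow_window.total_seconds() / 3600
            alerts.append((upn, f"sign-in from new IP {ip} within {hours:.0f}h of the device code grant", r["id"]))
    return alerts


# Constructed sample data. 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges.
HISTORY = [
    {"id": "h1", "userPrincipalName": "alice@example.com", "createdDateTime": "2026-05-01T08:00:00Z",
     "ipAddress": "203.0.113.10", "authenticationProtocol": "oAuth2", "appDisplayName": "Office 365 Exchange Online"},
    {"id": "h2", "userPrincipalName": "bob-admin@example.com", "createdDateTime": "2026-05-02T09:30:00Z",
     "ipAddress": "198.51.100.7", "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Azure CLI"},
]
RECENT = [
    {"id": "s1", "userPrincipalName": "alice@example.com", "createdDateTime": "2026-05-22T10:02:00Z",
     "ipAddress": "203.0.113.10", "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office"},
    {"id": "s2", "userPrincipalName": "alice@example.com", "createdDateTime": "2026-05-22T12:40:00Z",
     "ipAddress": "192.0.2.44", "authenticationProtocol": "oAuth2", "appDisplayName": "Microsoft Graph"},
    {"id": "s3", "userPrincipalName": "bob-admin@example.com", "createdDateTime": "2026-05-22T11:00:00Z",
     "ipAddress": "198.51.100.7", "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Azure CLI"},
    {"id": "s4", "userPrincipalName": "alice@example.com", "createdDateTime": "2026-05-22T13:00:00Z",
     "ipAddress": "203.0.113.10", "authenticationProtocol": "oAuth2", "appDisplayName": "Microsoft Graph"},
    {"id": "s5", "userPrincipalName": "alice@example.com", "createdDateTime": "2026-05-22T10:01:00Z",
     "ipAddress": "192.0.2.44", "authenticationProtocol": "oAuth2", "appDisplayName": "Microsoft Graph",
     "status": {"errorCode": 50126}},
]

if __name__ == "__main__":
    for upn, reason, sign_in_id in detect(RECENT, build_baseline(HISTORY)):
        print(f"[{sign_in_id}] {upn}: {reason}")
```

On the sample data the admin's routine Azure CLI device code sign-in (s3) is baselined and silent, alice's first-ever device code sign-in (s1) alerts, and her sign-in from an unfamiliar IP two and a half hours later (s2) alerts as post-grant activity; the failed attempt (s5) is ignored and the sign-in from her usual IP (s4) is not flagged. Baselining on a window you trust to be clean is the important precondition: if the attacker's device code sign-ins are already in the history, they become the baseline.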
// 06 Conclusion
Kali365 represents the industrialization of an MFA-circumventing technique into a commodity criminal service available for $250 per month. Any Microsoft 365 organization that has not blocked or restricted the device code grant with Conditional Access is exposed to a technique the FBI has confirmed is producing hundreds of daily compromises. Blocking the device code flow, reviewing device code sign-ins and revoking the resulting sessions, and hunting for malicious inbox rules are the three most important immediate actions. FIDO2 hardware keys remain worth deploying because they defeat the AiTM credential-relay variant, but they do not close the device code exposure; only the Conditional Access block does.
For any query contact us at contact@cipherssecurity.com
