
FBI warns of Kali365 phishing service targeting Microsoft 365 accounts

Medium
Phishing
Published: Mon May 25 2026 (05/25/2026, 12:45:54 UTC)
Source: Bleeping Computer

Description

The FBI has issued a warning about Kali365, a phishing-as-a-service platform that targets Microsoft 365 accounts by abusing OAuth device code authentication. This method allows attackers to steal session tokens and bypass multi-factor authentication (MFA) without needing passwords or MFA codes. Kali365 enables even low-skilled attackers to conduct sophisticated phishing campaigns using AI-generated lures, automated templates, and real-time victim tracking. The platform operates as a business with administrators, resellers, and affiliates. The FBI recommends restricting or blocking device code authentication flows via Conditional Access policies and auditing device code usage to mitigate this threat.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 05/26/2026, 19:29:21 UTC

Technical Analysis

Kali365 is a phishing-as-a-service platform that hijacks Microsoft 365 accounts by exploiting the OAuth 2.0 Device Authorization grant flow. Attackers initiate the device authorization process to generate a code, then trick victims into entering it on Microsoft's official device login portal. Once the victim completes MFA, Microsoft issues an OAuth access token that grants attackers full access to the victim's account and associated cloud services without further MFA challenges. Kali365 provides advanced phishing capabilities including AI-generated phishing lures, automated campaign templates, and token capture functionality. It also offers an adversary-in-the-middle mode called "Cookie Link" that captures authenticated browser sessions and tokens. The FBI advises organizations to restrict device code authentication flows and audit existing usage to prevent compromise.

Potential Impact

Successful exploitation allows attackers to bypass MFA and gain full access to Microsoft 365 and other cloud SaaS accounts linked via single sign-on. This access enables data theft, mailbox manipulation through malicious inbox rules, and unauthorized device registrations within victim environments. The threat lowers the skill barrier for attackers by providing phishing-as-a-service capabilities, increasing the risk of widespread account compromises. The FBI notes that Kali365 has been observed targeting organizations globally.

Mitigation Recommendations

The FBI recommends that organizations restrict or block OAuth device code authentication flows using Conditional Access policies where feasible. Organizations should audit current device code usage and block authentication transfer policies that allow session movement between devices. Incident reporting to the Internet Crime Complaint Center is advised, along with preserving phishing emails, suspicious login data, and records of unauthorized device registrations. Because this is an abuse of a legitimate authentication flow rather than a software vulnerability, patch status is not applicable, and these controls are critical to reducing exposure.
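One way to run the recommended audit of device code usage before blocking the flow, as an added example that is not part of the FBI advisory or the source article. It assumes sign-in records exported as JSON with the Microsoft Graph `signIn` field names (including `authenticationProtocol`); the sample records and the allowlisted app name are constructed.

```python
import json
from collections import defaultdict

# Constructed sample records (not real telemetry). Field names are assumed to
# follow the Microsoft Graph signIn resource as exported from Entra ID.
SAMPLE_SIGNINS = json.loads("""[
 {"createdDateTime": "2026-05-20T08:01:00Z", "userPrincipalName": "alice@example.com",
  "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.10",
  "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
 {"createdDateTime": "2026-05-20T08:00:30Z", "userPrincipalName": "Alice@example.com",
  "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.99",
  "authenticationProtocol": "deviceCode", "status": {"errorCode": 70016}},
 {"createdDateTime": "2026-05-20T09:15:00Z", "userPrincipalName": "bob@example.com",
  "appDisplayName": "Meeting Room Display", "ipAddress": "198.51.100.7",
  "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
 {"createdDateTime": "2026-05-20T09:30:00Z", "userPrincipalName": "carol@example.com",
  "appDisplayName": "Microsoft Office", "ipAddress": "192.0.2.44",
  "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}}
]""")


def audit_device_code(signins, allowed_apps=frozenset()):
    """Group device code sign-ins by (user, app) and flag unexpected successes.

    allowed_apps is a hypothetical allowlist of applications the organization
    has confirmed need the device code flow (for example shared-screen devices).
    """
    groups = defaultdict(lambda: {"success": 0, "failure": 0, "ips": set()})
    for rec in signins:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue  # other protocols are out of scope for this audit
        key = (rec.get("userPrincipalName", "").lower(), rec.get("appDisplayName", ""))
        # errorCode 0 means the sign-in completed and tokens were issued
        ok = (rec.get("status") or {}).get("errorCode") == 0
        groups[key]["success" if ok else "failure"] += 1
        groups[key]["ips"].add(rec.get("ipAddress", ""))
    return [
        {"user": user, "app": app, "success": g["success"], "failure": g["failure"],
         "ips": sorted(g["ips"]),
         # a completed device code sign-in for an unapproved app needs review
         "review": g["success"] > 0 and app not in allowed_apps}
        for (user, app), g in sorted(groups.items())
    ]


if __name__ == "__main__":
    for row in audit_device_code(SAMPLE_SIGNINS, allowed_apps={"Meeting Room Display"}):
        print(row)
```

Rows with `review` set to true are the users and applications to check before a Conditional Access policy blocks the flow; rows for allowlisted apps show which exclusions the policy would need.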


Technical Details

Article Source
{"url":"https://www.bleepingcomputer.com/news/security/fbi-warns-of-kali365-phishing-service-targeting-microsoft-365-accounts/","fetched":true,"fetchedAt":"2026-05-26T19:28:01.751Z","wordCount":921}

Threat ID: 6a15f4466b9ae66727ef1415

Added to database: 5/26/2026, 7:28:06 PM

Last enriched: 5/26/2026, 7:29:21 PM

Last updated: 5/26/2026, 9:06:07 PM
