Kali365 Activity Surges: Device Code Phishing Is Scaling Fast
Kali365 is a phishing-as-a-service (PhaaS) platform that has recently seen a surge in activity involving device code phishing attacks. These attacks exploit legitimate Microsoft device authentication flows by tricking victims into entering a user code on a real Microsoft authentication page, enabling attackers to capture OAuth access tokens rather than passwords. This method reduces traditional phishing indicators, making detection and triage more difficult. The phishing kit includes templates for Microsoft services such as OneDrive, SharePoint, Teams, Outlook, and Voicemail, as well as Google device-code authentication flows. The activity was observed through over 100 analysis sessions in 24 hours on ANYRUN, indicating rapid scaling. No software exploit or patch applies, since this is a phishing campaign rather than a software vulnerability.
AI Analysis
Technical Summary
Kali365 is a phishing-as-a-service platform that leverages device code phishing targeting Microsoft and Google authentication flows. Instead of stealing passwords, it captures OAuth access tokens by directing victims to enter user codes on legitimate Microsoft device authentication pages. The phishing kit includes lure templates for multiple Microsoft services and polls session states to track success. This approach reduces typical phishing detection signals, complicating defense efforts. The surge in activity was documented via analysis sessions on ANYRUN, highlighting rapid scaling of this phishing technique.
Potential Impact
The primary impact is unauthorized access through stolen OAuth access tokens, which can be abused to access victim accounts and services without needing passwords. This token theft bypasses traditional credential theft detection methods, increasing the risk of account compromise and potential data exposure. The phishing campaign targets users of Microsoft and Google services, potentially affecting a broad user base. There are no known software vulnerabilities exploited, and no direct patches apply since this is a social engineering attack.
Mitigation Recommendations
No official patches or fixes apply as this is a phishing campaign exploiting legitimate authentication flows. Defenders should educate users about the risks of entering device codes on unsolicited prompts and implement multi-factor authentication methods that do not rely solely on OAuth tokens. Monitoring for unusual OAuth token usage and employing conditional access policies can help mitigate token abuse. Since traditional phishing indicators are reduced, enhanced user awareness and behavioral detection are critical. Check vendor advisories for any updated guidance on device code phishing mitigation.
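One way to act on the monitoring recommendation above, as an added example that is not part of this page or of ANYRUN's analysis: the script below scans constructed records shaped like Microsoft Entra ID sign-in log entries (the authenticationProtocol field with value deviceCode is how device code flow sign-ins appear in that schema) and flags the ones coming from apps, networks or countries that do not normally use that flow. The trusted network range, the expected-app list and the home country are assumptions a defender would replace with their own baseline.

```python
import ipaddress
import json
from typing import Dict, List

# Constructed sample records shaped like Entra ID sign-in log entries.
# Field names follow the sign-in log schema; all values are made up for this example.
SAMPLE_SIGNIN_LOGS = """
{"userPrincipalName":"alice@example.com","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.45","appDisplayName":"Microsoft Office","resourceDisplayName":"Microsoft Graph","location":{"countryOrRegion":"NL"},"createdDateTime":"2026-05-27T18:41:03Z"}
{"userPrincipalName":"bob@example.com","authenticationProtocol":"authorizationCode","ipAddress":"198.51.100.10","appDisplayName":"Outlook","resourceDisplayName":"Exchange Online","location":{"countryOrRegion":"US"},"createdDateTime":"2026-05-27T18:42:10Z"}
{"userPrincipalName":"carol@example.com","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.22","appDisplayName":"Azure CLI","resourceDisplayName":"Azure Resource Manager","location":{"countryOrRegion":"US"},"createdDateTime":"2026-05-27T18:43:55Z"}
"""

# Assumed baseline for this example: the organisation's egress ranges, the apps that
# legitimately use device code flow (headless/CLI tools), and where staff sign in from.
TRUSTED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]
EXPECTED_DEVICE_CODE_APPS = {"Azure CLI"}
HOME_COUNTRIES = {"US"}


def in_trusted_network(ip: str) -> bool:
    """True if the source address falls inside a known corporate egress range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def find_suspicious_device_code_signins(raw_logs: str) -> List[Dict]:
    """Return device-code sign-ins together with the reasons they deserve triage."""
    findings = []
    for line in raw_logs.strip().splitlines():
        rec = json.loads(line)
        # A token obtained through the phished device code flow is logged as deviceCode,
        # whatever lure the victim saw; other protocols are out of scope here.
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        reasons = []
        if rec.get("appDisplayName") not in EXPECTED_DEVICE_CODE_APPS:
            reasons.append("app not expected to use device code flow")
        if not in_trusted_network(rec["ipAddress"]):
            reasons.append("source IP outside trusted networks")
        if rec.get("location", {}).get("countryOrRegion") not in HOME_COUNTRIES:
            reasons.append("sign-in from unusual country")
        if reasons:
            findings.append({"user": rec["userPrincipalName"], "ip": rec["ipAddress"],
                             "app": rec.get("appDisplayName"),
                             "time": rec["createdDateTime"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_device_code_signins(SAMPLE_SIGNIN_LOGS):
        print(f"[!] {f['time']} {f['user']} via {f['app']} from {f['ip']}: "
              + "; ".join(f["reasons"]))
```

On the constructed input only the first record is flagged: the Azure CLI sign-in from a trusted range is a legitimate use of the flow and the non-device-code sign-in is ignored.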
Reddit Discussion
There’s an increase in Device Code phishing activity, with Kali365 emerging as one of the most active PhaaS. In the last 24 hours alone, ANYRUN recorded 100+ related analysis sessions.
The attack abuses legitimate Microsoft device authentication flows. Victims are shown a user code and instructed to enter it into a real Microsoft device auth page, allowing attackers to capture OAuth access tokens instead of passwords. The risk shifts from credential theft to token abuse, while significantly reducing the number of traditional phishing indicators typically used for detection and triage.
Deobfuscated Kali365 JavaScript revealed that after a verification gate, the lure deploys a phishing page, launches a legitimate Microsoft device authentication flow, and then polls /api/status/<session_id> for session states such as captured, expired, and declined.
The code also contains lure-template generators for OneDrive, SharePoint, Teams, Outlook, and Voicemail, and a separate Google device-code authentication flow.
Analysis and IOCs: https://app.any.run/tasks/d078f430-c3cc-44e8-a809-5506205049c3
Technical Details
- Source Type
- Subreddit: Malware
- Reddit Score: 0
- Discussion Level: minimal
- Content Source: reddit_link_post
- Post Type: link
- Domain: null
- Newsworthiness Assessment: {"score":27,"reasons":["external_link","established_author","very_recent"],"isNewsworthy":true,"foundNewsworthy":[],"foundNonNewsworthy":[]}
- Has External Source: true
- Trusted Domain: false
Threat ID: 6a173fffe29bf47b50df3554
Added to database: 5/27/2026, 7:03:27 PM
Last enriched: 5/27/2026, 7:03:35 PM
Last updated: 5/27/2026, 9:08:41 PM