Token Bingo: Don't Let Your Code be the Winner
In early April 2026, a large-scale device code phishing campaign targeted organizations across multiple sectors and regions, exploiting the OAuth 2.0 Device Authorization Grant. Threat actors leveraged the Kali365 phishing-as-a-service platform, originating primarily from IP address 216.203.20[.]95. The campaign used high-fidelity lures directing victims to Microsoft's legitimate device login flow, where users unknowingly authorized threat actor-controlled sessions. Captured OAuth tokens enabled immediate mailbox access and post-compromise activities. In some cases, attackers established malicious inbox rules to suppress security notifications, extending dwell time. The Kali365 platform operates as a multi-tenant PhaaS ecosystem supporting both device code abuse and adversary-in-the-middle session capture, featuring rapid lure generation across multiple languages and file types, Cloudflare Worker-hosted pages, and token-sharing capabilities between affiliates.
AI Analysis
Technical Summary
This threat involves abuse of the OAuth 2.0 Device Authorization Grant via a phishing campaign leveraging the Kali365 phishing-as-a-service platform. Attackers direct victims to Microsoft's legitimate device login interface, where users unknowingly authorize sessions controlled by the adversaries. The stolen OAuth tokens provide immediate mailbox access and enable attackers to perform post-compromise actions, including setting malicious inbox rules to hide security notifications. Kali365 supports multi-language lure generation, Cloudflare Worker-hosted phishing pages, and token sharing across affiliates, enhancing the scale and effectiveness of the campaign. The primary originating IP address identified is 216.203.20.95. This campaign targets multiple sectors and regions without specific geographic focus.
Potential Impact
Successful exploitation results in immediate unauthorized access to victims' mailboxes via stolen OAuth tokens. Attackers can conduct post-compromise activities such as establishing malicious inbox rules that suppress security notifications, increasing dwell time and reducing the likelihood of detection. Because the campaign uses Microsoft's legitimate login flow rather than a spoofed login page, it raises less user suspicion and is harder to detect. No known exploits in the wild beyond this campaign are reported, and no direct vulnerability in Microsoft services is indicated.
Mitigation Recommendations
No official patch or fix is applicable: this is a phishing campaign exploiting user interaction with legitimate OAuth flows, not a software vulnerability. Organizations should educate users about the risks of device code phishing and the importance of verifying authorization prompts before entering a code. Monitoring for newly created inbox rules that hide or delete messages (such as security notifications) and for sign-ins completed through the device code flow from unfamiliar sources is recommended. Refer to vendor advisories and security guidance from Microsoft and security providers for updated detection and prevention strategies.
Indicators of Compromise
- hash: 09bb7e568e573497e22bfa3f36d71fe9d104899826608affedb25d988f391c85
- hash: 2fa6fc2199d3be55e240500d87e4484f39b9315bf336be25434f6716b8d28ec8
- hash: 883d5d4a73b0ac8cf4f78fe46d8f4e76e21508872836f2b439af2de4a205128e
- ip: 199.91.220.111
- ip: 216.203.20.95
- domain: duemineral.uk
- domain: kali365.xyz
- domain: api.kali365.xyz
- domain: v2.kali365.xyz
Technical Details
- Author: AlienVault
- TLP: white
- References: https://arcticwolf.com/resources/blog/token-bingo-dont-let-your-code-be-the-winner/
- Adversary: null
- Pulse Id: 69ecc3226a3aeb6f5b7202e3
- Threat Score: null
Threat ID: 69ef1e8dba26a39fba0bf968
Added to database: 4/27/2026, 8:30:05 AM
Last enriched: 4/27/2026, 8:45:04 AM
Last updated: 4/28/2026, 1:44:54 AM