Kali365 PhaaS (phishing-as-a-service) Bypasses MFA to Hijack Microsoft 365 Accounts

Kali365 PhaaS Platform Hijacks Microsoft 365 Accounts Without Stealing a Single Password

A criminal subscription service called Kali365 is actively compromising Microsoft 365 accounts across North America and Europe, and it does so without ever needing a victim’s password or triggering a standard multi-factor authentication (MFA) prompt. The FBI issued a formal public service announcement on May 21, 2026 (referenced as PSA260521), warning organizations that Kali365 represents a fast-growing and technically accessible threat that is already hitting Canadian and American organizations across government, healthcare, financial services, manufacturing, and education.

Every confirmed victim in documented campaigns was using MFA. That fact alone signals how fundamentally this platform challenges assumptions about what MFA protects against.


What Kali365 Is and How It Is Sold

Kali365 is a Phishing-as-a-Service (PhaaS) platform first observed in April 2026 and marketed primarily through Telegram channels. For as little as USD $250 per month or approximately $2,000 annually, anyone with a Telegram account and a target in mind can subscribe to a fully operational phishing infrastructure requiring minimal technical skill to operate.

The platform bundles everything a low-skill attacker needs: AI-generated phishing lure templates, automated campaign tools, real-time dashboards for tracking targeted individuals, and built-in OAuth token capture capabilities. This is not a crude credential harvester. It is a polished, subscription-based criminal product designed specifically to defeat modern authentication defenses at scale.

Security researchers at Arctic Wolf documented a large-scale Kali365-driven campaign on April 24, 2026. By the end of that month, hundreds of organizations across North America and Europe had been compromised. Microsoft has since reported that device code phishing, as a category, is generating hundreds of successful account takeovers daily across affected environments.


How the Attack Works: OAuth Device Code Phishing Explained

The attack exploits a legitimate Microsoft authentication feature, the OAuth 2.0 Device Authorization Grant, commonly called device code flow. The flow was designed for low-input devices such as smart TVs, conference room hardware, printers, and IoT sensors: the device displays a short code, and the user completes sign-in on a secondary device by entering that code at microsoft.com/devicelogin.

Kali365 weaponizes this flow in three steps:

Step 1: The Lure

The target receives a phishing email impersonating a trusted and familiar cloud service. Observed subject lines include references to SharePoint file shares, OneDrive document notifications, Microsoft 365 voicemails, DocuSign signature requests, and Adobe Acrobat Sign agreements. These are the exact types of messages most employees open without hesitation.

Step 2: The Code Entry

The email instructs the target to visit a legitimate Microsoft verification page and enter a short code. The page is real. The Microsoft domain is real. The SSL certificate is valid. Password managers find nothing to flag. The user enters the code, believing they are completing a routine authentication step.

Step 3: The Token Capture

By entering the code, the victim has unknowingly authorized the attacker’s device to access their Microsoft 365 account. Microsoft issues the attacker’s client an OAuth access token and refresh token tied to the victim’s identity. The attacker now has persistent, authenticated access to the victim’s Outlook inbox, Teams workspace, and OneDrive storage with no password required and no additional MFA challenge to clear.

Refresh tokens can remain valid for extended periods, meaning a single successful lure can give an attacker months of silent access to an organization’s communications and data.


A Growing Market, Not a Single Tool

Kali365 did not appear in isolation. Security researchers tracking device code phishing note that state-aligned threat actors, including groups linked to Russia, began adopting this technique as early as September 2025. Financially motivated criminal actors followed by October 2025, and by February 2026, the method had been fully commoditized through platforms like EvilTokens. Security firm Huntress tracked over 340 compromised organizations across five countries from a single EvilTokens-linked campaign.

Kali365 arrived in April 2026 as a more polished product in the same category, and the FBI’s advisory specifically notes its frequent mention alongside EvilTokens and Tycoon2FA as part of a broader, expanding market of OAuth token theft tools. The common thread across all of these platforms is that they turn Microsoft’s own legitimate authentication infrastructure against Microsoft 365 users.


Canadian Impact: Why This Hits Home

Microsoft 365 is the dominant productivity platform across Canadian enterprises, government departments, healthcare networks, and small businesses. The sectors confirmed to be targeted by Kali365 campaigns, including healthcare, financial services, government, and education, are precisely the sectors that anchor Canada’s most sensitive data environments.

David Shipley, CEO of Canadian security awareness firm Beauceron Security, noted in commentary on the Kali365 advisory that the platform signals a structural shift toward professionalized credential-free attacks that outpace conventional security awareness training. If employees are doing everything right, visiting a real Microsoft page and entering a code they received from what looks like a legitimate email, there is no user error to correct. The attack relies on exploiting a legitimate system feature, not a human mistake.

Under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), any compromise of a Microsoft 365 environment that results in unauthorized access to personal information of customers, employees, or partners triggers mandatory breach notification obligations. A single successful Kali365 attack on an organization holding health records, financial client data, or government identity information could initiate significant regulatory exposure.

The Canadian Centre for Cyber Security (CCCS) has consistently identified token-based authentication attacks and cloud account takeovers as high-priority threats for Canadian organizations. Kali365 represents precisely the type of commoditized, scalable threat the CCCS has warned is lowering the barrier for attacks against cloud-dependent Canadian infrastructure.


What the FBI Recommends

The FBI’s IC3 advisory PSA260521 outlines a specific set of defensive steps organizations should implement immediately:

  • Restrict or fully block device code authentication flows using Conditional Access policies in Microsoft Entra ID, with narrow exceptions only for documented business processes that legitimately require the feature
  • Audit all existing device code usage within the environment to identify accounts that have previously authenticated via this flow
  • Block authentication transfer policies that permit authentication sessions to move between devices, such as desktops and mobile phones
  • Preserve and report any suspicious phishing emails, unusual login events, or unauthorized device registrations to the FBI’s Internet Crime Complaint Center at ic3.gov
  • Maintain at least one emergency access account that will not be locked out if conditional access policies are broadly applied

Organizations using Microsoft Defender XDR should also enable and monitor for the built-in alert types “Suspicious Azure authentication through possible device code phishing” and “User account compromise via OAuth device code phishing,” both of which are designed to surface anomalous token authentication events.


Key Takeaways

  • Kali365 is a PhaaS platform sold on Telegram for as little as $250/month that bypasses Microsoft 365 MFA entirely by stealing OAuth tokens through device code phishing; no password theft required.
  • The FBI issued a formal advisory PSA260521 on May 21, 2026, confirming active campaigns across manufacturing, education, government, healthcare, insurance, and financial services in North America and Europe.
  • The attack exploits Microsoft’s legitimate OAuth 2.0 Device Authorization Grant flow, meaning victims interact only with real Microsoft domains, making traditional phishing detection ineffective.
  • Kali365 is part of a broader and growing PhaaS ecosystem that includes EvilTokens and Tycoon2FA, all targeting Microsoft 365 OAuth tokens at scale.
  • All confirmed victims in documented Kali365 campaigns were already using MFA, confirming that MFA alone is no longer a sufficient defense against this class of attack.
  • Canadian organizations in regulated sectors face PIPEDA notification obligations if a Kali365 compromise results in unauthorized access to personal information.
  • The primary technical mitigation is restricting or blocking device code authentication flow through Microsoft Entra Conditional Access policies.

What You Should Do Now

  1. Audit device code flow usage in your Microsoft Entra environment immediately. Pull a sign-in log filtered to device code authentication and identify which accounts and services are actively using this flow. Most organizations will find very few legitimate use cases.
  2. Create a Conditional Access policy to block device code flow for all users by default. Allow exceptions only for verified and documented business processes, such as specific IoT devices or conference room hardware. This single step eliminates the primary attack vector Kali365 exploits.
  3. Block authentication transfer policies in Microsoft Entra. Prevent tokens from being moved between devices to limit the attacker’s ability to pivot from a compromised session to other endpoints.
  4. Brief your employees and update security awareness training now. Standard phishing training that tells people to look for suspicious URLs will not catch this attack. Employees need to understand that entering a code on microsoft.com/devicelogin in response to an unexpected email can authorize an attacker’s device, even when the Microsoft page itself is completely legitimate.
  5. Enable and monitor Defender XDR alerts for OAuth device code phishing. Ensure the alerts “Suspicious Azure authentication through possible device code phishing” and “User account compromise via OAuth device code phishing” are active and routed to your SOC or IT security team.
  6. Review and revoke any suspicious OAuth token grants in your environment. Check Microsoft Entra ID for recently registered devices or token grants that cannot be attributed to known users or documented business processes and revoke them immediately.
  7. Report any confirmed or suspected Kali365 activity to the Canadian Centre for Cyber Security (CCCS) at cyber.gc.ca and preserve all phishing emails, sign-in logs, and suspicious device registration records for forensic investigation.
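Steps 1 to 3 above, together with the FBI’s audit and block recommendations, worked as an added example (not code from the advisory, Microsoft, or any vendor): it summarises device code sign-ins from an exported sign-in log and builds the Conditional Access policy body that blocks the flow while exempting the emergency access account. Field names follow the Microsoft Graph signIn and conditionalAccessPolicy schemas as assumptions; the sign-in records and the break-glass object ID are constructed placeholders.

```python
"""Audit exported Entra sign-in records for device code use and draft the Conditional
Access policy body that blocks the flow. Added example; Graph field names assumed."""
from collections import defaultdict

# Constructed sample records in the shape of GET /auditLogs/signIns output.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.7",
     "createdDateTime": "2026-05-20T09:12:00Z"},
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "none", "ipAddress": "198.51.100.4",
     "createdDateTime": "2026-05-20T09:30:00Z"},
    {"userPrincipalName": "svc-room@example.com", "appDisplayName": "Teams Rooms",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.9",
     "createdDateTime": "2026-05-01T08:00:00Z"},
    {"userPrincipalName": "svc-room@example.com", "appDisplayName": "Teams Rooms",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.9",
     "createdDateTime": "2026-05-18T08:00:00Z"},
]

def device_code_usage(signins):
    """Summarise device code sign-ins per (user, app): count, distinct source IPs,
    first and last seen. Any entry that is not a documented device account is suspect."""
    usage = defaultdict(lambda: {"count": 0, "ips": set(), "first": None, "last": None})
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            continue
        u = usage[(s["userPrincipalName"], s["appDisplayName"])]
        u["count"] += 1
        u["ips"].add(s["ipAddress"])
        t = s["createdDateTime"]  # ISO-8601 UTC strings sort lexicographically
        u["first"] = t if u["first"] is None or t < u["first"] else u["first"]
        u["last"] = t if u["last"] is None or t > u["last"] else u["last"]
    return dict(usage)

def block_device_code_policy(exempt_user_ids, state="enabledForReportingButNotEnforced"):
    """Graph conditionalAccessPolicy body blocking device code flow and authentication
    transfer for all users except the exempted object IDs (emergency access account,
    documented device accounts). Defaults to report-only; set state to 'enabled' to enforce."""
    return {
        "displayName": "Block device code flow and authentication transfer",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(exempt_user_ids)},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }
```

Export the real records with Microsoft Graph (GET /auditLogs/signIns) and submit the policy body with POST /identity/conditionalAccess/policies; leave it in report-only mode until the audit output has been reviewed and the exceptions documented.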
