The FBI has warned about a phishing-as-a-service platform called Kali365 that is being used to hijack Microsoft 365 accounts by abusing OAuth device code authentication.
The platform allows attackers to steal session tokens and bypass multi-factor authentication, making it easier to access business accounts without stealing passwords or intercepting MFA codes.
According to the FBI’s public service announcement, Kali365 first appeared in April 2026 and is being shared through Telegram channels used by cybercriminals. The tool is designed for attackers who want a simpler way to compromise Microsoft 365 accounts, including Microsoft Entra accounts, by taking advantage of Microsoft’s legitimate OAuth 2.0 Device Authorization grant flow.
Device code authentication was created for devices that are difficult to type on, such as smart TVs, streaming devices, conference room systems, printers, and IoT devices. It lets users sign in on another device by entering a short code at Microsoft’s device login page. However, attackers are now abusing this trusted process in phishing campaigns.
In these attacks, threat actors start the device authorization process themselves and generate a login code. They then trick the victim into entering that code on Microsoft’s official login page through phishing emails or social engineering. Once the victim enters the code and completes MFA, Microsoft issues an OAuth access token that gives the attacker access to the account without needing to complete MFA themselves.
After gaining access, attackers can use the compromised single sign-on account to reach Microsoft 365, Salesforce, and other cloud applications connected to the same identity system. This access can then be used to steal data, read emails, create malicious inbox rules, and move deeper into the organization’s cloud environment.
The FBI said Kali365 gives even low-skilled cybercriminals access to advanced phishing features. These include AI-generated phishing messages, automated campaign templates, real-time victim tracking dashboards, and tools for capturing tokens. Security researchers at Arctic Wolf also reported Kali365 activity in April after observing a widespread campaign targeting organizations around the world.
Arctic Wolf said the campaigns mainly targeted Microsoft 365 environments. Victims received phishing emails that directed them to Microsoft’s device code login portal, where they unknowingly approved attacker access to their own accounts. In some cases, attackers created malicious mailbox rules to hide their activity. They also registered new devices inside victims’ Microsoft environments, helping them maintain access for longer.
Researchers found that Kali365 appears to operate like a business. It has administrators who manage development, resellers who promote the service, and affiliates who carry out phishing campaigns. The platform also offers two attack modes. One uses device code phishing, while the other, called Cookie Link, works as an adversary-in-the-middle method that captures authenticated browser sessions, cookies, and tokens after victims sign in and complete MFA.
The FBI recommends that organizations restrict or block device code authentication through Conditional Access policies where possible. Companies are also advised to audit existing device code usage and block authentication transfer policies that allow sign-in sessions to move between devices.
The agency urged affected organizations to report incidents to the Internet Crime Complaint Center and preserve phishing emails, suspicious login details, and unauthorized device registration records. Device code phishing has become more common in 2026, with platforms such as EvilTokens and Tycoon2FA also using similar methods to compromise Microsoft 365 and Entra accounts.





