    FBI warns of Kali365 phishing service targeting Microsoft 365 accounts

    By admin, May 25, 2026


    Image: Microsoft 365 phishing

    The FBI is warning about the Kali365 phishing-as-a-service (PhaaS) platform, which is used to hijack Microsoft 365 accounts by abusing OAuth device code authentication to steal session tokens and bypass multi-factor authentication (MFA).

    According to the FBI PSA, Kali365 first emerged in April 2026 and is distributed via Telegram channels to cybercriminals seeking an easier way to compromise Microsoft 365 accounts without stealing passwords or intercepting MFA codes.

    The platform uses device code phishing, an increasingly popular method that abuses Microsoft’s legitimate OAuth 2.0 Device Authorization grant flow to gain access to Microsoft Entra and Microsoft 365 accounts.

    This authentication method was created to allow devices with limited input capabilities, such as smart TVs, conference room systems, streaming devices, printers, and IoT devices, to authenticate via another device using a short code at Microsoft’s device code login portal, http://microsoft.com/devicelogin.

    Image: Device code authentication form (Source: BleepingComputer)

    In February, BleepingComputer reported that extortion gangs, including the ShinyHunters cybercrime group, were targeting Microsoft Entra accounts via device-code and voice phishing.

    In these attacks, threat actors initiate the device authorization process themselves to generate a code, then trick targets into entering it on Microsoft’s login page via phishing and social engineering.

    Once the victim enters the code and completes MFA, Microsoft issues an OAuth access token that grants the threat actor full access to the victim's account without the attacker ever having to solve an MFA challenge.

    The threat actors now have full access to all applications the user normally has access to via their single-sign-on account, including Microsoft 365, Salesforce, or any other cloud SaaS platforms, which are then used to steal data.

    The FBI warns that Kali365 gives even low-skilled attackers access to advanced phishing capabilities, including AI-generated phishing lures, automated campaign templates, real-time victim-tracking dashboards, and token-capture functionality. 

    Security researchers at Arctic Wolf reported on Kali365 activity in April after observing a widespread campaign targeting organizations worldwide.

    The researchers said that the campaigns primarily targeted Microsoft 365 environments using phishing emails that directed victims to Microsoft’s device code login portal, where they unknowingly authorized attackers to access their accounts.

    The researchers said the resulting attacks gave the hackers access to the victims' mailboxes, where they created malicious inbox rules designed to hide their activity.

    In some of the attacks, attackers also registered new devices in victims’ Microsoft environments, further extending their access to the breached network.

    Arctic Wolf found that Kali365 operates as a business, with admins who manage product development, resellers who promote the service to other threat actors, and affiliates who conduct phishing attacks.

    The researchers say the platform offers two separate attack modes, with the first being device code phishing and the second being an adversary-in-the-middle (AitM) mode named “Cookie Link.”

    Cookie Link proxies victims through attacker-controlled infrastructure that captures authenticated browser sessions, session cookies, and tokens after targets log in and solve MFA challenges.

    The FBI recommends companies restrict or completely block device code authentication flows using Conditional Access policies where possible, audit existing device code usage, and block authentication transfer policies that allow authentication sessions to move between devices. 
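As an added example (not from the article, the FBI PSA, or Arctic Wolf), here is a small Python audit script for the "audit existing device code usage" recommendation. It runs over constructed Entra sign-in records whose field names follow the Microsoft Graph signIn schema (authenticationProtocol, conditionalAccessStatus, and so on); every value in the sample data is made up. It lists, per user, the device-code sign-ins and how many of them completed with no Conditional Access policy applied.

```python
import json
from collections import defaultdict

# Constructed sample records in the shape of Microsoft Graph signIn objects.
# Field names follow the Graph schema; every value here is made up.
SAMPLE_SIGNINS = json.dumps([
    {"createdDateTime": "2026-05-20T09:12:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.10", "authenticationProtocol": "oAuth2",
     "conditionalAccessStatus": "success", "appDisplayName": "Microsoft Teams"},
    {"createdDateTime": "2026-05-20T09:15:00Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "198.51.100.7", "authenticationProtocol": "deviceCode",
     "conditionalAccessStatus": "notApplied", "appDisplayName": "Microsoft Office"},
    {"createdDateTime": "2026-05-20T09:16:00Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "198.51.100.7", "authenticationProtocol": "deviceCode",
     "conditionalAccessStatus": "notApplied", "appDisplayName": "Microsoft Office"},
    {"createdDateTime": "2026-05-21T14:02:00Z", "userPrincipalName": "carol@example.com",
     "ipAddress": "192.0.2.44", "authenticationProtocol": "deviceCode",
     "conditionalAccessStatus": "failure", "appDisplayName": "Microsoft Office"},
])


def load_signins(raw: str) -> list[dict]:
    """Parse an exported JSON array of sign-in records."""
    return json.loads(raw)


def device_code_signins(signins: list[dict]) -> list[dict]:
    """Keep only sign-ins that went through the OAuth device code flow."""
    return [s for s in signins if s.get("authenticationProtocol") == "deviceCode"]


def audit(signins: list[dict]) -> dict[str, dict]:
    """Per user: number of device-code sign-ins, the source IPs seen, and how
    many completed with no Conditional Access policy applied (a policy gap)."""
    report: dict[str, dict] = defaultdict(lambda: {"count": 0, "ips": set(), "unpoliced": 0})
    for s in device_code_signins(signins):
        entry = report[s["userPrincipalName"]]
        entry["count"] += 1
        entry["ips"].add(s.get("ipAddress", "?"))
        if s.get("conditionalAccessStatus") == "notApplied":
            entry["unpoliced"] += 1
    return dict(report)


if __name__ == "__main__":
    for user, info in audit(load_signins(SAMPLE_SIGNINS)).items():
        print(f"{user}: {info['count']} device-code sign-ins from {sorted(info['ips'])}, "
              f"{info['unpoliced']} with no Conditional Access policy applied")
```

Users whose device-code sign-ins show "unpoliced" counts are the ones a blocking Conditional Access policy would not yet have covered.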

    The agency also urged impacted organizations to report incidents to the Internet Crime Complaint Center and preserve phishing emails, suspicious login information, and unauthorized device registrations. 

    Device code phishing has seen widespread adoption in 2026, with other threat actors and platforms now using it as part of their phishing campaigns and attacks.

    This adoption includes the EvilTokens PhaaS and Tycoon2FA, which are also using it to compromise Microsoft 365 and Entra accounts.
