[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f9l8sB5OK8ABW-sKeNjopVbxtOdtolFU1owVvq63QJN0":3},{"article":4,"iocs":56},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":35,"category":36,"article_tags":40},"95a5faa7-791a-45bb-92d8-bc18965b15ef","FBI warns of Kali365 phishing service targeting Microsoft 365 accounts","fbi-warns-of-kali365-phishing-service-targeting-microsoft-365-accounts-0fd6ad","The FBI is warning about the Kali365 phishing-as-a-service platform (PhaaS) that is used to hijack Microsoft 365 accounts by abusing OAuth device code authentication to steal session tokens and bypass multi-factor authentication (MFA). [...]","The FBI has issued a warning about Kali365, a phishing-as-a-service platform that emerged in April 2026 and exploits Microsoft's OAuth 2.0 Device Authorization flow to hijack Microsoft 365 accounts and bypass MFA. The service provides low-skilled attackers with AI-generated phishing lures, automated templates, real-time dashboards, and token-capture functionality, enabling them to steal session tokens and gain full account access. Kali365 operates as a structured business with admins, resellers, and affiliates, and also offers an adversary-in-the-middle mode called 'Cookie Link' that proxies victim sessions to capture authenticated credentials.","FBI warns of Kali365 phishing-as-a-service targeting Microsoft 365 via OAuth device code abuse.","FBI warns of Kali365 phishing service targeting Microsoft 365 accounts By Lawrence Abrams May 25, 2026 08:45 AM The FBI is warning about the Kali365 phishing-as-a-service platform (PhaaS) that is used to hijack Microsoft 365 accounts by abusing OAuth device code authentication to steal session tokens and bypass multi-factor authentication (MFA). 
According to the FBI PSA, Kali365 first emerged in April 2026 and is distributed via Telegram channels for cybercriminals seeking an easier way to compromise Microsoft 365 accounts without stealing passwords or intercepting MFA codes. The platform uses device code phishing, an increasingly popular method that abuses Microsoft's legitimate OAuth 2.0 Device Authorization grant flow to gain access to Microsoft Entra and Microsoft 365 accounts. This authentication method was created to allow devices with limited input capabilities, such as smart TVs, conference room systems, streaming devices, printers, and IoT devices, to authenticate via another device using a short code at Microsoft's device code login portal, http:\u002F\u002Fmicrosoft.com\u002Fdevicelogin. [Figure: Device code authentication form. Source: BleepingComputer] In February, BleepingComputer reported that extortion gangs, including the ShinyHunters cybercrime group, were targeting Microsoft Entra accounts via device-code and voice phishing. In these attacks, threat actors initiate the device authorization process themselves to generate a code, then trick targets into entering it on Microsoft's login page via phishing and social engineering. Once the victim enters the code and completes MFA, Microsoft issues an OAuth access token that grants the threat actor full access to their account without requiring them to solve any MFA challenges. The threat actors now have full access to all applications the user normally has access to via their single-sign-on account, including Microsoft 365, Salesforce, or any other cloud SaaS platforms, which are then used to steal data. The FBI warns that Kali365 gives even low-skilled attackers access to advanced phishing capabilities, including AI-generated phishing lures, automated campaign templates, real-time victim-tracking dashboards, and token-capture functionality. 
Security researchers at Arctic Wolf reported on Kali365 activity in April after observing a widespread campaign targeting organizations worldwide. The researchers said that the campaigns primarily targeted Microsoft 365 environments using phishing emails that directed victims to Microsoft's device code login portal, where they unknowingly authorized attackers to access their accounts. The researchers said the resulting attacks gave the hackers access to their mailboxes, where they created malicious inbox rules designed to hide their activity. In some of the attacks, attackers also registered new devices in victims' Microsoft environments, further extending their access to the breached network. Arctic Wolf found that Kali365 operates as a business, with admins who manage product development, resellers who promote the service to other threat actors, and affiliates who conduct phishing attacks. The researchers say the platform offers two separate attack modes, with the first being device code phishing and the second being an adversary-in-the-middle (AitM) mode named \"Cookie Link.\" Cookie Link proxies victims through attacker-controlled infrastructure that captures authenticated browser sessions, session cookies, and tokens after targets log in and solve MFA challenges. The FBI recommends companies restrict or completely block device code authentication flows using Conditional Access policies where possible, audit existing device code usage, and block authentication transfer policies that allow authentication sessions to move between devices. The agency also urged impacted organizations to report incidents to the Internet Crime Complaint Center and preserve phishing emails, suspicious login information, and unauthorized device registrations. Device code phishing has seen widespread adoption in 2026, with other threat actors and platforms now using it as part of their phishing campaigns and attacks. 
This adoption includes the EvilTokens PhaaS and Tycoon2FA, which are also using it to compromise Microsoft 365 and Entra accounts.","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Ffbi-warns-of-kali365-phishing-service-targeting-microsoft-365-accounts\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2026\u002F05\u002F15\u002FMS365.jpg","2026-05-25T12:45:54+00:00","2026-05-25T14:00:11.789819+00:00",9,[18,21,24,27,29,32],{"name":19,"type":20},"ShinyHunters","threat_actor",{"name":22,"type":23},"Microsoft","vendor",{"name":25,"type":26},"Microsoft 365","product",{"name":28,"type":26},"Microsoft Entra",{"name":30,"type":31},"OAuth 2.0 Device Authorization grant flow","technology",{"name":33,"type":34},"Kali365","campaign","2c8f44d4-b56e-47cf-9677-04f22c9ee78d",{"id":35,"icon":37,"name":38,"slug":39},null,"Identity & 
Access","identity-access",[41,46,51],{"category":42},{"id":43,"icon":37,"name":44,"slug":45},"89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5","Malware","malware",{"category":47},{"id":48,"icon":37,"name":49,"slug":50},"c5c77cdb-f7d7-4990-9436-c81dcbff1163","Policy","policy",{"category":52},{"id":53,"icon":37,"name":54,"slug":55},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[57,61],{"type":58,"value":59,"context":60},"url","http:\u002F\u002Fmicrosoft.com\u002Fdevicelogin","Legitimate Microsoft device code login portal abused by Kali365 phishing campaigns",{"type":45,"value":33,"context":62},"Phishing-as-a-service platform targeting Microsoft 365 accounts via OAuth device code authentication abuse"]