The FBI has warned about Kali365, a phishing-as-a-service (PhaaS) platform used to take over Microsoft 365 accounts by abusing OAuth device code authentication to steal session tokens and bypass multi-factor authentication (MFA).
According to the FBI public service announcement (PSA), Kali365 appeared in April 2026 and is distributed through Telegram channels aimed at cybercriminals who want a simpler way into Microsoft 365 accounts without stealing passwords or capturing MFA codes.
The platform uses device code phishing, a technique that abuses Microsoft's legitimate OAuth 2.0 Device Authorization flow to gain access to Microsoft Entra and Microsoft 365 accounts.
This sign-in method exists for input-constrained devices such as smart TVs, conference room systems, streaming boxes, printers and IoT devices: the device displays a short code, and the user enters it from another device at Microsoft's login page, http://microsoft.com/devicelogin.

In these attacks, the threat actors start the device authorization flow themselves to generate a code, then use phishing and social engineering to trick targets into entering it on Microsoft's login page.
Once the victim enters the code and completes MFA, Microsoft issues an OAuth access token to the threat actor, whose client started the flow. That token gives the threat actor full access to the account without having to defeat any MFA challenge.
With that token, the threat actors can reach every application the user's single sign-on account can, including Microsoft 365, Salesforce and other cloud services, and use that access to steal data.
The FBI says Kali365 puts powerful phishing tooling in the hands of even inexperienced attackers: AI-generated lure messages, ready-made campaign templates, dashboards that track victims in real time, and token-capture functionality.
Security researchers at Arctic Wolf reported on Kali365 activity in April, observing a large campaign targeting organizations worldwide.
According to the researchers, the campaigns mainly targeted Microsoft 365 through phishing emails that led victims to a Microsoft login page, where they unknowingly granted the attackers access to their accounts.
The resulting access extended to the victims' mailboxes, where the attackers created malicious inbox rules designed to hide their activity.
Tips to protect:
Restricting the device code flow, by limiting or blocking device code authentication, can prevent or contain this style of attack.
Create a Conditional Access policy that blocks the device code flow for all users, with limited exceptions for required business processes.
Audit existing device code flow usage to identify legitimate dependencies before creating the Conditional Access policy.
Also block authentication transfer, which lets users move an authenticated session from a computer to a mobile device.
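One way to do the audit step above, as an added example that is not code from the FBI PSA, Arctic Wolf or Microsoft: it inventories device code sign-ins per user and app and flags those issued to an IP the user has never signed in from otherwise. It assumes sign-in records shaped like Microsoft Graph signIn objects (userPrincipalName, appDisplayName, ipAddress, authenticationProtocol); the sample records are constructed.

```python
"""Audit Entra sign-in records for OAuth device code flow usage.
Added example, not code from the FBI PSA, Arctic Wolf or Microsoft. Assumes
records shaped like Microsoft Graph signIn objects (userPrincipalName,
appDisplayName, ipAddress, authenticationProtocol); the records below are
constructed, with fabricated users, apps and documentation-range IPs.
"""
from collections import defaultdict

SAMPLE_SIGNINS = [
    # alice normally signs in interactively from 203.0.113.10 ...
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Office 365 Exchange Online",
     "ipAddress": "203.0.113.10", "authenticationProtocol": "none"},
    # ... but a device code token was issued to a host at a never-before-seen IP
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Office",
     "ipAddress": "198.51.100.7", "authenticationProtocol": "deviceCode"},
    # a meeting-room device that only ever uses the device code flow, from one IP
    {"userPrincipalName": "room-tv@example.com", "appDisplayName": "Microsoft Teams",
     "ipAddress": "203.0.113.20", "authenticationProtocol": "deviceCode"},
    {"userPrincipalName": "room-tv@example.com", "appDisplayName": "Microsoft Teams",
     "ipAddress": "203.0.113.20", "authenticationProtocol": "deviceCode"},
]


def audit_device_code(signins):
    """Return (usage, suspicious) for a list of sign-in records.
    usage: {user: {app: count}} of device code sign-ins, i.e. the inventory of
        legitimate dependencies to review before blocking the flow.
    suspicious: device code sign-ins whose source IP never appears among that
        user's other (non-device-code) sign-ins. In device code phishing the
        attacker's client, not the victim's machine, receives the token, so the
        IP in the log belongs to a host the user has never signed in from.
        Accounts with no non-device-code sign-ins have no baseline and stay in
        the usage inventory for manual review instead of being flagged.
    """
    baseline_ips = defaultdict(set)
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode":
            baseline_ips[s["userPrincipalName"]].add(s["ipAddress"])
    usage = defaultdict(lambda: defaultdict(int))
    suspicious = []
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode":
            continue
        user = s["userPrincipalName"]
        usage[user][s["appDisplayName"]] += 1
        if user in baseline_ips and s["ipAddress"] not in baseline_ips[user]:
            suspicious.append(s)
    return {u: dict(apps) for u, apps in usage.items()}, suspicious
```

On real data, feed it the sign-in log export for the audit window; the usage inventory becomes the exception list for the Conditional Access policy, and the suspicious list is the triage queue.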
