The FBI is warning about Kali365, a phishing-as-a-service (PhaaS) platform used to hijack Microsoft 365 accounts by abusing OAuth device code authentication to steal session tokens and bypass multi-factor authentication (MFA).
According to the FBI PSA, Kali365 first emerged in April 2026 and is distributed via Telegram channels for cybercriminals seeking an easier way to compromise Microsoft 365 accounts without stealing passwords or intercepting MFA codes.
The platform uses device code phishing, an increasingly popular method that abuses Microsoft's legitimate OAuth 2.0 Device Authorization grant flow to gain access to Microsoft Entra and Microsoft 365 accounts.
This authentication method was created to allow devices with limited input capabilities, such as smart TVs, conference room systems, streaming devices, printers, and IoT devices, to authenticate via another device using a short code at Microsoft's device code login portal, http://microsoft.com/devicelogin.
Device code authentication form
Source: BleepingComputer
In February, BleepingComputer reported that extortion gangs, including the ShinyHunters cybercrime group, were targeting Microsoft Entra accounts via device-code and voice phishing.
In these attacks, threat actors initiate the device authorization process themselves to generate a code, then trick targets into entering it on Microsoft's login page via phishing and social engineering.
Once the victim enters the code and completes MFA in their own browser, Microsoft issues an OAuth access token (and, when the offline_access scope was requested, a refresh token) to the client that initiated the flow. That client is the threat actor, who now has access to the victim's account without ever having to solve an MFA challenge themselves.
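The exchange described above, as an added example that is not part of the FBI PSA or of this article: an in-memory model of the OAuth 2.0 Device Authorization grant (RFC 8628) in the shape Microsoft exposes it, run through the phishing scenario step by step. The endpoint names mirror the real ones; the server, the code format, the client ID and the token values are assumptions made for the demonstration. The point it makes is that MFA is completed on the victim's leg (/devicelogin), while the tokens are handed to whoever holds the device_code and polls /token, which in the attack is the threat actor.

```python
"""
Added example (not from the FBI PSA or the article): an in-memory model of the OAuth 2.0
Device Authorization grant (RFC 8628) as Microsoft exposes it, used to show why the
party that starts the flow, not the party that completes MFA, ends up holding the tokens.
Endpoint names mirror the real ones; the server, codes and client ID are assumptions.
"""
import secrets

USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"  # consonant-only 9-char codes (assumption, toy format)


class DeviceCodeServer:
    """Toy stand-in for login.microsoftonline.com's /devicecode and /token endpoints."""

    def __init__(self, expires_in=900, interval=5):
        self.expires_in = expires_in      # seconds the device_code stays valid
        self.interval = interval          # minimum seconds between token polls
        self._pending = {}                # device_code -> flow record
        self._by_user_code = {}           # user_code -> device_code

    def devicecode(self, client_id, scope, now):
        """POST /devicecode. Unauthenticated: anyone, including an attacker, can call it."""
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(9))
        self._pending[device_code] = {"client_id": client_id, "scope": scope,
                                      "user": None, "issued": now, "last_poll": None}
        self._by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://microsoft.com/devicelogin",
                "expires_in": self.expires_in, "interval": self.interval}

    def devicelogin(self, user_code, username, mfa_passed):
        """The victim's browser at /devicelogin: enters the code and passes MFA *there*."""
        device_code = self._by_user_code.get(user_code)
        if device_code is None or device_code not in self._pending:
            return {"error": "invalid_user_code"}
        if not mfa_passed:
            return {"error": "mfa_required"}
        self._pending[device_code]["user"] = username
        return {"status": "approved"}

    def token(self, device_code, client_id, now):
        """POST /token with grant_type=urn:ietf:params:oauth:grant-type:device_code.
        Whoever holds device_code gets the tokens; no MFA happens on this leg."""
        rec = self._pending.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if now - rec["issued"] > self.expires_in:
            del self._pending[device_code]
            return {"error": "expired_token"}
        if rec["last_poll"] is not None and now - rec["last_poll"] < self.interval:
            return {"error": "slow_down"}
        rec["last_poll"] = now
        if rec["user"] is None:
            return {"error": "authorization_pending"}
        del self._pending[device_code]
        return {"token_type": "Bearer", "scope": rec["scope"], "sub": rec["user"],
                "access_token": "eyJ." + secrets.token_hex(8),   # placeholder, not a real JWT
                "refresh_token": secrets.token_urlsafe(24)}      # present because offline_access was requested


def phishing_scenario(victim="victim@example.com"):
    """Walk through the attack described in the article with a fake clock; returns the trace and tokens."""
    srv = DeviceCodeServer()
    client_id = "00000000-0000-0000-0000-00000000c0de"   # assumed public client ID
    scope = "openid profile offline_access https://graph.microsoft.com/.default"
    t = 1_700_000_000.0
    trace = []

    # 1. Attacker starts the flow and receives the user_code to put in the lure.
    start = srv.devicecode(client_id, scope, now=t)

    # 2. Attacker polls while the lure is out; the server keeps answering "pending".
    trace.append(srv.token(start["device_code"], client_id, now=t + 5)["error"])
    trace.append(srv.token(start["device_code"], client_id, now=t + 6)["error"])   # polled too fast

    # 3. Victim, socially engineered, types the code into the real Microsoft page and passes MFA.
    trace.append(srv.devicelogin(start["user_code"], victim, mfa_passed=True)["status"])

    # 4. Attacker's next poll returns the victim's access and refresh tokens.
    tokens = srv.token(start["device_code"], client_id, now=t + 40)
    trace.append("token" if "access_token" in tokens else tokens["error"])
    return {"user_code": start["user_code"], "trace": trace, "tokens": tokens}


if __name__ == "__main__":
    result = phishing_scenario()
    print("lure code:", result["user_code"])
    print("attacker's polling trace:", " -> ".join(result["trace"]))
    print("tokens issued for:", result["tokens"]["sub"])
```

Two details of the real flow that matter for defenders are preserved here: the device code expires (Microsoft's default is fifteen minutes, which is why lures press for urgency), and the token endpoint never sees the victim at all, so MFA prompts, phishing-resistant credentials and "was this you?" notifications all fire in the victim's session, not the attacker's.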
The threat actors then have the same access as the victim's single-sign-on account: Microsoft 365, Salesforce, and any other cloud SaaS platform federated to it, which they use to steal data.
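A check a defender would want to run against this technique, as an added example that is not from the article: triage of Microsoft Entra ID sign-in log records for sign-ins that used the device code grant. The field names follow the Microsoft Graph signIn resource, where authenticationProtocol carries the value "deviceCode" for this grant; the records themselves are constructed, and the severity rating (device code sign-in from a country not seen in the user's interactive sign-ins) is a heuristic chosen for the demonstration, not a Microsoft detection.

```python
"""
Added example (not from the article): triage of Microsoft Entra ID sign-in log records for
device code sign-ins. Field names follow the Graph API signIn resource, where
authenticationProtocol is "deviceCode" for this grant; the records are constructed.
"""
import json
from collections import defaultdict

# Constructed sample, shaped like a Graph /auditLogs/signIns export.
# Alice normally signs in from the US but her device code sign-in arrives from elsewhere;
# Bob's device code sign-in has no interactive baseline; Carol's matches her baseline.
SAMPLE_SIGNINS = """
[
 {"createdDateTime": "2026-05-04T08:02:11Z", "userPrincipalName": "alice@example.com",
  "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"},
  "appDisplayName": "Microsoft Office", "authenticationProtocol": "oAuth2",
  "status": {"errorCode": 0}},
 {"createdDateTime": "2026-05-04T08:41:53Z", "userPrincipalName": "alice@example.com",
  "ipAddress": "198.51.100.77", "location": {"countryOrRegion": "NG"},
  "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
  "status": {"errorCode": 0}},
 {"createdDateTime": "2026-05-04T09:10:00Z", "userPrincipalName": "bob@example.com",
  "ipAddress": "192.0.2.5", "location": {"countryOrRegion": "US"},
  "appDisplayName": "Microsoft Teams", "authenticationProtocol": "deviceCode",
  "status": {"errorCode": 0}},
 {"createdDateTime": "2026-05-04T09:12:30Z", "userPrincipalName": "carol@example.com",
  "ipAddress": "203.0.113.44", "location": {"countryOrRegion": "US"},
  "appDisplayName": "Microsoft Office", "authenticationProtocol": "oAuth2",
  "status": {"errorCode": 0}},
 {"createdDateTime": "2026-05-04T09:30:02Z", "userPrincipalName": "carol@example.com",
  "ipAddress": "203.0.113.44", "location": {"countryOrRegion": "US"},
  "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
  "status": {"errorCode": 0}}
]
"""


def load_sample():
    """Parse the constructed export above into a list of sign-in records."""
    return json.loads(SAMPLE_SIGNINS)


def triage_device_code_signins(records):
    """Return one alert per successful device code sign-in.

    Severity is a heuristic (assumption): "high" when the sign-in's country is absent
    from the user's successful non-device-code sign-ins in the same batch, else "medium".
    """
    baseline = defaultdict(set)   # user -> countries seen in interactive sign-ins
    for r in records:
        if r["authenticationProtocol"] != "deviceCode" and r["status"]["errorCode"] == 0:
            baseline[r["userPrincipalName"]].add(r["location"]["countryOrRegion"])

    alerts = []
    for r in records:
        if r["authenticationProtocol"] != "deviceCode" or r["status"]["errorCode"] != 0:
            continue
        user = r["userPrincipalName"]
        country = r["location"]["countryOrRegion"]
        seen = baseline.get(user, set())
        reasons = ["token obtained via the device code grant"]
        if seen and country not in seen:
            reasons.append(f"country {country} not seen in interactive sign-ins {sorted(seen)}")
        elif not seen:
            reasons.append("no interactive sign-in baseline for this user in the batch")
        severity = "high" if (seen and country not in seen) else "medium"
        alerts.append({"user": user, "time": r["createdDateTime"], "ip": r["ipAddress"],
                       "app": r["appDisplayName"], "severity": severity, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in triage_device_code_signins(load_sample()):
        print(f"[{a['severity']:6}] {a['time']} {a['user']} from {a['ip']} via {a['app']}: "
              + "; ".join(a["reasons"]))
```

Every device code sign-in is worth a look in a tenant where no kiosk, conference room or CLI workflow legitimately needs the grant, and in that case the cleaner fix is preventive: an Entra Conditional Access policy using the authentication flows condition can block the device code flow outright for users who have no business using it, so the victim's MFA never completes the attacker's flow in the first place.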