The FBI has issued a warning about Kali365, a phishing-as-a-service platform that targets Microsoft 365 accounts through OAuth device code exploitation. The threat actors behind Kali365 abuse OAuth's device code authentication flow to steal session tokens and circumvent multi-factor authentication protections.

The attack sequence begins when phishing victims receive credential harvesting links. Attackers use the stolen credentials to initiate OAuth device code flows, which generate a code that the victim is prompted to enter and approve. By manipulating this process, threat actors trick users into authorizing access without realizing they have granted attackers legitimate session tokens. Once obtained, these tokens provide access to Microsoft 365 accounts regardless of MFA settings, since the token is accepted on its own and the secondary authentication layer is never prompted again.

The Kali365 platform operates as a commercial service, meaning multiple threat actors can lease the infrastructure to conduct phishing campaigns at scale. This commoditization of phishing capabilities lowers the barrier to entry for criminals lacking technical expertise. Organizations using Microsoft 365 face direct exposure since the platform targets no specific industry.

The vulnerability exploited here stems not from a code flaw but from user behavior and the way OAuth device code flows are designed. Users approving authentication requests without understanding the context become unwitting accomplices in account compromise. MFA alone provides insufficient protection when attackers obtain valid session tokens through OAuth delegation.

Organizations should implement additional controls beyond standard MFA. Conditional access policies that flag unusual OAuth device code approvals, restrictions on third-party application consent, and security awareness training targeting OAuth phishing offer better defense. Microsoft 365 administrators should audit connected applications regularly and educate users about suspicious authentication prompts.
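A defender-side check in the spirit of the controls above, added here as an example and not taken from the FBI warning or any Kali365 analysis: it scans constructed Microsoft Entra ID sign-in records and flags device code sign-ins to applications outside an allowlist, or from a country the user has never signed in from through a normal browser flow. Field names follow the Microsoft Graph signIn schema (authenticationProtocol equal to "deviceCode"); the sample records and the allowlist are assumptions.

```python
import json
from collections import defaultdict

# Constructed sample sign-in records (not real data). Field names follow the
# Microsoft Graph signIn resource; authenticationProtocol is "deviceCode" for
# device code flow sign-ins (assumption: your export uses the same names).
SAMPLE_SIGNIN_LOGS = json.loads("""[
 {"userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2",
  "location": {"countryOrRegion": "US"}, "ipAddress": "203.0.113.10",
  "appDisplayName": "Microsoft Office"},
 {"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode",
  "location": {"countryOrRegion": "NL"}, "ipAddress": "198.51.100.7",
  "appDisplayName": "Microsoft Office"},
 {"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode",
  "location": {"countryOrRegion": "US"}, "ipAddress": "203.0.113.22",
  "appDisplayName": "Microsoft Azure CLI"}
]""")

# Hypothetical allowlist: apps for which device code sign-ins are expected in
# this tenant (CLI tools on browserless hosts). Anything else warrants review.
ALLOWED_DEVICE_CODE_APPS = {"Microsoft Azure CLI"}


def baseline_countries(records):
    """Countries each user has signed in from via a non-device-code flow."""
    seen = defaultdict(set)
    for r in records:
        if r["authenticationProtocol"] != "deviceCode":
            seen[r["userPrincipalName"]].add(r["location"]["countryOrRegion"])
    return seen


def flag_device_code_signins(records):
    """Return (user, ip, reason) tuples for device code sign-ins worth reviewing."""
    baseline = baseline_countries(records)
    findings = []
    for r in records:
        if r["authenticationProtocol"] != "deviceCode":
            continue
        user, app = r["userPrincipalName"], r["appDisplayName"]
        country = r["location"]["countryOrRegion"]
        reasons = []
        if app not in ALLOWED_DEVICE_CODE_APPS:
            reasons.append(f"device code flow to unexpected app {app!r}")
        # A device code approval from a country the user never uses in a browser
        # is the pattern a phished code entered by the victim would produce.
        if baseline[user] and country not in baseline[user]:
            reasons.append(f"country {country} not in user's usual {sorted(baseline[user])}")
        if reasons:
            findings.append((user, r["ipAddress"], "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for finding in flag_device_code_signins(SAMPLE_SIGNIN_LOGS):
        print(*finding, sep=" | ")
```

Run against a real export, the same two conditions map onto a conditional access policy that restricts which applications may use the device code flow and onto a SIEM rule keyed on the protocol field.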

The emergence of Kali365 reflects a trend toward accessible, modular attack infrastructure. Phishing-as-a-service platforms remove technical barriers and allow attackers to conduct campaigns without developing tools independently. This