Kali365: The Microsoft 365 Phishing Kit That Steals Access Without Passwords
The FBI has issued a security alert about Kali365, a new Phishing-as-a-Service (PhaaS) platform first spotted in April 2026. Distributed through Telegram, this phishing kit lets attackers obtain Microsoft 365 access tokens. It has one notable twist: it hijacks the OAuth 2.0 Device Authorization Grant (the "device code flow") to access Microsoft accounts without ever needing to intercept user credentials.
A phishing kit built on OAuth token theft
As a reminder, the Phishing-as-a-Service (PhaaS) model gives cybercriminals access to ready-made phishing kits in exchange for a paid subscription or a one-time fee. The new kit known as Kali365 belongs to this category. It gives attackers an arsenal of features designed to target Microsoft 365 accounts:
- AI-generated phishing message templates (including multiple languages),
- Automated campaign templates,
- Real-time target tracking dashboards,
- OAuth token capture capabilities.
This scam works by exploiting the device code flow offered by OAuth 2.0. This authentication method is designed for devices with limited input capabilities (for example, a smart TV or a conference-room system): the device displays a short code, and the user completes the sign-in, including MFA, from a browser on another device.

As the FBI explains in its bulletin, the attack orchestrated through the Kali365 kit unfolds in 4 steps:
- The lure: the attacker sends a phishing email impersonating a trusted document-sharing service. This message contains a device code along with instructions telling the victim to visit a legitimate Microsoft verification page and enter the code there.
- The authorization: the targeted user browses to the real Microsoft page and pastes in the provided code, unknowingly authorizing the attacker’s device to access their own account.
- Token theft: the cybercriminal's device polls Microsoft and receives the OAuth access and refresh tokens, which carry the victim's own access rights to their Microsoft 365 account.
- Persistence: the attacker now has direct access to Microsoft 365 services (such as Outlook, Teams, and OneDrive), all without stealing a password and without being hindered by MFA, since the victim satisfied MFA themselves on the genuine Microsoft page.
"Once onboarding is complete, Kali365 enables affiliates to rapidly generate customized phishing lures that mimic common enterprise services such as Adobe Acrobat Sign, DocuSign, and SharePoint," the ArcticWolf researchers said.
This is not the first time a cybercriminal group has abused device codes to compromise Microsoft accounts. The ShinyHunters gang notably used this technique in 2026, but in this case, the threat comes as a ready-to-use PhaaS kit. As a result, the technique is far more accessible, even to attackers without special technical skills.
How can you protect yourself and respond to the Kali365 threat?
Since this is a phishing campaign, Kali365 relies on users falling for the trap. But as an administrator, you can also configure your Microsoft 365 tenant to reduce the risk of compromise by Kali365.
In practice, you should limit or even block OAuth 2.0 authentication using the "device code flow." To do so, you can create a Conditional Access policy to block this flow for all users, and then manage exceptions if needed. At the very least, you regain control over this authentication method, which represents a potential entry point.
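The Conditional Access policy described above, written out as an added example with Microsoft Graph PowerShell (not code from the article or from the FBI/ArcticWolf reports). It assumes the Microsoft.Graph module is installed, that you hold a role allowed to manage Conditional Access, and that `<BREAK-GLASS-GROUP-OBJECT-ID>` is a placeholder you replace with your emergency-access group; the policy is created in report-only mode first so the sign-in logs reveal any legitimate device-code users (meeting-room hardware, for instance) before it is enforced.

```powershell
# Added example: block the OAuth 2.0 device code flow tenant-wide with a
# Conditional Access policy, via Microsoft Graph PowerShell.
Import-Module Microsoft.Graph.Identity.SignIns

# Scopes needed to create and read Conditional Access policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: object ID of the group holding your break-glass accounts.
$breakGlassGroupId = "<BREAK-GLASS-GROUP-OBJECT-ID>"

$policy = @{
    displayName   = "Block device code flow (Kali365 mitigation)"
    # Report-only first; switch to "enabled" once the impact has been reviewed.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        applications        = @{
            includeApplications = @("All")
        }
        users               = @{
            includeUsers  = @("All")
            # Keep emergency-access accounts out of the policy.
            excludeGroups = @($breakGlassGroupId)
        }
        # The authenticationFlows condition targets the device code grant itself.
        authenticationFlows = @{
            transferMethods = "deviceCodeFlow"
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.Id) in state $($created.State)"

# After reviewing report-only results in the sign-in logs, enforce it:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
#     -BodyParameter @{ state = "enabled" }
```

Users who legitimately need the device code flow can be placed in an excluded group rather than leaving the flow open for everyone.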

Finally, it should be noted that Kali365 was documented by ArcticWolf researchers in April 2026. In this report, the campaign is said to target North America and the EMEA region (including Europe). Several industries are targeted, including manufacturing, government agencies, finance and healthcare, as well as education.