If you think MFA is your safety net, Kali365 just cut it.

In May 2026, the FBI issued Public Service Announcement I-052126-PSA warning organizations about a rapidly emerging Phishing-as-a-Service (PhaaS) platform called Kali365. First observed in April 2026 and distributed openly through Telegram, Kali365 doesn’t steal your password. It doesn’t even need to. It steals something more valuable: your OAuth token, and with it, persistent, credential-free access to your entire Microsoft 365 environment.

This post breaks down how Kali365 works, why it’s particularly dangerous for organizations running M365, and most importantly, what defenders can do right now.


What Is Kali365?

Kali365 is a subscription-based Phishing-as-a-Service platform marketed and distributed through Telegram channels. Tiered subscriptions range from $250 for a 30-day license up to $2,000 for an annual license, a true SaaS business model, built on criminal infrastructure. The key innovation isn’t a novel zero-day or advanced malware. It’s a polished, productized abuse of a legitimate Microsoft authentication mechanism: the OAuth 2.0 Device Authorization Grant flow (commonly called “device code phishing”).

What does that subscription get an attacker?

  • AI-generated, context-aware phishing lure templates
  • Automated phishing campaign deployment with minimal technical skill required
  • Real-time dashboards showing which targets have completed authorization and which tokens are ready for use
  • OAuth access and refresh token capture capabilities
  • A secondary reverse-proxy AitM (Adversary-in-the-Middle) layer using Cloudflare Workers to replicate corporate SSO portals

The FBI’s own language is instructive: Kali365 “lowers the barrier of entry” for attackers. This isn’t a sophisticated APT tool reserved for nation-state actors; it’s a productized kit available to anyone with a Telegram account and a couple hundred dollars. Research from Paubox Security documented a 30-fold increase in device code phishing variants across the threat landscape in 2026, as platforms like Kali365, EvilTokens, and Tycoon2FA flooded underground markets simultaneously.


The Attack Chain: How Kali365 Actually Works

Understanding the attack requires understanding a legitimate Microsoft feature first.

Device code flow (OAuth 2.0 Device Authorization Grant) is an authentication mechanism designed for devices that can’t easily display a browser: smart TVs, printers, or conference room displays. A user is given a short alphanumeric code and directed to microsoft.com/devicelogin to complete authentication on a separate device. The originating device then polls Microsoft’s token endpoint until the user finishes and receives the resulting tokens. Totally legitimate. Totally abusable.

Here is the full five-phase attack lifecycle:

Phase 1: AI-Generated Lure

The attacker uses Kali365’s built-in AI backend to generate a convincing, localized phishing email. These typically masquerade as urgent business communications, a mandatory document review from Adobe Acrobat Sign, a DocuSign signature request, or an internal SharePoint notification. The lure contains a short alphanumeric device code and instructions to visit microsoft.com/devicelogin to “access the document.”

Phase 2: The Device Code Hook

Unlike traditional phishing, there is no malicious link and no spoofed login page. The victim is directed to a completely authentic Microsoft URL. Email gateways don’t flag it. URL filters evaluate it as safe. Browser safe-browsing tools pass it. The attack surface is entirely social, not technical.

Phase 3: Legitimate Microsoft Authentication

The victim lands on the genuine Microsoft device login portal — complete with their organization’s SSO branding and standard MFA challenges. From the user’s perspective, everything looks exactly as it should. They enter the code, complete MFA, and assume they’ve done something routine.

Phase 4: Token Capture

That device code was generated by the attacker’s session. By entering it, the victim has just authorized the attacker’s application to access their account. Kali365’s infrastructure automatically captures the resulting OAuth 2.0 access tokens and refresh tokens. Because these tokens prove a successful authentication event has already occurred, the attacker inherits a fully authenticated session.

Phase 5: Post-Compromise Exploitation

With valid tokens in hand, the attacker has immediate, MFA-bypass access to Outlook, Teams, OneDrive, and SharePoint — without ever knowing the user’s password or triggering an additional MFA prompt.

Because no credentials are ever intercepted, traditional password-based detections don’t fire. Because MFA was technically “completed” via Microsoft’s own infrastructure, MFA bypass alerts may not trigger either. Dwell time climbs.


Post-Compromise Capabilities

Kali365 doesn’t just hand attackers a token and leave them to figure out the rest. The platform includes an operational dashboard to manage and monetize compromised accounts:

Business Email Compromise (BEC): Attackers send targeted phishing emails or wire-fraud requests directly from the legitimate user’s mailbox. Because these originate from real corporate infrastructure, they pass SPF, DKIM, and DMARC checks cleanly — the hardest category of phishing to detect or block downstream.

Automated Alert Suppression: The platform automatically creates inbox rules to delete or archive incoming emails containing words like “security,” “compromise,” or “password reset.” The victim’s own inbox is weaponized to hide the breach.

Rogue Device Enrollment: Attackers leverage the active session to register unauthorized secondary devices or generate additional authentication methods inside the user’s Entra ID profile — ensuring continued access even after the primary session token expires.

Persistent Refresh Token Access: Refresh tokens remain valid for extended periods. Changing the account password does not always immediately invalidate an active stolen token. Without explicit token revocation, an attacker can maintain access long after a user suspects something is wrong.
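The alert-suppression rules described above leave a recognisable footprint in the mailbox: a keyword match on breach-notification terms paired with an action that hides the message. The following is an added example for this post, not Kali365’s code, Microsoft’s, or the author’s; it scores inbox rules for that pattern. The rule records are constructed to resemble the messageRule objects Microsoft Graph returns from /users/{id}/mailFolders/inbox/messageRules (displayName, conditions, actions); that shape is an assumption, so map your own export onto it.

```python
"""Flag inbox rules that look like alert-suppression rules.

Added example, not Kali365's, Microsoft's, or the post author's code. Rule records
are constructed; their shape (displayName / conditions / actions as in Graph
messageRule objects) is an assumption to verify against a real export.
"""
from dataclasses import dataclass, field
from typing import Optional

# Terms that breach notifications tend to carry and that suppression rules match on.
SUPPRESSION_KEYWORDS = ("security", "compromise", "password", "phish", "hacked", "suspicious", "sign-in")

# Actions that take a message out of the user's view; the strong ones destroy or divert it.
STRONG_HIDING = ("delete", "permanentDelete", "forwardTo", "redirectTo", "forwardAsAttachmentTo")
WEAK_HIDING = ("moveToFolder", "markAsRead")

# Constructed sample rules: two that fit the suppression pattern, two that are benign.
SAMPLE_RULES = [
    {"displayName": ".",
     "conditions": {"bodyOrSubjectContains": ["security", "compromise", "password reset"]},
     "actions": {"delete": True, "stopProcessingRules": True}},
    {"displayName": "Archive",
     "conditions": {"subjectContains": ["Suspicious sign-in activity"]},
     "actions": {"moveToFolder": "AAMkAGI2-archive-folder-id", "markAsRead": True}},
    {"displayName": "Newsletters",
     "conditions": {"subjectContains": ["Weekly digest"]},
     "actions": {"moveToFolder": "AAMkAGI2-newsletter-folder-id"}},
    {"displayName": "Flag messages from my manager",
     "conditions": {"fromAddresses": [{"emailAddress": {"address": "manager@contoso.example"}}]},
     "actions": {"markImportance": "high"}},
]


@dataclass
class Finding:
    rule_name: str
    score: int
    reasons: list = field(default_factory=list)


def matched_keywords(rule: dict) -> list:
    """Return the rule's match terms that contain a suppression keyword."""
    cond = rule.get("conditions") or {}
    terms = []
    for key in ("subjectContains", "bodyContains", "bodyOrSubjectContains", "headerContains"):
        terms.extend(cond.get(key) or [])
    return [t for t in terms if any(k in t.lower() for k in SUPPRESSION_KEYWORDS)]


def hiding_actions(rule: dict):
    """Split the rule's set actions into strong and weak hiding actions."""
    actions = rule.get("actions") or {}
    strong = [a for a in STRONG_HIDING if actions.get(a)]
    weak = [a for a in WEAK_HIDING if actions.get(a)]
    return strong, weak


def assess_rule(rule: dict, threshold: int = 3) -> Optional[Finding]:
    """Score one rule; return a Finding when the score reaches the threshold."""
    finding = Finding(rule_name=rule.get("displayName", ""), score=0)
    kws = matched_keywords(rule)
    if kws:
        finding.score += 2
        finding.reasons.append(f"matches breach-notification terms {kws}")
    strong, weak = hiding_actions(rule)
    if strong:
        finding.score += 2
        finding.reasons.append(f"destroys or diverts mail via {strong}")
    elif weak:
        finding.score += 1
        finding.reasons.append(f"moves mail out of sight via {weak}")
    if (rule.get("actions") or {}).get("stopProcessingRules"):
        finding.score += 1
        finding.reasons.append("stops later rules from running")
    if len(finding.rule_name.strip()) <= 2:
        finding.score += 1
        finding.reasons.append("near-empty rule name, typical of scripted rule creation")
    return finding if finding.score >= threshold else None


def audit_inbox_rules(rules: list, threshold: int = 3) -> list:
    """Return findings for every rule that reaches the threshold, highest score first."""
    findings = [f for f in (assess_rule(r, threshold) for r in rules) if f]
    return sorted(findings, key=lambda f: f.score, reverse=True)


if __name__ == "__main__":
    for f in audit_inbox_rules(SAMPLE_RULES):
        print(f"[{f.score}] {f.rule_name!r}: " + "; ".join(f.reasons))
```

The scoring is deliberately additive rather than a single keyword match: a legitimate “Newsletters” rule moves mail too, and only the combination of breach-notification terms, a hiding action, and tells such as an empty rule name pushes a rule over the threshold. Run it over every mailbox, not just the one that reported the phish, since the same kit creates the rules at scale.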


Why This Is a Bigger Deal Than It Looks

Several compounding factors make Kali365 worth taking seriously beyond the initial FBI advisory:

MFA is not a complete defense here. This is the uncomfortable truth. MFA protects against credential theft. Kali365 doesn’t steal credentials — it abuses an authentication flow that inherently invites the user to complete an MFA-equivalent step on Microsoft’s own infrastructure. If your security awareness training says “MFA protects you,” it’s now incomplete.

The subscription model scales attack volume. At $250/month, this is accessible to a very wide population of threat actors. Campaigns will run at volume. Organizations won’t be individually targeted — they’ll be caught in broad automated sweeps.

The AitM layer adds a second attack surface. Beyond device code phishing, Todyl Security Research documented that Kali365 also incorporates a reverse-proxy AitM system using Cloudflare Workers to replicate corporate SSO portals. This means even organizations that have blocked device code flow aren’t necessarily immune to all Kali365 campaign variants.

Detection is genuinely harder. No spoofed domain. No credential harvest event. Authentication completed on legitimate Microsoft infrastructure. Security tooling built around credential theft needs to be supplemented with token-centric and behavioral detections.

Government and state-level entities are already being targeted. The New Jersey Cybersecurity and Communications Cell (NJCCIC) published telemetry showing localized spikes in Kali365 campaigns targeting state and local government employees using spoofed Adobe and DocuSign notifications. Nonprofits and public-sector organizations — resource-constrained and often running standard M365 configurations — are a natural target population.


Defensive Measures: What You Can Actually Do

The FBI and CISA’s guidance is the right starting point. Here’s what it looks like in practice:

1. Block Device Code Flow via Conditional Access — Do This First

This is the single most effective mitigation. In Microsoft Entra ID:

  • Navigate to Entra ID > Security > Conditional Access
  • Create a new policy targeting All Users
  • Under Conditions > Authentication flows, select Device code flow
  • Set Grant to Block
  • Carve out exceptions only for verified, input-limited hardware (conference room displays, printers, kiosk terminals) — scoped to specific device compliance or named location policies

Critical pre-step: Audit existing device code flow usage before enforcing. In Entra ID, filter Sign-in logs by Authentication Protocol: deviceCode to identify legitimate dependencies. A blind block can break workflows. Know your exceptions before you create them.

2. Block Authentication Transfer Policies

Prevent cross-device authentication transfers, e.g., a user approving a desktop session from an unrelated mobile device flow. Configure this in Conditional Access under session controls.
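Once the policies from steps 1 and 2 exist, the question that matters is whether an enforced block actually covers all users and who has been carved out. The following is an added example for this post, not Microsoft’s or the author’s code: it audits an exported set of Conditional Access policies for both flows and builds the body of a device code flow block. The policy documents follow the Microsoft Graph conditionalAccessPolicy shape as I know it (conditions.authenticationFlows.transferMethods, grantControls.builtInControls, conditions.users.includeUsers/excludeGroups); treat those field names as an assumption and confirm them against a real export from your tenant.

```python
"""Audit Conditional Access policies for device code flow / authentication transfer blocks.

Added example, not Microsoft's or the post author's code. The policy field names
follow the Graph conditionalAccessPolicy schema as understood here (assumption);
the sample export below is constructed.
"""

DEVICE_CODE = "deviceCodeFlow"
AUTH_TRANSFER = "authenticationTransfer"

# Constructed sample export: one enforced block for both flows with a hardware
# exclusion group, one unrelated MFA policy, one block still in report-only mode.
SAMPLE_POLICIES = [
    {"displayName": "CA100 - Block device code flow and auth transfer",
     "state": "enabled",
     "conditions": {
         "users": {"includeUsers": ["All"], "excludeGroups": ["grp-conference-room-devices"]},
         "applications": {"includeApplications": ["All"]},
         "authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "CA001 - Require MFA for all users",
     "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "CA099 - Block device code flow (pilot)",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "authenticationFlows": {"transferMethods": "deviceCodeFlow"}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]


def flows_blocked_by(policy: dict) -> set:
    """Flows this policy blocks; empty unless the policy is enforced and grants 'block'."""
    if policy.get("state") != "enabled":
        return set()  # report-only or disabled policies protect nobody
    grant = policy.get("grantControls") or {}
    if "block" not in (grant.get("builtInControls") or []):
        return set()
    flows = (policy.get("conditions") or {}).get("authenticationFlows") or {}
    return {m.strip() for m in flows.get("transferMethods", "").split(",") if m.strip()}


def audit_authentication_flows(policies: list) -> dict:
    """For each flow, report whether an enforced block covers all users and who is carved out."""
    report = {}
    for flow in (DEVICE_CODE, AUTH_TRANSFER):
        blocking = [p for p in policies if flow in flows_blocked_by(p)]
        all_users = [p for p in blocking
                     if "All" in (p["conditions"].get("users") or {}).get("includeUsers", [])]
        carve_outs = set()
        for p in all_users:
            users = p["conditions"].get("users") or {}
            carve_outs.update(users.get("excludeGroups", []))
            carve_outs.update(users.get("excludeUsers", []))
        report[flow] = {
            "blocked_for_all_users": bool(all_users),
            "policies": sorted(p["displayName"] for p in blocking),
            "exclusions": sorted(carve_outs),  # every entry here must be a verified hardware group
        }
    return report


def build_block_policy(display_name: str, exclude_groups: list) -> dict:
    """Policy body for a device code flow block: all users, minus verified input-limited hardware groups."""
    return {
        "displayName": display_name,
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": list(exclude_groups)},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": DEVICE_CODE},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(audit_authentication_flows(SAMPLE_POLICIES), indent=2))
```

The report-only pilot policy is the trap this check is built for: it shows up in the portal as a device code block, but flows_blocked_by returns nothing for it, so the audit only credits policies in the enabled state. The exclusions list is the review target from step 1: each group on it should correspond to the verified hardware you identified in the pre-step audit.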

3. Migrate to Phishing-Resistant MFA

SMS-based MFA, voice calls, and standard push approvals remain vulnerable to various social engineering and session phishing techniques. Prioritize migration to:

  • FIDO2 security keys (YubiKey, etc.)
  • Microsoft Authenticator with number matching and additional context enabled
  • Certificate-based authentication for high-privilege accounts

Target admins, finance teams, executives, and anyone with access to sensitive data or payment workflows first.

4. Shorten Token Lifetimes

Reducing the default validity window for session and refresh tokens in Entra ID minimizes the attacker’s usable window if a token is captured. Configure token lifetime policies via Microsoft Entra ID’s Token Lifetime Policy settings.

5. Monitor SIEM for Device Code Flow Anomalies

Build detection rules to flag:

let known_trusted_ranges = dynamic(["192.0.2.0/24", "10.0.0.0/8"]);  // placeholder: your own egress IPs and ranges
SigninLogs
| where AuthenticationProtocol == "deviceCode"
| where ResultType == "0"  // successful sign-in
| where not(ipv4_is_in_any_range(IPAddress, known_trusted_ranges))

Alert on device code grants from unexpected IP ranges or unusual geolocations, and on grants followed immediately by access to sensitive resources. The query is written in KQL for Microsoft Sentinel (where the table is SigninLogs) and can be adapted for Splunk or Wazuh.
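The query above catches the grant itself; the “followed immediately by access to sensitive resources” part needs a correlation step. The following is an added example for this post, not Microsoft’s, Sentinel’s, or the author’s code, and it runs the same logic offline over a handful of constructed sign-in records: successful deviceCode sign-ins from outside trusted ranges are flagged, and the finding is escalated when the same user touches a sensitive resource within a short window afterwards. The column names mimic the Sentinel SigninLogs table (an assumption), and the users, timestamps, and addresses are constructed from documentation ranges.

```python
"""Device-code sign-in anomaly detection over constructed sign-in records.

Added example, not Microsoft's, Sentinel's, or the post author's code. Column names
follow the SigninLogs table (assumption); all record values are constructed.
"""
import ipaddress
from datetime import datetime, timedelta

# Constructed egress ranges that legitimately run device code flow (printers, room displays).
TRUSTED_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]

# Resources whose access right after an untrusted device code grant escalates the finding.
SENSITIVE_RESOURCES = {"Office 365 Exchange Online", "Office 365 SharePoint Online", "Microsoft Graph"}

CORRELATION_WINDOW = timedelta(minutes=15)

SAMPLE_EVENTS = [
    {"TimeGenerated": "2026-05-20T09:02:10Z", "UserPrincipalName": "alice@contoso.example",
     "AuthenticationProtocol": "deviceCode", "ResultType": "0", "IPAddress": "192.0.2.41",
     "Location": "US", "AppDisplayName": "Microsoft Office", "ResourceDisplayName": "Microsoft Graph"},
    {"TimeGenerated": "2026-05-20T09:14:00Z", "UserPrincipalName": "bob@contoso.example",
     "AuthenticationProtocol": "deviceCode", "ResultType": "0", "IPAddress": "203.0.113.45",
     "Location": "NL", "AppDisplayName": "Microsoft Office", "ResourceDisplayName": "Microsoft Graph"},
    {"TimeGenerated": "2026-05-20T09:16:30Z", "UserPrincipalName": "bob@contoso.example",
     "AuthenticationProtocol": "none", "ResultType": "0", "IPAddress": "203.0.113.45",
     "Location": "NL", "AppDisplayName": "Microsoft Office", "ResourceDisplayName": "Office 365 Exchange Online"},
    {"TimeGenerated": "2026-05-20T09:20:05Z", "UserPrincipalName": "carol@contoso.example",
     "AuthenticationProtocol": "deviceCode", "ResultType": "50126", "IPAddress": "198.51.100.7",
     "Location": "BR", "AppDisplayName": "Microsoft Office", "ResourceDisplayName": "Microsoft Graph"},
    {"TimeGenerated": "2026-05-20T09:31:45Z", "UserPrincipalName": "dave@contoso.example",
     "AuthenticationProtocol": "deviceCode", "ResultType": "0", "IPAddress": "198.51.100.9",
     "Location": "RU", "AppDisplayName": "Microsoft Office", "ResourceDisplayName": "Microsoft Graph"},
]


def is_trusted(ip: str) -> bool:
    """True when the address falls inside one of the known-good ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_RANGES)


def parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_device_code_anomalies(events: list) -> list:
    """Successful deviceCode sign-ins from untrusted addresses, escalated to high when the
    same user reaches a sensitive resource within CORRELATION_WINDOW of the grant."""
    ordered = sorted(events, key=lambda e: parse_ts(e["TimeGenerated"]))
    findings = []
    for i, ev in enumerate(ordered):
        # Same filter as the KQL: only successful device code grants are of interest.
        if ev["AuthenticationProtocol"] != "deviceCode" or ev["ResultType"] != "0":
            continue
        if is_trusted(ev["IPAddress"]):
            continue
        t0 = parse_ts(ev["TimeGenerated"])
        touched = []
        for later in ordered[i + 1:]:
            if parse_ts(later["TimeGenerated"]) - t0 > CORRELATION_WINDOW:
                break  # records are time-ordered, nothing further is inside the window
            if (later["UserPrincipalName"] == ev["UserPrincipalName"]
                    and later["ResultType"] == "0"
                    and later["ResourceDisplayName"] in SENSITIVE_RESOURCES):
                touched.append(later["ResourceDisplayName"])
        findings.append({
            "user": ev["UserPrincipalName"], "ip": ev["IPAddress"], "location": ev["Location"],
            "time": ev["TimeGenerated"], "severity": "high" if touched else "medium",
            "followup_resources": touched,
        })
    return findings


if __name__ == "__main__":
    for f in detect_device_code_anomalies(SAMPLE_EVENTS):
        print(f"{f['severity'].upper():6} {f['user']} from {f['ip']} ({f['location']}) -> {f['followup_resources']}")
```

Over the sample, the trusted conference-room grant and the failed attempt drop out, the grant with no follow-up stays at medium, and the grant followed two minutes later by Exchange Online access becomes high. Tune CORRELATION_WINDOW and SENSITIVE_RESOURCES to what your tenant’s sign-in volume tolerates.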

6. Establish a Token Compromise Incident Playbook

Ensure your IR playbook explicitly covers token theft, not just credential compromise. At minimum, a token compromise response must include:

  1. Revoke all active refresh tokens for the affected user immediately
  2. Terminate all global user sessions via Entra ID
  3. Audit for rogue device enrollments and new authentication methods added to the account
  4. Review inbox rules for automated deletion or forwarding rules created by the attacker
  5. Check mail flow for outbound BEC attempts sent during the compromise window

With the Microsoft Graph PowerShell SDK (connect first with Connect-MgGraph -Scopes "User.ReadWrite.All"), steps 1 and 2 are a single call; the UPN below is a placeholder:

# Revoke every refresh token and session cookie for the user: all clients,
# including anyone holding a stolen token, must re-authenticate (and re-satisfy
# MFA) on their next sign-in
Revoke-MgUserSignInSession -UserId "user@contoso.example"

# Step 3: list the account's registered authentication methods and check for
# any the user did not add themselves
Get-MgUserAuthenticationMethod -UserId "user@contoso.example"

7. Implement Continuous Access Evaluation (CAE)

CAE allows Microsoft services to terminate sessions in near-real-time when risk signals are detected: an IP address change, a policy change, or an account compromise signal. It won’t prevent initial token capture, but it significantly limits how long a stolen token remains operationally useful.


Reporting

If your organization has been impacted by a Kali365 campaign, report to the FBI Internet Crime Complaint Center at ic3.gov. Include:

  • Phishing emails (full headers and body)
  • Suspicious sign-in events (timestamp, IP address, location)
  • Unauthorized devices or active sessions added to the account

The Bigger Picture

Kali365 is a symptom of a broader and accelerating shift: attackers are moving up the stack from endpoint to identity. The sophistication isn’t in novel malware; it’s in the productization of identity abuse at scale. A platform that would have required significant technical skill to build and operate in 2023 is now a $250/month subscription available on Telegram.

For defenders, the lesson isn’t that MFA is useless. It’s that MFA was designed to protect credentials, and Kali365 doesn’t touch credentials. The attack surface has moved. Token security, Conditional Access policy hardening, phishing-resistant authentication, and behavioral detection are the actual defense surface now.

Your Conditional Access policies are your perimeter. Treat them accordingly.

