FBI warns Kali365 phishing kit is stealing Microsoft OAuth tokens at scale

FBI warns of Kali365 as device code phishing soars

Jump to main content

REG AD

Cyber-Crime

FBI warns Kali365 phishing kit is stealing Microsoft OAuth tokens at scale MFA? No problem, says crimeware that tricks users into handing attackers the keys to M365

Connor Jones Connor Jones

Cybersecurity reporter

Published fri 22 May 2026 // 13:27 UTC

The FBI has issued a public service announcement warning about a new phishing kit that's stealing Microsoft OAuth tokens at an alarming rate. OAuth token theft is a serious headache for organizations because stolen tokens can bypass multi-factor authentication (MFA) and grant access to privileged accounts within an organization without needing to know their credentials. Think corporate espionage, data theft, maybe even ransomware.

REG AD

The main culprit is Kali365, described as a phishing-as-a-service platform that's being peddled on Telegram, first spotted by crimefighters in April 2026.

REG AD

"Kali365 lowers the barrier of entry, providing less-technical attackers access to AI-generated phishing lures, automated campaign templates, real-time targeted individual/entity tracking dashboards, and OAuth token capture capabilities," the FBI said in its announcement.Phishing kits aren't new. Different flavors are always in development, but the good ones can be especially problematic for organizations.Kali365 lets attackers send convincing phishing emails that impersonate "trusted cloud productivity and document-sharing services," - Adobe Acrobat Sign, DocuSign, and SharePoint - according to security shop Arctic Wolf.That email contains a device code and instructions for the target to enter the code into a legitimate Microsoft page, a hyperlink for which is included in the email.Entering that code registers the attacker's device to the unwitting target's M365 account, effectively surrendering access to emails, Teams, and all the rest of it. No MFA required.Arctic Wolf published a deep dive on Kali365 back in April, noting that it also offers adversary-in-the-middle (AitM) capabilities that are distinct from the device code phishing described by the FBI.The second attack Kali365 enables leads to the same outcome, accessing Microsoft accounts while bypassing MFA, just through slightly different mechanics.Victims are sent an initial phishing email containing a cookie-based lure, which transparently proxies their browser via attacker-controlled infrastructure, Arctic Wolf said. Requests are then forwarded to a real Microsoft login page, and responses are beamed back to the victim, who authenticates the typical way using their valid credentials, passing Microsoft MFA.

REG AD

Session cookies, related artifacts, and other session information are scooped up during this process and stored in the Kali365 attacker panel. From there, attackers can generate scripts to replay those sessions in their own environment, effectively borrowing the genuine user's session.The researchers' analysis of Kali365 revealed three distinct tiers for subscribers. MORE CONTEXT Hundreds of orgs compromised daily in Microsoft device code phishing attacks

Crims hit the easy button for Scattered-Spider style helpdesk scams

One criminal, 50 hacked organizations, and all because MFA wasn't turned on

Death to one-time text codes: Passkeys are the new hotness in MFA

The lowest Client Tier is for individual attackers, who can change the branding on the panels to give each a bespoke look while sporting the same underlying powers. The Agent Tier is for resellers who can provision and manage their own branded Kali365 panels and Client Tiers. The Admin Tier is reserved for Kali365's developers. Kali365 has a simple pricing structure: $250 per month per tenant, or $2,000 for a year. It supports an array of languages: Arabic, Chinese, Dutch, English, French, German, Italian, Japanese, Korean, Polish, Portuguese, Russian, Spanish, and Turkish. Since emerging in April, Kali365 has often been mentioned in the same breath as EvilTokens, another device code phishing platform that hit headlines weeks earlier after Microsoft confirmed hundreds of compromises each day."Each campaign is distributed at scale, targeting hundreds of organizations with highly varied and unique payloads, making pattern-based detection more challenging," Tanmay Ganacharya, VP of security research at Microsoft, told The Register."We continue to observe high-volume activity, with hundreds of compromises occurring daily across affected environments." Both Arctic Wolf and the FBI suggested organizations at risk should use conditional access policies to block device code flow where not required.

REG AD

Defenders should also consider blocking authentication transfer policies, which let users move authentication between devices such as PCs and phones.  ®

cyber-crime

REG AD

Ucell and ZTE complete large-scale deployment of AI‑Powered green network solution in Uzbekistan

Network-wide rollout boosts energy efficiency by 10.6%, cutting carbon emissions and operational costs without compromising user experience

SaaS

The SaaS-pocalypse can wait, Salesforce still has customers where it wants them

AI coding agents may make software cheaper to build, but switching off major platforms remains expensive, risky, and deeply annoying

ZTE Day Indonesia 2026 strengthens AI innovation and digital infrastructure collaboration to accelerate Indonesia's digital transformation

The annual tech showcase highlights next-gen AI, cloud, and future-ready ICT solutions while uniting ecosystem partners to build the foundation for the nation's AI era

Personal Tech

HP customer claims firmware update shoved printer off support cliff

Internal notes point to cloud connectivity woes for older OfficeJets, though company denies systemic issue

Columnists

Utah tells porn sites to take the P out of VPNs, and it's their fault that they can't

Governments can't touch VPNs technically or commercially. The mess they'll make if they try will be off the scale

Systems

EU's digital sovereignty boo-boo may be the best thing to ever happen to the project

DIY or die. Just don't let the CIA buy it

MOST POPULAR

Security