
Microsoft 365 Users Targeted by Kali365 MFA Bypass Phishing Campaigns

Cybercriminals are using the Kali365 phishing service to hijack Microsoft 365 accounts by bypassing MFA through OAuth device code abuse.

FBI Issues Alert on Kali365 Phishing Service

The FBI has warned organizations about a growing phishing-as-a-service platform called Kali365. Attackers use the service to compromise Microsoft 365 accounts while bypassing multi-factor authentication (MFA).

According to the agency, Kali365 appeared in April 2026 and quickly gained popularity in cybercriminal communities on Telegram. The platform allows even low-skilled attackers to launch advanced phishing campaigns against Microsoft environments.

Attackers Abuse OAuth Device Code Authentication

Kali365 abuses Microsoft’s OAuth 2.0 Device Authorization flow, also known as device code authentication.

Microsoft originally designed this feature for devices with limited input capabilities. Smart TVs, conference systems, printers, and IoT devices often rely on this authentication method.

The attack starts when threat actors generate a legitimate Microsoft device authorization code. They then trick victims into entering the code through phishing emails or social engineering tactics.

Once the victim completes the login and MFA process, Microsoft issues an OAuth session token to the attacker. As a result, threat actors gain direct access to the victim’s Microsoft 365 environment without needing passwords or MFA codes.

Stolen Sessions Give Attackers Broad Access

Researchers say the stolen session tokens provide access to every application connected to the compromised account through single sign-on.

This access may include:

  • Microsoft 365
  • Microsoft Entra environments
  • Salesforce
  • Cloud SaaS platforms
  • Corporate email systems

After gaining access, attackers often create malicious inbox rules to hide their activity. In some incidents, threat actors also registered unauthorized devices inside victim environments to maintain persistence.

Kali365 Operates Like a Cybercrime Business

Security researchers at Arctic Wolf reported widespread Kali365 campaigns targeting organizations worldwide.

Researchers discovered that Kali365 operates like a structured cybercrime business. The platform includes administrators, resellers, and affiliates who run phishing operations.

The service offers two attack methods:

  • Device code phishing
  • “Cookie Link” adversary-in-the-middle attacks

The “Cookie Link” feature captures authenticated browser sessions, session cookies, and access tokens after victims complete MFA challenges.

Additionally, the platform includes AI-generated phishing templates, automated attack tools, real-time victim tracking, and token capture capabilities.

Organizations Should Restrict Device Code Authentication

The FBI recommends restricting or disabling device code authentication wherever possible using Conditional Access policies.

Organizations should also:

  • Audit device code authentication activity
  • Monitor unauthorized device registrations
  • Block authentication transfer through Conditional Access policies
  • Review suspicious login attempts
  • Investigate abnormal mailbox rule creation
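As an added illustration of the audit and monitoring steps above (not code from the article or from the FBI or Arctic Wolf reports), the following Python flags device code sign-ins and correlates them with the follow-on persistence activity the article describes: device registrations and inbox rule creation. It assumes Graph-style sign-in records carrying an `authenticationProtocol` field and simplified audit events; every sample record below is constructed.

```python
from datetime import datetime, timedelta

# Constructed sample sign-ins, trimmed to the fields a Graph `signIn` record carries.
SIGNINS = [
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2026-05-03T09:12:00Z",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.7"},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2026-05-03T09:20:00Z",
     "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.2"},
    {"userPrincipalName": "carol@example.com", "createdDateTime": "2026-05-03T11:00:00Z",
     "authenticationProtocol": "deviceCode", "ipAddress": "192.0.2.44"},
]

# Constructed follow-on events, simplified from Entra audit and Exchange audit logs.
EVENTS = [
    {"user": "alice@example.com", "time": "2026-05-03T09:40:00Z", "operation": "Add device"},
    {"user": "alice@example.com", "time": "2026-05-03T09:55:00Z", "operation": "New-InboxRule"},
    {"user": "carol@example.com", "time": "2026-05-04T08:00:00Z", "operation": "New-InboxRule"},
]

# Operations the article associates with post-compromise persistence.
PERSISTENCE_OPS = {"Add device", "Add registered owner to device", "New-InboxRule", "Set-InboxRule"}

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def device_code_signins(signins):
    """Sign-ins that used the device code grant, the flow Kali365 abuses."""
    return [s for s in signins if s.get("authenticationProtocol") == "deviceCode"]

def correlate(signins, events, window_hours=6):
    """Map each user with a device code sign-in to the persistence operations
    they performed within `window_hours` afterwards. Users with no such
    follow-on activity are omitted; a hit is a high-priority IR lead, not proof."""
    hits = {}
    for s in device_code_signins(signins):
        start = _ts(s["createdDateTime"])
        end = start + timedelta(hours=window_hours)
        ops = [e["operation"] for e in events
               if e["user"] == s["userPrincipalName"]
               and e["operation"] in PERSISTENCE_OPS
               and start <= _ts(e["time"]) <= end]
        if ops:
            hits[s["userPrincipalName"]] = ops
    return hits

if __name__ == "__main__":
    for upn, ops in correlate(SIGNINS, EVENTS).items():
        print(f"ALERT {upn}: device code sign-in followed by {ops}")
```

Widening the window (for example to 24 hours) trades noise for coverage; in the constructed data it also surfaces the inbox rule created the day after carol's device code sign-in.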

The warning highlights a growing shift in phishing tactics. Instead of stealing passwords, attackers now focus on stealing authenticated sessions and OAuth tokens.

For businesses across the UAE and GCC, the threat demonstrates why identity security, Zero Trust controls, and continuous monitoring remain critical for protecting cloud environments.