The FBI’s Internet Crime Complaint Center published a public service announcement on May 21 warning organisations about Kali365, a Phishing-as-a-Service platform that has been circulating via Telegram since April 2026. The kit is notable for one specific capability: it captures Microsoft OAuth device code tokens in a way that bypasses multi-factor authentication entirely, without ever touching the victim’s password.
The attack works by exploiting the OAuth 2.0 device code flow, a legitimate Microsoft authentication mechanism designed for devices without keyboards. Kali365 operators send phishing emails impersonating trusted cloud services and instruct victims to visit the real Microsoft verification page and enter a code. The victim authenticates against Microsoft’s genuine infrastructure and unknowingly authorises the attacker’s device. The resulting OAuth token grants the attacker persistent access to the Microsoft 365 tenant, including email, files, Teams, and any connected applications.
The mechanism sidesteps MFA because the victim completes a genuine Microsoft authentication challenge. The token issued is long-lived and does not require the attacker to know the victim’s credentials at any point. From the attacker’s perspective, the session is indistinguishable from a legitimate one. From the victim’s perspective, nothing unusual happened on their device.
Kali365 lowers the technical barrier significantly. The platform provides AI-generated phishing lures, automated campaign templates, real-time tracking dashboards, and token capture tooling for $250 per month per tenant or $2,000 annually. Operators do not need to understand OAuth internals to run effective campaigns. The FBI notes the platform has already been used in coordinated attacks against businesses across multiple sectors.
The implications for organisations running Microsoft 365 are direct. Conditional Access policies that rely solely on MFA prompts do not stop device code phishing. Effective controls require device code authentication to be blocked at the tenant level for users who have no legitimate reason to use it, combined with anomalous sign-in alerting for unexpected OAuth application grants and geographic login anomalies. Token lifetime policies also matter: shorter-lived tokens reduce the window an attacker has after a successful capture.
Microsoft 365 configuration is often treated as a one-time setup task rather than an ongoing security posture. Default tenant configurations typically leave device code flow enabled because a subset of enterprise tooling depends on it. Mapping which services genuinely require it and restricting it for everyone else is a concrete, low-disruption mitigation.
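The two defensive steps above, mapping which accounts actually use device code flow before restricting it and alerting on device code sign-ins that fall outside that baseline, can be prototyped against sign-in log exports. The following is an added example written for this post, not tooling from Excello Digital or Microsoft. It runs over a handful of constructed sign-in records; the field names (`authenticationProtocol`, `appDisplayName`, `country`, `status`) and the `deviceCode` value are assumed to approximate an Entra ID sign-in export, and the allowlist and expected-country baseline are invented for the demonstration.

```python
"""Triage sign-in records for device code flow usage.

Two questions a tenant owner needs answered before restricting device code
authentication: who currently relies on it (so the restriction does not break
legitimate tooling), and which device code sign-ins look wrong right now.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed sample records shaped loosely like an Entra ID sign-in export.
# The field names are an assumption for this example, not a verbatim schema.
SAMPLE_SIGNINS = [
    {"user": "alice@example.test", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Azure CLI", "country": "GB",
     "ip": "203.0.113.10", "status": "success"},
    {"user": "svc-build@example.test", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Azure DevOps Pipelines", "country": "GB",
     "ip": "203.0.113.11", "status": "success"},
    {"user": "bob@example.test", "authenticationProtocol": "none",
     "appDisplayName": "Outlook", "country": "GB",
     "ip": "203.0.113.12", "status": "success"},
    {"user": "alice@example.test", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "country": "NG",
     "ip": "198.51.100.7", "status": "success"},
    {"user": "carol@example.test", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "country": "GB",
     "ip": "203.0.113.13", "status": "failure"},
]

# Accounts with a documented, reviewed need for device code flow (constructed).
DEVICE_CODE_ALLOWLIST = {"svc-build@example.test"}

# Countries the tenant normally sees sign-ins from (constructed baseline).
EXPECTED_COUNTRIES = {"GB"}


@dataclass
class Finding:
    user: str
    app: str
    ip: str
    reason: str
    severity: str


def successful_device_code(signins):
    """Yield only successful sign-ins that completed the device code flow."""
    for rec in signins:
        if rec["authenticationProtocol"] == "deviceCode" and rec["status"] == "success":
            yield rec


def device_code_users(signins):
    """Count successful device code sign-ins per user.

    This is the inventory step: anyone not on this list loses nothing when
    device code flow is blocked, and anyone on it needs a justification or an
    allowlist entry before the block goes in.
    """
    return Counter(rec["user"] for rec in successful_device_code(signins))


def triage(signins, allowlist, expected_countries):
    """Flag device code sign-ins by users without a known need for the flow.

    Severity is raised when the sign-in also comes from a country outside the
    tenant's baseline, which is the combination the FBI advisory calls out.
    """
    findings = []
    for rec in successful_device_code(signins):
        if rec["user"] in allowlist:
            continue
        reasons = ["device code sign-in by user not on allowlist"]
        severity = "medium"
        if rec["country"] not in expected_countries:
            reasons.append(f"sign-in from unexpected country {rec['country']}")
            severity = "high"
        findings.append(Finding(rec["user"], rec["appDisplayName"], rec["ip"],
                                "; ".join(reasons), severity))
    return findings


if __name__ == "__main__":
    print("Device code flow users (inventory):")
    for user, count in device_code_users(SAMPLE_SIGNINS).most_common():
        print(f"  {user}: {count} successful sign-in(s)")
    print("Findings:")
    for f in triage(SAMPLE_SIGNINS, DEVICE_CODE_ALLOWLIST, EXPECTED_COUNTRIES):
        print(f"  [{f.severity}] {f.user} via {f.app} from {f.ip}: {f.reason}")
```

Pointed at a real export, the inventory function answers the "which services genuinely require it" question, and the triage function gives the alerting rule a first cut: any successful device code sign-in by a non-allowlisted user is worth a ticket, and one from an unexpected geography is worth paging someone, because by the time the log line exists the token has already been issued.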
If your organisation uses Microsoft 365 and you are not certain whether device code authentication is restricted, or you want a review of your Conditional Access policies and token configuration, contact Excello Digital. We will audit your tenant configuration and give you a clear picture of your exposure.
