Ethical Hacking News
The FBI has issued a warning about a sophisticated phishing-as-a-service platform, known as Kali365, that is targeting Microsoft 365 accounts. This platform uses device code phishing to gain access to Microsoft Entra and Microsoft 365 accounts, and its widespread adoption poses a significant threat to organizations using these services. To protect against this threat, companies must take proactive measures to prevent such attacks and ensure the security of their users' sensitive information.
The FBI has warned about Kali365, a sophisticated phishing-as-a-service platform targeting Microsoft 365 accounts using device code phishing. Kali365 was first reported in April 2026 and is distributed via Telegram channels for cybercriminals. The platform gives attackers full access to a compromised user's single-sign-on account, including Microsoft 365, Salesforce, or other cloud SaaS platforms. The FBI warns that Kali365 provides advanced phishing capabilities, including AI-generated lures and automated campaign templates. Security researchers have reported widespread campaigns targeting organizations worldwide using Kali365. The platform operates as a business with admins, resellers, and affiliates conducting phishing attacks. The FBI recommends companies restrict or block device code authentication flows and audit existing device code usage.
The FBI has issued a warning about a sophisticated phishing-as-a-service platform, known as Kali365, that is targeting Microsoft 365 accounts. This platform uses device code phishing, an increasingly popular method that abuses Microsoft's legitimate OAuth 2.0 Device Authorization grant flow to gain access to Microsoft Entra and Microsoft 365 accounts.
According to the FBI Public Service Announcement (PSA), Kali365 first emerged in April 2026 and is distributed via Telegram channels for cybercriminals seeking an easier way to compromise Microsoft 365 accounts without stealing passwords or intercepting MFA codes. The platform uses device code phishing, which involves tricking victims into entering a short code on Microsoft's login page, which gives the attacker access to their account.
Once the victim has entered the code, the threat actors have full access to all applications the user normally has access to via their single-sign-on account, including Microsoft 365, Salesforce, or any other cloud SaaS platforms. That access is then used to steal data from the compromised accounts.
The FBI warns that Kali365 gives even low-skilled attackers access to advanced phishing capabilities, including AI-generated phishing lures, automated campaign templates, real-time victim-tracking dashboards, and token-capture functionality.
Security researchers at Arctic Wolf reported on Kali365 activity in April after observing a widespread campaign targeting organizations worldwide. The researchers said that the campaigns primarily targeted Microsoft 365 environments using phishing emails that directed victims to Microsoft's device code login portal, where they unknowingly authorized attackers to access their accounts.
In some of the attacks, attackers also registered new devices in victims' Microsoft environments, further extending their access to the breached network. Arctic Wolf found that Kali365 operates as a business, with admins who manage product development, resellers who promote the service to other threat actors, and affiliates who conduct phishing attacks.
The researchers say the platform offers two separate attack modes, with the first being device code phishing and the second being an adversary-in-the-middle (AitM) mode named "Cookie Link." Cookie Link proxies victims through attacker-controlled infrastructure that captures authenticated browser sessions, session cookies, and tokens after targets log in and solve MFA challenges.
The FBI recommends companies restrict or completely block device code authentication flows using Conditional Access policies where possible, audit existing device code usage, and block authentication transfer policies that allow authentication sessions to move between devices. The agency also urged impacted organizations to report incidents to the Internet Crime Complaint Center and preserve phishing emails, suspicious login information, and unauthorized device registrations.
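One way to carry out the recommended audit of device code usage, shown as an added example (not code from the FBI advisory, Arctic Wolf, or this site): it inventories successful device code sign-ins per user and application from exported Entra sign-in records, and flags those followed by a device registration. All records are constructed; the sign-in field names follow the Microsoft Graph signIn resource, while the flattened device-event fields ("time", "user", "activity") and the one-hour window are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

def _rec(t, upn, app, proto, ip, err=0):
    # Shape follows the Microsoft Graph signIn resource; "authenticationProtocol"
    # comes from the beta schema, so confirm it is present in your own export.
    return {"createdDateTime": t, "userPrincipalName": upn, "appDisplayName": app,
            "authenticationProtocol": proto, "ipAddress": ip, "status": {"errorCode": err}}

# Constructed sample data, not taken from any real tenant.
SIGN_INS = [
    _rec("2026-05-20T08:01:00Z", "alice@example.com", "Microsoft Azure CLI", "deviceCode", "203.0.113.10"),
    _rec("2026-05-21T08:03:00Z", "alice@example.com", "Microsoft Azure CLI", "deviceCode", "203.0.113.10"),
    _rec("2026-05-20T09:15:00Z", "bob@example.com", "Microsoft Office", "deviceCode", "198.51.100.7"),
    _rec("2026-05-20T09:20:00Z", "carol@example.com", "Office 365 Exchange Online", "none", "203.0.113.11"),
    _rec("2026-05-20T10:00:00Z", "dave@example.com", "Microsoft Office", "deviceCode", "198.51.100.9", err=1),
]
# Assumed flattened audit-log rows for device registrations (constructed).
DEVICE_EVENTS = [
    {"time": "2026-05-20T09:27:00Z", "user": "bob@example.com", "activity": "Register device"},
    {"time": "2026-05-20T14:00:00Z", "user": "alice@example.com", "activity": "Register device"},
]

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def device_code_sign_ins(sign_ins):
    """Successful sign-ins (errorCode 0) that used the device code flow."""
    return [s for s in sign_ins
            if s.get("authenticationProtocol") == "deviceCode"
            and s.get("status", {}).get("errorCode") == 0]

def usage_inventory(sign_ins):
    """Per (user, app) counts: the baseline to review before blocking the flow."""
    return Counter((s["userPrincipalName"], s["appDisplayName"])
                   for s in device_code_sign_ins(sign_ins))

def followed_by_device_registration(sign_ins, device_events, window=timedelta(hours=1)):
    """Device code sign-ins followed by a device registration by the same user."""
    hits = []
    for s in device_code_sign_ins(sign_ins):
        t0 = _ts(s["createdDateTime"])
        for e in device_events:
            if (e["user"] == s["userPrincipalName"]
                    and timedelta(0) <= _ts(e["time"]) - t0 <= window):
                hits.append((s["userPrincipalName"], s["ipAddress"], e["activity"]))
    return hits
```

The inventory shows which users and applications would be affected by a blocking Conditional Access policy; entries with no known business reason, and any hit from the second function, are the ones to investigate first.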
The use of device code phishing has seen widespread adoption in 2026, with other threat actors and platforms now using it as part of their phishing campaigns and attacks. This includes the EvilTokens PhaaS and Tycoon2FA, which are also using it to compromise Microsoft 365 and Entra accounts.
In conclusion, the Kali365 phishing-as-a-service platform poses a significant threat to organizations that use Microsoft 365 accounts. Its sophisticated features and widespread adoption make it a valuable tool for cybercriminals seeking to exploit vulnerabilities in these accounts. It is essential for companies to take proactive measures to prevent such attacks and protect their users' sensitive information.
Related Information:
https://www.ethicalhackingnews.com/articles/FBI-Warns-of-Sophisticated-Phishing-as-a-Service-Platform-Targeting-Microsoft-365-Accounts-ehn.shtml
https://www.bleepingcomputer.com/news/security/fbi-warns-of-kali365-phishing-service-targeting-microsoft-365-accounts/
Published: Mon May 25 09:17:38 2026 by llama3.2 3B Q4_K_M