The FBI is warning about the Kali365 phishing-as-a-service (PhaaS) platform, which is used to hijack Microsoft 365 accounts by abusing OAuth device code authentication to steal session tokens and bypass multi-factor authentication (MFA).

According to the FBI PSA, Kali365 first emerged in April 2026 and is distributed via Telegram channels for cybercriminals seeking an easier way to compromise Microsoft 365 accounts without stealing passwords or intercepting MFA codes.

The platform uses device code phishing, an increasingly popular method that abuses Microsoft's legitimate OAuth 2.0 Device Authorization grant flow to gain access to Microsoft Entra and Microsoft 365 accounts.

This authentication method was created to allow devices with limited input capabilities, such as smart TVs, conference room systems, streaming devices, printers, and IoT devices, to authenticate via another device using a short code at Microsoft's device code login portal, http://microsoft.com/devicelogin.

Device code authentication form (Source: BleepingComputer)
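Because the flow described above produces a legitimate sign-in rather than a stolen password, detection rests on sign-in telemetry: Entra records a device code authentication with `authenticationProtocol` set to `deviceCode`, so a successful one from a client or network where your organization never uses that flow is worth reviewing. The following is an added example, not code from the FBI advisory or BleepingComputer; the field names follow the Microsoft Graph `signIn` schema, the log lines are constructed, and the baseline of expected device-code clients and source ranges is an assumption to be tuned per tenant.

```python
"""Flag unexpected successful device-code sign-ins in Entra-style sign-in records."""
import json

# Constructed sample records (not real telemetry), one JSON object per line,
# using Microsoft Graph signIn field names.
SAMPLE_LOG = """
{"userPrincipalName": "a.user@example.com", "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Azure CLI", "ipAddress": "203.0.113.10", "status": {"errorCode": 0}}
{"userPrincipalName": "b.user@example.com", "authenticationProtocol": "authorizationCode", "appDisplayName": "Office 365 Exchange Online", "ipAddress": "198.51.100.5", "status": {"errorCode": 0}}
{"userPrincipalName": "c.user@example.com", "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office", "ipAddress": "192.0.2.77", "status": {"errorCode": 0}}
{"userPrincipalName": "d.user@example.com", "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office", "ipAddress": "192.0.2.78", "status": {"errorCode": 50126}}
"""

# Assumed tenant baseline: where device-code sign-ins are legitimately expected
# (for example, admins using the Azure CLI from the corporate egress range).
EXPECTED_DEVICE_CODE_APPS = {"Microsoft Azure CLI"}
EXPECTED_SOURCE_PREFIXES = ("203.0.113.",)


def parse_sign_ins(raw: str) -> list[dict]:
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def find_suspicious_device_code_sign_ins(records: list[dict]) -> list[dict]:
    """Return successful device-code sign-ins outside the expected baseline.

    Failed attempts (non-zero errorCode) are not alerted on here because no
    session was issued; a defender may still want to count them separately.
    """
    alerts = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        if rec.get("status", {}).get("errorCode", 0) != 0:
            continue
        app_expected = rec.get("appDisplayName") in EXPECTED_DEVICE_CODE_APPS
        ip_expected = str(rec.get("ipAddress", "")).startswith(EXPECTED_SOURCE_PREFIXES)
        if not (app_expected and ip_expected):
            alerts.append({
                "userPrincipalName": rec.get("userPrincipalName"),
                "appDisplayName": rec.get("appDisplayName"),
                "ipAddress": rec.get("ipAddress"),
                "reason": "successful device-code sign-in outside expected clients/ranges",
            })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_device_code_sign_ins(parse_sign_ins(SAMPLE_LOG)):
        print(alert)
```

In a tenant that does not need the flow at all, the stronger control is a Conditional Access policy that blocks the device code authentication flow outright, with this kind of query kept as a backstop.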