Full Report
The FBI is warning about the Kali365 phishing-as-a-service platform (PhaaS) that is used to hijack Microsoft 365 accounts by abusing OAuth device code authentication to steal session tokens and bypass multi-factor authentication (MFA). [...]
Analysis Summary
# Incident Report: Kali365 Phishing-as-a-Service (PhaaS) Platform
## Executive Summary
The FBI has issued a warning regarding Kali365, a burgeoning Phishing-as-a-Service (PhaaS) platform designed to hijack Microsoft 365 and Entra ID accounts. The service leverages OAuth device code authentication and Adversary-in-the-Middle (AitM) techniques to bypass Multi-Factor Authentication (MFA) and steal session tokens. Since its emergence in early 2026, the platform has enabled even low-skilled threat actors to conduct advanced credential theft campaigns against organizations worldwide.
## Incident Details
- **Discovery Date:** April 2026
- **Incident Date:** Ongoing activity since April 2026
- **Affected Organization:** Multiple global organizations
- **Sector:** Cross-sector (Global targeting)
- **Geography:** Worldwide
## Timeline of Events
### Initial Access
- **Date/Time:** April 2026 – Present
- **Vector:** Phishing via email and social engineering (including "vishing").
- **Details:** Attackers initiate a legitimate Microsoft OAuth 2.0 Device Authorization flow to generate a code. They then lure victims into entering this code at the official Microsoft device login portal (microsoft[.]com/devicelogin).
### Lateral Movement
- Once authorized, attackers leverage single-sign-on (SSO) capabilities to move from Microsoft 365 into other connected SaaS platforms such as Salesforce. In some instances, attackers registered new unauthorized devices within the Microsoft environment to maintain and extend access.
### Data Exfiltration/Impact
- **Details:** Attackers gained full access to user mailboxes and cloud-stored data. Malicious inbox rules were created to hide unauthorized activity and facilitate further data theft or internal phishing.
### Detection & Response
- **Detection:** Identified by security researchers (Arctic Wolf) and the FBI through monitoring of cybercrime Telegram channels and observed widespread campaigns.
- **Response Actions:** The FBI issued a Public Service Announcement (PSA) providing mitigation strategies; security firms began tracking the platform's infrastructure and resellers.
## Attack Methodology
- **Initial Access:** Device Code Phishing and Adversary-in-the-Middle (AitM) "Cookie Link" mode.
- **Persistence:** Registration of unauthorized devices in the victim's Entra ID environment and creation of malicious inbox rules.
- **Privilege Escalation:** Not specified, but assumes the privileges of the compromised user account.
- **Defense Evasion:** Use of legitimate Microsoft infrastructure (Device Code flow) to bypass MFA and usage of inbox rules to hide presence.
- **Credential Access:** Theft of OAuth access tokens and session cookies.
- **Discovery:** Real-time victim-tracking dashboards provided to PhaaS affiliates.
- **Lateral Movement:** Abuse of SSO to access integrated cloud applications.
- **Collection:** Automated collection of session tokens and mailbox data.
- **Exfiltration:** Proxying of authenticated sessions through attacker-controlled infrastructure.
- **Impact:** Full account takeover and data breach.
## Impact Assessment
- **Financial:** Undisclosed, but significant risks due to PhaaS accessibility for low-skilled actors.
- **Data Breach:** Risk to all data hosted in Microsoft 365, Salesforce, and integrated SaaS suites.
- **Operational:** Potential for business email compromise (BEC) and unauthorized device enrollment.
- **Reputational:** Public warning by the FBI indicates a high-priority threat to corporate trust.
## Indicators of Compromise
- **Network Indicators:**
- Traffic to `microsoft[.]com/devicelogin` from unexpected or non-IoT devices.
- Known PhaaS backend infrastructure (specific IPs/URLs usually shared via private intel feeds).
- **Behavioral Indicators:**
- Successful logins from the `Universal Store Native Client` or other OAuth applications not typically used by the employee.
- Unexpected creation of "MoveToFolder" or "Delete" inbox rules.
- New device registrations from unfamiliar locations.
## Response Actions
- **Containment:** Revoking all active session tokens for suspected accounts and removing unauthorized devices from Entra ID.
- **Eradication:** Deleting malicious mail flow/inbox rules and resetting compromised credentials.
- **Recovery:** Restoring normal mail flow and monitoring logs for re-entry attempts.
## Lessons Learned
- **MFA Vulnerability:** Traditional MFA is not a silver bullet; attackers are increasingly using session-theft and device-code abuse to circumvent these layers.
- **Protocol Misuse:** Legitimate features (like Device Code flow) designed for convenience (e.g., Smart TVs) can be weaponized against standard workstations.
## Recommendations
- **Restrict Device Code Flow:** Use Microsoft Entra Conditional Access policies to block or restrict device code authentication to only necessary device types.
- **Block Authentication Transfer:** Disable policies that allow authentication sessions to move between different devices.
- **Continuous Monitoring:** Audit logs for the `Cross-domain device code` login type and monitor for new, unauthorized device registrations.
- **User Education:** Train employees to never enter codes into the Microsoft device login portal unless they are actively setting up a physical, limited-input device.