FBI Warns of Kali365 PhaaS: Bypassing MFA to Hijack Microsoft 365 Accounts
The **FBI** has issued a warning regarding **Kali365**, a phishing-as-a-service (PhaaS) platform actively used to compromise **Microsoft 365** accounts. The platform abuses OAuth device code authentication to steal session tokens, effectively bypassing multi-factor authentication (MFA).

**Kali365**: A Growing Threat to Microsoft 365
According to the **FBI PSA**, **Kali365** emerged in April 2026 and is distributed through **Telegram** channels, targeting cybercriminals seeking an easy way to compromise **Microsoft 365** accounts without directly stealing passwords or intercepting MFA codes. This underscores the increasing sophistication and accessibility of phishing tools.
Device Code Phishing: Exploiting Legitimate Protocols
The platform exploits device code phishing, a method that abuses **Microsoft's** legitimate OAuth 2.0 Device Authorization grant flow. This flow is intended for devices with limited input capabilities, such as smart TVs and IoT devices, allowing them to authenticate via another device using a short code at `http://microsoft.com/devicelogin`.

*Device code authentication form. Source: BleepingComputer*
As **BleepingComputer** reported in February, threat actors, including the **ShinyHunters** group, have been targeting **Microsoft Entra** accounts using device-code and voice phishing. Attackers initiate the device authorization process, generate a code, and trick victims into entering it on **Microsoft's** login page via social engineering. Once the victim enters the code and completes MFA, **Microsoft** issues an OAuth access token, granting the attacker full account access without further MFA challenges.
Kali365's Advanced Features
The **FBI** highlights that **Kali365** provides even novice attackers with advanced phishing capabilities, including AI-generated phishing lures, automated campaign templates, real-time victim-tracking dashboards, and token-capture functionality. This lowers the barrier to entry for sophisticated phishing attacks.
**Arctic Wolf** researchers reported on **Kali365** activity in April, observing a widespread campaign targeting organizations globally. These campaigns primarily targeted **Microsoft 365** environments, directing victims to **Microsoft's** device code login portal.
Attackers gained access to mailboxes, creating malicious inbox rules to conceal their activity. Some attacks involved registering new devices within victims' **Microsoft** environments, further extending their access.
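The inbox-rule tradecraft described above leaves a trace in the Exchange Online unified audit log, which a defender can triage. The following is an added example for this article, not code from the FBI, Arctic Wolf or Microsoft: it scans constructed `New-InboxRule` / `Set-InboxRule` audit records (the `Operation`, `UserId`, `ClientIP` and `Parameters` fields mirror what `Search-UnifiedAuditLog` returns in `AuditData`; the sample values, user names and IPs are invented) and flags rules that route mail to rarely viewed folders, delete it, or mark it read while filtering on words an intruder would want to suppress. The folder and keyword lists are assumptions to tune per tenant.

```python
import json

# Constructed Exchange Online unified audit log records for this example
# (invented users, IPs and timestamps; field names follow the AuditData shape).
SAMPLE_AUDIT = [
    json.dumps({"CreationTime": "2026-04-15T07:12:09", "Operation": "New-InboxRule",
                "UserId": "a.lee@example.com", "ClientIP": "203.0.113.45",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "SubjectOrBodyContainsWords",
                                "Value": "password;mfa;suspicious sign-in;invoice"},
                               {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
                               {"Name": "MarkAsRead", "Value": "True"}]}),
    json.dumps({"CreationTime": "2026-04-15T08:30:00", "Operation": "New-InboxRule",
                "UserId": "b.khan@example.com", "ClientIP": "198.51.100.22",
                "Parameters": [{"Name": "Name", "Value": "Newsletter filing"},
                               {"Name": "From", "Value": "news@example.org"},
                               {"Name": "MoveToFolder", "Value": "Newsletters"}]}),
    json.dumps({"CreationTime": "2026-04-15T09:01:44", "Operation": "Set-InboxRule",
                "UserId": "c.diaz@example.com", "ClientIP": "203.0.113.45",
                "Parameters": [{"Name": "Identity", "Value": "Archive"},
                               {"Name": "SubjectContainsWords", "Value": "security alert"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"CreationTime": "2026-04-15T09:10:00", "Operation": "MailItemsAccessed",
                "UserId": "a.lee@example.com", "ClientIP": "203.0.113.45", "Parameters": []}),
]

RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
# Folders a mailbox owner rarely opens; assumed list, extend for your tenant's languages.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "junk email", "deleted items", "archive"}
# Words an intruder filters on to hide alerts about the compromise itself (assumed list).
SENSITIVE_WORDS = {"password", "mfa", "sign-in", "security", "hacked",
                   "phishing", "invoice", "suspicious"}


def _params(record):
    """Flatten the Parameters list of Name/Value pairs into a dict of strings."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def rule_risk_reasons(record):
    """Return human-readable reasons a rule-creation record looks like concealment."""
    reasons = []
    if record.get("Operation") not in RULE_OPS:
        return reasons
    p = _params(record)
    if p.get("DeleteMessage", "").lower() == "true":
        reasons.append("deletes matching mail")
    if p.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        reasons.append(f"moves mail to rarely viewed folder '{p['MoveToFolder']}'")
    if p.get("MarkAsRead", "").lower() == "true":
        reasons.append("marks mail as read")
    words = (p.get("SubjectContainsWords", "") + ";"
             + p.get("SubjectOrBodyContainsWords", "")).lower()
    hits = sorted(w for w in SENSITIVE_WORDS if w in words)
    if hits:
        reasons.append("filters on " + ", ".join(hits))
    name = p.get("Name", p.get("Identity", ""))
    if not name.strip(". -_"):
        reasons.append("rule name is empty or punctuation only")
    return reasons


def suspicious_inbox_rules(lines):
    """Parse JSON audit lines and keep rules that both hide mail and target it."""
    findings = []
    for line in lines:
        rec = json.loads(line)
        reasons = rule_risk_reasons(rec)
        hides = any(r.startswith(("deletes", "moves", "marks")) for r in reasons)
        deletes = any(r.startswith("deletes") for r in reasons)
        filters = any(r.startswith("filters") for r in reasons)
        # A hiding action alone is noisy; require a keyword filter or outright deletion.
        if hides and (filters or deletes):
            findings.append({"user": rec["UserId"], "ip": rec["ClientIP"],
                             "time": rec["CreationTime"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_inbox_rules(SAMPLE_AUDIT):
        print(f["time"], f["user"], f["ip"], "; ".join(f["reasons"]))
```

Feeding real exported audit data through `suspicious_inbox_rules` also surfaces the pivot this article describes: rule creations from the same client IP across several mailboxes, which is worth correlating with the device code sign-ins for those users.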
Business Model and Attack Modes
**Arctic Wolf** found that **Kali365** operates as a structured business, with admins, resellers, and affiliates. The platform offers two attack modes: device code phishing and an adversary-in-the-middle (AitM) mode named "Cookie Link." Cookie Link proxies victims through attacker-controlled infrastructure, capturing authenticated browser sessions, session cookies, and tokens after targets log in and solve MFA challenges.
Mitigation Strategies
The **FBI** recommends that organizations restrict or block device code authentication flows using Conditional Access policies where possible, audit existing device code usage, and block authentication transfer via policy. Impacted organizations should report incidents to the Internet Crime Complaint Center and preserve relevant data.
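The audit step and the policy step above can be worked through together. The following is an added example for this article, not FBI or Microsoft code: it reads constructed Entra sign-in records (field names follow the Microsoft Graph `signIn` resource, where `authenticationProtocol` is `deviceCode` for device code sign-ins; users, apps and IPs are invented), separates device code sign-ins that land in apps an administrator has knowingly allowed from those that do not, flags one redeeming IP serving several users, and builds the Conditional Access policy body that blocks device code flow and authentication transfer. The policy dict follows the Graph `conditionalAccessPolicy` shape as I understand it; verify it against current Graph documentation before creating it, and start in report-only mode so the audit shows what would break.

```python
from collections import defaultdict

# Constructed Entra sign-in records for this example (invented tenant data).
SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-04-14T09:02:11Z", "userPrincipalName": "a.lee@example.com",
     "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.45",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-04-14T09:05:40Z", "userPrincipalName": "a.lee@example.com",
     "appDisplayName": "Microsoft Office", "ipAddress": "198.51.100.7",
     "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-04-14T10:17:03Z", "userPrincipalName": "b.khan@example.com",
     "appDisplayName": "Azure CLI", "ipAddress": "198.51.100.22",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-04-14T11:40:55Z", "userPrincipalName": "c.diaz@example.com",
     "appDisplayName": "Microsoft Authentication Broker", "ipAddress": "203.0.113.45",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 50126}},
    {"createdDateTime": "2026-04-14T12:03:19Z", "userPrincipalName": "d.park@example.com",
     "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.45",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
]

# Hypothetical allowlist of apps whose device code use the tenant has reviewed and accepted.
EXPECTED_DEVICE_CODE_APPS = {"Azure CLI"}


def device_code_signins(records):
    """Successful device code sign-ins: the event a phished victim produces."""
    return [r for r in records
            if r.get("authenticationProtocol") == "deviceCode"
            and r.get("status", {}).get("errorCode", 0) == 0]


def unexpected_device_code_signins(records, allowlist=EXPECTED_DEVICE_CODE_APPS):
    """Successful device code sign-ins into apps outside the allowlist, keyed by user."""
    by_user = defaultdict(list)
    for r in device_code_signins(records):
        if r.get("appDisplayName") not in allowlist:
            by_user[r["userPrincipalName"]].append(r)
    return dict(by_user)


def shared_ip_across_users(records):
    """IPs that completed device code sign-ins for more than one user. A code is
    redeemed from the client that started the flow, so one IP finishing flows for
    several users points at shared infrastructure rather than several devices."""
    users_by_ip = defaultdict(set)
    for r in device_code_signins(records):
        users_by_ip[r["ipAddress"]].add(r["userPrincipalName"])
    return {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) > 1}


def block_device_code_policy(report_only=True, exclude_users=()):
    """Conditional Access policy body blocking device code flow and authentication
    transfer for all users and apps (assumed Graph conditionalAccessPolicy shape).
    exclude_users holds break-glass or legitimately device-code-dependent accounts."""
    return {
        "displayName": "Block device code flow and authentication transfer",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(exclude_users)},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    for user, events in unexpected_device_code_signins(SAMPLE_SIGNINS).items():
        print(user, [(e["appDisplayName"], e["ipAddress"]) for e in events])
    print(shared_ip_across_users(SAMPLE_SIGNINS))
    print(block_device_code_policy(exclude_users=["breakglass@example.com"]))
```

Run against a real export of the sign-in log, the allowlist is what turns the audit into a policy: every app that legitimately appears in `unexpected_device_code_signins` either earns a place on the list or an exclusion group in the policy, and what remains is the population the block protects.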
Growing Trend in Phishing
Device code phishing has gained traction in 2026, with platforms like **EvilTokens PhaaS** and **Tycoon2FA** also utilizing it to compromise **Microsoft 365** and **Entra** accounts. This indicates a broader shift towards exploiting legitimate authentication mechanisms for malicious purposes.
