[TIMESTAMP: 2026-05-25 13:18 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

FBI Warns of Kali365 PhaaS Targeting Microsoft 365 Accounts

HIGH | Threat Intel | #kali365 #microsoft-365 #phaas
AI-Assisted Analysis
READ_TIME: 3 min read
// executive briefing tl;dr
  • [01] Immediate impact: threat actors use Kali365 to take over Microsoft 365 accounts. MFA is not broken; the victim completes it themselves, and the OAuth tokens issued for that sign-in are delivered to the attacker's client.
  • [02] Affected systems: any Microsoft 365 / Entra ID tenant that still permits the OAuth 2.0 device code flow, regardless of MFA configuration.
  • [03] Remediation: block the device code flow with a Conditional Access policy (exempting only devices with a documented need), monitor Entra ID sign-in logs for deviceCode authentications, and revoke sessions for any user who completed a suspicious one.

The Federal Bureau of Investigation (FBI) has issued a warning regarding the emergence of Kali365, a Phishing-as-a-Service (PhaaS) platform that targets Microsoft 365 environments and lets less-skilled attackers carry out high-impact account takeovers. According to BleepingComputer, the platform abuses the Microsoft OAuth 2.0 device code authentication flow to sidestep multi-factor authentication (MFA) and obtain access and refresh tokens for the victim's account.

The Rise of Kali365 Phishing-as-a-Service

The Kali365 platform operates on a subscription model, providing malicious actors with the infrastructure to run campaigns without any expertise in token theft. The primary vector is abuse of the OAuth 2.0 device code flow (RFC 8628), a grant designed for devices with limited input capabilities such as smart TVs, printers or IoT devices. The limited device displays a short alphanumeric code, and the user enters that code, together with their normal credentials and MFA, on Microsoft's device login page from a browser on any other device; the limited device then receives tokens for the account. In a corporate setting this is how conference room systems and similar hardware get signed in.

In a typical Kali365-driven attack, the threat actor's OAuth client requests a device code from Microsoft's authorization server and receives a short user code. A targeted phishing email then directs the victim to the genuine Microsoft device login page (microsoft.com/devicelogin) and supplies that code, usually with a pretext such as a shared document or a required policy update. Because the link points to a real Microsoft domain, URL reputation checks and email filters rarely flag it, and nothing malicious runs on the endpoint for EDR to see. Once the victim enters the code and completes the MFA challenge on their own trusted device, the attacker's client, which has been polling Microsoft's token endpoint, receives the access and refresh tokens for that account. No separate C2 channel is involved: the tokens come straight from Microsoft to whoever started the flow. The code is only valid for a short window (fifteen minutes in Microsoft's implementation), so lures are timed to prompt immediate action. With the tokens in hand, the attacker has full access to the account and can move on to internal phishing, privilege escalation or data exfiltration.
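The exchange above, modelled end to end as an added example that is not part of the original article and not Kali365 or Microsoft code. It uses a constructed in-memory authorization server implementing the RFC 8628 steps (device authorization, user approval, token polling); the verification URI, the 15-minute code lifetime and the poll interval are assumptions standing in for the real service's values. It shows the point the prose makes: the tokens are issued to the party holding the device code, not to the device where MFA was completed, and a refresh token is included when `offline_access` was requested.

```python
"""In-memory model of the OAuth 2.0 device authorization grant (RFC 8628),
showing why device-code phishing needs no stolen password and no attacker
infrastructure in the victim's sign-in path.

Added example: a constructed stand-in for the authorization server, not
Microsoft's endpoint and not Kali365 code. The 15-minute code lifetime, the
5-second poll interval and the verification URI are assumptions standing in
for the real service's values.
"""
import secrets
import string

VERIFICATION_URI = "https://idp.example/devicelogin"  # stand-in for the real device-login page
CODE_LIFETIME_SECONDS = 900                            # assumed 15-minute user_code lifetime
POLL_INTERVAL_SECONDS = 5                              # assumed minimum poll interval


class MockAuthorizationServer:
    """Holds device-code grants and a simulated clock (seconds)."""

    def __init__(self):
        self.now = 0
        self.grants = {}  # device_code -> grant state

    def device_authorization(self, client_id, scope):
        """Step 1: the client (in the attack, the phisher) requests a device code."""
        user_code = "".join(secrets.choice(string.ascii_uppercase + string.digits) for _ in range(9))
        device_code = secrets.token_urlsafe(32)
        self.grants[device_code] = {"client_id": client_id, "scope": scope, "user_code": user_code,
                                    "issued_at": self.now, "authorized_by": None}
        # Only user_code and verification_uri need to reach the victim; device_code stays with the client.
        return {"device_code": device_code, "user_code": user_code, "verification_uri": VERIFICATION_URI,
                "expires_in": CODE_LIFETIME_SECONDS, "interval": POLL_INTERVAL_SECONDS}

    def user_authorizes(self, user_code, user, mfa_passed):
        """Step 2: the victim types user_code on the genuine IdP page and completes MFA there."""
        grant = next((g for g in self.grants.values() if g["user_code"] == user_code), None)
        if grant is None or self.now - grant["issued_at"] > CODE_LIFETIME_SECONDS:
            return {"error": "expired_or_unknown_code"}
        if not mfa_passed:
            return {"error": "mfa_failed"}
        grant["authorized_by"] = user
        return {"status": "ok"}  # the victim's browser never learns who started the flow

    def token(self, client_id, device_code):
        """Step 3: the client polls the token endpoint until the grant is authorized."""
        grant = self.grants.get(device_code)
        if grant is None or grant["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if self.now - grant["issued_at"] > CODE_LIFETIME_SECONDS:
            return {"error": "expired_token"}
        if grant["authorized_by"] is None:
            return {"error": "authorization_pending"}
        # Tokens go to whoever holds device_code: the polling client, not the device where MFA happened.
        response = {"token_type": "Bearer", "scope": grant["scope"], "subject": grant["authorized_by"],
                    "access_token": "at-" + secrets.token_hex(8)}
        if "offline_access" in grant["scope"].split():
            response["refresh_token"] = "rt-" + secrets.token_hex(8)  # outlives the access token
        return response


def phishing_scenario(victim_completes_mfa=True, delay_seconds=60):
    """Run the three steps with the attacker as the OAuth client and return each side's response."""
    idp = MockAuthorizationServer()
    attacker_client = "constructed-client-id"  # a public client ID; the flow needs no client secret
    start = idp.device_authorization(attacker_client, "openid offline_access Mail.Read")
    first_poll = idp.token(attacker_client, start["device_code"])   # before the victim acts
    idp.now += delay_seconds                                         # time until the lure is clicked
    victim_response = idp.user_authorizes(start["user_code"], "victim@example.com", victim_completes_mfa)
    final_poll = idp.token(attacker_client, start["device_code"])   # after the victim acts
    return {"first_poll": first_poll, "victim_response": victim_response, "final_poll": final_poll}
```

Running `phishing_scenario()` returns `authorization_pending` for the first poll and a token response with `subject` `victim@example.com` and a refresh token for the final one; with `delay_seconds=901` both the victim's attempt and the poll fail on expiry, which is why lures push for immediate action.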

Microsoft 365 OAuth Device Code Flow Security

The danger of this approach is that, from the identity provider's point of view, nothing is bypassed. The user completes the second factor on their own device during a genuine sign-in, so the request is valid and tokens are issued. The attacker holds the device code that started the flow, so those tokens are delivered to the attacker's client; the refresh token can then be redeemed for new access tokens for as long as it remains valid, giving persistence without the attacker ever learning the password. Auditing where the device code flow is used and who can use it should now be a priority for cloud administrators.

How to Detect Kali365 Phishing and Session Hijacking

Security teams must adapt their monitoring to surface these sign-ins, and specific detection logic in the SIEM is essential. In Entra ID sign-in logs the Authentication Protocol field records the grant used; device code sign-ins appear as "Device Code" in the portal and as deviceCode in the Graph API and the SigninLogs table. Every successful device code sign-in deserves a look, and cross-referencing the event with an unusual country, an unfamiliar User-Agent, or a user who has never used the flow before raises the priority.

Organizations researching how to detect Kali365 phishing should prioritize the analysis of Entra ID sign-in logs. Look for successful sign-ins whose Device Detail does not match the user's usual profile, and watch what happens after a device code sign-in: because the attacker redeems the tokens from a different system, the SOC may see the same session continue from a new IP address and location within minutes, often with a non-browser User-Agent. That sudden shift within an active session is a classic sign of token theft.
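The two checks described above (successful device code sign-ins, and a session continuing from a different IP shortly afterwards) implemented over constructed sample sign-in records, as an added example that is not code from the article or from any vendor. The records mimic Microsoft Graph `signIn` objects (the same data lands in a SIEM's SigninLogs table); the field names follow the Graph schema as far as it is known here, but treat them as assumptions and map them to your own export before use.

```python
"""Detection logic for device-code phishing over Entra ID sign-in records.

Added example: not code from the article or any vendor product. The records
are constructed to resemble Microsoft Graph `signIn` objects; the field names
follow the Graph schema as far as known but should be treated as assumptions
and mapped to your own export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: a morning of sign-ins for a small tenant.
SAMPLE_SIGNINS = [
    # alice: normal interactive browser sign-in from her usual country
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2026-05-25T08:02:11Z",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "GB"}, "userAgent": "Mozilla/5.0 (Windows NT 10.0) Chrome/125",
     "sessionId": "sess-a1", "status": {"errorCode": 0}},
    # alice: enters a phished code on the genuine device-login page and passes MFA
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2026-05-25T08:40:05Z",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "GB"}, "userAgent": "Mozilla/5.0 (Windows NT 10.0) Chrome/125",
     "sessionId": "sess-a2", "status": {"errorCode": 0}},
    # the tokens issued by that grant are then used from another host and country
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2026-05-25T08:41:30Z",
     "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.77",
     "location": {"countryOrRegion": "NL"}, "userAgent": "python-requests/2.31",
     "sessionId": "sess-a2", "status": {"errorCode": 0}},
    # bob: legitimate device-code sign-in for a conference-room device, usual country
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2026-05-25T09:15:40Z",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.55",
     "location": {"countryOrRegion": "GB"}, "userAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/125",
     "sessionId": "sess-b1", "status": {"errorCode": 0}},
    # dave: device-code sign-in from a country never seen for him
    {"userPrincipalName": "dave@example.com", "createdDateTime": "2026-05-25T11:03:09Z",
     "authenticationProtocol": "deviceCode", "ipAddress": "192.0.2.200",
     "location": {"countryOrRegion": "RO"}, "userAgent": "Mozilla/5.0 (Linux; Android 14) Chrome/125",
     "sessionId": "sess-d1", "status": {"errorCode": 0}},
    # carol: failed device-code attempt (non-zero errorCode), so no tokens were issued
    {"userPrincipalName": "carol@example.com", "createdDateTime": "2026-05-25T11:10:00Z",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.90",
     "location": {"countryOrRegion": "GB"}, "userAgent": "Mozilla/5.0 (Macintosh) Safari/17",
     "sessionId": "sess-c1", "status": {"errorCode": 50074}},
]

# Countries each user has signed in from over the last 30 days (constructed baseline).
BASELINE_COUNTRIES = {"alice@example.com": {"GB"}, "bob@example.com": {"GB"}, "dave@example.com": {"GB"}}


def _ts(record):
    return datetime.strptime(record["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")


def device_code_signins(signins, baseline):
    """Rule 1: every successful deviceCode sign-in; high severity when the country is new for the user."""
    hits = []
    for s in signins:
        if s["status"]["errorCode"] != 0 or s["authenticationProtocol"] != "deviceCode":
            continue
        user, country = s["userPrincipalName"], s["location"]["countryOrRegion"]
        severity = "high" if country not in baseline.get(user, set()) else "medium"
        hits.append({"user": user, "severity": severity, "ip": s["ipAddress"],
                     "country": country, "time": s["createdDateTime"]})
    return hits


def session_ip_shift(signins, window=timedelta(hours=1)):
    """Rule 2: the same session continuing from a different IP within the window (token replay)."""
    by_session = defaultdict(list)
    for s in signins:
        if s["status"]["errorCode"] == 0:
            by_session[s["sessionId"]].append(s)
    hits = []
    for session_id, events in by_session.items():
        events.sort(key=_ts)
        for prev, cur in zip(events, events[1:]):
            if cur["ipAddress"] != prev["ipAddress"] and _ts(cur) - _ts(prev) <= window:
                hits.append({"user": cur["userPrincipalName"], "sessionId": session_id,
                             "ips": (prev["ipAddress"], cur["ipAddress"]),
                             "countries": (prev["location"]["countryOrRegion"],
                                           cur["location"]["countryOrRegion"]),
                             "userAgents": (prev["userAgent"], cur["userAgent"])})
    return hits
```

Rule 1 on the sample data flags alice and bob at medium (usual country) and dave at high (new country), and ignores carol's failed attempt; rule 2 flags only alice's session `sess-a2`, which moved from a Windows browser in GB to a scripted client in NL within 85 seconds. In production, feed rule 1 a 30-day baseline of countries or named locations per user and alert on every high hit; medium hits from known conference-room accounts can be allow-listed.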

Why the Kali365 PhaaS Mitigation Steps are Essential

To protect against these threats, defenders should focus on hardening their identity infrastructure. Unless there is a specific business requirement for devices such as conference room systems to use the device code flow, it should be blocked with a Conditional Access policy that uses the authentication flows condition, scoped to all users and all cloud apps, with only a small, documented group exempted. Report-only mode is useful to find legitimate users of the flow first, but the policy must be enabled with a block control to have any effect; requiring MFA is pointless here, since the victim completes MFA anyway. Blocking the flow means a Kali365-generated code cannot be redeemed even if the user enters it. For users who have already completed a suspicious device code sign-in, revoke their sign-in sessions so the issued refresh tokens stop working. Following these Kali365 PhaaS mitigation steps will significantly reduce the surface available for token-based attacks and preserve the integrity of the corporate identity perimeter.
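The policy described above, expressed as a Microsoft Graph `conditionalAccessPolicy` payload beside two weak variants (report-only, and require-MFA), with an audit function that checks an exported policy list for an enforcing block. This is an added example, not code from the article or from Microsoft; the field names (`conditions.authenticationFlows.transferMethods`, `grantControls.builtInControls`) follow the Graph resource as far as it is known here and should be verified against the Graph reference before a policy is posted. The group ID is made up.

```python
"""Conditional Access policy blocking the device code flow, beside two weak
variants, plus an audit over an exported policy list.

Added example: not code from the article and not Microsoft's. The JSON shape
follows the Microsoft Graph `conditionalAccessPolicy` resource as far as known;
treat the field names as assumptions and check them against the Graph
reference before posting a policy. The group ID is constructed.
"""

CONFERENCE_ROOM_GROUP = "00000000-0000-0000-0000-00000000c0de"  # constructed ID of the exempted group

_DEVICE_CODE_CONDITIONS = {
    "users": {"includeUsers": ["All"]},
    "applications": {"includeApplications": ["All"]},
    "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
}

# Weak: report-only mode records what the policy would do but enforces nothing.
REPORT_ONLY_POLICY = {
    "displayName": "Device code flow - report only",
    "state": "enabledForReportingButNotEnforced",
    "conditions": _DEVICE_CODE_CONDITIONS,
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

# Weak: requiring MFA changes nothing, because the victim completes MFA during the phish.
REQUIRE_MFA_POLICY = {
    "displayName": "Device code flow - require MFA",
    "state": "enabled",
    "conditions": _DEVICE_CODE_CONDITIONS,
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

# Corrected: enabled, all users and all apps, grant control = block, one narrow exemption.
BLOCK_POLICY = {
    "displayName": "Block device code flow",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeGroups": [CONFERENCE_ROOM_GROUP]},
        "applications": {"includeApplications": ["All"]},
        "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}


def blocks_device_code(policy):
    """True only if the policy is enabled, scoped to all users and apps, targets the
    device code flow and blocks it. Any other combination leaves the flow usable."""
    if policy.get("state") != "enabled":
        return False
    cond = policy.get("conditions", {})
    # transferMethods is a flags value and may list several methods separated by commas.
    methods = {m.strip() for m in cond.get("authenticationFlows", {}).get("transferMethods", "").split(",")}
    if "deviceCodeFlow" not in methods:
        return False
    if "All" not in cond.get("users", {}).get("includeUsers", []):
        return False
    if "All" not in cond.get("applications", {}).get("includeApplications", []):
        return False
    return "block" in policy.get("grantControls", {}).get("builtInControls", [])


def audit_device_code_policies(policies):
    """Summarize whether a tenant's exported policies block the flow and who is exempt."""
    enforcing = [p for p in policies if blocks_device_code(p)]
    excluded = sorted({g for p in enforcing for g in p["conditions"]["users"].get("excludeGroups", [])})
    return {"blocked": bool(enforcing),
            "enforcing_policies": [p["displayName"] for p in enforcing],
            "excluded_groups": excluded}
```

Run the audit over the policies pulled from `GET /identity/conditionalAccess/policies`: with only the two weak policies present it reports `blocked: False`; adding the corrected policy flips it to `True` and lists the exempted group, which is the list to review for membership creep.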
