On May 21, 2026, the FBI issued a public warning about a phishing-as-a-service platform called Kali365 that has been quietly making its way through enterprise Microsoft 365 environments since April. As BleepingComputer reported, Kali365 is not a traditional credential harvesting tool. It does not need your password. It does not need to intercept your MFA code. It abuses a legitimate authentication flow to steal OAuth tokens directly, and once it has those tokens, it has persistent access to your Outlook, Teams, and OneDrive without ever triggering another authentication challenge.
The FBI warning did not arrive in a vacuum. Device code phishing had already hit more than 340 Microsoft 365 organizations across five sectors earlier in the year. Kali365 is the commercial infrastructure that industrializes that technique and puts it within reach of anyone willing to pay $250 a month on Telegram.
How Kali365 works
The attack does not look like a traditional phishing campaign. There is no credential harvest page. No fake login portal. No MFA intercept. The FBI's official PSA describes a four-step process that exploits a legitimate Microsoft authentication flow called OAuth device code authorization, a feature originally designed to allow devices without keyboards, such as smart TVs or printers, to authenticate to Microsoft 365.
Here is how it plays out in practice:
The attacker initiates a device code flow on their end and generates a short alphanumeric code. They send a phishing email impersonating a trusted enterprise service, typically a cloud productivity or document-sharing platform, that instructs the target to visit a real Microsoft verification page and enter the code. The page is not fake. It is the actual Microsoft device authorization portal. The target pastes in the code, thinking they are completing a routine authentication step. At that moment, the attacker's session is authorized.
The attacker captures the OAuth access token and, more critically, the refresh token. Access tokens expire. Refresh tokens are long-lived and, in practice, do not expire before the attacker has used them to establish persistence. From that point forward, the attacker can access the target's Microsoft 365 environment, browse Outlook, Teams, and OneDrive, read email, open shared files, and move laterally without a password or any additional MFA challenge. The legitimate user has no indication anything happened.
Kali365 packages this entire operation into a subscription service. For $250 for 30 days or $2,000 for a full year, subscribers get AI-generated phishing lures tailored to enterprise targets, automated campaign templates, real-time tracking dashboards showing which targets have authorized the device code, and a token library that stores captured OAuth access and refresh tokens and makes them available for reuse across the platform's affiliate network.
How Kali365 works at a glance
- Step 1: Attacker initiates device code flow and generates authorization code
- Step 2: Phishing email sent impersonating trusted enterprise service, directing target to real Microsoft verification page
- Step 3: Target enters code on legitimate Microsoft page, unknowingly authorizing attacker's device
- Step 4: Attacker captures OAuth access and refresh tokens. Persistent access to Outlook, Teams, OneDrive established. No password or MFA required.
- Subscription cost: $250 for 30 days, $2,000 per year, distributed via Telegram
- Follow-on activity: Data theft, fraud, extortion, ransomware
Why MFA does not stop this
The reason Kali365 is notable is not just the scale of the campaign. It is what the attack reveals about the limits of MFA as a security control.
Most enterprise security programs treat MFA as the primary defense against account compromise. The assumption is that even if a password is stolen, the attacker cannot authenticate without the second factor. Kali365 bypasses that assumption entirely because it never touches the password or the second factor. It abuses the authorization flow that runs underneath them.
This is not a vulnerability in MFA. The feature Kali365 exploits is working exactly as designed. The problem is that the trust model built around OAuth tokens assumes those tokens remain in the hands of the entity that was authorized. When an attacker tricks a user into authorizing their session, that assumption breaks. The token is valid. The session is legitimate. The access is real. And the security tooling that watches for failed logins, brute force attempts, or MFA fatigue attacks sees nothing, because from its perspective, everything went through correctly.
A CSA research note published in March 2026 described device code phishing as weaponizing a legitimate protocol feature to harvest Microsoft 365 access tokens without requiring credential theft. The note identified more than 340 organizations targeted across five sectors since February alone. Kali365 is the next evolution of that campaign, with a commercial subscription model that puts it within reach of threat actors who would not otherwise have the technical capability to execute it.
The token is the identity
The deeper issue this attack exposes is one that goes beyond Microsoft 365. OAuth tokens are non-human identities. They carry permissions. They grant access. They authenticate to services. And in most enterprise environments, they are not monitored with anything close to the rigor applied to human user accounts.
Vorlon's 2026 CISO Report found that 89.2% of CISOs claim strong OAuth token governance. Yet 27.4% of those same organizations were breached through compromised OAuth tokens in 2025. That gap between confidence and reality reflects the difference between knowing a token exists and monitoring what that token actually does at runtime.
This is where behavioral detection becomes relevant. Vorlon cannot prevent the phishing email from landing. It cannot stop a user from entering the device code. Those problems belong to email security tooling, conditional access policies, and security awareness training. What Vorlon addresses is what happens after the token has been issued and the attacker starts using it.
A stolen Kali365 token looks identical to a legitimate one at the point of issuance. It passes authentication, carries the correct scopes, and originates from what appears to be a valid session. The only available signal is behavioral. Does this token normally access Teams at 2 AM? Does it typically authenticate from this geography? Is it pulling email at a volume consistent with its established baseline? Is it suddenly touching SharePoint or OneDrive folders it has never accessed before?
Vorlon establishes behavioral baselines for every OAuth token in your environment as a non-human identity. When a token starts operating outside that baseline after a Kali365 compromise, that deviation is detectable in real time. And when the token needs to be revoked, the Vorlon integrations layer supports cross-platform revocation through two-click remediation in the Action Center, revoking access across every connected service simultaneously rather than requiring manual intervention in each platform individually.
The window between token capture and breach containment is where the damage happens. Behavioral detection and fast cross-platform response are what close it.
What security teams should do now
Restrict or monitor device code flow. The FBI's PSA is direct on this point. Create a conditional access policy to block device code flow for all users, with limited exceptions for business processes that genuinely require it. Before implementing the policy, audit existing device code flow usage to identify legitimate dependencies. If you cannot block it entirely, monitor it closely.
Audit your OAuth token inventory. Know which tokens exist in your environment, what scopes they carry, when they were issued, and when they were last used. Long-lived refresh tokens with broad scopes that have not been reviewed recently are high-value targets. Revoke anything that cannot be attributed to a legitimate, active business process.
Build alerting on token behavioral anomalies. Authentication events are not enough. You need visibility into what tokens do after the authorization event: which services they access, from which locations, at what times, and at what volume. Build SIEM alerting rules that flag tokens accessing services from new geographies, during anomalous hours, or at unusual data volumes.
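The baseline-and-deviation logic the alerting guidance above describes, as an added example that is not Vorlon's code or part of the original post; the token id, the activity records, and the 5x volume threshold are constructed for illustration:

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not real telemetry): (token_id, UTC timestamp, country, service, bytes)
BASELINE_EVENTS = [
    ("tok-7f3a", "2026-05-04T09:12:00", "US", "Outlook", 2_000_000),
    ("tok-7f3a", "2026-05-05T10:30:00", "US", "Outlook", 1_800_000),
    ("tok-7f3a", "2026-05-06T14:05:00", "US", "Teams", 500_000),
    ("tok-7f3a", "2026-05-07T16:40:00", "US", "Outlook", 2_400_000),
]
NEW_EVENTS = [
    ("tok-7f3a", "2026-05-22T02:14:00", "NL", "Outlook", 40_000_000),
    ("tok-7f3a", "2026-05-22T15:00:00", "US", "OneDrive", 300_000),
    ("tok-7f3a", "2026-05-22T10:00:00", "US", "Teams", 400_000),
]
VOLUME_FACTOR = 5  # flag transfers above 5x the token's largest baseline transfer

def build_baselines(events):
    """Per token: countries and services seen, active hours, largest transfer."""
    base = defaultdict(lambda: {"countries": set(), "services": set(),
                                "hours": set(), "max_bytes": 0})
    for token, ts, country, service, nbytes in events:
        b = base[token]
        b["countries"].add(country)
        b["services"].add(service)
        b["hours"].add(datetime.fromisoformat(ts).hour)
        b["max_bytes"] = max(b["max_bytes"], nbytes)
    return base

def evaluate(events, baselines):
    """Return [(token, timestamp, reasons)] for events outside their baseline."""
    findings = []
    for token, ts, country, service, nbytes in events:
        b = baselines.get(token)  # .get() does not create a default entry
        if b is None:
            # No history at all: a freshly issued token pulling data is the post-authorization case
            findings.append((token, ts, ["unknown_token"]))
            continue
        hour = datetime.fromisoformat(ts).hour
        checks = [
            ("new_geography", country not in b["countries"]),
            ("anomalous_hour", not min(b["hours"]) <= hour <= max(b["hours"])),
            ("new_service", service not in b["services"]),
            ("unusual_volume", nbytes > VOLUME_FACTOR * b["max_bytes"]),
        ]
        reasons = [name for name, hit in checks if hit]
        if reasons:
            findings.append((token, ts, reasons))
    return findings
```

In a SIEM the baseline would be computed over a rolling window of real activity logs rather than a fixed list, and each reason would map to its own alert rule.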
Train employees specifically on device code phishing. This attack succeeds because employees do not recognize the authorization step as dangerous. A standard anti-phishing training program that focuses on credential harvest pages will not cover this scenario. Add device code phishing to your security awareness curriculum with explicit examples of what the authorization page looks like and why entering a code from an email is never a safe action.
Review your incident response playbook for token-based compromise. When a credential is compromised, the response is to reset the password. When a token is compromised, the response is to revoke the token across every platform it has access to. Those are different procedures, and they need to be documented, tested, and understood by your SOC before an incident happens.
Kali365 is a $250 subscription. The access it provides to a compromised Microsoft 365 environment is not bounded by that price point. The follow-on risk includes data theft, business email compromise, lateral movement across connected SaaS applications, and ransomware. MFA is not the last line of defense. It never was. Behavioral monitoring of the tokens that authentication produces is where the real signal lives.