3 hours ago
4
Cyber-Crime
MFA? No problem, says crimeware that tricks users into handing attackers the keys to M365
The FBI has issued a public service announcement warning about a new phishing kit that's stealing Microsoft OAuth tokens at an alarming rate.
OAuth token theft is a serious headache for organizations because stolen tokens can bypass multi-factor authentication (MFA) and grant access to privileged accounts within an organization without needing to know their credentials.
Think corporate espionage, data theft, maybe even ransomware.
The main culprit is Kali365, described as a phishing-as-a-service platform that's being peddled on Telegram, first spotted by crimefighters in April 2026.
"Kali365 lowers the barrier of entry, providing less-technical attackers access to AI-generated phishing lures, automated campaign templates, real-time targeted individual/entity tracking dashboards, and OAuth token capture capabilities," the FBI said in its announcement.
Phishing kits aren't new. Different flavors are always in development, but the good ones can be especially problematic for organizations.
Kali365 lets attackers send convincing phishing emails that impersonate "trusted cloud productivity and document-sharing services," - Adobe Acrobat Sign, DocuSign, and SharePoint - according to security shop Arctic Wolf.
That email contains a device code and instructions for the target to enter the code into a legitimate Microsoft page, a hyperlink for which is included in the email.
Entering that code registers the attacker's device to the unwitting target's M365 account, effectively surrendering access to emails, Teams, and all the rest of it. No MFA required.
Arctic Wolf published a deep dive on Kali365 back in April, noting that it also offers adversary-in-the-middle (AitM) capabilities that are distinct from the device code phishing described by the FBI.
The second attack Kali365 enables leads to the same outcome, accessing Microsoft accounts while bypassing MFA, just through slightly different mechanics.
Victims are sent an initial phishing email containing a cookie-based lure, which transparently proxies their browser via attacker-controlled infrastructure, Arctic Wolf said. Requests are then forwarded to a real Microsoft login page, and responses are beamed back to the victim, who authenticates the typical way using their valid credentials, passing Microsoft MFA.
Session cookies, related artifacts, and other session information are scooped up during this process and stored in the Kali365 attacker panel. From there, attackers can generate scripts to replay those sessions in their own environment, effectively borrowing the genuine user's session.
The researchers' analysis of Kali365 revealed three distinct tiers for subscribers.
The lowest Client Tier is for individual attackers, who can change the branding on the panels to give each a bespoke look while sporting the same underlying powers. The Agent Tier is for resellers who can provision and manage their own branded Kali365 panels and Client Tiers. The Admin Tier is reserved for Kali365's developers.
Kali365 has a simple pricing structure: $250 per month per tenant, or $2,000 for a year. It supports an array of languages: Arabic, Chinese, Dutch, English, French, German, Italian, Japanese, Korean, Polish, Portuguese, Russian, Spanish, and Turkish.
Since emerging in April, Kali365 has often been mentioned in the same breath as EvilTokens, another device code phishing platform that hit headlines weeks earlier after Microsoft confirmed hundreds of compromises each day.
"Each campaign is distributed at scale, targeting hundreds of organizations with highly varied and unique payloads, making pattern-based detection more challenging," Tanmay Ganacharya, VP of security research at Microsoft, told The Register.
"We continue to observe high-volume activity, with hundreds of compromises occurring daily across affected environments."
Both Arctic Wolf and the FBI suggested organizations at risk should use conditional access policies to block device code flow where not required.
Defenders should also consider blocking authentication transfer policies, which let users move authentication between devices such as PCs and phones. ®
English (US) ·