Phishing‑as‑a‑Service Kit Kali365 Hijacks Microsoft 365 Accounts, Bypassing MFA Without Passwords
What Happened – The FBI issued an advisory on a new phishing‑as‑a‑service platform, Kali365, that steals OAuth tokens via Microsoft’s “device code flow.” By tricking users into authorising a malicious device, attackers obtain full access to Outlook, Teams, OneDrive and other 365 services without ever needing a password or MFA prompt.
Why It Matters for TPRM –
- MFA alone no longer guarantees protection against credential‑theft attacks.
- The service is sold as a subscription, meaning any low‑skill third‑party could launch large‑scale campaigns.
- Compromise of a single Microsoft 365 account can cascade to other SaaS applications via token reuse.
Who Is Affected – Enterprises that rely on Microsoft 365 (email, collaboration, file storage) across all sectors, especially those with remote workforces and third‑party integrations.
Recommended Actions –
- Review and tighten OAuth token issuance policies (e.g., enforce conditional access, limit token lifetimes).
- Deploy user‑education campaigns that highlight the “device code flow” abuse scenario.
- Implement real‑time token monitoring and anomaly detection for privileged accounts.
Technical Notes – Attack vector: phishing email → legitimate Microsoft verification page → user‑entered device code → attacker receives OAuth access token. No password or MFA challenge is required. The kit includes AI‑generated lures, campaign dashboards, and token‑capture modules. Source: Bitdefender Blog – FBI warns of Kali365 phishing kit