Kali365 Phishing‑as‑a‑Service Harvests Microsoft 365 OAuth Tokens, Bypassing MFA
What Happened — The FBI disclosed a new phishing‑as‑a‑service platform, Kali365, that abuses Microsoft’s OAuth 2.0 device‑code flow to steal access tokens and bypass multi‑factor authentication. The service is sold on Telegram, giving low‑skill actors a turnkey way to hijack Microsoft 365, Entra, and any SaaS applications accessed via Azure AD SSO.
Why It Matters for TPRM —
- Token‑based compromise grants attackers full SSO access to all cloud services a user can reach, expanding the attack surface beyond the compromised mailbox.
- MFA is effectively neutralized, eroding a core control many third‑party risk programs rely on.
- The “plug‑and‑play” model lowers the barrier for threat actors, increasing the likelihood of widespread credential theft across vendor ecosystems.
Who Is Affected — Enterprises that use Microsoft 365 / Entra, SaaS providers integrated via Azure AD SSO (e.g., Salesforce, ServiceNow), and any downstream vendors that trust those identities.
Recommended Actions —
- Review and, where possible, disable the OAuth device‑code grant for accounts that do not need it.
- Enforce conditional‑access policies that block token issuance from unknown or unmanaged devices.
- Deploy real‑time monitoring for anomalous token creation and enforce token‑revocation on suspicious activity.
- Conduct targeted phishing awareness training that highlights the legitimate
microsoft.com/deviceloginURL and the danger of authorizing unknown clients.
Technical Notes — Attack vector: phishing emails that direct victims to Microsoft’s device‑code login portal, where the attacker‑controlled client obtains an OAuth access token after the user completes MFA. No public CVE; the abuse leverages a legitimate Microsoft OAuth flow. Compromised data can include email, documents, and any SaaS resources accessed through SSO. Source: BleepingComputer