HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Kali365 Phishing‑as‑a‑Service Harvests Microsoft 365 OAuth Tokens, Bypassing MFA

The FBI has identified Kali365, a phishing‑as‑a‑service platform that leverages Microsoft’s OAuth device‑code flow to steal access tokens and sidestep MFA. The service is sold on Telegram, enabling low‑skill actors to hijack Microsoft 365 and any SaaS applications accessed via Azure AD SSO, creating a broad third‑party risk.

LiveThreat™ Intelligence · 📅 May 25, 2026· 📰 bleepingcomputer.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
4 recommended
📰
Source
bleepingcomputer.com

Kali365 Phishing‑as‑a‑Service Harvests Microsoft 365 OAuth Tokens, Bypassing MFA

What Happened — The FBI disclosed a new phishing‑as‑a‑service platform, Kali365, that abuses Microsoft’s OAuth 2.0 device‑code flow to steal access tokens and bypass multi‑factor authentication. The service is sold on Telegram, giving low‑skill actors a turnkey way to hijack Microsoft 365, Entra, and any SaaS applications accessed via Azure AD SSO.

Why It Matters for TPRM

  • Token‑based compromise grants attackers full SSO access to all cloud services a user can reach, expanding the attack surface beyond the compromised mailbox.
  • MFA is effectively neutralized, eroding a core control many third‑party risk programs rely on.
  • The “plug‑and‑play” model lowers the barrier for threat actors, increasing the likelihood of widespread credential theft across vendor ecosystems.

Who Is Affected — Enterprises that use Microsoft 365 / Entra, SaaS providers integrated via Azure AD SSO (e.g., Salesforce, ServiceNow), and any downstream vendors that trust those identities.

Recommended Actions

  • Review and, where possible, disable the OAuth device‑code grant for accounts that do not need it.
  • Enforce conditional‑access policies that block token issuance from unknown or unmanaged devices.
  • Deploy real‑time monitoring for anomalous token creation and enforce token‑revocation on suspicious activity.
  • Conduct targeted phishing awareness training that highlights the legitimate microsoft.com/devicelogin URL and the danger of authorizing unknown clients.

Technical Notes — Attack vector: phishing emails that direct victims to Microsoft’s device‑code login portal, where the attacker‑controlled client obtains an OAuth access token after the user completes MFA. No public CVE; the abuse leverages a legitimate Microsoft OAuth flow. Compromised data can include email, documents, and any SaaS resources accessed through SSO. Source: BleepingComputer

📰 Original Source
https://www.bleepingcomputer.com/news/security/fbi-warns-of-kali365-phishing-service-targeting-microsoft-365-accounts/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Could you prove your access controls held up here?

Credential and access failures map directly to SOC 2 access-control criteria. The Verisq AI Trust Operations platform shows where your evidence is thin before an auditor — or an attacker — finds out.

Explore the Verisq AI Trust Operations platform →