Kali365 Phishing‑as‑a‑Service Bypasses MFA to Harvest Microsoft 365 Tokens
What Happened — A new phishing‑as‑a‑service platform named Kali365 is selling token‑stealing campaigns that let low‑skill attackers hijack Microsoft 365 accounts. By luring victims to a legitimate Microsoft device‑code page, the kit captures OAuth access and refresh tokens, effectively bypassing multi‑factor authentication (MFA).
Why It Matters for TPRM —
- MFA is no longer a guarantee of protection when refresh tokens are exfiltrated.
- Compromised tokens grant persistent, silent access to Outlook, Teams, OneDrive, and SharePoint, enabling data theft and business‑email‑compromise (BEC) from a trusted address.
- The service is sold openly, meaning any third‑party vendor that integrates Microsoft 365 (e.g., SaaS providers, MSPs, payroll platforms) could be an indirect attack surface.
Who Is Affected — All organizations and individuals using Microsoft 365 (Outlook, OneDrive, Teams, SharePoint), spanning finance, healthcare, education, government, and any sector that relies on Microsoft cloud services.
Recommended Actions —
- Review all third‑party contracts that involve Microsoft 365 access and confirm token‑revocation procedures.
- Enforce Conditional Access policies that require device compliance or risk‑based sign‑in controls.
- Deploy token‑monitoring solutions (e.g., Azure AD sign‑in risk, anomalous token usage alerts).
- Conduct user awareness training focused on device‑code phishing flows.
Technical Notes — The kit uses a legitimate Microsoft device‑code URL, tricks users into approving an OAuth consent screen, and harvests both access and refresh tokens. No password is entered, so traditional phishing detection that looks for credential‑stealing forms may miss it. Tokens remain valid until revoked or expired, providing long‑term access without further user interaction. Source: Malwarebytes Labs