HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Kali365 Phishing‑as‑a‑Service Bypasses MFA to Harvest Microsoft 365 OAuth Tokens

Kali365, a new phishing‑as‑a‑service platform sold on Telegram, tricks Microsoft 365 users into authorising malicious device codes, capturing OAuth access and refresh tokens and bypassing MFA. The threat poses a high‑risk token‑theft scenario for any organization that relies on Microsoft 365 for collaboration and identity federation.

LiveThreat™ Intelligence · 📅 May 22, 2026· 📰 helpnetsecurity.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
4 recommended
📰
Source
helpnetsecurity.com

New Phishing‑as‑a‑Service Platform Kali365 Bypasses MFA to Harvest Microsoft 365 OAuth Tokens

What Happened — A criminal‑as‑a‑service operation named Kali365, distributed via Telegram, is delivering AI‑generated phishing lures that trick Microsoft 365 users into authorising a malicious device code. The flow captures OAuth access and refresh tokens, giving attackers persistent access to Outlook, Teams, OneDrive and other services without needing passwords or additional MFA prompts.

Why It Matters for TPRM

  • Token‑theft circumvents traditional credential‑based controls, exposing downstream SaaS integrations.
  • The service lowers the skill bar, meaning many third‑party vendors could be compromised without sophisticated attack teams.
  • Persistent token access can be leveraged to exfiltrate data, modify shared documents, or impersonate users in supply‑chain workflows.

Who Is Affected — Cloud‑based productivity SaaS providers (Microsoft 365), their enterprise customers, and any downstream vendors that rely on Microsoft 365 APIs for collaboration, document management, or identity federation.

Recommended Actions

  • Enforce Conditional Access policies that block token issuance from unknown client IDs and require compliant devices.
  • Deploy real‑time token monitoring and revocation tools (e.g., Microsoft Entra ID risk detection).
  • Conduct phishing awareness training focused on device‑code attacks and verify URLs before entering codes.
  • Review third‑party contracts for MFA and token‑management clauses; require vendors to implement token‑lifecycle controls.

Technical Notes — Attack vector: device‑code phishing (OAuth token capture). No CVE is involved; the threat exploits legitimate Microsoft authentication flows. Stolen data: OAuth access and refresh tokens granting read/write access to Exchange, Teams, SharePoint, OneDrive. Source: Help Net Security

📰 Original Source
https://www.helpnetsecurity.com/2026/05/22/kali365-microsoft-365-phishing-fbi-warning/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Security Awareness

Phishing and social engineering are a people-and-policy problem.

The Verisq AI Trust Operations platform pairs Security Awareness Training with policy adoption tracking, so human-risk controls are documented and audit-ready.

Explore the Verisq AI Trust Operations platform →