FBI Warning Puts Kali365 Phishing Kit On Microsoft 365 Security Radar


A new federal cyber warning has put Kali365 on the security radar after the phishing-as-a-service platform emerged as a tool for stealing Microsoft 365 access tokens and bypassing multi-factor authentication.

Kali365 was first seen in April 2026 and has primarily been distributed through Telegram. The platform gives lower-skilled attackers access to AI-generated phishing lures, automated campaign templates, real-time target tracking dashboards and OAuth token capture capabilities.

The attack does not need to intercept a victim’s password in the usual way. Instead, the victim is pushed into a device-code flow that can involve a legitimate Microsoft verification page. Once the target enters the code, the attacker can capture OAuth access and refresh tokens, giving access to Microsoft 365 services such as Outlook, Teams and OneDrive without forcing another MFA challenge.

That makes Kali365 more dangerous than a basic credential-phishing page. A user may believe the process is safer because the login page is real and MFA has already been completed. In practice, the attacker is trying to obtain the session authority behind the account, not simply a reusable password.

For crypto users, founders, exchanges and treasury teams, the risk is indirect but serious. A compromised Microsoft 365 account can expose invoices, investor messages, exchange correspondence, cloud documents, internal files, legal records and password-reset trails. The alert is not a confirmed crypto-theft campaign, but email and collaboration-account takeovers often become the starting point for financial fraud, impersonation, payroll diversion, vendor scams and account recovery abuse.

Device-Code Abuse Changes The Phishing Problem

Kali365 fits a broader shift in phishing from fake login pages toward abusing legitimate identity flows. Device-code authentication was built for devices that cannot easily handle normal browser-based sign-ins. Attackers exploit that workflow by convincing targets to authorize a session the attacker controls.

Microsoft has already treated device-code authentication as a high-risk flow that organizations should restrict where possible. Admins can block device-code flow with Conditional Access policies, audit existing usage first, and only allow documented exceptions for business processes that genuinely need it.

That recommendation lines up with the Kali365 alert. Organizations can reduce exposure by restricting device-code flow and authentication transfer through Conditional Access policies, reviewing active sessions and watching for suspicious logins, unauthorized devices, unusual IPs and unexpected access to Outlook, Teams or OneDrive.
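The "audit existing usage first" and "watch for suspicious logins" steps above are easiest to see with a concrete triage pass over sign-in records. The following is an added example written for this article, not code from the FBI alert, Microsoft or the Kali365 reporting. The records are constructed and shaped after the Microsoft Graph signIn resource (authenticationProtocol, ipAddress, appDisplayName, userPrincipalName, deviceDetail); the corporate IP range and the list of apps with a documented device-code exception are assumptions standing in for an organization's own records. It inventories which apps actually use device-code or authentication-transfer sign-ins, then flags each such sign-in that lacks a documented exception, comes from outside corporate ranges, or arrives from an unmanaged device.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample export shaped like Microsoft Graph /auditLogs/signIns
# records. Field names follow the Graph signIn resource; every value is invented.
SAMPLE_SIGNINS = json.loads("""[
  {"createdDateTime": "2026-05-02T08:14:11Z", "userPrincipalName": "alice@example.com",
   "appDisplayName": "Microsoft Office", "authenticationProtocol": "none",
   "ipAddress": "203.0.113.10", "deviceDetail": {"isManaged": true}},
  {"createdDateTime": "2026-05-02T08:20:45Z", "userPrincipalName": "room-3@example.com",
   "appDisplayName": "Microsoft Teams Rooms", "authenticationProtocol": "deviceCode",
   "ipAddress": "203.0.113.22", "deviceDetail": {"isManaged": true}},
  {"createdDateTime": "2026-05-02T08:41:03Z", "userPrincipalName": "bob@example.com",
   "appDisplayName": "Microsoft Azure CLI", "authenticationProtocol": "deviceCode",
   "ipAddress": "203.0.113.40", "deviceDetail": {"isManaged": true}},
  {"createdDateTime": "2026-05-02T09:03:59Z", "userPrincipalName": "cfo@example.com",
   "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
   "ipAddress": "198.51.100.77", "deviceDetail": {"isManaged": false}},
  {"createdDateTime": "2026-05-02T09:05:12Z", "userPrincipalName": "cfo@example.com",
   "appDisplayName": "Microsoft Office", "authenticationProtocol": "authenticationTransfer",
   "ipAddress": "198.51.100.77", "deviceDetail": {"isManaged": false}}
]""")

# Assumptions standing in for an organization's own records: the IP ranges it
# considers corporate, and the apps with a documented device-code exception.
CORPORATE_NETS = [ipaddress.ip_network("203.0.113.0/24")]
APPROVED_DEVICE_CODE_APPS = {"Microsoft Teams Rooms"}

# The two flows the article says should be restricted.
HIGH_RISK_FLOWS = {"deviceCode", "authenticationTransfer"}


def is_corporate_ip(ip: str) -> bool:
    """True when the address falls inside one of the corporate ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # missing or malformed address counts as unknown, not corporate
    return any(addr in net for net in CORPORATE_NETS)


def triage(records):
    """Classify every device-code or authentication-transfer sign-in.

    Returns one finding per high-risk-flow record with the reasons it stands
    out. No reasons (documented app, corporate range, managed device) gives
    severity 'expected'; one reason gives 'review'; two or more give 'high'.
    """
    findings = []
    for rec in records:
        proto = rec.get("authenticationProtocol")
        if proto not in HIGH_RISK_FLOWS:
            continue
        reasons = []
        if rec.get("appDisplayName") not in APPROVED_DEVICE_CODE_APPS:
            reasons.append("app has no documented device-code exception")
        if not is_corporate_ip(rec.get("ipAddress", "")):
            reasons.append("source IP outside corporate ranges")
        if not rec.get("deviceDetail", {}).get("isManaged", False):
            reasons.append("unmanaged or unknown device")
        severity = "expected" if not reasons else ("review" if len(reasons) == 1 else "high")
        findings.append({
            "time": rec.get("createdDateTime"),
            "user": rec.get("userPrincipalName"),
            "app": rec.get("appDisplayName"),
            "flow": proto,
            "severity": severity,
            "reasons": reasons,
        })
    return findings


def usage_inventory(records):
    """Count high-risk-flow sign-ins per (app, flow): the 'audit usage first' step."""
    return Counter(
        (rec.get("appDisplayName"), rec["authenticationProtocol"])
        for rec in records
        if rec.get("authenticationProtocol") in HIGH_RISK_FLOWS
    )


def users_to_review(findings):
    """Users with at least one 'high' finding: candidates for session revocation."""
    return sorted({f["user"] for f in findings if f["severity"] == "high"})


if __name__ == "__main__":
    for (app, flow), n in usage_inventory(SAMPLE_SIGNINS).items():
        print(f"{n:3d}  {flow:22s} {app}")
    for f in triage(SAMPLE_SIGNINS):
        print(f"[{f['severity']:8s}] {f['time']} {f['user']} via {f['app']} "
              f"({f['flow']}) {'; '.join(f['reasons'])}")
    print("review sessions for:", users_to_review(triage(SAMPLE_SIGNINS)))
```

On the constructed data the meeting-room sign-in comes out as expected usage, the Azure CLI sign-in as a single-reason review item, and the two finance-account sign-ins from an unmanaged device outside the corporate range as high. The inventory is what feeds the exception list: anything that legitimately appears there is a candidate for a documented Conditional Access exclusion, and everything else is what the policy should block.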

The user-side warning is simpler. A device code should not be treated like a harmless one-time confirmation if the request came from an unexpected email, chat message, shared document or support contact. Users should verify the request through a trusted channel before entering any code, even when the destination page looks legitimate.

Crypto users already face direct wallet threats from fake recovery tools, drainers and wallet scanner scams that collect fees from users. Kali365 works through a different path. It does not need a seed phrase to create damage if it can reach the inbox, files and business identity layer around a crypto account.

The immediate response is defensive hygiene rather than panic. Teams using Microsoft 365 should review device-code flow exposure, revoke suspicious sessions, check OAuth app activity, tighten Conditional Access rules and report suspected compromise through IC3 with phishing emails, headers, suspicious login details and any unauthorized devices or active sessions. Kali365 turns a normal-looking authorization step into the attack surface, which makes the final user prompt and the admin policy behind it the two places where the fraud can still be stopped.
