The FBI recently warned about Kali365, a phishing service targeting Microsoft 365 accounts. The service is designed to capture OAuth access tokens by abusing Microsoft’s device code authentication flow. This makes the risk different from traditional credential phishing. The attacker does not need the user’s password if they can trick the user into authorizing access through a legitimate Microsoft workflow.
This matters because many small and medium-sized businesses rely on Microsoft 365 for email, files, collaboration, finance workflows, and customer communications. A single compromised account can expose Outlook, Teams, OneDrive, SharePoint, invoices, contracts, internal conversations, and customer data. The impact can quickly move from account compromise to business email compromise, vendor fraud, data theft, and reputational harm.
MFA is still one of the most important controls a business can deploy, but Kali365 shows that MFA alone is not enough. In a device code phishing attack, the user may be sent to a real Microsoft page and asked to enter a code. If the user approves the prompt, the attacker receives access tokens. The login may look legitimate, the password may never be stolen, and MFA may appear to have worked as designed.
Herein lies the problem: the attack targets trust in the authentication process itself.
For SMBs, this creates a practical security gap. Many businesses have enabled MFA and believe that account takeover risk has been meaningfully reduced. In many cases, they have not reviewed device code flow, Conditional Access, token revocation procedures, mailbox rule monitoring, OAuth consent activity, or Microsoft 365 audit logs. The business has a control in place, but not enough surrounding visibility to detect when that control has been bypassed.
Kali365 also reduces the skill required to run these attacks. Phishing services continue to package infrastructure, templates, victim tracking, automation, and reporting into tools that less sophisticated attackers can operate. That is especially relevant for SMBs because they are frequent targets for financially motivated actors. The goal is usually not sophistication. The goal is access, speed, and a path to payment fraud or data theft.
Security teams should treat Kali365 as another signal that Microsoft 365 is part of the core security perimeter. It is not just an email platform. It is an identity, data, and business operations platform. It needs layered controls.
The practical takeaway for business leaders is straightforward. MFA remains necessary, but it should not be treated as the entire identity security strategy. Businesses need to know which authentication flows are allowed, which users carry the most risk, which logs are available, and how quickly access can be revoked during a suspected compromise.
Kali365 is important because it reflects where account takeover risk is going. Attackers are targeting tokens, sessions, OAuth flows, and cloud identity controls because that is where modern business access lives. It is another sign that identity security is becoming one of the most important indicators of cyber loss potential for SMBs.
OAuth Access Tokens: OAuth access tokens are digital permissions that allow an application or session to access Microsoft 365 services without repeatedly asking for the user’s password. If an attacker obtains a valid token, they may be able to access email, files, Teams, SharePoint, or other Microsoft 365 resources until that access is revoked or expires.
Microsoft Workflow: A Microsoft workflow is a legitimate Microsoft process used to authenticate a user, approve access, connect a device, or authorize an application. Attackers abuse these workflows because the user may see a real Microsoft page and assume the request is safe. The page can be legitimate while the reason for using it is malicious.
Device Code Flow: Device code flow is a Microsoft authentication method commonly used when a device does not have an easy way to enter a username and password, such as a smart TV, printer, or command-line tool. The user is given a code and asked to enter it on a Microsoft verification page. In a phishing attack, the attacker tricks the user into entering a code that authorizes the attacker's session.
Conditional Access: Conditional Access is a Microsoft Entra control that allows organizations to set rules for when and how users can access Microsoft 365. These rules can consider factors such as user risk, device compliance, location, application, and account type. Properly configured Conditional Access can help block risky authentication flows, restrict unmanaged device access, and apply stronger controls to high-risk users.
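As an added illustration (not part of the original post or Irongate's tooling), the Python below flags successful device code sign-ins by users who have no documented need for that flow, the kind of visibility the post says most MFA deployments lack. It runs over constructed Microsoft Entra sign-in records whose field names follow the Microsoft Graph signIn schema; the allowlist and all sample values are assumptions.

```python
# Added example: detect device code flow sign-ins in Entra sign-in records.
# Constructed sample records shaped like Microsoft Graph signIn objects.
# authenticationProtocol is "deviceCode" for device code flow sign-ins;
# a nonzero status.errorCode means the sign-in failed. Values are made up.
SAMPLE_SIGNINS = [
    {"id": "s1", "userPrincipalName": "alice@example.com",
     "createdDateTime": "2024-05-01T09:02:11Z",
     "authenticationProtocol": "authorizationCode",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"id": "s2", "userPrincipalName": "alice@example.com",
     "createdDateTime": "2024-05-01T09:15:40Z",
     "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.77", "status": {"errorCode": 0}},
    {"id": "s3", "userPrincipalName": "printer-svc@example.com",
     "createdDateTime": "2024-05-01T10:00:00Z",
     "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"id": "s4", "userPrincipalName": "bob@example.com",
     "createdDateTime": "2024-05-01T11:30:05Z",
     "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.77", "status": {"errorCode": 50126}},
]

# Hypothetical allowlist: accounts with a documented need for device code flow.
DEVICE_CODE_ALLOWED = {"printer-svc@example.com"}


def known_ips(signins, user):
    """IPs the user has signed in from using any non-device-code protocol."""
    return {s["ipAddress"] for s in signins
            if s["userPrincipalName"] == user
            and s["authenticationProtocol"] != "deviceCode"}


def find_suspicious_device_code_signins(signins, allowlist=DEVICE_CODE_ALLOWED):
    """Alert on successful device code sign-ins by users not expected to use
    that flow; each alert records whether the source IP is new for the user."""
    alerts = []
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode":
            continue
        if s["status"]["errorCode"] != 0:   # failed attempt: no token issued
            continue
        user = s["userPrincipalName"]
        if user in allowlist:
            continue
        alerts.append({
            "signin_id": s["id"], "user": user, "ip": s["ipAddress"],
            "new_ip_for_user": s["ipAddress"] not in known_ips(signins, user),
            "action": "revoke sessions; review mailbox rules and OAuth consents",
        })
    return alerts
```

Each alert is a trigger for the response steps the post lists: revoke the user's tokens and sessions, then review new mailbox rules and OAuth consents for that account.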
Steve Ramey has spent the past two decades helping clients protect, investigate, and respond to events involving their digital interests.