Device Code Phishing: FBI Issues Alert on Kali365 PhaaS Platform

The enterprise threat landscape has shifted: rather than stealing passwords outright, attackers increasingly subvert the identity layer itself. On May 21, 2026, the Federal Bureau of Investigation (FBI) and the Internet Crime Complaint Center (IC3) issued a joint Public Service Announcement (Alert Number: I-052126-PSA) warning organizations about a sophisticated Phishing-as-a-Service (PhaaS) platform named Kali365. This newly identified, Telegram-distributed toolkit bypasses multi-factor authentication (MFA/2FA) through a tactic known as device code phishing. Rather than running adversary-in-the-middle (AiTM) proxies or harvesting passwords, the operators of Kali365 abuse a built-in, legitimate Microsoft identity protocol, leaving traditional email gateways and endpoint security controls blind to the attack.

First spotted in April 2026, Kali365 represents a commercialized evolution of identity theft. For a subscription fee managed via encrypted chat platforms, even low-skilled cybercriminals can access a turnkey suite of tools designed to compromise highly secure corporate Microsoft 365 tenants. The danger of this toolkit lies in its abuse of a core, trust-based authentication protocol designed for convenience: the OAuth 2.0 Device Authorization Grant flow.

The Mechanics of OAuth 2.0 Device Flow

To understand why Kali365 is so uniquely destructive, it is necessary to examine the underlying technology it abuses. The OAuth 2.0 Device Authorization Grant (defined in RFC 8628) was originally engineered for input-constrained devices that lack a rich user interface or a native web browser—such as smart TVs, video conferencing hardware, media players, and command-line interface (CLI) tools.

When an input-constrained device needs access to a cloud service like Microsoft 365, the standard authentication flow proceeds as follows:

  • Requesting a Code: The device contacts the identity provider (e.g., Microsoft’s authentication endpoint) and requests a unique user code and verification URI.
  • Displaying the Instructions: The device displays the user code (typically an 8-character alphanumeric string) and instructs the user to open a browser on another device, such as a workstation or smartphone, and navigate to the verification URI (such as microsoft.com/devicelogin).
  • User Authentication: The user visits the official URL, enters the displayed code, and signs in using their standard credentials, completing any required MFA/2FA challenges.
  • Token Issuance: Back on the input-constrained device, a polling mechanism detects that the user has successfully authorized the code. The identity provider then issues an OAuth access token and a refresh token directly to the polling device.

Kali365 subverts this highly trusted chain. Instead of an input-constrained office device requesting the code, the threat actor’s automated infrastructure requests it. The attacker then uses social engineering to trick the victim into entering this attacker-controlled code into their legitimate corporate portal, unknowingly hand-delivering complete, authenticated sessions directly to the adversary.
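The flow above, modelled as a small in-memory authorization server. This is an added example, not code from the FBI alert, from Kali365 or from Microsoft; the client ids, user principal names and verification URI are placeholders. It shows the property the rest of this post turns on: the browser side sees only the user_code, so the server cannot tell a meeting-room display from any other requester, and tokens go to whichever client holds the matching device_code.

```python
import secrets
import string
import time
from dataclasses import dataclass
from typing import Optional

USER_CODE_ALPHABET = string.ascii_uppercase + string.digits  # charset in the style of RFC 8628 §6.1

@dataclass
class DeviceGrant:
    device_code: str                      # secret held only by the polling client
    user_code: str                        # short code the human types into the browser
    client_id: str                        # whoever requested the grant
    expires_at: float
    authorized_by: Optional[str] = None   # user principal who approved it

class AuthorizationServer:
    """In-memory stand-in for an identity provider's device-code and token endpoints."""
    def __init__(self, expires_in: int = 900):
        self.grants, self.expires_in = {}, expires_in

    def device_authorization(self, client_id: str) -> dict:
        """Step 1: the requesting client obtains a device_code/user_code pair."""
        grant = DeviceGrant(secrets.token_urlsafe(32),
                            "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8)),
                            client_id, time.time() + self.expires_in)
        self.grants[grant.device_code] = grant
        return {"device_code": grant.device_code, "user_code": grant.user_code,
                "verification_uri": "https://idp.example.invalid/devicelogin",  # placeholder
                "expires_in": self.expires_in}

    def user_approves(self, user_code: str, user: str) -> bool:
        """Step 3: the signed-in user (MFA complete) types the code; the server learns only the code."""
        for g in self.grants.values():
            if g.user_code == user_code and g.authorized_by is None and time.time() <= g.expires_at:
                g.authorized_by = user
                return True
        return False

    def token(self, device_code: str) -> dict:
        """Step 4: the polling client redeems device_code; tokens are issued to that client."""
        g = self.grants.get(device_code)
        if g is None or time.time() > g.expires_at:   # unknown and expired codes are both terminal
            return {"error": "expired_token"}
        if g.authorized_by is None:
            return {"error": "authorization_pending"}
        return {"token_type": "Bearer", "access_token": f"at-{g.authorized_by}",
                "refresh_token": secrets.token_urlsafe(16), "issued_to_client": g.client_id}
```

Nothing in user_approves receives the device_code or the client identity, which is exactly why blocking or constraining the flow at the tenant level (covered below) matters more than inspecting the page the user visits.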

How Device Code Phishing Exploits the Human-in-the-Middle

The operational lifecycle of a Kali365 campaign is highly automated, leveraging modern artificial intelligence to orchestrate campaigns with localized precision. The attack unfolds across four distinct phases:

1. The AI-Generated Lure

Kali365 provides subscribers with built-in, generative AI tools configured to write flawless, contextually relevant phishing emails. Because these templates impersonate internal administrative notifications—such as mandatory security updates, shared OneDrive documents, or Microsoft Teams invitations—they lack the grammatical errors and suspicious context that typically alert savvy employees. The email instructs the victim that a secure, encrypted document or service must be verified by entering an authorization code at a legitimate Microsoft login page.

2. The Legitimacy Illusion

Unlike traditional credential-harvesting phishing campaigns, there are no spoofed domain names, look-alike landing pages, or malicious proxy servers involved. The victim is directed to the genuine, official Microsoft device authorization portal (e.g., https://microsoft.com/devicelogin). Because the domain is legitimate, security solutions that rely on domain reputation scores, Secure Email Gateways (SEGs), and built-in browser safeguards such as Microsoft SmartScreen do not trigger warning banners. The user sees a fully trusted Microsoft URL with the browser's padlock indicator.

3. Unwitting Authorization

The victim, believing they are accessing a business-critical file or system update, inputs the 8-character code provided in the phishing email. They are then prompted by Microsoft’s legitimate authentication system to log in. The victim provides their corporate username and password and successfully completes their standard multi-factor authentication challenge (such as a hardware key, authenticator app push notification, or FIDO2 key). Because the user is interacting with Microsoft’s real authentication servers, the MFA challenge is valid, and the login succeeds perfectly.

4. Token Hijacking & Persistent Access

Once the victim completes the MFA prompt, Microsoft’s authorization servers recognize that the login session tied to that specific device code is now fully authenticated. The server immediately issues OAuth access and refresh tokens. Kali365’s backend, which has been polling Microsoft’s API for authorization status, intercepts these tokens. The attacker now possesses a persistent session. Armed with these stolen tokens, the adversary can access the compromised Microsoft 365 environment—including Outlook, Teams, OneDrive, and SharePoint—directly from their own infrastructure. They bypass any future MFA prompts and maintain access even if the user changes their password.

Why Traditional Defenses Offer Zero Protection

The primary reason the FBI and IC3 issued their urgent warning is that device code phishing entirely neutralizes standard enterprise defensive postures. Traditional cyber defenses are engineered to detect anomalies in URLs, analyze domain registrations, or catch malicious payloads. However, Kali365 sidesteps these checkpoints entirely:

  • No Malicious Infrastructure: The victim never visits a malicious web domain. All authentication traffic occurs directly on genuine Microsoft servers.
  • Authentic MFA Completion: The user is not tricked into typing their MFA code into a proxy. They complete the authentic push notification or SMS verification on their own phone, validating the session within the legitimate directory.
  • Bypassing Password Resets: Because the attacker relies on OAuth tokens rather than credentials, standard incident response protocols like forcing a simple password reset will not terminate the attacker’s active session. The refresh tokens remain valid until manually revoked.

This dynamic leaves organizations highly vulnerable, especially as the barrier to entry drops. Cybercriminals operating through Telegram do not need deep technical expertise; they rely on Kali365 to manage the session polling, token collection, and victim tracking from a unified dashboard.

Mitigation & Prevention Tactics for Enterprise Defenders

Securing an organization against Kali365 and related PhaaS toolkits requires moving beyond legacy perimeter defenses. Security teams must implement aggressive architectural and identity-level controls to restrict and monitor the OAuth Device Flow.

1. Enforcing Strict Conditional Access Policies (CAPs)

The most effective line of defense is to systematically disable or heavily restrict the device code flow across the entire tenant. IT administrators should utilize Microsoft Entra ID (formerly Azure AD) Conditional Access Policies to block the device code flow for all users by default. If certain business processes—such as dedicated meeting room systems or smart TV displays—strictly require this flow, organizations should isolate those devices to specialized, heavily audited service accounts with zero access to standard mailbox data, SharePoint directories, or administrative privileges.

2. Restricting Authentication Session Transfers

Organizations should not allow users to transfer an active login session from a secured, managed corporate workstation to an unmanaged personal or mobile device. By enforcing device compliance policies, administrators can ensure that tokens are issued only to devices that are explicitly registered, compliant, and managed through a Mobile Device Management (MDM) platform such as Microsoft Intune.

3. Implementing Identity Threat Detection and Response (ITDR)

Because stolen tokens allow threat actors to operate as “trusted” insiders, security operations centers (SOCs) must establish continuous detection baselines. ITDR solutions should be configured to flag the following telemetry anomalies:

  1. Anomalous Device Sign-ins: Detect logins initiating from unfamiliar IP ranges, autonomous system numbers (ASNs), or geographical areas that conflict with the user’s physical location (impossible travel).
  2. Protocol-Specific Auditing: Run regular audits on sign-in logs specifically looking for the “Device Code” authentication protocol (App ID: 0000000c-0000-0000-c000-000000000000).
  3. Unusual User-Agent Strings: Monitor for unexpected API calls, PowerShell scripts, or non-browser user agents accessing corporate mailboxes and document repositories.
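The three telemetry checks above, run over two constructed sign-in records. This is an added example, not tooling from the FBI alert or from Microsoft; the field names are modelled on the Microsoft Graph signIn resource, while the values, the baseline ASN and the two-hour travel window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records shaped like Microsoft Graph `signIn` objects (invented values).
SIGNINS = [
    {"userPrincipalName": "alice@example.invalid", "createdDateTime": "2026-05-21T08:02:00Z",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10", "autonomousSystemNumber": 64500,
     "location": {"countryOrRegion": "US"}, "resourceDisplayName": "Office 365 Exchange Online",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/124.0"},
    {"userPrincipalName": "alice@example.invalid", "createdDateTime": "2026-05-21T08:41:00Z",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7", "autonomousSystemNumber": 64999,
     "location": {"countryOrRegion": "NL"}, "resourceDisplayName": "Office 365 Exchange Online",
     "userAgent": "python-requests/2.31"},
]

BROWSER_MARKERS = ("Mozilla/", "Chrome/", "Safari/", "Edge/", "Firefox/")
MAILBOX_RESOURCES = ("Exchange", "SharePoint", "OneDrive")
TRAVEL_WINDOW = timedelta(hours=2)   # two countries inside this window = impossible travel (assumed)

def parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def flag_signin(rec: dict, baseline_asns: set, prior=None) -> list:
    """Return the anomaly labels a single sign-in trips (empty list = clean)."""
    reasons = []
    if rec["authenticationProtocol"] == "deviceCode":
        reasons.append("device_code_flow")           # protocol-specific audit
    if rec["autonomousSystemNumber"] not in baseline_asns:
        reasons.append("unfamiliar_asn")             # anomalous network origin
    if (not rec["userAgent"].startswith(BROWSER_MARKERS)
            and any(r in rec["resourceDisplayName"] for r in MAILBOX_RESOURCES)):
        reasons.append("non_browser_data_access")    # scripts/API clients reaching mail or files
    if (prior and prior["location"]["countryOrRegion"] != rec["location"]["countryOrRegion"]
            and parse_ts(rec["createdDateTime"]) - parse_ts(prior["createdDateTime"]) < TRAVEL_WINDOW):
        reasons.append("impossible_travel")
    return reasons

def triage(signins: list, baseline_asns: set) -> dict:
    """Walk sign-ins in time order; map each UPN to the (timestamp, reasons) pairs it tripped."""
    alerts, last_seen = {}, {}
    for rec in sorted(signins, key=lambda r: r["createdDateTime"]):
        upn = rec["userPrincipalName"]
        reasons = flag_signin(rec, baseline_asns, last_seen.get(upn))
        if reasons:
            alerts.setdefault(upn, []).append((rec["createdDateTime"], reasons))
        last_seen[upn] = rec
    return alerts

if __name__ == "__main__":
    for upn, hits in triage(SIGNINS, baseline_asns={64500}).items():
        print(upn, hits)
```

A single deviceCode sign-in is not proof of compromise in a tenant that still permits the flow for meeting-room hardware; the value is in the combination of labels on one record, which is what a playbook should key on.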

4. Rapid Token Revocation Procedures

When an anomalous session is detected, speed is critical. Response playbooks must be updated to ensure that incident responders do not just reset the compromised user’s password. Security teams must instantly revoke all active OAuth refresh and access tokens for the targeted account. In Entra ID, this can be executed via the Microsoft Entra admin center or programmatically using Microsoft Graph PowerShell:

# Microsoft Graph PowerShell (after Connect-MgGraph): invalidates every refresh token issued to the account
Revoke-MgUserSignInSession -UserId "user@yourdomain.com"

5. Focused User Awareness and Training

Traditional anti-phishing training teaches employees to inspect URLs, check sender domains, and look for typos. This training fails against device code phishing. Organizations must update their training modules to emphasize one simple rule: Never enter an alphanumeric code on a login page unless you initiated the authentication request from a physical device you are actively configuring. Users must treat out-of-band device code prompts with the same level of suspicion as an unexpected MFA push notification.

Conclusion

The emergence of Kali365 marks a mature phase in identity-centric cybercrime. By packaging highly effective social engineering with automated OAuth token hijacking, PhaaS platforms have successfully turned legitimate authentication protocols into entry points for corporate compromise. Standard boundaries of security—firewalls, secure gateways, and standard MFA—are no longer enough. To withstand the rise of device code phishing, organizations must aggressively enforce strict Conditional Access limits, adopt continuous identity threat monitoring, and educate their workforce on the hidden dangers of the device authorization flow.

Written by

TempMail Ninja

Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.