FBI-flagged Kali365 phishing-as-a-service expands reach - Microsoft 365 OAuth device-code consent abuse grows beyond April campaigns

Dark Reading reports that Kali365 - the phishing-as-a-service platform the FBI flagged for fueling Microsoft 365 attacks in April - is expanding its reach. Rather than stealing passwords, Kali365 captures OAuth access and refresh tokens by tricking victims into completing attacker-initiated Microsoft device-login requests, granting immediate mailbox access. The service generates branded lures impersonating Adobe, DocuSign, and SharePoint in many languages and sells in tiers from $250 for 30 days to $2,000 annually. Its continued growth signals that OAuth device-code consent phishing remains a high-yield technique, and that defenders should prioritize blocking device-code flows for non-mobile platforms and enforcing phishing-resistant MFA across Microsoft 365 tenants.

Check
Search Microsoft 365 logs for unfamiliar device-login completions and OAuth consent grants. Hunt for inbox rules hiding security alerts. Block Adobe/DocuSign/SharePoint-themed device-code lures.
Affected
Microsoft 365 tenants where users can complete attacker-initiated device-login flows. Kali365's branded multi-language lures and tiered pricing keep OAuth device-code phishing scalable and growing.
Fix
Block device-code flow in Conditional Access for non-mobile platforms. Enforce phishing-resistant FIDO2 MFA. Train users to verify device-login codes. Audit OAuth-granted apps regularly.
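As an added example that is not part of the article or of any Microsoft tooling, the hunt from the Check section written as a script over constructed Entra ID sign-in records: it flags successful device-code sign-ins from the non-mobile platforms the Fix section says to block. The field names `authenticationProtocol`, `deviceDetail.operatingSystem` and `status.errorCode` are assumptions about the sign-in log schema exported as JSON lines.

```python
"""Flag successful device-code sign-ins from non-mobile platforms in sign-in logs.

Constructed example: the records below are made up, and the field names
(authenticationProtocol, deviceDetail.operatingSystem, status.errorCode) are
assumed to match Entra ID sign-in logs exported as JSON lines.
"""
import json

# Device-code flow exists for input-constrained devices; treat everything
# outside these platforms as "non-mobile" for triage purposes.
MOBILE_PLATFORMS = {"android", "ios"}

# Constructed sample: a successful device-code sign-in from Windows (suspect),
# a mobile device-code sign-in (expected), a failed attempt, a normal sign-in.
SAMPLE_SIGNINS = """
{"userPrincipalName": "alice@example.test", "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.10", "deviceDetail": {"operatingSystem": "Windows 10"}, "status": {"errorCode": 0}}
{"userPrincipalName": "bob@example.test", "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Teams", "ipAddress": "198.51.100.7", "deviceDetail": {"operatingSystem": "iOS"}, "status": {"errorCode": 0}}
{"userPrincipalName": "carol@example.test", "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.10", "deviceDetail": {"operatingSystem": "Linux"}, "status": {"errorCode": 50126}}
{"userPrincipalName": "dave@example.test", "authenticationProtocol": "none", "appDisplayName": "Outlook", "ipAddress": "192.0.2.5", "deviceDetail": {"operatingSystem": "Windows 11"}, "status": {"errorCode": 0}}
"""


def parse_signins(raw):
    """Parse JSON-lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def is_mobile(record):
    """True when the reported operating system is a mobile platform."""
    os_name = (record.get("deviceDetail") or {}).get("operatingSystem", "")
    return bool(os_name) and os_name.split()[0].lower() in MOBILE_PLATFORMS


def is_suspicious(record):
    """Successful device-code sign-in from a platform that should not use it."""
    return (record.get("authenticationProtocol") == "deviceCode"
            and not is_mobile(record)
            and (record.get("status") or {}).get("errorCode") == 0)


def hunt(raw):
    """Return (user, app, ip, os) for sign-ins whose tokens warrant review."""
    return [(rec["userPrincipalName"], rec["appDisplayName"],
             rec["ipAddress"], rec["deviceDetail"]["operatingSystem"])
            for rec in parse_signins(raw) if is_suspicious(rec)]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_SIGNINS):
        print("review device-code sign-in: user=%s app=%s ip=%s os=%s" % hit)
```

Each hit is a candidate for refresh-token revocation and an inbox-rule check on that mailbox; the same IP appearing against several users, as in the sample, is a further signal worth pivoting on.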