Technical description
The FBI's Internet Crime Complaint Center (IC3) published PSA260521 on May 21, 2026, warning about Kali365, an emerging Phishing-as-a-Service platform first detected in April 2026. Kali365 uses AI-generated phishing lures, automated campaign templates, and real-time victim-tracking dashboards to enable low-skilled attackers to steal Microsoft 365 OAuth access and refresh tokens by abusing the legitimate OAuth 2.0 Device Authorization (device code) flow. Victims are tricked into entering an attacker-generated device code on Microsoft's legitimate verification page, unknowingly authorising the attacker's device to receive persistent tokens that bypass MFA entirely. Tokens provide access to Outlook, Teams, OneDrive, and any SSO-connected SaaS platforms.
Attack vector
Attacker generates a device code via Microsoft's OAuth Device Authorization Grant flow, sends a phishing email impersonating a cloud productivity service with the code and instructions to visit microsoft.com/devicelogin. Victim completes authentication (and satisfies MFA) at the real Microsoft page; attacker captures the resulting OAuth access + refresh tokens and uses them from their own infrastructure. No password interception or MFA bypass technique required — the legitimate flow is the attack.
Affected systems
Any organisation using Microsoft 365 / Microsoft Entra with device code authentication enabled; particularly high risk for organisations relying on MFA as their sole protection against credential theft. Secondary attack mode ('Cookie Link') uses AitM proxy to capture session cookies.
Mitigation
1) Restrict or block device code authentication flows via Conditional Access policies in Microsoft Entra;
2) Audit existing device code usage and device registration logs;
3) Block authentication transfer flows as well;
4) Deploy phishing-resistant MFA (FIDO2/passkeys) as the primary factor;
5) Alert on anomalous OAuth token issuance and new device registrations;
6) Train users to recognise device-code phishing lures (observed subject lines: 'SharePoint – Document Shared', 'OneDrive – File Shared', 'DocuSign – Signature Required').
Report incidents to ic3.gov.
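As an added worked example (not part of the PSA and not Microsoft or vendor code), the script below implements mitigation items 1, 2 and 5 as two defender-side checks: an audit of Conditional Access policy objects to confirm that an enforced policy actually blocks the device code flow for all users (a report-only policy is a common gap), and a scan of sign-in records that flags device-code authentications, rating those from an IP address the user has never used with any other protocol as high priority. Policy and sign-in records are in the shape Microsoft Graph returns (`conditionalAccessPolicy` with `conditions.authenticationFlows.transferMethods`, and `signIn` with `authenticationProtocol`), but every record here is constructed sample data; the exact set of fields present on real records may differ.

```python
"""Added example: two defender-side checks against device-code phishing of
Microsoft 365. All policies and sign-in records below are constructed
sample data in the shape of Microsoft Graph objects, not real tenant data."""
from collections import defaultdict

# --- 1. Conditional Access audit (mitigation items 1 and 3) -----------------
# Constructed policies. Only the second one targets the device code flow, and it
# is in report-only mode, so it does not actually block anything.
SAMPLE_POLICIES = [
    {
        "displayName": "Block legacy auth",
        "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"]},
                       "authenticationFlows": None,
                       "clientAppTypes": ["exchangeActiveSync", "other"]},
        "grantControls": {"builtInControls": ["block"]},
    },
    {
        "displayName": "Block device code flow (report-only)",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {"users": {"includeUsers": ["All"]},
                       "authenticationFlows": {
                           "transferMethods": "deviceCodeFlow,authenticationTransfer"}},
        "grantControls": {"builtInControls": ["block"]},
    },
]


def audit_device_code_block(policies):
    """Return names of policies that enforce a block on deviceCodeFlow for all
    users ('enforced') and names that target it without enforcing ('not_enforced')."""
    result = {"enforced": [], "not_enforced": []}
    for p in policies:
        conditions = p.get("conditions") or {}
        flows = conditions.get("authenticationFlows") or {}
        methods = {m.strip() for m in (flows.get("transferMethods") or "").split(",") if m.strip()}
        if "deviceCodeFlow" not in methods:
            continue  # policy does not address the device code flow at all
        blocks = "block" in (p.get("grantControls") or {}).get("builtInControls", [])
        all_users = "All" in (conditions.get("users") or {}).get("includeUsers", [])
        if p.get("state") == "enabled" and blocks and all_users:
            result["enforced"].append(p["displayName"])
        else:
            result["not_enforced"].append(p["displayName"])
    return result


# --- 2. Sign-in log detection (mitigation items 2 and 5) --------------------
# Constructed sign-in records. IPs are documentation ranges (RFC 5737).
SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-05-20T08:02:11Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "198.51.100.10", "authenticationProtocol": "oAuth2",
     "appDisplayName": "Outlook", "status": {"errorCode": 0}},
    # device code sign-in from an IP alice has never used otherwise: the phishing pattern
    {"createdDateTime": "2026-05-20T08:40:05Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.77", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
    # device code sign-in from bob's usual IP, e.g. a CLI tool on his own workstation
    {"createdDateTime": "2026-05-20T09:15:42Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "198.51.100.22", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Azure CLI", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-05-20T09:16:00Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "198.51.100.22", "authenticationProtocol": "oAuth2",
     "appDisplayName": "Teams", "status": {"errorCode": 0}},
    # failed device code attempt (non-zero errorCode): no token was issued
    {"createdDateTime": "2026-05-20T10:01:00Z", "userPrincipalName": "carol@example.com",
     "ipAddress": "203.0.113.91", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 50126}},
]


def flag_device_code_signins(signins):
    """Return one alert per successful device-code sign-in. Severity is 'high'
    when the source IP never appears in the user's non-device-code sign-ins."""
    known_ips = defaultdict(set)
    for s in signins:
        ok = (s.get("status") or {}).get("errorCode") == 0
        if ok and s.get("authenticationProtocol") != "deviceCode":
            known_ips[s["userPrincipalName"]].add(s["ipAddress"])
    alerts = []
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            continue
        if (s.get("status") or {}).get("errorCode") != 0:
            continue  # failed attempt: no token issued, not alerted here
        user = s["userPrincipalName"]
        new_ip = s["ipAddress"] not in known_ips[user]
        alerts.append({"user": user, "ip": s["ipAddress"], "app": s["appDisplayName"],
                       "time": s["createdDateTime"],
                       "severity": "high" if new_ip else "medium"})
    return alerts


if __name__ == "__main__":
    print(audit_device_code_block(SAMPLE_POLICIES))
    for a in flag_device_code_signins(SAMPLE_SIGNINS):
        print(a)
```

To run this against a real tenant, feed `audit_device_code_block` the `value` array from `GET /identity/conditionalAccess/policies` and `flag_device_code_signins` the records from `GET /auditLogs/signIns` (Microsoft Graph); the "known IP" baseline should then be built from a longer history than the batch being checked, otherwise every first sign-in in the window looks new. The audit deliberately treats a report-only policy as not enforced, since that is exactly the state in which the device code flow is still usable by a phished token.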