Kali365: Phishing Techniques to Bypass MFA and Compromise Microsoft 365 Accounts

The victim never sees a fake login page. No lookalike domain, no suspicious redirect, no certificate warning. They click a link in an email, land on microsoft.com, complete MFA exactly as they would for any normal sign-in, and hand the attacker persistent access to their Outlook, Teams, and OneDrive. That is the device code phishing attack that Kali365 has packaged into a $250/month subscription service on Telegram.
Caption: Large-scale phishing network infrastructure characteristic of modern PhaaS platforms
Executive Summary
In late May 2026, FPT noted the FBI public service announcement PSA I-052126-PSA regarding Kali365, a Phishing-as-a-Service (PhaaS) platform first identified in April 2026. The platform is distributed primarily via Telegram and is reportedly priced at approximately USD 250 per month or USD 2,000 per year. With Kali365, even low-skilled threat actors can run large-scale campaigns against Microsoft 365 accounts.
What sets Kali365 apart from conventional phishing kits is what it does not steal: passwords and MFA codes. Instead, the platform abuses Microsoft's legitimate OAuth 2.0 device authorization flow to capture access and refresh tokens directly. Those tokens provide persistent access to Outlook, Teams, OneDrive, and SharePoint without any additional authentication, for weeks or months after the initial compromise.
Any organization or individual using Microsoft 365 is in scope. Arctic Wolf documented campaigns impacting multiple industries and regions within weeks of Kali365's emergence. The platform has since expanded beyond Microsoft 365 to target Okta SSO, Xerox DocuShare, and Russian platforms including MAX Messenger, with 126 malicious hosts confirmed in June 2026.
Priority action: Create a Conditional Access Policy in Microsoft Entra ID to block device code flow for all users except where there is a documented legitimate business need. This single control removes the primary attack vector.
Background: From State-Sponsored APT to $250/Month Subscription
Device code phishing is not new in 2026. What is new is who is running it and at what price point.
In February 2025, Microsoft publicly disclosed an active campaign by Storm-2372, assessed with moderate confidence as aligned with Russian state interests. The group had been operating since at least August 2024, targeting governments, NGOs, defense contractors, telecom providers, energy organizations, and healthcare entities across Europe, North America, Africa, and the Middle East. Volexity concurrently identified two additional Russia-affiliated clusters, UTA0304 and UTA0307, using the same technique, suggesting knowledge-sharing rather than independent parallel development within the Russian intelligence community.
The technique did not stay contained. Proofpoint documented a sharp volume increase in device code phishing activity beginning September 2025. A financially motivated actor tracked as TA2723 had adopted the method by October 2025. Then in February 2026, EvilTokens launched publicly on Telegram as a full PhaaS offering, marking the technique's first complete commoditization. Kali365 followed in April 2026 with broader language support, a three-tier affiliate panel, and AI-assisted lure generation, competing directly with EvilTokens in what has become an active market.
The 18-month trajectory from nation-state APT to commodity subscription service is the structural story. Some earlier MFA bypass techniques took two to three years to reach this level; device code phishing compressed that timeline significantly. The acceleration matters because it shortens the window between "technique documented by researchers" and "low-skill operators deploying it at scale."
Campaign Overview
| Attribute | Details |
|---|---|
| Platform Name | Kali365 (also K365) |
| Type | Phishing-as-a-Service (PhaaS) |
| First Observed | April 2026 |
| Distribution Channel | Telegram |
| Pricing | ~$250/month or $2,000/year |
| Core Technique | OAuth 2.0 Device Authorization Grant (RFC 8628) abuse |
| Primary Targets | Microsoft 365 accounts (Outlook, Teams, OneDrive, SharePoint) |
| Expanded Targets | Okta SSO, Xerox DocuShare, LiveDrive, Mail.ru, MAX Messenger, Yandex Disk |
| Language Support | 14 languages (English, French, German, Arabic, Chinese, Russian, Japanese, Korean, etc.) |
| Confirmed Infrastructure | 216.203.20[.]95 and 126 malicious hosts (Arctic Wolf, June 2026) |
| Panel Architecture | Three-tier: admin / agent (reseller) / client |
| Official Warning | FBI PSA I-052126-PSA, May 21, 2026 |
Campaign Timeline
| Date | Event |
|---|---|
| August 2024 | Storm-2372 begins device code phishing against government, NGO, and defense targets |
| February 2025 | Microsoft discloses Storm-2372; Volexity identifies UTA0304 and UTA0307 using same technique |
| September 2025 | Proofpoint documents sharp volumetric increase; technique spreads to financially motivated actors |
| October 2025 | TA2723 (financially motivated) adopts device code phishing at scale |
| February 16, 2026 | EvilTokens PhaaS launches on Telegram; first full commoditization of the technique |
| March 2026 | Huntress documents "Riding the Rails" campaign (340+ organizations in five countries) |
| April 2026 | Kali365 emerges; Arctic Wolf begins tracking large-scale campaigns using the platform |
| April 24, 2026 | Arctic Wolf publishes "Token Bingo" technical analysis of Kali365 |
| May 21, 2026 | FBI issues PSA I-052126-PSA warning about Kali365 |
| May 27, 2026 | Malwarebytes publishes extended technical analysis |
| June 2026 | Arctic Wolf confirms Kali365 expansion to Okta, MAX Messenger; 126 malicious hosts identified |
How the Attack Works
Stage 1: Lure Construction
The attacker calls Microsoft's device authorization endpoint, receiving a user_code (a short alphanumeric string), a device_code, a verification URI (https://microsoft.com/devicelogin), and a fifteen-minute validity window. That user_code gets embedded into a phishing email impersonating Adobe Acrobat Sign, DocuSign, or a SharePoint document share. The email instructs the recipient to visit the Microsoft verification page and enter the code to access a document.
Kali365 generates these lures using AI assistance in 14 languages, calibrated to bypass spam filters and corporate email gateways. The emails contain no suspicious URLs, no lookalike domains, no credential harvesting forms. Every link points to microsoft.com. URL inspection, certificate verification, and domain reputation checks produce no signal.
Stage 2: Victim Authentication
The recipient visits https://microsoft.com/devicelogin, enters the user_code, and completes a standard Microsoft sign-in flow including MFA. The page is real, the certificate is valid, and the organization's branding appears exactly as expected. The user sees nothing anomalous at any point.
The technical core of the attack: when the user completes authentication, they are authorizing the attacker's device, not their own. MFA is successfully completed by the victim, but the resulting token flows to the attacker's session. No fake page was ever involved.
Stage 3: Token Capture and Persistence
Kali365 captures OAuth access and refresh tokens. Access tokens provide roughly 90 minutes of direct Microsoft Graph API access to Exchange Online, OneDrive, SharePoint, and Teams. Refresh tokens persist up to 90 days and self-renew each time they are exchanged for a new access token, meaning a single successful compromise can sustain silent persistent access for months with no further interaction with the victim.
In advanced scenarios, attackers specifically target the Microsoft Authentication Broker client ID. The resulting refresh tokens enable registering an attacker-controlled device in Microsoft Entra ID, producing Primary Refresh Tokens (PRTs) that provide single sign-on across all Microsoft 365 services and survive password resets.
Stage 4: Post-Compromise Exploitation
With a valid refresh token, the attacker uses Microsoft Graph API to access mailbox contents, download OneDrive files, and harvest contacts and calendar data. Password reset emails receive particular attention, as they enable lateral account takeovers into connected services.
The compromised Outlook account becomes a propagation platform. Emails sent from a legitimate address with genuine conversation history pass through email security controls that would block external attacker messages. Each compromised account materially expands campaign reach into the victim's network of colleagues, partners, and customers.
Technical Deep Dive
OAuth 2.0 Device Authorization Flow (RFC 8628)
The device authorization grant was designed for input-constrained devices: smart TVs, printers, conferencing systems, IoT devices that cannot complete a standard browser-based login. A secondary device with a browser completes authentication using a short code. Kali365 substitutes its own C2 infrastructure in the role of the "input-constrained device."
Nothing in the authentication protocol itself is being exploited in the classic sense. Microsoft's authorization server operates exactly to specification. The attack succeeds because the user has no contextual signal that the device code they are entering was generated for an attacker's session rather than their own device.
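The exchange described in Stages 1 to 3 and in the RFC 8628 summary above, as an added simulation that is not part of the original report and not Kali365's code. Everything runs offline: the authorization server stands in for login.microsoftonline.com, the client_id and scopes are made up, and the tokens are random strings. What it shows is the structural point of the section: the server binds the victim's genuine sign-in to whichever device_code the typed user_code belongs to, and hands the tokens to whoever holds that device_code.

```python
"""Minimal RFC 8628 device authorization grant, simulated offline.

Constructed example. The authorization server (standing in for
login.microsoftonline.com), the polling "device" (the attacker's client in
the Kali365 scenario) and the victim's browser are plain Python objects.
Nothing contacts Microsoft; endpoint names mirror RFC 8628, the client_id is
made up, and the tokens are random strings with no meaning.
"""
import secrets
import string
from dataclasses import dataclass
from typing import Optional

CODE_TTL_SECONDS = 900   # fifteen-minute validity window
POLL_INTERVAL = 5        # seconds between token polls, per the RFC's "interval"


@dataclass
class PendingAuthorization:
    device_code: str
    user_code: str
    client_id: str
    scope: str
    issued_at: float
    authorized_user: Optional[str] = None   # set once the victim signs in
    consumed: bool = False


class AuthorizationServer:
    def __init__(self):
        self.by_device_code = {}
        self.by_user_code = {}

    def device_authorization(self, client_id, scope, now):
        """POST /devicecode. Any holder of a public client_id can call this;
        the server has no way to know who will later type the user_code."""
        user_code = "".join(secrets.choice(string.ascii_uppercase + string.digits) for _ in range(9))
        p = PendingAuthorization(secrets.token_urlsafe(32), user_code, client_id, scope, now)
        self.by_device_code[p.device_code] = p
        self.by_user_code[user_code] = p
        return {"device_code": p.device_code, "user_code": user_code,
                "verification_uri": "https://microsoft.com/devicelogin",
                "expires_in": CODE_TTL_SECONDS, "interval": POLL_INTERVAL}

    def verification_page(self, user_code, user, mfa_completed, now):
        """The victim's step on the genuine page: real credentials, real MFA.
        The only thing that binds this sign-in to a session is the user_code."""
        p = self.by_user_code.get(user_code)
        if p is None or now - p.issued_at > CODE_TTL_SECONDS:
            return "invalid_or_expired_code"
        if not mfa_completed:
            return "mfa_required"
        p.authorized_user = user
        return "success"   # the victim sees an ordinary "you are signed in"

    def token(self, device_code, now):
        """POST /token with grant_type=urn:ietf:params:oauth:grant-type:device_code.
        Tokens go to the holder of device_code, not to the browser that did MFA."""
        p = self.by_device_code.get(device_code)
        if p is None or p.consumed:
            return {"error": "invalid_grant"}
        if now - p.issued_at > CODE_TTL_SECONDS:
            return {"error": "expired_token"}
        if p.authorized_user is None:
            return {"error": "authorization_pending"}
        p.consumed = True
        return {"token_type": "Bearer", "scope": p.scope, "subject": p.authorized_user,
                "access_token": "at." + secrets.token_urlsafe(16),
                "refresh_token": "rt." + secrets.token_urlsafe(16)}


def run_scenario(victim="alice@contoso.example", victim_enters_code=True, delay=60):
    """Plays Stages 1-3 end to end. `delay` is the simulated number of seconds
    between the attacker minting the code and the victim entering it."""
    server = AuthorizationServer()
    t0 = 1_700_000_000.0
    # Stage 1: the attacker's client mints a code and puts user_code in the lure.
    lure = server.device_authorization("attacker-public-client", "Mail.Read Files.Read", now=t0)
    first_poll = server.token(lure["device_code"], now=t0 + POLL_INTERVAL)
    # Stage 2: the victim signs in on the real verification page and completes MFA.
    page_result = None
    if victim_enters_code:
        page_result = server.verification_page(lure["user_code"], victim, True, now=t0 + delay)
    # Stage 3: the attacker's next poll collects the tokens.
    final = server.token(lure["device_code"], now=t0 + delay + POLL_INTERVAL)
    return {"first_poll": first_poll.get("error"), "victim_saw": page_result,
            "tokens_issued_to_attacker": "access_token" in final,
            "token_subject": final.get("subject"), "final_error": final.get("error")}


if __name__ == "__main__":
    print(run_scenario())                              # tokens land with the attacker
    print(run_scenario(delay=CODE_TTL_SECONDS + 1))    # the code has expired
```

Note where the checks sit: verification_page validates the code's age and the user's MFA, and token validates the code's age and whether anyone has authorized it. Neither step ever asks whether the browser that typed the code belongs to the party that requested it, which is why the only server-side control in this path is a policy that refuses the flow outright.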
C2 Infrastructure and Panel Architecture
Arctic Wolf's initial analysis pivoted from IP address 216.203.20[.]95 to identify additional infrastructure sharing an identical TLS certificate. All hosts run the same deployment shape: a reverse proxy on TCP/8443 terminating TLS, forwarding to rotating phishing domains. Three IP addresses accounted for approximately 84% of observed campaign events.
The Kali365 panel operates across three tiers: admin at the top, agents (likely resellers or affiliates) in the middle, clients at the bottom. This is consistent with established PhaaS business models and means the actual Kali365 operator may be several layers removed from individual campaign operators, complicating attribution and takedown efforts.
By early June 2026, Arctic Wolf had identified 126 malicious hosts running the same kit infrastructure, impersonating Microsoft Outlook, Okta SSO, Xerox DocuShare, LiveDrive, GMX, Mail.ru, Yandex Disk, and Odnoklassniki.
Expansion to Okta and MAX Messenger
The same operator's expansion to MAX Messenger (Russia's state-backed national messaging platform) provides operational insight. A fake "prize claim" page at greatness-marketing[.]top collected Russian phone numbers, real MAX OTPs, and 2FA codes in real time, forwarding everything to Telegram bot @NovosibyrskyMoneyBot. Each compromised MAX account then propagated the same lure to its entire contact list, turning each victim into a distribution node.
The targeting signals (Odnoklassniki, Yandex, MAX Messenger) suggest the operator has a specific interest in Eastern European targets alongside the global Microsoft 365 campaign. The Okta expansion is the development to watch most closely: a compromised Okta session is often a master key to dozens of enterprise applications, not one productivity suite.
MITRE ATT&CK Mapping
| Tactic | Technique ID | Technique Name | Campaign Implementation |
|---|---|---|---|
| Initial Access | T1566.002 | Phishing: Spearphishing Link | Emails impersonating Adobe Acrobat Sign, DocuSign, or SharePoint carry a device code and a link to the legitimate microsoft.com/devicelogin page; no attachment and no credential form is involved |
| Credential Access | T1528 | Steal Application Access Token | OAuth access and refresh tokens captured via device code flow |
| Defense Evasion | T1550.001 | Use Alternate Authentication Material: Application Access Token | Stolen tokens used instead of credentials for persistent access |
| Defense Evasion | T1036 | Masquerading | Impersonation of DocuSign, SharePoint, Adobe in lure emails |
| Persistence | T1078.004 | Valid Accounts: Cloud Accounts | Refresh tokens with 90-day validity self-renew on use |
| Collection | T1114.002 | Email Collection: Remote Email Collection | Mailbox access via Microsoft Graph API |
| Collection | T1213.002 | Data from Information Repositories: SharePoint | OneDrive and SharePoint file access |
| Discovery | T1087.003 | Account Discovery: Email Account | Contact list and calendar harvesting for lateral phishing |
| Lateral Movement | T1534 | Internal Spearphishing | Phishing from compromised accounts to colleagues and partners |
| Command and Control | T1102 | Web Service | Telegram bot C2 in MAX Messenger variant |
Detection
Primary Detection Surface: Entra ID Sign-in Logs
The highest-fidelity detection signal is authenticationProtocol=deviceCode in Microsoft Entra ID sign-in logs. Most enterprise environments have no legitimate use for device code flow. Organizations in that category should treat any occurrence as a high-priority alert.
Splunk SPL: Azure AD Device Code Authentication (Splunk ESCU, ID: d68d8732-6f7e-4ee5-a6eb-737f2b990b91)

```spl
`azure_monitor_aad` category=SignInLogs "properties.authenticationProtocol"=deviceCode
| rename properties.* as *
| rename userAgent as user_agent
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by dest user src vendor_account vendor_product user_agent category
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `azure_ad_device_code_authentication_filter`
```
Splunk SPL: Bulk Graph API Activity Post-Authentication

```spl
index=* sourcetype="azure:monitor:aad" category=NonInteractiveUserSignInLogs
| eval app_name=mvindex('properties.appDisplayName', 0)
| where app_name="Microsoft Graph"
| bin _time span=10m
| stats count by user, src, _time
| where count > 50
| eval risk_score=if(count>200, "HIGH", "MEDIUM")
| sort -count
```

The bin step is what makes the threshold meaningful: without it, stats grouped by the raw _time value produces one row per event and count never exceeds 1. Tune the span and the 50/200 thresholds to your tenant's baseline.
KQL: Microsoft Sentinel

```kql
SigninLogs
| where AuthenticationProtocol == "deviceCode"
| project TimeGenerated, UserPrincipalName, IPAddress, Location, UserAgent, AppDisplayName
| order by TimeGenerated desc
```
Behavioral Signals for Threat Hunting
Beyond the direct device code flow signal, several behavioral indicators are worth hunting. The User-Agent string python-requests/2.25.1 appearing in Entra ID sign-in logs is a fingerprint of Kali365's token polling infrastructure, per Cloud Security Alliance research. Sign-ins originating from VPS providers, Tor exit nodes, or commercial VPN services immediately following a device code authentication event warrant investigation. Bulk Microsoft Graph API mailbox reads or file downloads within a short window of a first-time authentication event are strong post-compromise indicators. Unexpected device registration events in Entra ID from atypical IP addresses should be treated as high-priority, particularly given the PRT escalation path described above.
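The hunts above, run offline over constructed telemetry, as an added example that is not part of the original report and not any vendor's detection content. The records imitate the shape of Entra ID sign-in and audit log exports (field names are the Entra names where one exists; "time" is a Unix timestamp for brevity), but every value is made up. The four functions correspond to the four signals in the paragraph: device code sign-ins outside a documented baseline, the python-requests polling fingerprint, bulk Microsoft Graph activity in a short window, and device registration shortly after a device code sign-in.

```python
"""Hunting logic from the Detection section, run over constructed records.

Added example, not the page's own tooling. Field names mirror Microsoft
Entra ID SignInLogs / AuditLogs where a name exists; all values are constructed.
"""
from collections import defaultdict
from datetime import datetime, timezone

DEVICE_CODE = "deviceCode"
POLLER_UA = "python-requests/2.25.1"   # fingerprint cited on the page (CSA research)
BULK_THRESHOLD = 50                     # Graph calls per window, matching the page's >50 heuristic
WINDOW_SECONDS = 10 * 60


def ts(s):
    """Parse '2026-05-20T09:00:00Z' into a Unix timestamp."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()


def device_code_signins(signins, allowlisted_users=()):
    """Every deviceCode authentication outside the documented baseline is an alert on its own."""
    return [r for r in signins
            if r.get("authenticationProtocol") == DEVICE_CODE
            and r["userPrincipalName"] not in allowlisted_users]


def poller_fingerprint(signins):
    """Sign-ins carrying the user agent associated with the kit's token polling."""
    return [r for r in signins if r.get("userAgent") == POLLER_UA]


def bulk_graph_activity(signins, threshold=BULK_THRESHOLD, window=WINDOW_SECONDS):
    """Non-interactive Microsoft Graph sign-ins per user per fixed time bucket.
    Returns {(user, bucket_start): count} for buckets above the threshold."""
    counts = defaultdict(int)
    for r in signins:
        if r.get("category") != "NonInteractiveUserSignInLogs":
            continue
        if r.get("appDisplayName") != "Microsoft Graph":
            continue
        bucket = int(r["time"] // window) * window
        counts[(r["userPrincipalName"], bucket)] += 1
    return {k: v for k, v in counts.items() if v > threshold}


def registration_after_device_code(signins, audit_events, window=WINDOW_SECONDS * 6):
    """Device registration for a user within `window` seconds of that user's
    deviceCode sign-in is the PRT escalation path described on the page."""
    hits = []
    dc_by_user = defaultdict(list)
    for r in device_code_signins(signins):
        dc_by_user[r["userPrincipalName"]].append(r)
    for ev in audit_events:
        if ev.get("activityDisplayName") != "Register device":
            continue
        for s in dc_by_user.get(ev["userPrincipalName"], []):
            if 0 <= ev["time"] - s["time"] <= window:
                hits.append({"user": ev["userPrincipalName"], "signin_ip": s["ipAddress"],
                             "registration_ip": ev["ipAddress"],
                             "seconds_after": ev["time"] - s["time"]})
    return hits


# Constructed sample telemetry: one victim and one legitimate conference-room account.
SIGNINS = [
    {"time": ts("2026-05-20T09:00:00Z"), "userPrincipalName": "alice@contoso.example",
     "ipAddress": "203.0.113.10", "authenticationProtocol": DEVICE_CODE,
     "userAgent": POLLER_UA, "appDisplayName": "Microsoft Office", "category": "SignInLogs"},
    {"time": ts("2026-05-20T09:00:00Z"), "userPrincipalName": "roomav@contoso.example",
     "ipAddress": "198.51.100.7", "authenticationProtocol": DEVICE_CODE,
     "userAgent": "Teams Rooms", "appDisplayName": "Microsoft Teams", "category": "SignInLogs"},
] + [
    {"time": ts("2026-05-20T09:04:00Z") + i, "userPrincipalName": "alice@contoso.example",
     "ipAddress": "203.0.113.10", "authenticationProtocol": "none",
     "userAgent": POLLER_UA, "appDisplayName": "Microsoft Graph",
     "category": "NonInteractiveUserSignInLogs"}
    for i in range(60)   # 60 Graph calls in one minute: a mailbox sweep
]

AUDIT = [
    {"time": ts("2026-05-20T09:30:00Z"), "userPrincipalName": "alice@contoso.example",
     "ipAddress": "203.0.113.10", "activityDisplayName": "Register device"},
]

BASELINE = ("roomav@contoso.example",)   # documented input-constrained device account


def hunt(signins=SIGNINS, audit=AUDIT, allowlisted_users=BASELINE):
    """Run all four hunts and return the findings keyed by name."""
    return {
        "device_code": [r["userPrincipalName"] for r in device_code_signins(signins, allowlisted_users)],
        "poller_ua": sorted({r["userPrincipalName"] for r in poller_fingerprint(signins)}),
        "bulk_graph": {user: n for (user, _bucket), n in bulk_graph_activity(signins).items()},
        "registration_after_device_code": registration_after_device_code(signins, audit),
    }


if __name__ == "__main__":
    for name, finding in hunt().items():
        print(f"{name}: {finding}")
```

The baseline allowlist is the piece most teams skip: the conference-room account in the sample also authenticates with device code flow, and the hunt stays quiet about it only because it is on the documented list. Build that list before you start alerting, or the first week of the rule is nothing but AV systems.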
Remediation for Confirmed Compromise
Revoking refresh tokens alone is insufficient if the attacker has registered a device and obtained PRTs. The complete remediation sequence is: revoke all active sessions for the affected user via Entra ID, remove unauthorized registered devices from the tenant, require re-authentication, audit the mailbox for unauthorized forwarding rules, and review all OAuth application consent grants across the tenant for unexpected third-party access.
Analysis
Kali365 is not technically novel. Device code phishing is a documented technique against a known weakness in a protocol that has existed since 2019. Microsoft has published mitigation guidance for years. What Kali365 represents is not a new attack but a new industry.
Kali365, EvilTokens, and the Tycoon2FA device-code variant constitute an active, competitive PhaaS market purpose-built to operate after MFA. AI-generated lures, automated campaign templates, real-time tracking dashboards, and three-tier reseller architecture turn what once required patience and operational security expertise into something a low-skill operator can deploy the same day they subscribe. Microsoft's VP of Security Research told The Register in May 2026 that the company was observing hundreds of compromises daily across affected environments, with each campaign distributing highly varied payloads to complicate pattern-based detection.
The MFA calculus has shifted in a specific and important way. MFA verifies that the person completing authentication is who they claim to be. It does not verify that the authentication is for the user's own device or session. Device code phishing exploits exactly this gap. Organizations that have built security messaging around "enable MFA to stop phishing" need to refine that frame. Conditional Access policies that evaluate the authentication flow, device compliance, network location, and session context are what close this gap, not MFA alone. Push-based, OTP-based, and SMS-based MFA all pass through untouched because the user completes MFA correctly. Phishing-resistant methods such as FIDO2 and hardware tokens do not close it on their own either: the user performs a genuine ceremony with the legitimate Microsoft sign-in origin, so origin binding is satisfied, and the resulting token is simply issued to the session that requested the device code. Against this technique the control is blocking the flow, not strengthening the factor.
Finally, the expansion to Okta deserves a separate risk assessment for any organization using Okta as their SSO gateway. A successful device code phishing attack against Okta credentials provides access to every application behind that SSO, not just one productivity suite. The blast radius per compromised identity is materially larger.
Recommendations
Immediate (0-24 hours): Audit Microsoft Entra ID Conditional Access policies for a rule blocking device code flow. If none exists, create one with the condition Authentication flows: Device code flow and the grant control Block, scoped to all users and all cloud apps, with exclusions only for documented legitimate processes. Before enforcing, run the policy in report-only mode and baseline existing device code flow usage in the sign-in logs so that conference room AV systems, printers, and other input-constrained devices are not cut off. Add Authentication transfer to the same policy as a complementary control.
If suspicious events have already occurred, revoke all active sessions for affected accounts, remove unauthorized registered devices, require re-authentication, and conduct a mailbox audit for unauthorized rules.
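The policy audit and the policy itself, as an added example that is not part of the original report and not Microsoft's code. Field names follow the Microsoft Graph conditionalAccessPolicy resource (conditions.authenticationFlows.transferMethods, grantControls.builtInControls, the state values enabled and enabledForReportingButNotEnforced); the policies in SAMPLE_TENANT, the display names and the group IDs are constructed placeholders. Submitting the returned body to POST /identity/conditionalAccess/policies is left to whatever Graph tooling you already use, so the block runs offline.

```python
"""Audit Conditional Access policies for a device code flow block, and build
the missing policy in the shape Microsoft Graph expects.

Added example, not from the page or from Microsoft. Field names follow the
Graph conditionalAccessPolicy resource; SAMPLE_TENANT, the names and the
group IDs are constructed placeholders.
"""
import json

DEVICE_CODE = "deviceCodeFlow"
AUTH_TRANSFER = "authenticationTransfer"


def transfer_methods(policy):
    """The comma-separated transferMethods flags as a set (empty when absent)."""
    flows = policy.get("conditions", {}).get("authenticationFlows") or {}
    return {m.strip() for m in flows.get("transferMethods", "").split(",") if m.strip()}


def blocks_device_code(policy):
    """True only when the policy is enforced, covers all users and all apps,
    names deviceCodeFlow, and its grant control is block."""
    c = policy.get("conditions", {})
    return (policy.get("state") == "enabled"
            and DEVICE_CODE in transfer_methods(policy)
            and c.get("users", {}).get("includeUsers") == ["All"]
            and c.get("applications", {}).get("includeApplications") == ["All"]
            and "block" in policy.get("grantControls", {}).get("builtInControls", []))


def audit(policies):
    """Explain why each device-code-related policy falls short; 'covered' is
    True if at least one policy passes blocks_device_code()."""
    findings = []
    for p in policies:
        methods = transfer_methods(p)
        if DEVICE_CODE not in methods:
            continue   # not a device code flow policy at all
        c = p.get("conditions", {})
        problems = []
        if p.get("state") != "enabled":
            problems.append(f"state is {p.get('state')!r}, so it is not enforced")
        if c.get("users", {}).get("includeUsers") != ["All"]:
            problems.append("does not include all users")
        if c.get("applications", {}).get("includeApplications") != ["All"]:
            problems.append("does not include all applications")
        if "block" not in p.get("grantControls", {}).get("builtInControls", []):
            problems.append("grant control is not block")
        if AUTH_TRANSFER not in methods:
            problems.append("authentication transfer is not covered (recommended complement)")
        findings.append({"policy": p.get("displayName"), "problems": problems})
    return {"covered": any(blocks_device_code(p) for p in policies), "findings": findings}


def build_block_policy(exclusion_group_ids=(), enforce=False, name="Block device code flow"):
    """Report-only by default (enforce=False) so baseline usage can be reviewed
    in the sign-in logs before input-constrained devices are cut off."""
    return {
        "displayName": name,
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": list(exclusion_group_ids)},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": f"{DEVICE_CODE},{AUTH_TRANSFER}"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


# Constructed tenant: an MFA policy plus a report-only pilot scoped to one group.
SAMPLE_TENANT = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Pilot: device code block", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeGroups": ["11111111-1111-1111-1111-111111111111"]},
                    "applications": {"includeApplications": ["All"]},
                    "authenticationFlows": {"transferMethods": DEVICE_CODE}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_TENANT), indent=2))
    fixed = build_block_policy(["22222222-2222-2222-2222-222222222222"], enforce=True)
    print(json.dumps(audit(SAMPLE_TENANT + [fixed]), indent=2))
```

The audit is deliberately strict: a report-only policy, a pilot scoped to a group, or a policy that requires MFA instead of blocking all read as "not covered", because each of them leaves the flow usable by an attacker against most of the tenant. The exclusion group is where the documented AV and printer accounts go once the report-only run has shown what actually uses the flow.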
Short-term (1-7 days): Deploy Splunk ESCU detection rule ID d68d8732 or the equivalent for your SIEM, with supplementary alerting for bulk Graph API activity and unexpected device registrations. Add detection for the confirmed C2 IP 216[.]203[.]20[.]95 at the perimeter, while noting that 126 additional hosts exist and the infrastructure rotates. Update security awareness training to explicitly cover the device code phishing pattern with the emphasis that users should only enter device codes when they personally initiated a sign-in on their own device, not in response to an email request.
Long-term: Catalog all devices in the environment that use device code flow for legitimate purposes. Many organizations discover undocumented conference room devices and legacy IoT appliances only when building a blocking policy, and without a prior inventory those devices complicate enforcement. Enable Continuous Access Evaluation (CAE) in Entra ID so that session revocation and critical Conditional Access changes take effect in near real time rather than at access token expiry (CAE-capable clients receive longer-lived tokens in exchange, so the gain is revocation latency, not a shorter lifetime). Incorporate OAuth application consent grant reviews into periodic security assessment cycles.
The threat model adjustment is direct: shift detection investment from "MFA failure events" toward "device code flow usage outside established baseline." The former is a lagging indicator against this attack class; the latter is the primary signal.
Indicators of Compromise
```text
# IP Address (defanged)
216[.]203[.]20[.]95        # Kali365 C2 infrastructure, confirmed by Arctic Wolf (April 2026)

# Domain (defanged)
greatness-marketing[.]top  # Fake prize claim page / MAX Messenger phishing variant (June 2026)

# Telegram C2
@NovosibyrskyMoneyBot      # Telegram bot for real-time credential capture (MAX variant)

# User-Agent (network indicator)
python-requests/2.25.1     # Kali365 token polling traffic fingerprint (per CSA research)

# Behavioral IOCs
authenticationProtocol=deviceCode in Entra ID SignInLogs from unexpected users or locations
Microsoft Graph bulk mailbox access (>50 API calls within a short window) via non-interactive session
New device registration in Entra ID from an IP outside the organizational baseline
Post-authentication sign-in activity from VPS, Tor exit node, or commercial VPN infrastructure
```
Note: Arctic Wolf identified 126 total malicious hosts as of early June 2026. The full host list is not publicly available at time of writing. Consult Arctic Wolf's threat intelligence feed for an updated list.
References:
- Kali365 phishing kit bypasses MFA and steals Microsoft logins — Malwarebytes / Pieter Arntz
- Kali365 Phishing-as-a-Service Kit Hijacks Microsoft 365 Access Tokens — FBI Internet Crime Complaint Center (IC3)
- Token Bingo: Don't Let Your Code be the Winner — Arctic Wolf Labs
- From Token Bingo to MAX Takeover: Kali365 Operator Expands Operation — Arctic Wolf Labs
- Storm-2372 conducts device code phishing campaign — Microsoft Security Blog
- OAuth Device Code Phishing Hits 340+ Microsoft 365 Organizations — Cloud Security Alliance Labs
- Detection: Azure AD Device Code Authentication — Splunk Security Research
- FBI warns of Kali365 as device code phishing soars — The Register
- Kali365 PhaaS Operation Expands Beyond Microsoft 365 — CyberSecurityNews