Microsoft 365 Users Face OAuth Scam, Kali365 Bypasses MFA

By Kevin Parker | June 28, 2026 | Spreely News

This article explains Kali365, a new phishing-as-a-service attack that targets Microsoft 365 accounts by abusing device-code login flows and stealing OAuth tokens, why it can bypass multifactor authentication, and practical steps individuals and IT teams can take to detect, prevent, and recover from this kind of account takeover.

Kali365 is a subscription service for crooks that bundles phishing templates, AI-crafted messages, tracking tools and token-capture mechanics into a turnkey attack kit. Instead of stealing passwords the old-fashioned way, it abuses a legitimate sign-in method that many people use every day, making the scam look polished and trustworthy. The result is attackers can gain long-lived access without a password, often after a victim unknowingly approves a device code.

The core trick is the device-code workflow you may have used to sign into a smart TV app or other device. Attackers initiate the sign-in and send a convincing message asking you to approve a code on a real Microsoft verification page. Because the page looks legitimate and may not trigger warnings from password managers or browsers, people can be easily fooled into granting access.

Once that code is entered, the attacker captures OAuth access and refresh tokens that keep the session alive and accessible. Those tokens let criminals reach Outlook, Teams and OneDrive as if they were the account owner, no password required. That gives them the ability to read emails, impersonate colleagues, push fake invoices and harvest sensitive files.

This attack is particularly dangerous in workplace settings. A single compromised account can impersonate executives, reply to ongoing threads, request wire transfers or distribute malicious links to trusted contacts. The social engineering element is powerful because the messages come from valid accounts and follow legitimate conversational patterns, so colleagues and vendors may not suspect anything.

There are clear red flags to watch for. If you get an unexpected prompt to enter or approve a Microsoft device code, stop and think. Don’t blindly paste codes from emails, chats or documents that you did not request, and be extra skeptical of messages that create false urgency about expiring documents, pending invoices, or immediate verification requirements.

Practical habits make a big difference. Only enter a device code when you personally started the sign-in on the device in question, and never follow a random link inside a surprise message — open a fresh browser and navigate to your organization’s Microsoft 365 portal directly. Regularly review recent sign-ins, active sessions and connected apps; unfamiliar locations or devices are a cue to revoke access immediately and change credentials.

IT teams should add technical controls as well as training. Restrict device code flow via conditional access policies, and audit existing usage before enforcing blocks so legitimate business processes (such as shared devices and meeting-room hardware that genuinely rely on device-code sign-in) aren’t disrupted. Blocking authentication transfer and limiting app permissions reduces the attack surface, and emergency access accounts can be excluded from the policy to prevent lockouts, provided that exclusion is handled carefully.
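The "audit existing usage before enforcing blocks" step above, as an added example that is not part of the article: a small script that reads exported sign-in records, isolates device-code sign-ins, and flags the ones that fall outside a baseline of users and countries you expect to use that flow. It assumes the export is JSON lines with property names mirroring Microsoft Entra sign-in logs (`authenticationProtocol`, `userPrincipalName`, `appDisplayName`, `location.countryOrRegion`, `createdDateTime`); adjust the keys if your export differs, and the sample records are constructed.

```python
"""Audit exported Microsoft 365 sign-in records for device-code flow usage.

Added example, not the article's code. Assumes one JSON object per line using
the field names shown in SAMPLE_LOG (an assumption; rename to match your export).
"""
import json
from collections import defaultdict

# Constructed sample records, not real log data. A meeting-room account using
# device code from the expected country is the only "legitimate" baseline entry.
SAMPLE_LOG = """
{"createdDateTime":"2026-06-27T08:01:00Z","userPrincipalName":"alice@example.com","appDisplayName":"Microsoft Teams","authenticationProtocol":"deviceCode","location":{"countryOrRegion":"US"}}
{"createdDateTime":"2026-06-27T08:05:00Z","userPrincipalName":"alice@example.com","appDisplayName":"Microsoft Teams","authenticationProtocol":"oAuth2","location":{"countryOrRegion":"US"}}
{"createdDateTime":"2026-06-27T09:12:00Z","userPrincipalName":"bob@example.com","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","location":{"countryOrRegion":"NG"}}
{"createdDateTime":"2026-06-27T09:20:00Z","userPrincipalName":"bob@example.com","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","location":{"countryOrRegion":"US"}}
{"createdDateTime":"2026-06-27T10:00:00Z","userPrincipalName":"conf-room-tv@example.com","appDisplayName":"Microsoft Teams Rooms","authenticationProtocol":"deviceCode","location":{"countryOrRegion":"US"}}
"""


def parse_sign_ins(text):
    """Parse JSON-lines sign-in export into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def device_code_sign_ins(records):
    """Keep only sign-ins that completed through the device-code flow."""
    return [r for r in records if r.get("authenticationProtocol") == "deviceCode"]


def audit_device_code(records, expected_users=frozenset(), expected_countries=frozenset()):
    """Return (usage per user, flagged entries with reasons).

    Usage tells you who relies on device code today (what a block would break);
    flagged entries are the ones to review before and after enforcing a policy.
    """
    usage = defaultdict(list)
    for r in device_code_sign_ins(records):
        usage[r["userPrincipalName"]].append(r)
    flagged = []
    for upn, entries in usage.items():
        for r in entries:
            country = r.get("location", {}).get("countryOrRegion", "unknown")
            reasons = []
            if upn not in expected_users:
                reasons.append("user not in device-code baseline")
            if country not in expected_countries:
                reasons.append(f"unexpected country {country}")
            if reasons:
                flagged.append({"user": upn, "app": r.get("appDisplayName"),
                                "country": country, "time": r["createdDateTime"],
                                "reasons": reasons})
    return dict(usage), flagged
```

Run it over a real export first with an empty baseline to see every device-code user, then populate `expected_users` and `expected_countries` with the accounts and regions that legitimately need the flow before turning on the conditional access block.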

If you suspect you entered a code by mistake, sign everyone out of active sessions, revoke suspicious app authorizations, and change your password right away. Keep multifactor authentication enabled — it still stops many attacks — but teach staff to be cautious about approval prompts and device-code approvals because MFA alone is not foolproof against token-based tricks.

Use reputable antivirus and anti-phishing tools to catch malicious pages and links before they reach users, and consider services that remove your personal data from broker sites to reduce the raw material scammers use for convincing messages. Make this exact scam part of employee security training so people know device codes are not the same thing as passwords and should only be used when expected.

If an account compromise happens, report the incident to the proper authorities and your internal security team with email samples, headers, and any suspicious login details. Move quickly to contain the damage, because token-based access can let attackers linger unnoticed. A few cautious clicks and some simple policies can stop a sophisticated scam from turning a trusted security step into a trap.
