The FBI is warning that the Kali365 phishing-as-a-service platform is helping attackers hijack Microsoft 365 and Entra accounts by abusing OAuth device code authentication to steal session tokens and bypass MFA. Researchers say the service is widely used in campaigns that capture browser sessions and tokens, giving threat actors access to mailboxes, cloud apps, and victim environments. #Kali365 #Microsoft365 #MicrosoftEntra #ShinyHunters #ArcticWolf
Key points
- Kali365 emerged in April 2026 and is sold through Telegram channels.
- The platform abuses OAuth device code authentication to steal session tokens.
- Victims are tricked into entering a code at Microsoft's device login page.
- Attackers gain access to Microsoft 365, Entra, and other SaaS applications.
- The FBI urges organizations to block device code flows and report incidents.
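
Until device code flows are blocked, sign-in logs can be reviewed for successful device code authentications. The following is an added example, not code from the FBI or the researchers: the field names are modelled on the Microsoft Graph signIn resource, and the allowlist and all sample records are constructed assumptions.

```python
import json
from collections import defaultdict

# Constructed sample sign-in records, one JSON object per line. Field names are
# modelled on the Microsoft Graph signIn resource (an assumption: check them
# against your own export). A non-zero errorCode marks a failed sign-in.
SAMPLE_LOG = """
{"createdDateTime":"2026-05-04T08:01:12Z","userPrincipalName":"alice@example.com","ipAddress":"198.51.100.10","authenticationProtocol":"none","status":{"errorCode":0}}
{"createdDateTime":"2026-05-04T08:15:40Z","userPrincipalName":"alice@example.com","ipAddress":"203.0.113.77","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
{"createdDateTime":"2026-05-04T08:20:03Z","userPrincipalName":"bob@example.com","ipAddress":"192.0.2.5","authenticationProtocol":"deviceCode","status":{"errorCode":70016}}
{"createdDateTime":"2026-05-04T09:00:00Z","userPrincipalName":"signage@example.com","ipAddress":"198.51.100.30","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
{"createdDateTime":"2026-05-04T09:10:00Z","userPrincipalName":"carol@example.com","ipAddress":"198.51.100.20","authenticationProtocol":"none","status":{"errorCode":0}}
{"createdDateTime":"2026-05-04T09:30:00Z","userPrincipalName":"Carol@example.com","ipAddress":"198.51.100.20","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
"""

# Hypothetical allowlist: accounts with a documented need for device code flow.
ALLOWED_USERS = {"signage@example.com"}

def parse(text):
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def is_device_code(rec):
    return rec.get("authenticationProtocol") == "deviceCode"

def succeeded(rec):
    return rec.get("status", {}).get("errorCode") == 0

def find_device_code_signins(records, allowed_users=ALLOWED_USERS):
    """Return successful device code sign-ins by users not on the allowlist."""
    # IPs each user has signed in from successfully by other means.
    known_ips = defaultdict(set)
    for rec in records:
        if succeeded(rec) and not is_device_code(rec):
            known_ips[rec["userPrincipalName"].lower()].add(rec["ipAddress"])
    findings = []
    for rec in sorted(records, key=lambda r: r["createdDateTime"]):
        user = rec["userPrincipalName"].lower()
        if not (is_device_code(rec) and succeeded(rec)) or user in allowed_users:
            continue
        findings.append({"time": rec["createdDateTime"], "user": user,
                         "ip": rec["ipAddress"],
                         # True when the IP never appears in the user's other sign-ins
                         "new_ip": rec["ipAddress"] not in known_ips[user]})
    return findings

if __name__ == "__main__":
    for finding in find_device_code_signins(parse(SAMPLE_LOG)):
        print(finding)
```

The `new_ip` flag is a triage hint only; every finding is a device code sign-in that the organization has not explicitly approved.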