
FBI warns about Kali365 PhaaS platform stealing Microsoft 365 session tokens by abusing OAuth device code flow to bypass MFA.
Kali365 is a PhaaS (phishing-as-a-service — a criminal platform that rents ready-to-use phishing infrastructure) that the FBI is now actively tracking. Its specialty: compromising Microsoft 365 accounts without ever touching the password.
The vector is *OAuth (a protocol that delegates app access without exposing credentials) device code flow*. This flow exists to authenticate screenless devices — smart TVs, gaming consoles. The user visits a portal, enters a short code, and approves access. Kali365 generates that code, sends a phishing link to the victim disguised as a legitimate Microsoft notification, and waits for approval.
Once approved, the attacker receives a valid *access token* and *refresh token*. Full access to email, Teams, and SharePoint — no password needed, no second factor required. MFA (multi-factor authentication — a second verification step) doesn't block this because the user explicitly approved the flow, even if unknowingly.
The *device code flow* is enabled by default in every Microsoft 365 tenant that hasn't explicitly restricted it. Most haven't.
The result: a long-lived token that doesn't expire when the password is reset. The victim changes their password, thinks they're safe, and the attacker is still inside.
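A defender-side check that follows from the mechanism above, added here as an example and not part of the FBI notice or the article: scan Microsoft 365 sign-in records for device-code-flow authentications and flag the ones that did not originate from the organisation's own address ranges. The record field names (`authenticationProtocol`, `ipAddress`, `appDisplayName`, `userPrincipalName`), the sample records and the corporate range are all constructed assumptions; map them onto your own sign-in log export.

```python
"""Constructed example: flag Microsoft 365 sign-ins that used the OAuth device
code flow and came from an address outside the organisation's known ranges."""
from ipaddress import ip_address, ip_network

# Constructed sample records shaped like a sign-in log export. The field names
# are an assumption about the export format, not a documented schema.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.45", "appDisplayName": "Microsoft Office"},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "appDisplayName": "Microsoft Teams"},
    {"userPrincipalName": "carol@example.com", "authenticationProtocol": "none",
     "ipAddress": "203.0.113.200", "appDisplayName": "Outlook"},
]

# Constructed: the organisation's own egress ranges (TEST-NET-3 used here).
KNOWN_RANGES = [ip_network("203.0.113.0/24")]


def is_known_source(ip: str) -> bool:
    """True if the sign-in address falls inside an allow-listed corporate range."""
    addr = ip_address(ip)
    return any(addr in net for net in KNOWN_RANGES)


def device_code_signins(records):
    """Every sign-in that was completed through the device code flow.

    Device code flow exists for screenless devices; in most tenants any use of
    it by ordinary users is worth reviewing on its own."""
    return [r for r in records if r.get("authenticationProtocol") == "deviceCode"]


def flag_device_code_signins(records):
    """(user, ip, app) for device-code sign-ins from an address outside KNOWN_RANGES.

    The address logged for the token issuance belongs to the client that polled
    for the token, so a device-code sign-in from an unknown address points at a
    token collected by someone other than the user who approved the code."""
    return [
        (r["userPrincipalName"], r["ipAddress"], r["appDisplayName"])
        for r in device_code_signins(records)
        if not is_known_source(r["ipAddress"])
    ]


if __name__ == "__main__":
    for user, ip, app in flag_device_code_signins(SAMPLE_SIGNINS):
        print(f"REVIEW: device-code sign-in for {user} from {ip} via {app}")
```

A flagged account should have its refresh tokens revoked as part of the response, since a password reset alone does not invalidate the token the attacker already holds.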
Kali365 lowers the barrier to entry as far as possible: web panel, sector-specific lure templates, criminal tech support. Any actor with zero technical skills can run mass campaigns against enterprises.
The real impact goes beyond initial access. From a compromised M365 account, attackers can move laterally through Teams (send convincing internal phishing), access SharePoint (exfiltrate confidential documents), and reuse the token to compromise OAuth-connected services. One token, multiple attack surfaces.
Abusing OAuth flows instead of credentials has been growing for years — APT29 (APT: a nation-state-sponsored hacker group) used this exact technique against European governments in 2021. Kali365 democratizes it. The root problem isn't the technique: it's that defenders still treat MFA as a silver bullet while attackers have been routing around it for years.