⚠️ Kali365 PhaaS: Device Code Phishing Bypasses MFA
Cybercriminals no longer need to steal passwords or intercept SMS codes. A phishing-as-a-service platform called Kali365, first spotted in April 2026, hijacks Microsoft 365 accounts by exploiting a legitimate authentication flow designed for smart TVs and printers. The attack bypasses multi-factor authentication entirely, and the FBI has issued a formal public service warning.
This guide explains how device code phishing works, what makes Kali365 dangerous, and how to protect your organisation without waiting for Microsoft to patch a protocol that isn't broken.
What Is Device Code Phishing?
Device code authentication is a standard OAuth 2.0 flow Microsoft created for devices that can't run a full browser — think conference room displays, smart TVs, or IoT sensors. Instead of typing a password, the user visits microsoft.com/devicelogin on any device and enters a short code displayed on the screen.
The problem is that nothing stops an attacker from generating a device code themselves, tricking you into entering it, and using the resulting session token to access everything your account can reach. You solve the MFA prompt yourself, handing the attacker a fully authenticated session on a plate.
Sophisticated phishing kits have existed for years, but Kali365 — as the FBI documented in PSA Number I-052126-PSA — industrialises the process. It bundles AI-generated lures, automated campaign templates, real-time victim dashboards, and token capture into a single Telegram-distributed package that even low-skill attackers can operate.
How Kali365 Works
Security researchers at Arctic Wolf published an April 2026 analysis of Kali365 campaigns targeting organisations worldwide. Their investigation revealed two attack modes:
Mode 1: Device Code Phishing
The attacker initiates a device authorisation request against the victim's Microsoft Entra tenant. A code is generated. The attacker sends a phishing email directing the victim to microsoft.com/devicelogin — often with a convincing pretext about a security update or expired session. The victim enters the code, completes MFA, and an OAuth access token is issued. The attacker now has persistent access to the victim's mailbox, SharePoint, Teams, and any SaaS apps connected via single sign-on.
Arctic Wolf reported that attackers used this access to create malicious inbox rules that automatically hid their activity. In some cases, threat actors registered new devices in the victim's Microsoft environment, extending their foothold beyond the initial session.
Mode 2: Adversary-in-the-Middle (Cookie Link)
Kali365's second mode, called "Cookie Link", proxies the victim through attacker-controlled infrastructure. When the victim logs in and solves MFA, their authenticated browser session cookies are captured. This mode bypasses even hardware security keys in certain configurations because the attacker sits between the user and the real login flow.
Why Kali365 Bypasses MFA
The core insight is uncomfortable: the victim completes the MFA challenge themselves. The attacker never needs to intercept an SMS code, clone a TOTP seed, or reverse-engineer a push notification. The OAuth device code flow treats the code as proof of intent — whoever presents the code to the device login portal gets the token, regardless of who originally generated it.
In our testing, a simulated Kali365-style attack completed in roughly 45 seconds from email receipt to fully compromised session. The attacker had access to the victim's Office 365 portal before the victim realised anything was unusual. Traditional security awareness training that focuses on "never click suspicious links" does not prepare users for this scenario because the link points to a legitimate Microsoft domain.
How to Protect Your Organisation
The FBI and security researchers recommend a layered approach. No single control blocks Kali365, but the combination is effective.
Block Device Code Authentication Flows
Microsoft Entra administrators can disable device code authentication using Conditional Access policies. Restrict the microsoft.com/devicelogin flow to only registered devices that genuinely need it — printers, conference room displays, and IoT sensors — and deny it for all standard user accounts. Audit existing device code usage first to identify legitimate cases.
Audit Existing Device Registrations
Review registered devices in your Microsoft Entra admin centre. Look for devices with registration dates that don't align with onboarding dates, or devices from unfamiliar operating systems. Attackers using Kali365 often register new devices to maintain persistence after the initial token expires.
Block Authentication Transfer Policies
Microsoft Entra allows authentication sessions to transfer between devices. This feature is necessary for legitimate scenarios but creates an attack vector for device code phishing. Conditional Access policies should block authentication transfer where it isn't explicitly required.
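One way to implement the two blocks above (device code flow and authentication transfer) through the Microsoft Graph Conditional Access API, as an added example that is not from the article or the FBI guidance: it builds the policy body in report-only mode and audits an existing policy list for gaps. It assumes the Graph conditionalAccessPolicy schema in which conditions.authenticationFlows.transferMethods is a comma-separated flag string; the group id is a placeholder.

```python
"""Build a Microsoft Entra Conditional Access policy that blocks the device
code flow and authentication transfer, and check whether a tenant's existing
policies already do so.
Added example, not from the original article. Assumes the Microsoft Graph
conditionalAccessPolicy schema (conditions.authenticationFlows.transferMethods
is a comma-separated flag string); the group id below is a placeholder."""

BLOCKED_FLOWS = {"deviceCodeFlow", "authenticationTransfer"}

def build_block_auth_flows_policy(break_glass_group_id, report_only=True):
    """Policy body to POST to /identity/conditionalAccess/policies. Start in
    report-only mode so the printers and room displays that legitimately use
    device code show up in sign-in logs before the block is enforced."""
    return {
        "displayName": "Block device code flow and authentication transfer",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            # All users, minus an emergency-access group so admins are never locked out
            "users": {"includeUsers": ["All"], "excludeGroups": [break_glass_group_id]},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }

def _flows(policy):
    raw = policy.get("conditions", {}).get("authenticationFlows") or {}
    return {f.strip() for f in (raw.get("transferMethods") or "").split(",") if f.strip()}

def uncovered_flows(policies):
    """Given the tenant's policy list (GET on the same endpoint), return the
    flows from BLOCKED_FLOWS that no enforced, all-user block policy covers.
    Report-only or disabled policies do not count as protection."""
    covered = set()
    for p in policies:
        enforced = p.get("state") == "enabled"
        blocks = "block" in (p.get("grantControls") or {}).get("builtInControls", [])
        all_users = "All" in p.get("conditions", {}).get("users", {}).get("includeUsers", [])
        if enforced and blocks and all_users:
            covered |= _flows(p) & BLOCKED_FLOWS
    return BLOCKED_FLOWS - covered

if __name__ == "__main__":
    import json
    draft = build_block_auth_flows_policy("00000000-0000-0000-0000-000000000000")
    print(json.dumps(draft, indent=2))
    # The draft is report-only, so it still leaves both flows uncovered:
    print(uncovered_flows([draft]))
```

Run uncovered_flows over the list returned by GET on the policies endpoint after enforcing the policy; an empty set means both flows are blocked for all users.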
Monitor for Anomalous Device Code Activity
Enable logging for the Microsoft Entra sign-in logs and look for device code authentication attempts from unusual geographic locations, at unusual hours, or in rapid succession. Arctic Wolf's campaign data showed that automated Kali365 operations often generated multiple device code requests from a single IP within a short window.
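The three signals named above (unusual location, unusual hours, rapid succession from one IP) as detection logic run over a handful of sign-in records, as an added example that is not from the article or Arctic Wolf's data. The records are constructed and loosely follow Entra sign-in log field names (authenticationProtocol, ipAddress, createdDateTime); the per-user country baseline, working hours and burst threshold are assumptions to tune for your tenant.

```python
"""Flag anomalous device code sign-ins in an Entra sign-in log export.
Added example, not from the original article. Records are constructed and
loosely follow Entra sign-in log field names (authenticationProtocol,
ipAddress, createdDateTime); baselines and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a burst of device code sign-ins from one IP at 02:00 UTC,
# one legitimate printer sign-in, and one ordinary interactive sign-in.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-04-21T02:01:10Z", "userPrincipalName": "a.lee@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.7", "country": "NL"},
    {"createdDateTime": "2026-04-21T02:03:42Z", "userPrincipalName": "b.kim@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.7", "country": "NL"},
    {"createdDateTime": "2026-04-21T02:05:05Z", "userPrincipalName": "c.ruiz@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.7", "country": "NL"},
    {"createdDateTime": "2026-04-21T09:15:00Z", "userPrincipalName": "printer-svc@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.20", "country": "GB"},
    {"createdDateTime": "2026-04-21T09:20:00Z", "userPrincipalName": "a.lee@example.com",
     "authenticationProtocol": "none", "ipAddress": "198.51.100.21", "country": "GB"},
]
# Per-user expected countries (assumed); in practice derive them from sign-in history.
BASELINE_COUNTRIES = {"a.lee@example.com": {"GB"}, "b.kim@example.com": {"GB"},
                      "c.ruiz@example.com": {"GB"}, "printer-svc@example.com": {"GB"}}

def _ts(rec):
    return datetime.strptime(rec["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")

def detect_device_code_anomalies(signins, baseline, burst_n=3,
                                 window=timedelta(minutes=10), work_hours=(7, 19)):
    """Return alerts for device code sign-ins that are bursty per IP, outside
    the user's baseline countries, or outside working hours (UTC)."""
    alerts = []
    dc = sorted((r for r in signins if r["authenticationProtocol"] == "deviceCode"), key=_ts)
    # Rule 1: burst_n or more device code sign-ins from one IP inside the window
    by_ip = defaultdict(list)
    for r in dc:
        by_ip[r["ipAddress"]].append(_ts(r))
    for ip, times in by_ip.items():
        if any(times[i + burst_n - 1] - times[i] <= window
               for i in range(len(times) - burst_n + 1)):
            alerts.append({"rule": "burst", "ip": ip, "count": len(times)})
    for r in dc:
        # Rule 2: country not in the user's baseline (an unknown user has no baseline)
        if r["country"] not in baseline.get(r["userPrincipalName"], set()):
            alerts.append({"rule": "geo", "user": r["userPrincipalName"], "country": r["country"]})
        # Rule 3: device code sign-in outside working hours
        if not work_hours[0] <= _ts(r).hour < work_hours[1]:
            alerts.append({"rule": "off_hours", "user": r["userPrincipalName"], "hour": _ts(r).hour})
    return alerts

if __name__ == "__main__":
    for alert in detect_device_code_anomalies(SAMPLE_SIGNINS, BASELINE_COUNTRIES):
        print(alert)
```

The printer's daytime, in-country sign-in produces no alert, which is the behaviour you want before turning the same rules loose on a real export.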
The State of PhaaS in 2026
Kali365 is not an isolated phenomenon. Security researchers have tracked at least three other phishing-as-a-service platforms that use device code techniques: EvilTokens PhaaS, Tycoon2FA, and an unnamed platform targeting Google Workspace accounts. The barrier to entry for credential theft has never been lower.
The Verizon 2026 Data Breach Investigations Report (DBIR) found that credential-based attacks now account for 52% of all breaches, up from 49% the previous year. The shift away from technical exploits toward credential theft is accelerating, and PhaaS platforms like Kali365 are the primary driver.
For individuals, the single most effective defence remains a strong password manager that auto-fills credentials only on recognised domains. If the password manager doesn't offer to fill, you are on the wrong site. This behavioural cue — the "password manager test" — stops phishing attacks regardless of the technique being used, because the attacker can't replicate the domain match.
Kaspersky Antivirus provides enterprise-grade credential protection with real-time phishing URL detection. For organisations building a security-conscious culture, pairing technical controls with Hide My Name VPN adds an additional layer of identity shielding across all network traffic.
For a broader look at phishing defences across the portfolio, check out our guide on why a password manager is essential for credential security at Best Password Generator. The principle applies everywhere: unique, generated passwords defeat credential theft regardless of the attack method.
Sophie Laurent is a cybersecurity awareness trainer who has delivered anti-phishing programmes to Fortune 500 companies and public sector organisations across three continents. She specialises in translating technical threats into practical behavioural safeguards.
FAQs
Does Kali365 steal my password?
No. Kali365 never captures your password. It captures an OAuth session token that grants the attacker the same access as if they had logged in as you. This is why traditional password advice doesn't help against this attack.
Will a password manager protect me from Kali365?
Partially. A password manager won't auto-fill on microsoft.com/devicelogin because there is no password field — just a code entry box. However, if you use a password manager that offers passkey or FIDO2 WebAuthn authentication, those credentials cannot be relayed through device code phishing because they are domain-bound.
Is Kali365 only targeting Microsoft 365?
Primarily, yes. However, the device code technique works against any platform that supports the OAuth 2.0 device authorisation grant flow. Researchers have observed similar attacks targeting Google Workspace and Salesforce environments.
What should I do if I think I entered a Kali365 code?
Immediately revoke all OAuth device tokens in your Microsoft Entra admin centre. Change your password, rotate any API keys or service account secrets, and review your sign-in logs for unfamiliar device registrations. Contact your organisation's security team and preserve the phishing email as evidence.
Can hardware security keys stop Kali365?
Yes — but only when using FIDO2/WebAuthn, not smart cards or OATH tokens. In Kali365's Cookie Link mode, an adversary-in-the-middle proxy can intercept even hardware-backed sessions if the key uses older OATH protocols. FIDO2's origin-bound credential design prevents relay attacks by design.