Particle.news

FBI Warns Kali365 Service Can Capture Microsoft OAuth Tokens and Bypass MFA

The agency says the low‑cost subscription sold on Telegram tricks users into entering device codes on real Microsoft pages so attackers gain persistent access to Outlook, Teams, and OneDrive.

Overview

  • Security officials say Kali365, first seen in April, automates phishing by sending emails that instruct victims to paste a device code into a legitimate Microsoft verification page, which hands attackers the OAuth access and refresh tokens they need to access accounts without a password.
  • Researchers reported hundreds of attacks using the kit in April, and investigators say the platform is marketed on Telegram with subscription pricing reported at roughly $250 per month or $2,000 per year.
  • Captured tokens let intruders read and send email, join Teams chats, and open OneDrive files without triggering standard multifactor checks, creating persistent access that can be used for data theft and follow‑on phishing from compromised accounts.
  • The FBI recommends immediate steps such as auditing and blocking device‑code flows with conditional access policies, deploying phishing‑resistant multi‑factor methods, reviewing active sessions and inbox rules, and reporting incidents to the Internet Crime Complaint Center (IC3).
  • Security experts warn Kali365 shows how phishing‑as‑a‑service and AI‑generated lures lower the skill needed for large campaigns, increasing the chance ordinary users and businesses will face targeted token‑capture attacks unless defenses and user training are strengthened.
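The audit steps the FBI recommends (find device-code sign-ins, then review the affected mailboxes for attacker-created inbox rules) can be scripted against exported logs. The Python below is an added example written for this summary, not code from the FBI advisory or from any vendor. It assumes sign-in records shaped like Microsoft Graph `signIn` objects, where the `authenticationProtocol` field carries the value `deviceCode` for device-code logins, and inbox rules shaped like Graph `messageRule` objects with an added `owner` field naming the mailbox; all records, addresses and domains are constructed for the demonstration, and the hedge on the exact schema should be checked against your own export.

```python
"""Triage helper for device-code token theft (constructed example).

1. Pull every successful sign-in that used the device-code flow.
2. Flag inbox rules that forward mail outside the tenant or delete messages,
   a common follow-on action once a mailbox token is in attacker hands.
3. Correlate the two so analysts see which users need session revocation first.
"""

# Constructed sample sign-ins, loosely following the Graph signIn schema
# (field names are an assumption; adjust to the columns in your export).
SAMPLE_SIGNINS = [
    {"createdDateTime": "2025-04-12T09:14:02Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.7",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-04-12T09:20:45Z", "userPrincipalName": "bob@example.com",
     "appDisplayName": "Outlook", "ipAddress": "198.51.100.23",
     "authenticationProtocol": "none", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-04-12T10:02:11Z", "userPrincipalName": "carol@example.com",
     "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.7",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 50126}},  # failed
]

# Constructed sample inbox rules, loosely following the Graph messageRule schema;
# "owner" is an added field identifying whose mailbox the rule lives in.
SAMPLE_RULES = [
    {"owner": "alice@example.com", "displayName": "Sync",
     "conditions": {"subjectContains": ["invoice", "password"]},
     "actions": {"forwardTo": [{"emailAddress": {"address": "drop@attacker-mail.example"}}],
                 "delete": True}},
    {"owner": "bob@example.com", "displayName": "Newsletters",
     "conditions": {"senderContains": ["news"]},
     "actions": {"moveToFolder": "Newsletters"}},
]

# Domains that belong to the organisation (constructed).
TENANT_DOMAINS = {"example.com"}


def device_code_signins(records, successful_only=True):
    """Return sign-in records that used the device-code flow.

    A failed attempt (non-zero errorCode) is still interesting for hunting,
    so callers can opt in to it with successful_only=False.
    """
    hits = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        if successful_only and rec.get("status", {}).get("errorCode", 0) != 0:
            continue
        hits.append(rec)
    return hits


def suspicious_inbox_rules(rules, tenant_domains):
    """Flag rules that forward/redirect mail off-tenant or silently delete it."""
    findings = []
    for rule in rules:
        actions = rule.get("actions", {})
        reasons = []
        for target in actions.get("forwardTo", []) + actions.get("redirectTo", []):
            addr = target.get("emailAddress", {}).get("address", "")
            domain = addr.rsplit("@", 1)[-1].lower()
            if domain not in tenant_domains:
                reasons.append(f"forwards to external address {addr}")
        if actions.get("delete"):
            reasons.append("deletes matching messages")
        if reasons:
            findings.append({"owner": rule.get("owner"),
                             "rule": rule.get("displayName"),
                             "reasons": reasons})
    return findings


def correlate(signins, rules, tenant_domains):
    """Join device-code users with rule findings; the overlap is the top of the queue."""
    dc_users = {rec["userPrincipalName"] for rec in device_code_signins(signins)}
    rule_findings = suspicious_inbox_rules(rules, tenant_domains)
    rule_owners = {f["owner"] for f in rule_findings}
    return {
        "device_code_users": sorted(dc_users),
        "rule_findings": rule_findings,
        "high_priority": sorted(dc_users & rule_owners),
    }


if __name__ == "__main__":
    report = correlate(SAMPLE_SIGNINS, SAMPLE_RULES, TENANT_DOMAINS)
    for user in report["high_priority"]:
        print(f"REVOKE SESSIONS + RESET: {user}")
    for finding in report["rule_findings"]:
        print(f"inbox rule '{finding['rule']}' on {finding['owner']}: "
              + "; ".join(finding["reasons"]))
```

Running this on the constructed data puts `alice@example.com` at the top of the queue: a successful device-code sign-in plus a rule that forwards "password" and "invoice" mail to an outside address and deletes the originals. The script is a detective control only; the preventive step the advisory points to is a Conditional Access policy that blocks the device-code authentication flow for users who have no legitimate need for it, followed by session revocation for anyone the audit surfaces.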