The FBI has issued a public service announcement warning organizations about Kali365, a developing phishing-as-a-service platform that specializes in stealing Microsoft 365 access tokens. This sophisticated tool bypasses multi-factor authentication by exploiting OAuth device code authorizations through phishing lures that impersonate legitimate enterprise services.
The technique allows cybercriminals to gain unauthorized access to Microsoft 365 accounts, potentially leading to severe consequences such as data theft, financial fraud, extortion, and ransomware attacks. The platform provides a simplified method for threat actors to compromise accounts and maintain persistent access to cloud services.
Kali365: A New Threat in Phishing-as-a-Service
Kali365 is representative of a growing trend in device-code phishing tools that are becoming increasingly effective at circumventing security measures. These platforms leverage legitimate Microsoft authorization pages to grant access to malicious applications via a single authorization code. This approach requires fewer user interactions than traditional credential harvesting, making it a more efficient method for attackers.
According to threat researchers, the ease of use and effectiveness of these tools are contributing to their rapid proliferation. Platforms like Kali365 are designed to lower the barrier to entry for less technically skilled attackers, offering automated campaign templates, AI-generated phishing lures, and real-time tracking dashboards.
How Device-Code Phishing Works
Unlike older phishing methods that aimed to steal credentials and second-factor codes, device-code phishing redirects users to a legitimate Microsoft login page. The user is then prompted to enter a code, typically copied from the phishing lure, which authorizes a malicious application to access their Microsoft 365 account. This process can appear seamless to the user, especially when combined with convincing impersonation tactics.
Selena Larson, a senior threat researcher at Proofpoint, noted that many of these device-code phishing tools exhibit similar characteristics, utilizing consistent lures, content, and branding, suggesting a shared origin or a highly replicable model. This similarity contributes to the widespread nature of the threat, with Proofpoint researchers observing seven virtually identical device-code phishing tools within a ten-day period.
The FBI indicated that Kali365, in particular, began being distributed via Telegram around April. The platform's offerings include OAuth token capture, which is what lets an attacker retain access for a prolonged period without triggering further authentication prompts. That persistent access allows threat actors to move laterally within an organization's cloud environment.
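A defender-side illustration of how the sign-ins described above can be surfaced in telemetry, added here as example code (not from the article, the FBI, or any vendor): a small Python filter that scans constructed Microsoft 365 sign-in records and flags device-code sign-ins from apps not on an allow list, or from a single IP address redeeming device codes for several users. The field names (authenticationProtocol, appDisplayName, userPrincipalName, ipAddress) follow the Microsoft Graph signIn resource as an assumption; the sample events and the app allow list are constructed.

```python
from typing import Dict, Iterable, List, Set

# Constructed sample sign-in events, not real telemetry. Field names mirror the
# Microsoft Graph signIn resource as an assumption; map them to your own export.
SAMPLE_SIGNINS: List[Dict[str, str]] = [
    {"userPrincipalName": "alice@example.test", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Azure CLI", "ipAddress": "203.0.113.10"},
    {"userPrincipalName": "bob@example.test", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Contoso Doc Share", "ipAddress": "198.51.100.7"},
    {"userPrincipalName": "bob@example.test", "authenticationProtocol": "oAuth2",
     "appDisplayName": "Microsoft Teams", "ipAddress": "203.0.113.10"},
    {"userPrincipalName": "carol@example.test", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Azure CLI", "ipAddress": "198.51.100.7"},
]

# Apps the organization has decided legitimately need the device-code flow
# (headless CLIs, shared devices). Constructed for the example; tune per tenant.
ALLOWED_DEVICE_CODE_APPS: Set[str] = {"Microsoft Azure CLI"}


def flag_device_code_signins(events: Iterable[Dict[str, str]],
                             allowed_apps: Set[str] = ALLOWED_DEVICE_CODE_APPS
                             ) -> List[Dict[str, object]]:
    """Return device-code sign-ins worth a closer look, each with its reasons.

    Heuristics (both are assumptions about what is normal in a tenant):
      * "unexpected_app": device-code flow used by an app not on the allow list.
      * "shared_ip": the same IP completed device-code sign-ins for more than
        one user in this batch, which is unusual for a personal device.
    """
    device_events = [e for e in events
                     if e.get("authenticationProtocol") == "deviceCode"]

    # Group distinct users per source IP across device-code sign-ins only.
    users_per_ip: Dict[str, Set[str]] = {}
    for e in device_events:
        users_per_ip.setdefault(e.get("ipAddress", ""), set()).add(
            e.get("userPrincipalName", ""))

    flagged: List[Dict[str, object]] = []
    for e in device_events:
        reasons: List[str] = []
        if e.get("appDisplayName") not in allowed_apps:
            reasons.append("unexpected_app")
        if len(users_per_ip.get(e.get("ipAddress", ""), set())) > 1:
            reasons.append("shared_ip")
        if reasons:
            flagged.append({**e, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in flag_device_code_signins(SAMPLE_SIGNINS):
        print(hit["userPrincipalName"], hit["appDisplayName"], hit["reasons"])
```

In a real deployment the same two checks map onto a scheduled query against the sign-in log export, with the allow list maintained alongside the tenant's Conditional Access policy for authentication flows.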
Implications for Organizations
The impact of compromising Microsoft 365 accounts can be far-reaching. Gaining access to an organization’s identity is a significant advantage for attackers. They can leverage this access to impersonate individuals, steal sensitive data for extortion purposes, commit fraud, or deploy malware.
Researchers at Arctic Wolf Labs, who have also been monitoring Kali365 campaigns, report that the service costs affiliates approximately $250 for 30 days or $2,000 for a year. The captured OAuth access and refresh tokens are stored on the Kali365 platform and can be shared or reused by other cybercriminals, amplifying the potential for damage.
The FBI’s warning underscores the need for organizations to strengthen their defenses against these evolving phishing techniques. Companies should educate their employees about new phishing schemes, implement robust security monitoring, and ensure that their Microsoft 365 security configurations are up-to-date.
The FBI has not provided an end date for its current warning. Organizations are advised to remain vigilant and monitor security advisories for further updates regarding Kali365 and similar threats. The ongoing evolution of phishing-as-a-service platforms highlights the persistent need for adaptive security strategies in the face of sophisticated cyber threats.