Tracking the Expansion of Kali365 and Device Code Phishing Infrastructure

The Kali365 phishing-as-a-service platform has evolved from its initial focus on Microsoft 365 into a broader identity threat tool targeting AWS and major messaging services. This analysis details the mechanics of OAuth device code phishing and provides actionable guidance for securing organizational environments against these techniques.

Triage Security Media Team

The operators of Kali365, a phishing-as-a-service (PhaaS) platform known for facilitating multifactor authentication (MFA) bypass on Microsoft 365 accounts, have recently broadened their infrastructure and target list.

According to a recent report by Arctic Wolf, Kali365 has evolved from a specialized Microsoft-focused toolkit into a more comprehensive credential harvesting platform. The service now targets digital identities across Amazon Web Services (AWS), Okta, Xerox DocuShare, and several prominent Russian online services. Notably, this includes MAX Messenger, a state-backed messaging platform in Russia with an estimated 80 million daily active users.

This infrastructure expansion indicates a deliberate focus on Russian consumer-internet platforms alongside established Western enterprise targets. According to Arctic Wolf researchers, unauthorized access to MAX Messenger accounts provides operators with a significant propagation channel across a vast messaging user base.

The mechanics of device code phishing

Kali365 operates by automating a technique known as device code phishing. This method abuses the OAuth 2.0 device authorization grant—a legitimate authentication workflow designed for input-constrained hardware like smart TVs and IoT devices that lack full browsers or keyboards. In a standard workflow, the hardware displays a code that the user enters into a separate device, such as a smartphone or laptop, to complete the login process and link the hardware to their account.

In a device code phishing scenario, a threat actor initiates a legitimate OAuth 2.0 device authorization request against their own infrastructure. They then prompt a targeted individual to enter the generated code on a legitimate identity provider portal. This prompt is typically delivered via a phishing lure impersonating a shared OneDrive file or a standard security verification request.

Once the user authenticates on the legitimate portal and completes their standard MFA steps, the identity provider issues access and refresh tokens directly to the unauthorized party's session. This grants persistent access to the account without requiring the user's password. Because the targeted user unknowingly completes the authentication process on behalf of the unauthorized party, standard MFA configurations do not prevent the access.
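To make the token-routing property concrete, the following is an added, in-memory model of the RFC 8628 device authorization grant (example code written for this explanation, not Kali365 or any identity provider's implementation; the class and method names and the placeholder verification URI are assumptions). MFA is checked when the user enters the code, but tokens are released only to whoever polls with the device_code, which is why a password-plus-MFA control alone does not stop the flow:

```python
import secrets
import time

# Constructed in-memory model of the OAuth 2.0 device authorization grant
# (RFC 8628), illustrating that tokens go to the holder of the device_code,
# not to the browser session that typed the user_code and completed MFA.

class DeviceAuthServer:
    def __init__(self, lifetime_s=900, interval_s=5):
        self.lifetime_s = lifetime_s   # RFC 8628 "expires_in"
        self.interval_s = interval_s   # minimum polling interval
        self._requests = {}            # device_code -> pending request state
        self._by_user_code = {}        # user_code -> device_code

    def device_authorization(self, client_id, scope):
        """Step 1: the client (the party that started the flow) asks for codes."""
        device_code = secrets.token_urlsafe(32)
        user_code = "-".join(secrets.token_hex(2).upper() for _ in range(2))
        self._requests[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "issued_at": time.time(), "approved_by": None,
        }
        self._by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://idp.example/device",  # placeholder
                "expires_in": self.lifetime_s, "interval": self.interval_s}

    def user_verifies(self, user_code, username, mfa_passed):
        """Step 2: a person enters the code on the legitimate portal and passes
        MFA. Only the approval is recorded; no token is returned to this session."""
        device_code = self._by_user_code.get(user_code)
        if device_code is None or not mfa_passed:
            return False
        self._requests[device_code]["approved_by"] = username
        return True

    def token(self, device_code):
        """Step 3: the client polls the token endpoint with its device_code."""
        req = self._requests.get(device_code)
        if req is None:
            return {"error": "invalid_grant"}
        if time.time() - req["issued_at"] > self.lifetime_s:
            return {"error": "expired_token"}
        if req["approved_by"] is None:
            return {"error": "authorization_pending"}
        # Tokens carry the approver's identity but are delivered to the poller.
        return {"access_token": f"at.{req['approved_by']}.{secrets.token_hex(8)}",
                "refresh_token": f"rt.{secrets.token_hex(8)}",
                "token_type": "Bearer", "scope": req["scope"]}
```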

Platform commercialization and infrastructure

The operational model of Kali365 lowers the technical barrier for unauthorized access by providing a subscription-based platform. A recent public service announcement from the FBI noted that the kit equips users with automated campaign templates, AI-generated lures, OAuth token capture capabilities, and real-time tracking dashboards for monitoring targeted individuals.

Recent analysis of the platform's command-and-control (C2) infrastructure identified 126 unsafe hosts active throughout May. These hosts impersonate a wide range of platforms to enable token capture, including Microsoft Outlook, Microsoft Live, Okta SSO, Xerox DocuShare, the German email provider GMX, AWS naming conventions, and major Russian services like Mail.ru, Yandex Disk, and Odnoklassniki.

Kali365 represents a broader trend in the PhaaS ecosystem. Push Security recently observed a significant increase in device code phishing activity, identifying at least 14 distinct kits currently available. Some of these are new dedicated platforms like Venom and CYB3R, while others, such as Tycoon2FA, are established PhaaS platforms that have recently integrated device code functionality.

Mitigating device code authorization risks

Defending against device code phishing requires a combination of configuration management and user awareness. Security teams face a unique challenge: while entirely blocking device code logins eliminates the risk, doing so can cause significant operational disruption in environments where developers and technical personnel rely on the workflow.

To safeguard environments while maintaining necessary functionality, organizations can implement the following controls:

  • Implement conditional access policies: Configure policies to block device code flow for the majority of the user base, maintaining limited exceptions only for required business processes.

  • Audit existing usage: Before enforcing conditional access rules, audit your environment's existing device code flow usage to map legitimate dependencies and prevent accidental lockouts.

  • Restrict authentication transfers: Use policies that block authentication transfer, preventing credentials or active sessions from being moved from computers to mobile devices.

  • Exclude emergency accounts: Ensure break-glass or emergency access accounts are excluded from total device code flow restrictions to maintain administrative recovery options.

  • Enhance security awareness: Deploy targeted training that specifically educates users on the OAuth device code flow, teaching them to verify the context of any prompt asking them to input a randomly generated code into a Microsoft or Okta portal.
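As an added example of the audit step above (not code from the article, Arctic Wolf or Push Security), this Python script reads sign-in records in the shape of the Microsoft Graph signIn resource (userPrincipalName, appDisplayName, authenticationProtocol, status.errorCode) and maps successful device-code sign-ins to user/app pairs, which are the dependencies a block policy would need exceptions for. It also goes one step further than the bullet and flags accounts whose use of the flow is rare; the sample records are constructed and the rarity threshold is an assumption:

```python
import json
from collections import Counter, defaultdict

# Constructed sample of Entra sign-in log records in Microsoft Graph signIn
# shape. Values are made up for this example; "deviceCode" is the value the
# authenticationProtocol field carries for device code flow sign-ins.
SAMPLE_SIGNINS = json.loads("""[
 {"userPrincipalName":"dev1@example.com","appDisplayName":"Azure CLI",
  "authenticationProtocol":"deviceCode","ipAddress":"203.0.113.10",
  "createdDateTime":"2025-05-02T09:15:00Z","status":{"errorCode":0}},
 {"userPrincipalName":"dev1@example.com","appDisplayName":"Azure CLI",
  "authenticationProtocol":"deviceCode","ipAddress":"203.0.113.10",
  "createdDateTime":"2025-05-09T10:02:00Z","status":{"errorCode":0}},
 {"userPrincipalName":"finance@example.com","appDisplayName":"Microsoft Office",
  "authenticationProtocol":"deviceCode","ipAddress":"198.51.100.77",
  "createdDateTime":"2025-05-20T14:41:00Z","status":{"errorCode":0}},
 {"userPrincipalName":"finance@example.com","appDisplayName":"Microsoft Office",
  "authenticationProtocol":"oAuth2","ipAddress":"192.0.2.5",
  "createdDateTime":"2025-05-19T08:00:00Z","status":{"errorCode":0}}
]""")

def device_code_usage(signins):
    """Audit step: count successful device-code sign-ins per (user, app).
    Each pair returned is a legitimate dependency to review before a
    conditional access policy blocks the flow for everyone else."""
    usage = Counter()
    for s in signins:
        if (s.get("authenticationProtocol") == "deviceCode"
                and s["status"]["errorCode"] == 0):
            usage[(s["userPrincipalName"], s["appDisplayName"])] += 1
    return usage

def rare_device_code_users(signins, min_prior=2):
    """Flag users who used the device code flow fewer than min_prior times
    (assumed threshold). A one-off use by an account that otherwise signs in
    interactively is worth verifying with the user rather than whitelisting."""
    per_user = defaultdict(Counter)
    for s in signins:
        per_user[s["userPrincipalName"]][s.get("authenticationProtocol")] += 1
    return sorted(u for u, c in per_user.items()
                  if 0 < c["deviceCode"] < min_prior)

if __name__ == "__main__":
    for (user, app), n in sorted(device_code_usage(SAMPLE_SIGNINS).items()):
        print(f"{user:<24} {app:<20} {n} device-code sign-ins")
    print("verify before exempting:", rare_device_code_users(SAMPLE_SIGNINS))
```

Run it against a real sign-in log export (Entra sign-in logs can be exported as JSON in this shape) to build the exception list before enforcing the block.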