Kali365 is an emerging Phishing-as-a-Service (PhaaS) platform that targets Microsoft 365 environments by stealing OAuth authentication tokens instead of passwords. First observed in April 2026, the service enables even low-skilled threat actors to bypass multi-factor authentication (MFA), gain persistent access to corporate cloud accounts, and compromise business communications, files, and collaboration platforms. Kali365 represents a shift from traditional credential theft toward session hijacking and token abuse, making it a significant threat to organizations that rely on Microsoft 365.
Type: Phishing kit
Origin: Unknown
First seen: 1 April, 2026
Last seen: 1 June, 2026
Kali365 is an FBI-flagged PhaaS platform that emerged in April 2026 and enables even low-skilled attackers to compromise Microsoft 365 accounts using AI-powered phishing tools and automated OAuth token capture.
MFA does not stop Kali365. Every documented victim organization was using multi-factor authentication. The platform's device code phishing method rides on a legitimate Microsoft authentication flow: the victim satisfies any MFA prompt in their own browser at the real Microsoft page, and the attacker's polling client receives the resulting tokens without ever being challenged.
Stolen OAuth tokens provide persistent, password-free access to Outlook, Teams, and OneDrive. The refresh token lets the attacker mint new access tokens for as long as it is used regularly and not revoked, and from Microsoft's perspective the session looks entirely legitimate.
Post-compromise behavior is automated and stealthy. Kali365 attackers create inbox rules to suppress security alerts and can register new devices in the victim's environment — extending their foothold beyond the initial token.
Any organization using Microsoft 365 is in scope. Documented victims span healthcare, finance, insurance, manufacturing, government, and education across North America, Europe, and APAC — the common factor is Microsoft 365 adoption, not sector-specific vulnerability.
The most direct technical mitigation is disabling device code flow. Organizations should create Conditional Access policies in Microsoft Entra that block or restrict the device code flow and authentication transfer authentication flows, after auditing existing device code usage so that legitimate dependencies (conference room displays, printers and similar input-limited devices) are excluded rather than broken.
Proactive threat intelligence is essential for early defense. ANY.RUN's Threat Intelligence Lookup and Threat Intelligence Feeds give security teams immediate access to Kali365 IOCs, known malicious infrastructure, and real-time campaign data — enabling teams to block phishing infrastructure, enrich authentication logs, and hunt for active compromises before attackers establish persistence.
Kali365 is a subscription-based cybercrime service distributed primarily through Telegram, offering aspiring attackers a turnkey toolkit for compromising Microsoft 365 environments at scale.
The platform's defining characteristic is its abuse of Microsoft's OAuth 2.0 Device Authorization Grant flow, commonly known as "device code phishing." This legitimate authentication mechanism was created to let input-limited devices (smart TVs, conference room displays, printers, IoT hardware) sign into Microsoft 365: the device displays a short code, and the user enters it on a second device such as a phone or laptop at a genuine Microsoft authorization page (microsoft.com/devicelogin).
Kali365 hijacks this flow: the attacker generates the code, the victim enters it at a real Microsoft URL — believing they are completing a routine verification — and Microsoft then hands the attacker an OAuth access token and a refresh token.
The critical consequence: the attacker never captures a password and is never subjected to an MFA challenge; whatever MFA the tenant requires is satisfied by the victim in their own browser. The victim may believe they acted safely, having visited a genuine Microsoft domain with a valid TLS certificate. The attacker, meanwhile, holds a persistent digital key granting access to everything the victim's account can reach in Microsoft 365.
Beyond device code phishing, Kali365 also offers a second attack mode called "Cookie Link", an adversary-in-the-middle (AitM) capability. Here, victims receive a phishing email whose link leads to attacker-controlled infrastructure that transparently proxies the genuine Microsoft sign-in, capturing the authenticated session cookies, tokens, and the completed MFA result in real time.
ANY.RUN Interactive Sandbox lets analysts see the full phishing flow, validate detection logic, and collect IOCs.
Kali365 detonated in Interactive Sandbox
Deobfuscated Kali365 JavaScript revealed that after a verification gate, the lure deploys a phishing page, launches a legitimate Microsoft device authentication flow, and then polls /api/status/
The code also contains lure-template generators for OneDrive, SharePoint, Teams, Outlook, and Voicemail, and a separate Google device-code authentication flow.
Kali365 kill chain elements
For organizations, Kali365 is much more than another phishing kit. Once attackers gain access to a Microsoft 365 environment, they can:
1. Conduct Business Email Compromise (BEC)
Attackers can monitor executive communications, intercept invoices, alter payment instructions, and launch fraud campaigns from trusted accounts.
2. Steal Sensitive Data
Access to Outlook, Teams, OneDrive, and SharePoint exposes whatever mail, chat history, and files the victim's account can reach.
Compromised cloud accounts often serve as a foothold for further attacks against corporate infrastructure.
3. Launch Additional Social Engineering Campaigns
Threat actors can use trusted internal accounts to distribute malicious links and phishing emails across the organization.
4. Facilitate Ransomware Operations
Access to business communications and cloud resources can help attackers identify high-value assets and prepare ransomware deployment. Because Kali365 grants persistent access through stolen OAuth tokens, attackers may retain access even after passwords are changed unless the tokens themselves are revoked (revoking the user's sign-in sessions, not only resetting the password).
Security firms Arctic Wolf, Proofpoint, and Huntress documented Kali365 campaigns targeting organizations across North America (United States, Canada), Europe, and the broader EMEA region, as well as Australia and New Zealand, within weeks of the platform's April 2026 launch. The targeted sectors span a wide range:
Healthcare is particularly exposed. Microsoft 365 is deeply embedded in healthcare workflows for document sharing, internal communications, billing, and patient administration. A compromised account can mean unauthorized access to protected health information, internal clinical communications, and billing systems — with potentially severe regulatory consequences under frameworks such as HIPAA.
Financial services and insurance face direct risks of fraud, fund transfer manipulation, and sensitive client data exposure. BEC attacks originating from legitimately authenticated internal accounts are especially difficult to detect and defend against.
Government agencies are high-value targets for espionage, data theft, and disruption. The fact that Kali365 bypasses MFA — a control many government mandates consider sufficient — makes it a particularly pressing concern for public sector security.
Manufacturing relies heavily on Microsoft 365 for supply chain communication and operational coordination. Compromised accounts can enable industrial espionage, disrupt production, or facilitate invoice fraud.
Any organization running Microsoft 365 is within scope. The attack does not exploit a Microsoft vulnerability: it abuses the device code authentication flow, which is allowed by default. Unless an organization has explicitly restricted or blocked device code flow via Conditional Access policies, every one of its Microsoft 365 users is a potential target.
The Kali365 infection chain begins with a targeted phishing email and follows a carefully constructed sequence:
Step 1 — The Lure. The attacker sends a phishing email impersonating a trusted cloud productivity or document-sharing service. Commonly impersonated brands include Adobe Acrobat Sign, DocuSign, SharePoint, and Microsoft itself. The email typically communicates urgency — a document requiring signature, a file ready for review, or an account requiring verification. It contains a device code (or a link to a lure page that requests a fresh code when opened, as the sandboxed sample does) and instructions to visit a legitimate Microsoft URL (microsoft.com/devicelogin).
Step 2 — Authorization. The recipient, seeing a familiar and legitimate Microsoft URL, navigates to the real Microsoft page and enters the code. Password managers recognize the domain correctly. The TLS certificate is valid. There is no typo in the URL. The victim believes they have acted safely.
Step 3 — Token Theft. Unknown to the victim, the device code was requested by the attacker's client application. By entering it on the Microsoft page and signing in, the victim authorizes that application to access their account, and Microsoft's token endpoint hands the attacker an OAuth access token and a refresh token. A device code is only valid for a short window (Microsoft issues them with a 15-minute expiry), so the lure has to get the victim to act promptly.
Step 4 — Persistence and Lateral Movement. The attacker now has persistent access to Outlook, Teams, OneDrive, and any other Microsoft 365 resources the victim's account can reach. Without a password, without MFA. Malicious inbox rules are created to suppress security notifications. New devices may be registered in the victim's environment. The attacker can move laterally, impersonate the victim, access connected systems, and escalate privileges.
The second attack mode, Cookie Link, follows a slightly different path: the phishing lure directs victims to a page that transparently proxies their entire authenticated browser session through attacker-controlled infrastructure. Session cookies and tokens are captured server-side as the victim logs in and completes MFA normally — with the AitM infrastructure intercepting everything in transit.
The platform spreads through Telegram channels targeting cybercriminal communities, where it is promoted by resellers and discussed in forums alongside pricing, tutorials, and affiliate onboarding materials.
At the technical level, Kali365 is built around two core capabilities that can be deployed independently or in combination.
Device Code Phishing Mode abuses the OAuth 2.0 Device Authorization Grant flow as follows: the attacker's client application sends a device authorization request to Microsoft's device authorization endpoint, which returns a user code, a device code, and a verification URL. The user code is what the victim types in; the device code is the secret the attacker's application holds to poll the token endpoint. The attacker embeds the user code (or a page that fetches one on demand) in a phishing email and distributes it to targets.
When the victim enters the code at microsoft.com/devicelogin and signs in, they complete the device authorization grant, and Microsoft's authorization server returns an OAuth access token and refresh token to the attacker's polling application. Device code flow was designed for public clients, so the attacker needs no client secret, only a client ID permitted to use the flow. The access token grants immediate API-level access to Microsoft 365 services. The refresh token can be used to request new access tokens for as long as it is kept in use and not revoked, making the session persistent even after the original access token expires.
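The exchange described above, as an added example that is not Kali365 code or any Microsoft implementation: an in-memory stand-in for the device authorization and token endpoints, the victim's approval step, and the attacker's polling loop, so the whole flow runs offline. The 900-second code lifetime and 5-second poll interval are the values Microsoft returns; the client ID, victim identity, scopes and token formats are placeholders. What it shows is where MFA actually happens (inside user_approves, in the victim's session) and that the polling client is handed tokens without ever being challenged.

```python
"""Simulation of the OAuth 2.0 Device Authorization Grant (RFC 8628) as abused
by device code phishing. Added example, not Kali365 code: it models Microsoft's
device authorization and token endpoints with an in-memory authorization
server so the exchange runs offline. The 900-second code lifetime and 5-second
poll interval match what Microsoft returns; the client ID, victim identity and
token formats are placeholders."""
import secrets
import string

CODE_LIFETIME = 900   # seconds; Microsoft returns expires_in=900 for device codes
POLL_INTERVAL = 5     # seconds; the "interval" the client must wait between polls
VERIFICATION_URI = "https://microsoft.com/devicelogin"


class AuthorizationServer:
    """In-memory stand-in for the device authorization and token endpoints."""

    def __init__(self):
        self.pending = {}        # device_code -> state of one authorization request
        self.by_user_code = {}   # user_code -> device_code

    def device_authorization(self, client_id, scope, now):
        # The attacker's client (a public client, so no secret is needed) asks
        # for a code pair. The user_code goes into the lure; the device_code
        # never leaves the attacker and is what the token endpoint is polled with.
        device_code = secrets.token_urlsafe(32)
        alphabet = string.ascii_uppercase + string.digits
        user_code = "".join(secrets.choice(alphabet) for _ in range(9))
        self.pending[device_code] = {"client_id": client_id, "scope": scope,
                                     "issued": now, "last_poll": None, "user": None}
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": VERIFICATION_URI,
                "expires_in": CODE_LIFETIME, "interval": POLL_INTERVAL}

    def user_approves(self, user_code, user, mfa_satisfied):
        # The victim types the user code at the genuine Microsoft page and signs
        # in. Any MFA prompt is satisfied here, in the victim's own browser; the
        # polling client is never challenged.
        device_code = self.by_user_code.get(user_code)
        if device_code not in self.pending or not mfa_satisfied:
            return False
        self.pending[device_code]["user"] = user
        return True

    def token(self, client_id, device_code, now):
        # The attacker polls with the device_code until the victim has approved.
        state = self.pending.get(device_code)
        if state is None or state["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if now - state["issued"] > CODE_LIFETIME:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if state["last_poll"] is not None and now - state["last_poll"] < POLL_INTERVAL:
            return {"error": "slow_down"}
        state["last_poll"] = now
        if state["user"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]   # one-shot: the code is consumed
        return {"token_type": "Bearer", "scope": state["scope"], "expires_in": 3600,
                "access_token": f"AT-{state['user']}-{secrets.token_hex(8)}",
                "refresh_token": f"RT-{state['user']}-{secrets.token_hex(8)}"}


def run_phish(server, victim_delay, mfa_satisfied=True):
    """Attacker side of the exchange: request a code pair, 'deliver' the user
    code, then poll once per interval until tokens arrive or the code expires.
    victim_delay is the second at which the victim enters the code, or None if
    they never do. Returns (outcome, last_response, list_of_poll_results)."""
    client_id = "00000000-0000-0000-0000-000000000000"   # placeholder public client
    scope = "openid offline_access https://graph.microsoft.com/.default"
    grant = server.device_authorization(client_id, scope, now=0)
    now, approved, polls = 0, False, []
    while True:
        now += grant["interval"]
        if not approved and victim_delay is not None and now >= victim_delay:
            approved = server.user_approves(grant["user_code"], "victim@example.com", mfa_satisfied)
        resp = server.token(client_id, grant["device_code"], now)
        polls.append(resp.get("error", "tokens"))
        if "access_token" in resp:
            return "tokens", resp, polls
        if resp.get("error") == "expired_token":
            return "expired", resp, polls


if __name__ == "__main__":
    outcome, resp, polls = run_phish(AuthorizationServer(), victim_delay=60)
    print(outcome, polls.count("authorization_pending"), "pending polls; refresh token:",
          resp.get("refresh_token"))
    print(run_phish(AuthorizationServer(), victim_delay=None)[0])
```

The two runs in the main block are the two outcomes a defender cares about: a victim who enters the code within the window hands the attacker both tokens on the next poll, and a victim who ignores the lure leaves the attacker with an expired_token error after fifteen minutes, which is why the kit's landing page requests a fresh code when the victim arrives rather than relying on one fixed in the email.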
Cookie Link (AitM) Mode operates by deploying a reverse proxy server between the victim and Microsoft's legitimate authentication servers. The victim's browser communicates with what appears to be a legitimate service, but all traffic — including the session cookies generated after successful MFA — passes through the attacker's infrastructure. The attacker captures the authenticated session cookies and tokens directly, bypassing MFA entirely because the victim completed MFA legitimately; the attacker simply intercepted the result.
Post-Compromise Automation distinguishes Kali365 from simpler phishing kits. Upon receiving captured tokens, the platform can automatically create malicious inbox rules within compromised mailboxes. These rules silently reroute and suppress emails containing specific keywords associated with security warnings or phishing alerts. Attackers can then use the platform's dashboard to monitor and manage compromised accounts, export captured tokens, and share access with other affiliates, effectively commoditizing post-compromise access.
The platform's AI-generated phishing lures are produced in real time, customized per campaign and target, and localized into 15 languages, dramatically increasing the realism and geographic scale of campaigns compared to manually crafted phishing emails.
Kali365's architecture presents detection challenges that traditional security tools struggle to address — but threat intelligence solutions specifically designed for proactive defense can meaningfully reduce the risk.
Using Threat Intelligence Feeds for Early Detection and Blocking
ANY.RUN's Threat Intelligence Feeds provide continuously updated indicators associated with phishing campaigns and malicious infrastructure, which security teams can ingest to block phishing infrastructure at the perimeter, enrich authentication logs, and hunt for active compromises before attackers establish persistence.
TI Feeds benefits and integration
ANY.RUN Threat Intelligence Lookup enables security teams to query a continuously updated database of threat indicators, malware behaviors, file hashes, IP addresses, and domains associated with known threat actors and campaigns. For Kali365 specifically, TI Lookup allows organizations to:
Search for Indicators of Compromise (IOCs) linked to Kali365 infrastructure, including known malicious domains (such as kali365[.]xyz and associated sibling servers) and IP addresses used in campaigns documented by Arctic Wolf, Huntress, and the FBI.
Query for OAuth token theft behaviors, device code phishing patterns, and AitM proxy infrastructure signatures to understand whether any matching activity has touched the organization's environment.
Investigate suspicious authentication events by pivoting on observed IPs, user agents, or domain names — rapidly determining whether anomalous sign-in activity corresponds to a documented Kali365 campaign.
domainName:"hesmucbsb.prodcamp.com".
Domain exposed as part of Kali365 infrastructure
Beyond threat intelligence, organizations should take the following measures:
Block or restrict device code flow via Microsoft Entra Conditional Access policies. This is the single most direct technical mitigation against Kali365's primary attack mode. Organizations should audit existing device code usage to identify legitimate dependencies before enforcement.
Block authentication transfer through the same Conditional Access authentication-flows condition, to prevent an authenticated session from being handed from one device to another.
Monitor for suspicious OAuth application registrations and anomalous sign-in patterns, particularly logins from new IP addresses or geographies, new device registrations, and access from devices not enrolled in device management.
Deploy advanced identity security tooling capable of detecting anomalous token usage patterns — not just credential compromise or MFA bypass attempts.
Audit and alert on malicious inbox rules that route, delete, or suppress security-related emails, as these are a consistent post-compromise behavioral indicator in Kali365 attacks.
Conduct phishing awareness training specifically addressing device code phishing scenarios. Users need to understand that entering a short code on a real Microsoft page can still result in account compromise if the code originated from an attacker.
Implement SIEM correlation rules that flag device code authentication events originating from unfamiliar IP addresses or combined with other risk signals.
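What "block or restrict device code flow via Conditional Access" looks like in practice, as an added example that is not ANY.RUN or Microsoft tooling: the Microsoft Graph policy body that blocks both authentication flows, and an audit function that checks whether a tenant's existing policies actually provide that coverage. The field names (conditions.authenticationFlows.transferMethods, grantControls.builtInControls, the state values) follow the Graph conditionalAccessPolicy schema; the sample tenant policies and the break-glass account ID are constructed for the example.

```python
"""Added example (not ANY.RUN or Microsoft code): build the Microsoft Graph
conditional access policy body that blocks device code flow and authentication
transfer, and audit a tenant's existing policies for that coverage. Field
names follow the Graph conditionalAccessPolicy schema; the sample tenant
policies and the break-glass account ID below are constructed placeholders."""
import json

BREAK_GLASS_ACCOUNTS = ["11111111-1111-1111-1111-111111111111"]   # placeholder object ID
REQUIRED_FLOWS = {"deviceCodeFlow", "authenticationTransfer"}


def block_device_code_policy(display_name="Block device code flow and authentication transfer",
                             state="enabledForReportingButNotEnforced",
                             exclude_groups=()):
    """JSON body for POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies.
    It defaults to report-only: run it that way first, review the sign-ins it
    would have blocked (meeting-room displays, printers and similar), move those
    accounts into an excluded group, then switch state to 'enabled'."""
    return {
        "displayName": display_name,
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"],
                      "excludeUsers": list(BREAK_GLASS_ACCOUNTS),
                      "excludeGroups": list(exclude_groups)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            "authenticationFlows": {"transferMethods": ",".join(sorted(REQUIRED_FLOWS))},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def audit_device_code_coverage(policies):
    """Evaluate policies as returned by GET .../identity/conditionalAccess/policies.
    A policy only counts as blocking if it is enforced, applies to all users and
    applications, covers both flows and grants 'block'. Any other policy that
    mentions device code flow is reported with the reasons it falls short;
    excluded groups on a blocking policy are surfaced for review."""
    blocking, findings = [], []
    for p in policies:
        conds = p.get("conditions", {})
        raw = (conds.get("authenticationFlows") or {}).get("transferMethods") or ""
        flows = {m.strip() for m in raw.split(",") if m.strip()}
        if "deviceCodeFlow" not in flows:
            continue   # unrelated policy; a plain MFA grant does not stop device code phishing
        problems = []
        if p.get("state") != "enabled":
            problems.append(f"state is '{p.get('state')}', not enforced")
        if "block" not in p.get("grantControls", {}).get("builtInControls", []):
            problems.append("grant control is not 'block'")
        users = conds.get("users", {})
        if users.get("includeUsers") != ["All"]:
            problems.append("not scoped to all users")
        if conds.get("applications", {}).get("includeApplications") != ["All"]:
            problems.append("not scoped to all applications")
        missing = REQUIRED_FLOWS - flows
        if missing:
            problems.append(f"does not cover {sorted(missing)}")
        notes = [f"review excluded groups {users['excludeGroups']}"] if users.get("excludeGroups") else []
        if problems:
            findings.append({"policy": p["displayName"], "problems": problems})
        else:
            blocking.append({"policy": p["displayName"], "notes": notes})
    return {"blocking": blocking, "findings": findings}


# Constructed tenant state for the example: nothing here actually stops Kali365.
SAMPLE_TENANT_POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    block_device_code_policy("Pilot: device code flow"),   # still report-only
    {"displayName": "Legacy: restrict device code for staff", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["app-1234"]},
                    "authenticationFlows": {"transferMethods": "deviceCodeFlow"}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]

if __name__ == "__main__":
    print(json.dumps(audit_device_code_coverage(SAMPLE_TENANT_POLICIES), indent=2))
    print(json.dumps(block_device_code_policy(state="enabled",
                                              exclude_groups=["meeting-room-devices"]), indent=2))
```

The audit deliberately ignores the "Require MFA for all users" policy: an MFA grant is satisfied by the victim in their own browser, so it provides no protection against this attack, and only a policy that names deviceCodeFlow in its authentication-flows condition and grants block is counted.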
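The monitoring items above (device code sign-ins from unfamiliar addresses, inbox rules that hide security mail, and correlating the two) as an added example, not ANY.RUN or Microsoft tooling. The records are constructed samples shaped like Microsoft Graph signIn objects (authenticationProtocol, ipAddress, userPrincipalName) and Exchange Online New-InboxRule audit records (Operation, UserId, ClientIP, Parameters); the users, addresses, times and trusted network range are invented.

```python
"""Added example, not ANY.RUN or Microsoft tooling: detection logic for two
post-compromise signals described on this page, device code sign-ins from
unfamiliar networks and inbox rules that hide security mail, plus the
correlation between them. The records below are constructed samples shaped
like Microsoft Graph signIn objects and Exchange Online New-InboxRule audit
records; users, IPs, times and the trusted range are invented."""
import ipaddress
import json

# Networks the organization recognizes; constructed for the example.
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Entra sign-in records (constructed). The room display is a legitimate device
# code user; the CFO's device code sign-in from 192.0.2.77 is not.
SIGNIN_LOG = [json.loads(line) for line in """
{"createdDateTime":"2026-05-02T09:21:55Z","userPrincipalName":"cfo@example.com","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","ipAddress":"192.0.2.77","userAgent":"python-requests/2.31"}
{"createdDateTime":"2026-05-02T09:30:12Z","userPrincipalName":"room-display@example.com","appDisplayName":"Microsoft Teams","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.12","userAgent":"Teams/1.6"}
{"createdDateTime":"2026-05-02T10:02:41Z","userPrincipalName":"cfo@example.com","appDisplayName":"Outlook Web","authenticationProtocol":"oAuth2","ipAddress":"198.51.100.9","userAgent":"Mozilla/5.0"}
""".strip().splitlines()]

# Exchange Online audit records (constructed). The first hides security mail.
AUDIT_LOG = [json.loads(line) for line in """
{"CreationTime":"2026-05-02T09:25:03","Operation":"New-InboxRule","UserId":"cfo@example.com","ClientIP":"192.0.2.77","Parameters":[{"Name":"Name","Value":"."},{"Name":"SubjectOrBodyContainsWords","Value":"phishing;security alert;suspicious;password"},{"Name":"MoveToFolder","Value":"RSS Subscriptions"},{"Name":"MarkAsRead","Value":"True"}]}
{"CreationTime":"2026-05-02T11:40:30","Operation":"New-InboxRule","UserId":"ops@example.com","ClientIP":"203.0.113.18","Parameters":[{"Name":"Name","Value":"Vendor newsletters"},{"Name":"From","Value":"news@vendor.example"},{"Name":"MoveToFolder","Value":"Newsletters"}]}
""".strip().splitlines()]

SECURITY_WORDS = {"phishing", "security", "suspicious", "password", "hacked", "alert", "fraud", "compromised"}
HIDING_ACTIONS = {"DeleteMessage", "MoveToFolder", "MarkAsRead"}


def device_code_signins(records, trusted_networks):
    """Every sign-in that used the device code protocol, tagged with whether the
    source IP sits in a trusted network. The trusted ones are the legitimate
    dependencies to exclude before enforcing a Conditional Access block."""
    out = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        ip = ipaddress.ip_address(rec["ipAddress"])
        out.append({"user": rec["userPrincipalName"], "ip": rec["ipAddress"],
                    "app": rec["appDisplayName"], "userAgent": rec.get("userAgent", ""),
                    "trusted_network": any(ip in net for net in trusted_networks)})
    return out


def suspicious_inbox_rules(records):
    """New-InboxRule / Set-InboxRule events whose condition mentions security
    keywords and whose action hides the message (move, delete, mark read)."""
    hits = []
    for rec in records:
        if rec.get("Operation") not in {"New-InboxRule", "Set-InboxRule"}:
            continue
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        conditions = " ".join(v for k, v in params.items() if k.endswith("ContainsWords")).lower()
        keywords = sorted(w for w in SECURITY_WORDS if w in conditions)
        actions = sorted(k for k in params if k in HIDING_ACTIONS)
        if keywords and actions:
            hits.append({"user": rec["UserId"], "ip": rec["ClientIP"], "rule": params.get("Name"),
                         "keywords": keywords, "actions": actions})
    return hits


def kali365_alerts(signins, audit_records, trusted_networks):
    """Device code sign-ins from outside trusted networks, raised to high
    severity when the same user or source IP also created a hiding rule."""
    rules = suspicious_inbox_rules(audit_records)
    alerts = []
    for f in device_code_signins(signins, trusted_networks):
        if f["trusted_network"]:
            continue
        linked = [r for r in rules if r["user"] == f["user"] or r["ip"] == f["ip"]]
        alerts.append({"user": f["user"], "ip": f["ip"], "app": f["app"],
                       "severity": "high" if linked else "medium", "inbox_rules": linked})
    return alerts


if __name__ == "__main__":
    for alert in kali365_alerts(SIGNIN_LOG, AUDIT_LOG, TRUSTED_NETWORKS):
        print(json.dumps(alert, indent=2))
```

On the sample data the room display's device code sign-in is reported as trusted and generates no alert, while the CFO's sign-in from 192.0.2.77 is escalated to high severity because an inbox rule created from the same address moves any message mentioning phishing, security alerts or passwords out of the inbox and marks it read. The keyword and action lists are starting points; tune them against the rules your users legitimately create.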
Kali365 demonstrates how modern phishing campaigns are evolving beyond password theft. By abusing legitimate Microsoft authentication workflows and targeting OAuth tokens instead of credentials, the platform enables attackers to bypass MFA and gain persistent access to business environments.
As Phishing-as-a-Service ecosystems continue to mature, organizations can no longer rely solely on passwords and MFA for protection. Effective defense requires visibility into phishing infrastructure, continuous monitoring of cloud identities, proactive threat intelligence, and rapid detection of suspicious authentication activity.
Trial TI Lookup to start gathering actionable threat intelligence on the malware that threatens your business sector and region: just sign up to ANY.RUN.