Kali365 is a phishing-as-a-service offering that tricks users into completing a sign-in on the real Microsoft portal, allowing attackers to bypass multifactor authentication by capturing the resulting tokens. It abuses the OAuth device code flow, which was originally designed for sign-in on devices with limited text input, such as printers, smart TVs, or conference room screens.
The attacker first logs in to the Kali365 backend dashboard and starts a sign-in session, which triggers an automatic device authorization request to the OAuth servers. This produces a temporary login code. The attacker then uses the AI tools built into Kali365 to generate a polished, tailored phishing email that mimics familiar enterprise services such as OneDrive, SharePoint, or DocuSign.
The email instructs the user to review a document. The user follows the genuine Microsoft link and lands on the real Microsoft Device Login Portal. The address bar shows a padlock, a valid certificate, and the proper domain, convincing the user that they are on a legitimate login page where they must complete the required MFA (multi-factor authentication). By submitting the attacker's code on that page, the victim authorizes the device that generated the code, unknowingly granting it access to their account.
At this point Microsoft issues the tokens, including a refresh token, to the session that originated the device code rather than to the victim's active login session. In effect, instead of granting access to the victim, who is the legitimate user, it hands the tokens to the attacker on a new device, treating that device as if it belonged to the same person.
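Because the tokens land on the device that started the flow, a useful defensive signal is a successful device-code sign-in from an address the user has never used before. The following is an added example, not code from the original article or from any Microsoft tool: it runs that check over constructed sign-in records whose field names are assumed to follow the Microsoft Entra sign-in log schema (`authenticationProtocol`, `ipAddress`, `userPrincipalName`, `status.errorCode`).

```python
from collections import defaultdict

# Constructed sample records shaped like Entra sign-in log entries (values are made up).
# alice's device-code sign-in comes from an address she has never signed in from;
# bob's comes from his usual address (e.g. a meeting-room device on the office network).
SAMPLE_SIGNINS = [
    {"createdDateTime": "2025-03-01T08:00:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.10", "authenticationProtocol": "authorizationCode",
     "status": {"errorCode": 0}},
    {"createdDateTime": "2025-03-01T08:10:00Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "203.0.113.22", "authenticationProtocol": "authorizationCode",
     "status": {"errorCode": 0}},
    {"createdDateTime": "2025-03-02T17:45:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "198.51.100.77", "authenticationProtocol": "deviceCode",
     "status": {"errorCode": 50126}},  # failed attempt: no token issued, ignored
    {"createdDateTime": "2025-03-03T09:12:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "198.51.100.77", "authenticationProtocol": "deviceCode",
     "status": {"errorCode": 0}},
    {"createdDateTime": "2025-03-03T09:20:00Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "203.0.113.22", "authenticationProtocol": "deviceCode",
     "status": {"errorCode": 0}},
]


def flag_device_code_signins(signins):
    """Return (user, ip, time) for each successful device-code sign-in whose source
    address never appeared in an earlier successful interactive sign-in by that user.

    The baseline is built chronologically, so only history that predates an event
    can vouch for it; a user with no history at all is always flagged."""
    known_ips = defaultdict(set)
    flagged = []
    for rec in sorted(signins, key=lambda r: r["createdDateTime"]):
        if rec.get("status", {}).get("errorCode", 0) != 0:
            continue  # failed sign-ins neither issue tokens nor establish a baseline
        user, ip = rec["userPrincipalName"], rec["ipAddress"]
        if rec.get("authenticationProtocol") == "deviceCode":
            if ip not in known_ips[user]:
                flagged.append((user, ip, rec["createdDateTime"]))
        else:
            known_ips[user].add(ip)
    return flagged


if __name__ == "__main__":
    for user, ip, when in flag_device_code_signins(SAMPLE_SIGNINS):
        print(f"REVIEW: device-code sign-in for {user} from unfamiliar address {ip} at {when}")
```

Flagged events are a starting point for review, and where the device code flow is not needed at all, blocking it by policy removes the exposure entirely.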
The FBI's IC3 was the first to publish news of the Kali365 hijacking threat. Phishing emails have become so accurate that it is almost impossible to recognize them as a security risk before damage is done. The only way to prevent these attacks is to stay sharp, avoid authorizing sign-ins for unfamiliar devices, and stay aware of the latest cyberattacks.