The FBI has issued a warning about Kali365, a phishing-as-a-service platform that hijacks Microsoft 365 accounts by exploiting the OAuth 2.0 device code authentication flow to steal valid session tokens and bypass multi-factor authentication entirely.
According to BleepingComputer, the service represents a notable shift in how threat actors approach identity compromise. Rather than attempting to crack passwords or intercept one-time codes, Kali365 tricks users into authorizing a malicious application through Microsoft's own device code protocol. The tokens issued through this legitimate OAuth flow are cryptographically valid, meaning attackers gain persistent access without ever triggering secondary authentication prompts.
The attack mechanics are straightforward but effective. Victims receive a phishing message directing them to a fraudulent page that displays a numeric device code and instructs them to visit Microsoft's legitimate device login portal. Once the user enters the code and signs in, the attacker's application receives an access token tied to that user's session. Because the authentication occurs through Microsoft's genuine infrastructure, MFA challenges are satisfied as part of the normal flow — the attacker simply inherits the resulting token.
What makes Kali365 particularly concerning is its commercialization as a subscription service. By packaging this technique into a PhaaS model, the operators have lowered the technical barrier for less-skilled threat actors to launch enterprise-grade token theft campaigns. Security researchers have noted that phishing-as-a-service ecosystems continue to mature, offering customer support, dashboards, and analytics to their subscribers.
Microsoft's device code flow was designed for scenarios where users sign in on headless devices such as smart TVs or IoT hardware. The protocol itself functions as intended; the vulnerability lies not in the architecture but in how organizations configure and monitor it. Defense against this attack vector is administrative rather than architectural.
For IT administrators managing Microsoft 365 environments, several mitigation steps are available. Conditional Access policies can restrict device code authentication to managed, corporate-owned endpoints or block it entirely where the flow is not operationally required. Token lifetimes should be shortened from their defaults, and Continuous Access Evaluation should be enabled to reduce the window of opportunity for stolen tokens. Organizations should also conduct regular audits of third-party OAuth consents in Entra ID and implement alerting for unfamiliar device code requests or geographic anomalies.
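The alerting step above (flagging device code sign-ins from unmanaged endpoints or from locations a user has never signed in from) can be expressed as a small detection rule over exported Entra ID sign-in records. The following is an added example written for this page, not code from the FBI notice, BleepingComputer, or Microsoft; it assumes records shaped like Microsoft Graph `signIn` objects (the `authenticationProtocol`, `deviceDetail.isManaged`, `location.countryOrRegion` and `status.errorCode` fields), and the users, IPs and countries in the sample data are constructed for illustration.

```python
"""Flag risky device-code sign-ins in an Entra ID sign-in log export (added example)."""
import json
from collections import defaultdict

# Constructed sample records shaped like Microsoft Graph `signIn` objects.
# Field names follow the Graph schema; every value below is made up.
SAMPLE_SIGNINS = json.dumps([
    {"id": "s1", "userPrincipalName": "alice@example.test",
     "createdDateTime": "2024-05-01T08:00:00Z", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.10", "deviceDetail": {"isManaged": True},
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
    {"id": "s2", "userPrincipalName": "alice@example.test",
     "createdDateTime": "2024-05-01T09:10:00Z", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.11", "deviceDetail": {"isManaged": True},
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
    {"id": "s3", "userPrincipalName": "alice@example.test",
     "createdDateTime": "2024-05-01T09:12:00Z", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "deviceDetail": {"isManaged": False},
     "location": {"countryOrRegion": "NG"}, "status": {"errorCode": 0}},
    {"id": "s4", "userPrincipalName": "bob@example.test",
     "createdDateTime": "2024-05-01T07:30:00Z", "authenticationProtocol": "oAuth2",
     "ipAddress": "192.0.2.20", "deviceDetail": {"isManaged": True},
     "location": {"countryOrRegion": "DE"}, "status": {"errorCode": 0}},
    {"id": "s5", "userPrincipalName": "bob@example.test",
     "createdDateTime": "2024-05-01T10:05:00Z", "authenticationProtocol": "deviceCode",
     "ipAddress": "192.0.2.21", "deviceDetail": {"isManaged": False},
     "location": {"countryOrRegion": "DE"}, "status": {"errorCode": 0}},
    {"id": "s6", "userPrincipalName": "carol@example.test",
     "createdDateTime": "2024-05-01T11:00:00Z", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.9", "deviceDetail": {"isManaged": False},
     "location": {"countryOrRegion": "BR"}, "status": {"errorCode": 0}},
])


def load_signins(raw_json: str) -> list[dict]:
    """Parse a JSON array of sign-in records (e.g. a Graph export)."""
    return json.loads(raw_json)


def is_device_code(rec: dict) -> bool:
    """True when the sign-in completed through the OAuth 2.0 device code flow."""
    return rec.get("authenticationProtocol") == "deviceCode"


def succeeded(rec: dict) -> bool:
    """Graph reports a successful sign-in as status.errorCode == 0."""
    return rec.get("status", {}).get("errorCode", 1) == 0


def baseline_countries(records: list[dict]) -> dict[str, set[str]]:
    """Countries each user has signed in from via non-device-code flows.

    Device code sign-ins are deliberately excluded from the baseline so a
    phished session cannot teach the rule that its own location is normal.
    """
    base: dict[str, set[str]] = defaultdict(set)
    for rec in records:
        if succeeded(rec) and not is_device_code(rec):
            country = rec.get("location", {}).get("countryOrRegion")
            if country:
                base[rec["userPrincipalName"]].add(country)
    return base


def flag_device_code_signins(records: list[dict]) -> list[dict]:
    """Return an alert per device-code sign-in that is unmanaged or geographically unusual."""
    base = baseline_countries(records)
    alerts = []
    for rec in records:
        if not is_device_code(rec):
            continue
        reasons = []
        if not rec.get("deviceDetail", {}).get("isManaged", False):
            reasons.append("unmanaged_device")
        user = rec["userPrincipalName"]
        country = rec.get("location", {}).get("countryOrRegion")
        if user not in base:
            reasons.append("no_baseline")      # user has no prior non-device-code history
        elif country not in base[user]:
            reasons.append("new_country")      # first sign-in from this country
        if reasons:
            alerts.append({"id": rec["id"], "user": user,
                           "country": country, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in flag_device_code_signins(load_signins(SAMPLE_SIGNINS)):
        print(json.dumps(alert))
```

A device code sign-in from a managed device in a familiar country (record `s2`) produces no alert, which matches the article's point that the flow is legitimate on known organizational hardware; every other device code sign-in in the sample is flagged with the specific reasons, so a SOC can triage unmanaged-device cases separately from new-location cases.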
User awareness training remains a critical layer. Employees should be educated to treat unsolicited numeric code prompts with suspicion and understand that legitimate device code requests will only originate from known organizational hardware.
As phishing-as-a-service platforms continue to commoditize sophisticated techniques, the Kali365 case underscores a broader reality: static perimeter defenses and one-time authentication checks are no longer sufficient. Organizations must shift toward active session monitoring, automated token lifecycle management, and continuous identity governance to counter an evolving threat landscape.
