
Safe Tuesday: Kali365 defeats MFA via the OAuth device code flow

The FBI has warned of a Phishing-as-a-Service platform called Kali365. The attack does not break MFA - the victim completes MFA themselves, and the tokens are issued to the attacker's client through the legitimate OAuth 2.0 device code flow in Microsoft 365. Five Entra ID hardening steps worth implementing within 48 hours.

In mid-May 2026, the FBI published a warning about a new Phishing-as-a-Service platform called Kali365. The mechanism behind this attack deserves the attention of every Microsoft 365 administrator - including those who believe multi-factor authentication sufficiently protects their environment.

The key observation is this: Kali365 does not bypass MFA. It uses it as an element that builds the victim’s trust.

[Image: abstract visualisation of session token interception in a phishing attack]

How the attack works

The Kali365 operator exploits a legitimate Microsoft mechanism - the OAuth 2.0 device authorization grant (RFC 8628), known in Entra ID as the device code flow. It was designed for devices without a usable keyboard (televisions, printers, IoT devices): the device asks Entra ID for a code, displays a short user code, and the user completes the sign-in, MFA included, in a browser on another device at microsoft.com/devicelogin. Once the user has done so, the access and refresh tokens are issued to whichever client holds the matching device code. Nothing in the flow ties that client to the browser in which the user authenticated, so a Conditional Access policy that merely requires MFA does not stop it: MFA is satisfied, just not by the attacker.

A typical scenario looks as follows:

  1. The operator starts the device code flow against Entra ID from their own machine, typically posing as a Microsoft first-party client, and receives two values: a device code, which they keep, and a user code, which they forward to the victim.
  2. They send the user a message disguised as an internal IT communication - “please sign in at microsoft.com/devicelogin and enter this code”. The code is valid for only 15 minutes, which is why the lures carry a sense of urgency.
  3. The user signs in with their own account, completes MFA, and enters the code, in good faith.
  4. The attacker’s client, which has been polling the token endpoint, receives an access token and a refresh token with all of the victim’s permissions; the refresh token lets it keep obtaining new tokens long after the phishing message has been deleted.
  5. MFA was not bypassed - the victim performed it, and the result was bound to the attacker’s client.

The barrier to entry for the attacker is low, and the effectiveness is high - particularly in organisations that have not configured appropriate Conditional Access policies.
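The exchange described above, as an added example that is not part of the original post or of any Microsoft code: a small in-memory model of the device code flow's three endpoints, with a function that walks the five steps and returns each side's messages. The client id, the victim identity and the token formats are made-up placeholders; the code lifetime and polling interval follow the published Entra ID defaults.

```python
"""Added example (not the page's or Microsoft's code): an in-memory model of
the OAuth 2.0 device authorization grant (RFC 8628) as Entra ID exposes it,
used to show why device code phishing needs no MFA bypass. The client id and
user identity are made-up values; token strings are placeholders.
"""
import secrets
import string
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

USER_CODE_ALPHABET = string.ascii_uppercase + string.digits
CODE_LIFETIME_SECONDS = 900  # Entra ID user codes expire after 15 minutes
POLL_INTERVAL_SECONDS = 5


@dataclass
class PendingGrant:
    client_id: str
    scope: str
    expires_at: float
    approved_by: Optional[str] = None  # UPN of whoever finished sign-in + MFA


class DeviceCodeServer:
    """Plays the authorization server's three endpoints.

    Nothing here links the browser in which the user authenticates to the
    client that requested the code: the code itself is the only binding.
    """

    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock
        self._by_device_code: Dict[str, PendingGrant] = {}
        self._by_user_code: Dict[str, PendingGrant] = {}

    def devicecode(self, client_id: str, scope: str) -> dict:
        """POST /oauth2/v2.0/devicecode, called by the client (the attacker)."""
        grant = PendingGrant(client_id, scope, self.clock() + CODE_LIFETIME_SECONDS)
        device_code = secrets.token_urlsafe(32)  # stays with the client
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(9))
        self._by_device_code[device_code] = grant
        self._by_user_code[user_code] = grant
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://microsoft.com/devicelogin",
                "expires_in": CODE_LIFETIME_SECONDS, "interval": POLL_INTERVAL_SECONDS}

    def devicelogin(self, user_code: str, upn: str, mfa_satisfied: bool) -> dict:
        """The victim's browser: enter the code, sign in, complete MFA."""
        grant = self._by_user_code.get(user_code)
        if grant is None or grant.expires_at < self.clock():
            return {"error": "expired_token"}
        if not mfa_satisfied:
            # MFA is enforced here, on the user, exactly as policy demands.
            return {"error": "interaction_required"}
        grant.approved_by = upn
        return {"status": "ok", "client_id": grant.client_id}

    def token(self, device_code: str) -> dict:
        """POST /oauth2/v2.0/token (grant_type=device_code), polled by the client."""
        grant = self._by_device_code.get(device_code)
        if grant is None or grant.expires_at < self.clock():
            return {"error": "expired_token"}
        if grant.approved_by is None:
            return {"error": "authorization_pending"}
        # Tokens go to the polling client, not to the browser that did MFA.
        return {"token_type": "Bearer", "scope": grant.scope,
                "access_token": "at." + grant.approved_by + "." + grant.client_id,
                "refresh_token": "rt." + secrets.token_urlsafe(24)}


def simulate_device_code_phish(server: DeviceCodeServer, victim_upn: str) -> dict:
    """Walk the five steps from the article and return each side's messages."""
    # 1. Attacker starts the flow, posing as a public first-party client
    #    (assumed client id, not a real one).
    start = server.devicecode(client_id="00000000-attacker-posing-as-office",
                              scope="openid offline_access Mail.Read")
    # Polling before the victim acts yields authorization_pending.
    pending = server.token(start["device_code"])
    # 2./3. The lure carries only user_code; the victim signs in and completes MFA.
    login = server.devicelogin(start["user_code"], victim_upn, mfa_satisfied=True)
    # 4. The attacker's next poll receives the tokens.
    tokens = server.token(start["device_code"])
    return {"lure_code": start["user_code"], "before_victim": pending,
            "victim_saw": login, "attacker_got": tokens}


if __name__ == "__main__":
    result = simulate_device_code_phish(DeviceCodeServer(), "alice@example.com")
    for side, msg in result.items():
        print(side, msg)
```

The point the model makes visible is in `token`: the server checks that *someone* completed sign-in and MFA for this code, not *who* is asking for the token. The `clock` parameter exists so the 15-minute expiry can be exercised without waiting.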

Five steps worth implementing in the next 48 hours

  • Conditional Access - a policy using the Authentication flows condition to block the device code flow, at minimum from outside trusted locations and from non-compliant devices. Start in report-only mode, check the sign-in logs for legitimate device code use (headless servers running Azure CLI, for example), then enforce.
  • Entra ID - enabling sign-in risk policies and user risk policies (requires an Entra ID P2 licence).
  • Defender for Cloud Apps - active monitoring of unusual OAuth flows: device code sign-ins from unfamiliar IP addresses, a single source obtaining tokens for several users, and token refreshes from new locations.
  • Token lifetime policies - shortening access token lifetimes and enforcing sign-in frequency through Conditional Access. Note that refresh token lifetimes are not configurable in Entra ID, so when a compromise is detected, revoke the user’s sign-in sessions so that the stolen refresh token stops working.
  • User communication - a short instruction: “Microsoft never asks you to type in a code sent in a separate message. A genuine device sign-in code appears on the device you are holding, never in a message from someone else.”
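The first and third steps made concrete, as an added example that is not part of the original post or of any Microsoft code: the Conditional Access policy body for blocking the device code flow outside trusted locations as a Microsoft Graph request payload, and a detection pass over sign-in records in the shape of the Graph signIn resource. The trusted network range, the break-glass account id and the sign-in records are constructed; the policy schema (authenticationFlows.transferMethods, AllTrusted locations) is as documented for Graph v1.0 at the time of writing and should be checked against the current reference before use.

```python
"""Added example (not the page's or Microsoft's code): the Conditional Access
policy body for step 1 as a Microsoft Graph payload, and a detection pass for
step 3 over constructed sign-in records in the shape of the Graph signIn
resource. The trusted network range, break-glass account id and log records
are made up; the policy schema follows the Graph v1.0 reference at the time
of writing.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List

# Assumed office egress range (TEST-NET-3); in Entra this is a named location.
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def device_code_block_policy(break_glass_ids: List[str],
                             enforce: bool = False) -> dict:
    """Body for POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies.

    Starts in report-only mode so that legitimate device code users (headless
    servers running Azure CLI, for example) surface in the sign-in logs before
    the block bites. Break-glass accounts are excluded as usual.
    """
    return {
        "displayName": "Block device code flow outside trusted locations",
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": break_glass_ids},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
            "locations": {"includeLocations": ["All"],
                          "excludeLocations": ["AllTrusted"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


# Constructed sample sign-in records (a subset of Graph signIn fields).
SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-05-19T08:02:11Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.7", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Azure CLI", "conditionalAccessStatus": "success"},
    {"createdDateTime": "2026-05-19T08:15:40Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "198.51.100.23", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "conditionalAccessStatus": "notApplied"},
    {"createdDateTime": "2026-05-19T08:17:02Z", "userPrincipalName": "carol@example.com",
     "ipAddress": "198.51.100.23", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "conditionalAccessStatus": "notApplied"},
    {"createdDateTime": "2026-05-19T08:20:00Z", "userPrincipalName": "dave@example.com",
     "ipAddress": "198.51.100.23", "authenticationProtocol": "oAuth2",
     "appDisplayName": "Microsoft Teams", "conditionalAccessStatus": "success"},
]


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def find_device_code_signins(records: List[dict]) -> List[dict]:
    """Raw hits: device code sign-ins whose source IP is outside trusted networks."""
    return [r for r in records
            if r.get("authenticationProtocol") == "deviceCode"
            and not is_trusted(r["ipAddress"])]


def cluster_by_source(hits: List[dict]) -> Dict[str, List[str]]:
    """One external IP collecting tokens for several users looks like a PhaaS
    operator's client, not a fleet of printers; return ip -> sorted UPNs."""
    users = defaultdict(set)
    for h in hits:
        users[h["ipAddress"]].add(h["userPrincipalName"])
    return {ip: sorted(u) for ip, u in users.items()}


if __name__ == "__main__":
    hits = find_device_code_signins(SAMPLE_SIGNINS)
    for ip, upns in cluster_by_source(hits).items():
        print(f"{ip}: device code tokens issued for {', '.join(upns)}")
```

In the sample data the Azure CLI sign-in from the office range is left alone, while the two Microsoft Office device code sign-ins from one external address are grouped together; that grouping, rather than any single event, is what a SOC analyst would escalate. The same filter (`authenticationProtocol == "deviceCode"`) is what to run in report-only mode before enforcing the policy.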

Why this matters now

A significant proportion of Polish organisations using Microsoft 365 do not yet have an active policy blocking the device code flow in untrusted scenarios. The flow is enabled by default in every tenant, so the attack vector remains available until a Conditional Access policy closes it.

As a Microsoft Solutions Partner, we help clients carry out Entra ID hardening, configure Conditional Access, and implement OAuth monitoring in Defender for Cloud Apps. If you would like to discuss the configuration of your own organisation, we invite you to get in touch.


Source: FBI Public Service Announcement (May 2026) regarding the Kali365 Phishing-as-a-Service platform.

Topics: Safe Tuesday Microsoft 365 Entra Cybersecurity Conditional Access
