The FBI is warning organizations and defenders about Kali365, a growing phishing-as-a-service platform that retrieves Microsoft 365 access tokens, issuing a public service announcement Thursday.
The toolkit bypasses multi-factor authentication and abuses OAuth device code authorizations via phishing lures impersonating common enterprise services. This technique grants cybercriminal-controlled applications access to Microsoft 365 accounts, opening victims up to a host of follow-on malicious activity, including data theft, fraud, extortion and ransomware attacks.
Kali365 is one of many rapidly emerging device-code phishing tools, which are gaining popularity as a more effective means for cybercriminals to circumvent security controls while abusing legitimate Microsoft device authorization pages, according to researchers.
Instead of gaining access to accounts via phishing kits that steal credentials and second-factor authentication codes, device-code phishing platforms connect a malicious app to a legitimate account with a single code. The process requires fewer steps and less interaction with the user, but victims do have to copy-and-paste a code generated by the Kali365 platform to grant access.
“We see quite a bit of this device-code phishing activity, but so much of it looks really similar. They’re all using the same types of lures, the same types of content, the same branding,” Selena Larson, senior threat researcher at Proofpoint, told CyberScoop. “It is very much AI generated, AI driven, and the threat actors, I think, are finding it pretty effective because we’re seeing this shift happen kind of all at once.”
Proofpoint researchers observed seven device-code phishing tools that looked nearly identical during a 10-day period last month.
Device-code phishing isn’t new, but platforms like Kali365 have integrated new techniques that differ from MFA phishing, and might be more effective as a result. “It’s something that people might not be used to. It’s a little bit sleeker,” Larson said.
This also partly explains why these cybercriminal tools are growing so quickly. Larson said Proofpoint observed an explosion in device-code phishing activity starting in February.
By April, Kali365 was up and running and primarily distributed on Telegram, according to the FBI. “Kali365 lowers the barrier of entry, providing less-technical attackers access to AI-generated phishing lures, automated campaign templates, real-time targeted individual/entity tracking dashboards, and OAuth token capture capabilities,” the agency said in the public warning.
Researchers at Arctic Wolf Labs, which has also been tracking large-scale campaigns linked to Kali365, said the platform charges affiliates $250 for 30 days of service or $2,000 for a full year.
Kali365 stores the OAuth access and refresh tokens it captures, and makes those available to affiliates on its platform. Those tokens can also be shared and reused by other cybercriminals who didn’t participate in the initial phishing lure, Arctic Wolf researchers added.
The FBI also noted that these Microsoft 365 tokens provide persistent access, allowing attackers to wade through multiple Microsoft services without a password or additional MFA requests.
“Identity can be very, very powerful once you’re in an organization,” Larson said, adding that attackers can abuse that access to impersonate people, access and steal data for extortion, commit fraud and deploy malware.
