
Kali365 Phishing Kit Bypasses MFA by Stealing OAuth Tokens, FBI Warns

fastcompany.com · @market_structure · 4 hours ago · Cybersecurity · 2 comments

Subscription-based Kali365 platform costs $250 a month and lets attackers capture Microsoft 365 OAuth device codes, bypassing passwords and MFA.

Tags: kali365, microsoft, fbi, oauth, phishing, microsoft 365

Hundreds of attacks in April 2026, a $250 monthly subscription, and OAuth device codes that let attackers walk past multi-factor authentication. That's the Kali365 phishing kit, and the FBI just issued a warning.

Kali365 Turns OAuth Device Codes Into a Backdoor

Kali365 isn't your grandpa's credential-harvesting phishing kit. Instead of stealing passwords, it targets OAuth device codes - the digital tokens that let applications access data without a password. A victim receives an email that looks legit, containing a device code and a link to a legitimate Microsoft verification page. Enter that code, and the attacker snags the OAuth access token. No fake login page. No misspelled domain. Just a clean handover of your entire Microsoft 365 account.

Bitdefender spotted the platform in April 2026, marketed on Telegram. Pricing: $250 per month or $2,000 per year. For that, attackers get AI-generated phishing lures, automated campaign templates, real-time dashboards, and OAuth token capture. The FBI noted that Kali365 "lowers the barrier of entry, providing less-technical attackers access" to these tools.

Why Password Resets and MFA Won't Save You

The attack vector exploits a feature, not a bug. OAuth device codes are designed for devices without full browsers - think smart TVs or IoT gear. Normal MFA checks never fire because no password is typed. Once the token is captured, the attacker can roam through Outlook, Teams, and OneDrive freely. The FBI says victims should never open links with access codes they didn't request, and report incidents to the Internet Crime Complaint Center.

AI-generated lures make the emails harder to distinguish from legitimate Microsoft communications. The scheme doesn't require a deceptive domain or fake portal - the only misdirection is the code itself. If you see a device code in an unsolicited email, your best move is to delete and investigate elsewhere.

The Real Takeaway for Engineering Teams

This is a reminder that authentication tokens need the same scrutiny as passwords. Device code flows should be restricted to devices that genuinely lack browser support. Logging and alerting on unexpected OAuth token grants for high-value accounts should be table stakes. Kali365 proves that a $250-a-month pass is enough to turn a convenience feature into a corporate breach vector. Expect Microsoft to tighten device code flows or the FBI to issue more specific mitigation guidance soon.
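The two mitigations above (restrict device code flow to where it is needed, alert on unexpected grants) can be turned into a small detection that runs over exported sign-in logs. The script below is an added example written for this summary; it is not code from the article, the FBI, Bitdefender, or Microsoft. It assumes Microsoft Entra sign-in records in JSON-lines form where `authenticationProtocol` is `"deviceCode"` for device-code-flow sign-ins (map the field names to your own export if they differ), and the sample records, account list and network ranges are all constructed for the demo.

```python
"""Flag OAuth device-code sign-ins worth an analyst's attention.

Added example, not from the article. Assumes Entra sign-in log records where
authenticationProtocol == "deviceCode" marks a device-code-flow sign-in; the
sample log, the high-value account list and the expected networks are all
constructed placeholders.
"""
import ipaddress
import json
from dataclasses import dataclass

# Constructed sample export (JSON lines). Four sign-ins:
#   1. device code, high-value account, external address   -> alert
#   2. ordinary interactive sign-in                         -> ignore
#   3. device code from the meeting-room VLAN (expected)    -> ignore
#   4. device code, ordinary user, external address         -> alert
SAMPLE_LOG = """
{"createdDateTime": "2026-04-14T09:12:03Z", "userPrincipalName": "cfo@example.com", "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.77"}
{"createdDateTime": "2026-04-14T09:15:41Z", "userPrincipalName": "dev@example.com", "authenticationProtocol": "none", "appDisplayName": "Microsoft Teams", "ipAddress": "198.51.100.10"}
{"createdDateTime": "2026-04-14T09:20:00Z", "userPrincipalName": "av-admin@example.com", "authenticationProtocol": "deviceCode", "appDisplayName": "Azure CLI", "ipAddress": "198.51.100.22"}
{"createdDateTime": "2026-04-14T09:33:19Z", "userPrincipalName": "intern@example.com", "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.5"}
"""

# Policy inputs (assumed): accounts that should alert on ANY device-code
# sign-in, and networks where browserless devices legitimately live.
HIGH_VALUE_ACCOUNTS = {"cfo@example.com", "ciso@example.com"}
EXPECTED_DEVICE_CODE_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]


@dataclass(frozen=True)
class Alert:
    user: str
    app: str
    ip: str
    when: str
    reason: str


def parse_signins(text):
    """Parse JSON-lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def _in_expected_network(ip):
    """True only if ip parses and falls inside an expected range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # missing or malformed address: treat as unexpected
        return False
    return any(addr in net for net in EXPECTED_DEVICE_CODE_NETWORKS)


def classify(record):
    """Return an alert reason for a device-code sign-in, or None."""
    if record.get("authenticationProtocol") != "deviceCode":
        return None
    user = record.get("userPrincipalName", "")
    if user in HIGH_VALUE_ACCOUNTS:
        return "device-code sign-in for high-value account"
    if not _in_expected_network(record.get("ipAddress", "")):
        return "device-code sign-in from outside expected networks"
    return None


def find_device_code_alerts(records):
    """Run classify() over every record and collect the alerts in order."""
    alerts = []
    for r in records:
        reason = classify(r)
        if reason:
            alerts.append(Alert(
                user=r.get("userPrincipalName", ""),
                app=r.get("appDisplayName", ""),
                ip=r.get("ipAddress", ""),
                when=r.get("createdDateTime", ""),
                reason=reason,
            ))
    return alerts


if __name__ == "__main__":
    for a in find_device_code_alerts(parse_signins(SAMPLE_LOG)):
        print(f"{a.when} {a.user} via {a.app} from {a.ip}: {a.reason}")
```

The detection is deliberately simple: the signal is the authentication protocol, not the password or MFA result, because in this scheme both of those look normal. The preventive counterpart is to block the device code flow for users who have no browserless devices, which Microsoft Entra Conditional Access supports through its authentication-flow condition; the script then only has to watch the exceptions you chose to keep.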


Source: The FBI just issued an urgent warning for anyone using Microsoft Teams, Outlook, or OneDrive over a new phishing scheme
Domain: fastcompany.com


