Attack Report 2026-05-26 9 min read

Kali365: OAuth Device Code Phishing Targeting Microsoft 365

Kali365 abuses OAuth Device Authorization to hijack Microsoft 365 sessions without credentials. Analysis of the technique, IOCs, and defenses.


On 18 May 2026 the Obrela MDR Team identified live Kali365 C2 infrastructure while investigating a malicious Microsoft 365 authentication event. Findings were published in an Obrela Security Advisory on 20 May 2026 and align with public warnings from the FBI and threat research from Arctic Wolf Labs covering the same PhaaS ecosystem and technique. This report consolidates the three sources into a single operational reference: technique, capabilities, verified IOCs, and the controls that actually neutralise the attack.

What is Kali365?

Kali365 is a commercial Phishing-as-a-Service (PhaaS) platform with a subscriber-facing panel, Telegram-based operations support, and multi-tenant infrastructure. Obrela's analysis attributed the discovered C2 environment to Kali365 based on panel similarities, infrastructure overlap, operational fingerprints and exposed front-end JavaScript associated with subscriber capabilities. Capability coverage spans the full identity-compromise lifecycle: phishing delivery, OAuth Device Code abuse, AiTM proxying, token persistence, mailbox interaction, lateral campaign expansion, and tenant-level abuse where a compromised identity holds directory roles.

The danger is not lure quality — it is the technique. Rather than harvesting credentials, Kali365 abuses Microsoft's legitimate OAuth 2.0 Device Authorization Grant flow. The victim authenticates against real Microsoft endpoints and completes MFA on real Microsoft infrastructure; what they unknowingly authorise is an attacker-controlled session bound to their identity. Access and refresh tokens are exfiltrated to the Kali365 backend and replayed against Microsoft Graph, Exchange Online and Teams APIs — with no credential ever leaving the victim, and with full MFA satisfied on the wire.

How the Attack Works — Step by Step

Phase 1

Lure Delivery — Microsoft-themed phishing email

The campaign starts with a phishing email impersonating Microsoft, IT support, or a trusted vendor — often referencing a shared document, voicemail, or Teams meeting. The lure contains either a malicious attachment (PDF/Word/Excel/PowerPoint generated by the Kali365 builder) or a hyperlink that triggers a freshly generated device code request against Microsoft's legitimate authorization endpoint.

Phase 2

Device Code Trap — Victim enters the code on Microsoft's real site

The victim is directed to microsoft.com/devicelogin (a genuine Microsoft URL) and asked to enter a short alphanumeric code. From the user's perspective everything looks perfectly normal — same TLS certificate, same Microsoft branding, same domain. In reality the code was just requested by the attacker's backend, and entering it binds the user's identity to a session the attacker controls.

Phase 3

Authentication & MFA — Performed on real Microsoft infrastructure

The victim signs in with their corporate credentials and completes whatever MFA challenge the tenant requires — push notification, OTP, FIDO2 — on Microsoft's real login pages. Because the authentication itself happens on Microsoft's infrastructure, Conditional Access, Identity Protection risk signals, and most "impossible travel" heuristics see a legitimate sign-in from the user's normal device.

Phase 4

Token Capture — Kali365 backend silently receives the tokens

The moment the victim completes the device authorization, Microsoft issues an OAuth access token and a long-lived refresh token to the application that initiated the request — the Kali365 backend. These tokens are immediately exfiltrated to attacker-controlled infrastructure (216.203.20[.]95:8443 and sibling DigitalOcean hosts) and replayed against Microsoft Graph, Exchange Online and Teams APIs.

Phase 5

Persistence — Inbox rules, trusted devices, mailbox harvesting

With valid tokens in hand, the attacker creates malicious inbox rules to suppress Microsoft security notifications, registers additional trusted devices to extend access beyond the refresh token lifetime, harvests contacts for the next wave of targets, and pivots laterally into OneDrive, SharePoint and Teams chat history. Refresh tokens are valid for up to 90 days by default, which is why simple password resets do not evict the attacker.
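The five phases above leave two correlatable traces in tenant logs: a device-code sign-in (Phase 4) and an inbox rule created shortly afterwards (Phase 5). The hunt below is an added example for this report, not Obrela's or Arctic Wolf's tooling; the sign-in and audit records are constructed, the field names are simplified stand-ins for the Entra sign-in log `authenticationProtocol` and unified audit log `Operation` fields, and the allowlisted client app is an assumed tenant value.

```python
"""Hunt exported Entra ID sign-in and Exchange audit records for the device-code
abuse pattern described above (Phase 4 sign-in, Phase 5 inbox-rule persistence).
Added example, not Obrela's or Arctic Wolf's tooling; all records are constructed
and the field names are simplified, so map them to your own SIEM export."""
from datetime import datetime, timedelta

KNOWN_BAD_IPS = {"43.131.5.194"}        # confirmed source IP from the advisory
ALLOWED_DEVICE_CODE_APPS = {"Meeting Room Display"}  # assumed tenant allowlist
WINDOW = timedelta(hours=24)

SIGNINS = [  # constructed; 'protocol' mirrors the sign-in log authenticationProtocol field
    {"user": "alice@corp.example", "ip": "43.131.5.194", "app": "Microsoft Office",
     "protocol": "deviceCode", "time": "2026-05-18T09:12:00"},
    {"user": "bob@corp.example", "ip": "203.0.113.7", "app": "Meeting Room Display",
     "protocol": "deviceCode", "time": "2026-05-18T10:00:00"},
    {"user": "carol@corp.example", "ip": "198.51.100.9", "app": "Microsoft Office",
     "protocol": "oAuth2", "time": "2026-05-18T10:30:00"},
]
AUDIT = [  # constructed; 'op' mirrors the unified audit log Operation field
    {"user": "alice@corp.example", "op": "New-InboxRule", "time": "2026-05-18T09:40:00"},
    {"user": "carol@corp.example", "op": "New-InboxRule", "time": "2026-05-18T11:00:00"},
]

def _ts(s):
    return datetime.fromisoformat(s)

def hunt(signins, audit):
    """Return one finding per suspicious sign-in: the user, source IP, a
    severity, and the reasons that fired."""
    findings = []
    for s in signins:
        reasons = []
        if s["protocol"] == "deviceCode" and s["app"] not in ALLOWED_DEVICE_CODE_APPS:
            reasons.append("device-code grant for an unapproved client app")
        if s["ip"] in KNOWN_BAD_IPS:
            reasons.append("source IP listed in the advisory")
        if not reasons:
            continue  # ordinary sign-in, or an approved device-code client
        # Phase 5 follow-on: an inbox rule created by the same user inside the window.
        t0 = _ts(s["time"])
        followed = any(a["user"] == s["user"] and a["op"] == "New-InboxRule"
                       and t0 <= _ts(a["time"]) <= t0 + WINDOW for a in audit)
        if followed:
            reasons.append("New-InboxRule within 24h of the sign-in")
        severity = "high" if followed or len(reasons) > 1 else "medium"
        findings.append({"user": s["user"], "ip": s["ip"],
                         "severity": severity, "reasons": reasons})
    return findings
```

An inbox rule on its own (carol) is not raised here; pair this with the standalone inbox-rule alert listed under Defensive Controls.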

Platform Capabilities

Obrela's analysis of the leaked subscriber-facing JavaScript and live infrastructure mapped a mature, multi-tenant PhaaS operation. Observed capabilities span infrastructure rotation, automated lure generation, dual MFA-bypass primitives, mailbox post-compromise tooling, and integrated lateral movement — all wired into a single subscriber panel:

  • Subscriber panels — multi-tenant management consoles (titled simply "Panel") for affiliates to run campaigns
  • AI-assisted lure generator — operators define target brand, delivery scenario and social-engineering theme to dynamically generate phishing payloads
  • Template library — pre-configured cloud service themes (SharePoint, OneDrive, Voicemail) and custom HTML, with impersonation of brands like Dropbox and DocuSign
  • Dual capture modes — OAuth Device Code abuse and Adversary-in-the-Middle (AiTM) proxying for session cookie interception
  • Cloudflare Worker rotation — dynamically generated *.workers.dev URLs and integrated marketplace for rapid DNS/SSL provisioning
  • Telegram alerting — instant exfiltration notifications and automated keyword monitoring on captured email for strings like "invoice", "wire", "payment", or "password reset"
  • B2B Sender module — bulk spear-phishing distribution directly from hijacked accounts using uploaded recipient lists and captured sending profiles
  • Admin Control module — directory user enumeration, password reset workflows and tenant-level abuse when a compromised identity holds admin roles

The commodity model is the real risk. Device Code phishing as a technique has been documented by defenders for years; Kali365 packages it — together with AiTM, token persistence, and account weaponisation — into a turnkey subscription product. Infrastructure telemetry observed by Obrela indicates active operational scaling and rapid provisioning, with the majority of identified nodes undetected by public Threat Intelligence feeds at the time of investigation.

Indicators of Compromise (IOCs)

IOCs below are taken from the Obrela Security Advisory of 20 May 2026 — both the confirmed Microsoft 365 compromise that initiated the investigation and the Appendix A infrastructure inventory. Defanged for safe transport. Load into SIEM, NGFW, secure web gateway, DNS, EDR and Entra ID sign-in detections.

Confirmed incident telemetry

  • Source IP of malicious authentication: 43.131.5.194
  • Phishing lure URL observed: hxxps://hsyl4nksdn.increaseengagementnow[.]de/l/FT2acw6gI3A
  • Observed at: 18 May 2026 — Microsoft 365 OAuth Device Authorization Grant abuse

Mock / demo Kali365 panel infrastructure

  • 18.117.247.159 — exposed mock subscriber panel
  • 130.12.115.206 — exposed mock subscriber panel
  • plueuuririirjririwoowowlwsjdjeineidixiidneeiej[.]cc — mock panel domain

Kali365 infrastructure nodes (AS132203 — TENCENT-NET-AP-CN)

Appendix A of the Obrela advisory lists 76 IPv4 addresses exhibiting overlapping Kali365 operational characteristics — Linux hosts, exposed Nginx, SSH on port 22, and a panel titled simply "Panel". The vast majority are hosted on AS132203 (TENCENT-NET-AP-CN). Block these at the perimeter and hunt them in DNS, proxy, EDR, and Entra ID sign-in logs:


Targeting Profile

Kali365 is sector-agnostic — every Microsoft 365 tenant is a viable target. The economic logic of PhaaS rewards affiliates for high-yield mailboxes, so regulated, high-value, and finance-adjacent environments concentrate the realised risk. Expect campaigns to gravitate to the same targets that drive BEC and ransomware staging:

  • Financial services — wire fraud, BEC pivots, downstream client compromise via trusted internal communication
  • Manufacturing — OT-adjacent environments where token theft becomes a foothold for supply-chain compromise
  • Healthcare — patient data, EHR access, and incident-response time pressure that punishes delayed detection
  • Government and public sector — politically sensitive mailboxes and inboxes exposed to FOIA/public-records discovery
  • Professional services and consulting — privileged access into multiple client tenants from a single compromise
  • Education — research IP, federated identity, and large unmonitored user populations

Defensive Controls

Because authentication completes on Microsoft infrastructure with full MFA, perimeter email controls, password rotation, and push-based MFA do not stop this attack. Effective defence is identity-centric: kill the Device Code flow where it is not operationally required, move privileged users to phishing-resistant MFA, shorten token lifetime, and instrument the post-compromise behaviour. Obrela, FBI and Arctic Wolf converge on the same control set:

  • Block the Device Authorization Grant in Conditional Access — All users → All cloud apps → Conditions → Authentication flows → Device code flow → Block. Exempt only the specific service principals and device platforms that genuinely require it (smart TVs, conference room hardware, legacy IoT)
  • Move privileged identities to phishing-resistant MFA — FIDO2 security keys, Windows Hello for Business, or certificate-based authentication. Push and OTP factors are bypassable in both Device Code and AiTM modes used by Kali365
  • Enable sign-in risk and user risk policies in Entra ID Protection — they flag the anomalous client-app, IP and ASN combinations characteristic of token replay from low-reputation infrastructure such as AS132203
  • Shorten refresh-token lifetime and enforce continuous access evaluation (CAE) — limits the operational window of a stolen refresh token
  • Alert on inbox-rule creation and mailbox-forwarding changes — Kali365 affiliates routinely suppress security notifications and exfiltrate via forwarding
  • Monitor for new device registrations and MFA method changes in Entra ID audit logs — the attacker registers their own trusted device to outlive the original token
  • Hunt the IOCs in this report — block the listed AS132203 nodes and mock-panel infrastructure in NGFW, DNS, secure web gateway and EDR; add high-fidelity alerts on the confirmed source IP and lure URL
  • Run phishing simulations that include the device-code lure — most awareness programs cover credential-harvest pages but not legitimate Microsoft prompts driven by attacker-supplied codes
  • Update the IR runbook for OAuth compromise — on suspicion, revoke sessions, refresh tokens and registered devices in Entra ID for the affected identity; a password reset alone leaves the attacker in place
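The first control is only effective when the policy is enforced, scoped to all users and all cloud apps, and grants "block"; a report-only policy or one that lists the wrong transfer method gives no protection. The audit below is an added example, not Microsoft's or Obrela's code: it reads policies in the Microsoft Graph `conditionalAccessPolicy` shape (where `conditions.authenticationFlows.transferMethods` is a comma-separated string) and reports coverage and exemptions. The two sample policies and the group and role identifiers are constructed placeholders.

```python
"""Audit exported Conditional Access policies for an enforced block of the
OAuth Device Authorization Grant.  Added example, not Microsoft's or Obrela's
code; policies use the Graph conditionalAccessPolicy shape and are constructed."""

POLICIES = [  # constructed sample export; transferMethods is a comma-separated string
    {"displayName": "Block device code flow", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"], "excludeGroups": ["<AV-DEVICES-GROUP-ID>"]},
                    "applications": {"includeApplications": ["All"]},
                    "authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Require MFA for admins", "state": "enabled",
     "conditions": {"users": {"includeRoles": ["<ROLE-ID>"]},
                    "applications": {"includeApplications": ["All"]},
                    "authenticationFlows": None},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]

def blocks_device_code(policy):
    """True only if this policy is enforced (not report-only/disabled), scopes
    all users and all cloud apps, names deviceCodeFlow, and grants 'block'."""
    if policy.get("state") != "enabled":
        return False
    cond = policy.get("conditions") or {}
    flows = cond.get("authenticationFlows") or {}
    methods = {m.strip() for m in (flows.get("transferMethods") or "").split(",")}
    users = cond.get("users") or {}
    apps = cond.get("applications") or {}
    grant = policy.get("grantControls") or {}
    return ("deviceCodeFlow" in methods
            and "All" in (users.get("includeUsers") or [])
            and "All" in (apps.get("includeApplications") or [])
            and "block" in (grant.get("builtInControls") or []))

def audit(policies):
    """Report whether any policy enforces the block, and what it exempts
    (exemptions are where approved smart-TV / conference hardware should live)."""
    enforcing = [p for p in policies if blocks_device_code(p)]
    exemptions = []
    for p in enforcing:
        u = p["conditions"]["users"]
        exemptions += (u.get("excludeUsers") or []) + (u.get("excludeGroups") or [])
    return {"covered": bool(enforcing),
            "policies": [p["displayName"] for p in enforcing],
            "exemptions": exemptions}
```

Run it over the JSON returned by a Graph GET on `/identity/conditionalAccess/policies`; every entry in `exemptions` should be a known, documented hardware or service-principal group.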

KEY TAKEAWAYS

  1. No credential theft required — the victim authenticates on real Microsoft endpoints; password resets and credential-leak monitoring do not detect or evict the attacker
  2. MFA is satisfied legitimately — the resulting access and refresh tokens are the prize, not the password; push and OTP factors are not protective in this flow
  3. PhaaS has industrialised the technique — the same OAuth Device Code abuse previously associated with targeted intrusion is now subscriber-grade and rapidly scaling
  4. Blocking the Device Authorization Grant via Conditional Access is the single highest-ROI control — most tenants do not legitimately use the flow and can disable it with zero user impact
  5. Response is token-centric — revoke sessions, refresh tokens and registered devices in Entra ID; a password reset alone leaves the attacker in place for up to 90 days of refresh-token life

Key Takeaway

Kali365 is not a novel exploit — it is the commoditisation of a documented weakness in the OAuth Device Authorization Grant flow. Obrela's telemetry, the FBI advisory and Arctic Wolf's research point at the same operational reality: identity is the perimeter, and the perimeter has a known bypass that requires no malware, no zero-day, and no credential. The most effective control — blocking the device-code flow via Conditional Access — is essentially free and has no user impact for the vast majority of tenants. The unfinished work is configuration, not capability.

Kali365 does not break Microsoft 365 — it weaponises a feature most tenants forgot was turned on. Until the Device Authorization Grant is explicitly blocked in Conditional Access, an MFA-protected mailbox is one user-typed code away from full token compromise.

References

This report consolidates findings from three independent sources. Cross-reference them before tuning detections or building a hunt:

  • Obrela Security Advisory — Kali365 Infrastructure: Abusing OAuth Device Code Phishing (20 May 2026) — primary source for the IOC inventory and platform capability analysis published in this report
  • FBI IC3 Public Service Announcement — Kali365 Phishing-as-a-Service Kit Hijacks Microsoft 365 Access Tokens — https://www.ic3.gov/PSA/2026/PSA260521
  • Arctic Wolf Labs — Token Bingo: Don't Let Your Code be the Winner — https://arcticwolf.com/resources/blog/token-bingo-dont-let-your-code-be-the-winner/
