FBI flags Kali365, a phishing service built on OAuth device-code abuse
BleepingComputer · Lawrence Abrams · May 25, 2026 · source ↗
The FBI has put out a warning about Kali365, a phishing-as-a-service platform that surfaced in April 2026 and is sold through Telegram to attackers who want into Microsoft 365 accounts without stealing passwords or intercepting MFA codes. Its method is device-code phishing: abuse of Microsoft's legitimate OAuth 2.0 device authorization grant, the flow designed so that smart TVs, conference systems and printers can sign in by showing a short code that the user types on another device at microsoft.com/devicelogin. The attacker starts the flow and receives the code pair (a device code it keeps, and a user code it sends to the target); if the target enters that user code on the real Microsoft page and completes sign-in, MFA included, the token endpoint hands the attacker access and refresh tokens for the target's account. Nothing in the flow binds the client that requested the code to the person who approved it, so the tokens go to whoever holds the device code.
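To make the mechanics concrete, here is a small Python model of the RFC 8628 exchange with all three parties (attacker client, victim, authorization server). It is an added example, not code from the article, from Kali365, or from Microsoft: the server, the `public-client-1234` client id, the `victim@contoso.example` user, the `allow_device_code` switch (standing in for a tenant policy that blocks the grant) and the sign-in log field names are all assumptions made for illustration.

```python
"""Toy model of the OAuth 2.0 device authorization grant (RFC 8628).

Everything here is constructed for illustration (not Microsoft's code).
It shows the structural flaw device-code phishing relies on: the client
that requests the code and the user who approves it are never bound
together, so whoever holds the device_code gets the tokens.
"""

import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class DeviceGrant:
    client_id: str
    scope: str
    user_code: str
    expires_at: float
    interval: int
    last_poll: Optional[float] = None
    approved_by: Optional[str] = None   # user who entered the code at the verification URI
    consumed: bool = False


class AuthorizationServer:
    """Hypothetical authorization server standing in for login.microsoftonline.com."""

    VERIFICATION_URI = "https://example.test/devicelogin"   # stand-in for microsoft.com/devicelogin

    def __init__(self, allow_device_code: bool = True, lifetime: int = 900, interval: int = 5):
        self.allow_device_code = allow_device_code   # models a tenant policy that blocks the grant
        self.lifetime = lifetime                     # user code lifetime, seconds (15 min is typical)
        self.interval = interval                     # minimum polling interval, seconds
        self._grants: dict = {}        # device_code -> DeviceGrant
        self._by_user_code: dict = {}  # user_code -> device_code
        self.sign_in_log: list = []    # what a defender would later see in sign-in logs

    def device_authorization(self, client_id: str, scope: str, now: float) -> dict:
        """POST /devicecode. Any caller that knows a public client_id gets a code pair;
        nothing here identifies the human who will eventually approve it."""
        if not self.allow_device_code:
            return {"error": "unauthorized_client"}
        device_code = secrets.token_urlsafe(32)
        user_code = f"{secrets.token_hex(2).upper()}-{secrets.token_hex(2).upper()}"  # e.g. 3F2A-9C01
        self._grants[device_code] = DeviceGrant(client_id, scope, user_code, now + self.lifetime, self.interval)
        self._by_user_code[user_code] = device_code
        return {
            "device_code": device_code,       # secret, stays with the requesting client
            "user_code": user_code,           # short, meant to be typed by a human elsewhere
            "verification_uri": self.VERIFICATION_URI,
            "expires_in": self.lifetime,
            "interval": self.interval,
        }

    def verify(self, user_code: str, upn: str, mfa_passed: bool, now: float) -> str:
        """What happens at the verification URI: the user signs in (MFA included)
        and approves whichever pending grant the code belongs to."""
        device_code = self._by_user_code.get(user_code)
        grant = self._grants.get(device_code) if device_code else None
        if grant is None or now > grant.expires_at or grant.approved_by is not None:
            return "invalid_or_expired"
        if not mfa_passed:
            return "mfa_required"
        grant.approved_by = upn
        # Constructed log record; the field names are an assumption, not Entra's schema.
        self.sign_in_log.append({"userPrincipalName": upn, "authenticationProtocol": "deviceCode",
                                 "appId": grant.client_id, "time": now})
        return "approved"

    def token(self, client_id: str, device_code: str, now: float) -> dict:
        """POST /token with grant_type=urn:ietf:params:oauth:grant-type:device_code.
        The server checks the device_code and polling cadence, never who is polling."""
        grant = self._grants.get(device_code)
        if grant is None or grant.client_id != client_id or grant.consumed:
            return {"error": "invalid_grant"}
        if now > grant.expires_at:
            return {"error": "expired_token"}
        if grant.last_poll is not None and now - grant.last_poll < grant.interval:
            return {"error": "slow_down"}
        grant.last_poll = now
        if grant.approved_by is None:
            return {"error": "authorization_pending"}
        grant.consumed = True
        return {
            "token_type": "Bearer",
            "scope": grant.scope,
            "access_token": secrets.token_urlsafe(24),   # opaque stand-ins, not real JWTs
            "refresh_token": secrets.token_urlsafe(24),
            "sub": grant.approved_by,                    # issued for the VICTIM's identity
        }


def run_phish(server: AuthorizationServer, victim_upn: str = "victim@contoso.example",
              attacker_client_id: str = "public-client-1234") -> dict:
    """Walk the three-party exchange and return the attacker's final /token response."""
    t = 1000.0
    # 1. The attacker, not the victim, starts the flow and receives the code pair.
    start = server.device_authorization(attacker_client_id, "openid offline_access Mail.Read", now=t)
    if "error" in start:
        return start
    # 2. The lure carries only the user code and the legitimate verification URI.
    lure = f"Enter {start['user_code']} at {start['verification_uri']} to keep mailbox access"
    # 3. Polling before approval is rejected, exactly as it would be for a real TV or printer.
    assert server.token(attacker_client_id, start["device_code"], now=t + 1) == {"error": "authorization_pending"}
    # 4. The victim signs in on their own browser, passes MFA, and approves the attacker's grant.
    assert server.verify(start["user_code"], victim_upn, mfa_passed=True, now=t + 60) == "approved"
    # 5. The next poll returns tokens minted for the victim; no password was ever touched.
    return server.token(attacker_client_id, start["device_code"], now=t + 60 + start["interval"])


if __name__ == "__main__":
    print(run_phish(AuthorizationServer()))
    print(run_phish(AuthorizationServer(allow_device_code=False)))
```

The model's `allow_device_code=False` branch is where the real defence lives: the grant is a feature, not a bug, so the control is policy rather than code. In Entra that means using the Conditional Access "Authentication flows" condition to block the device code flow for users and apps that do not need it, watching sign-in logs for device-code authentications from unexpected clients or locations, and, after a compromise, revoking the account's refresh tokens, since the tokens the flow issues outlive the phishing message that harvested them.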
The interesting part is structural: it is the same weakness that keeps surfacing wherever delegated authorization meets a human who can be socially engineered. The credential isn't phished; the authorization grant is. MFA, sold to everyone as the answer, is not broken so much as completed by the victim on the attacker's behalf: the flow was built to carry trust from one device to another, and it has no way to tell that the "device" is a phishing kit. Branded calling, verifiable credentials and agent identity all lean on similar OAuth-family delegation patterns, and device-code abuse is a working reminder that the consent step is where these schemes actually break.
This is general M365 account-takeover tradecraft, not telecom-specific, but the productization is what makes it worth a second look. When token theft through a legitimate grant gets packaged as a Telegram subscription, the technique stops being an advanced-actor party trick and becomes commodity fraud, which is the point at which it starts touching every channel that trusts an OAuth session.