Tuesday, 02 January 2024 12:17 GMT

Kali365 Raises Microsoft 365 Breach Risks (Arabian Post)


(MENAFN- The Arabian Post) US federal investigators have warned that a new phishing-as-a-service platform called Kali365 is enabling cybercriminals to steal Microsoft 365 access tokens and bypass multi-factor authentication without capturing victims' passwords.

The platform, first observed in April 2026 and distributed mainly through Telegram, marks a sharper turn in identity-based attacks because it abuses legitimate Microsoft authentication flows rather than relying on fake login pages alone. By capturing OAuth access and refresh tokens, operators can gain continued access to email, files, chats and cloud services inside Microsoft 365 environments even when an organisation has MFA in place.

Kali365 is being marketed as a ready-made crimeware service for attackers with varying levels of technical skill. Its capabilities include AI-generated phishing lures, automated campaign templates, real-time target tracking dashboards and token capture functions. The model lowers the operational barrier for account takeover campaigns, allowing less experienced actors to run attacks that would previously have required deeper knowledge of cloud identity systems.

The attack chain typically begins with an email designed to resemble a trusted cloud, document-sharing or workplace communication notice. The victim is instructed to enter a device code on a genuine Microsoft verification page. Because the user completes the sign-in process through Microsoft's real authentication system, the interaction may appear legitimate and can satisfy MFA requirements. Once the code is entered, the attacker's device or session is authorised, and OAuth tokens can be harvested for continued access.

The danger lies in the distinction between stealing passwords and stealing tokens. A compromised password can be changed, and MFA can block many credential-based intrusions. A stolen token, however, can allow an attacker to access services as an already authenticated user until the token expires or is revoked. Refresh tokens can extend that window, giving attackers time to search mailboxes, download files, monitor Teams conversations, set forwarding rules, or use the compromised account to reach other employees.


The emergence of Kali365 reflects a wider shift in phishing operations from crude credential harvesting to abuse of trusted identity protocols. Device code phishing has gained traction because it relies on legitimate Microsoft pages, reducing the effectiveness of user training that focuses only on spotting lookalike domains. It also complicates automated detection because the authentication event may not immediately resemble a conventional failed login or suspicious password entry.

Cybersecurity researchers have tracked similar tactics across financially motivated groups and state-linked operators since 2025. Campaigns using device-code abuse have targeted Microsoft 365 users in corporate, academic, government and public-sector environments. Some operations have used document-sharing themes, salary notices, meeting recordings and password expiry prompts to induce victims to follow instructions quickly.

The spread of such platforms through Telegram has amplified the threat. Closed and semi-open channels have become marketplaces for phishing kits, stolen credentials, malware loaders and automation tools. Kali365's subscription format mirrors a broader cybercrime economy in which developers maintain platforms while affiliates or customers conduct campaigns. This separation of roles allows malicious services to scale rapidly and makes attribution more difficult.

Microsoft 365 remains a high-value target because it sits at the centre of enterprise communication and document management. Access to one mailbox can provide attackers with invoices, contracts, internal contacts, cloud storage links and authentication prompts from other services. A compromised account can also be used to launch business email compromise schemes, alter payment instructions, impersonate executives, or move laterally through an organisation.

Defensive measures now need to move beyond password resets and basic MFA enforcement. Administrators are being urged to review whether device code flow is required in their environment and to restrict it where possible through Conditional Access controls. Organisations can also shorten token lifetimes, monitor unusual OAuth consent activity, revoke refresh tokens after suspected compromise, and investigate unexpected sign-ins from unfamiliar locations, devices or applications.
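The monitoring step above can be turned into a simple triage rule. The following is an added example (not code from the article or from Microsoft): it reads constructed sign-in records shaped like Microsoft Entra sign-in log entries, keeps only those completed via the device code flow, and rates each against a per-user country baseline and a list of apps where device code use is expected. The field names (`authenticationProtocol`, `appDisplayName`, `location.countryOrRegion`) are assumed to match the Graph sign-in schema; the sample data and baselines are invented.

```python
import json

# Constructed sample sign-in records in the shape of Entra sign-in log entries.
# Field names are assumed to follow the Graph "signIn" resource; values are invented.
SAMPLE_SIGNINS = json.dumps([
    {"createdDateTime": "2026-04-14T08:02:11Z", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "oAuth2", "appDisplayName": "Microsoft Teams",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "AE"}},
    {"createdDateTime": "2026-04-14T08:05:40Z", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "NL"}},
    {"createdDateTime": "2026-04-14T09:12:03Z", "userPrincipalName": "bob@example.com",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Azure CLI",
     "ipAddress": "203.0.113.22", "location": {"countryOrRegion": "AE"}},
])

# Constructed baseline: countries each user normally signs in from.
USER_BASELINE = {"alice@example.com": {"AE"}, "bob@example.com": {"AE"}}
# Apps for which device code sign-ins are expected (e.g. CLI tooling on headless hosts).
DEVICE_CODE_ALLOWED_APPS = {"Microsoft Azure CLI"}


def flag_device_code_signins(signins_json, baseline, allowed_apps):
    """Return one alert per device-code sign-in, rated high when it deviates from baseline."""
    alerts = []
    for rec in json.loads(signins_json):
        if rec.get("authenticationProtocol") != "deviceCode":
            continue  # interactive/browser sign-ins are out of scope for this rule
        user = rec["userPrincipalName"]
        country = rec.get("location", {}).get("countryOrRegion")
        app = rec.get("appDisplayName")
        reasons = []
        if country not in baseline.get(user, set()):
            reasons.append(f"unfamiliar country {country}")
        if app not in allowed_apps:
            reasons.append(f"device code flow used by unexpected app {app!r}")
        alerts.append({
            "user": user, "time": rec["createdDateTime"], "ip": rec.get("ipAddress"),
            "severity": "high" if reasons else "low",
            "reasons": reasons or ["device code flow observed, within baseline"],
        })
    return alerts


if __name__ == "__main__":
    for alert in flag_device_code_signins(SAMPLE_SIGNINS, USER_BASELINE, DEVICE_CODE_ALLOWED_APPS):
        print(alert)
```

High-severity hits are the candidates for the revocation and sign-in investigation the article recommends; low-severity hits still show where device code flow is in use and whether a Conditional Access restriction would break legitimate tooling.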


User education remains necessary but must be updated to reflect the nature of the threat. Employees should treat unsolicited device-code prompts as suspicious, even when the page is hosted on a legitimate Microsoft domain. Verification requests should be checked through internal IT channels, particularly when linked to shared documents, Teams recordings, voicemail notifications or urgent account actions.

The Arabian Post