FBI again warns of Kali365 phishing service targeting Microsoft 365 accounts
The FBI is still warning about the Kali365 phishing-as-a-service platform (PhaaS) that is used to hijack Microsoft 365 accounts by abusing OAuth device code authentication to steal session tokens and bypass MFA. If you haven’t read the warning from the FBI, it should be required reading.
Commenting on this news is Dan Moore, Sr. Director, CIAM Strategy & Identity Standards at FusionAuth:
“Device code phishing works because the user does everything right. They visit a real Microsoft page, complete a real login and MFA challenge, and enter the code. By doing so, the user hands an attacker real long-lived tokens for accessing real applications. The default Microsoft refresh token is good for 90 days. Worse, it renews itself every time it’s used.
The login and MFA are completed by a legitimate user on the attacker’s behalf. An easy fix: disallow superfluous OAuth grants. The device code grant exists for legitimate reasons; I wouldn’t want to type a password into my printer or smart TV when I could use my phone. But almost all enterprise users don’t need it (yes, yes, carve out exceptions for engineering teams who actually use CLI tools). Leaving it accessible is a configuration choice and attackers are actively exploiting it.
If your organization can’t block the device code grant entirely, at minimum you need short refresh token lifetimes and aggressive revocation. A captured refresh token gives persistent access until it’s expired or revoked. How long that window stays open is up to you.”
It’s time to refresh how one manages devices. Otherwise the possibility of getting pwned is very high.
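One way to act on the advice quoted above, as an added Python example that is not from the post or from FusionAuth: it flags device-code sign-ins by users who are not on an allow-list of accounts that legitimately use CLI tools, and it sizes the exposure window of a refresh token that renews itself on every use (the 90-day default is the figure from the quote). The sign-in records are constructed; the field name `authenticationProtocol` follows the Microsoft Graph signIn schema, and the allow-list is a hypothetical one.

```python
"""Detection and exposure-window helpers for device code phishing (added example)."""
from datetime import datetime, timedelta

# Constructed sample sign-in records. Field names follow the Microsoft Graph
# signIn shape, where authenticationProtocol == "deviceCode" marks the device
# authorization grant; the values themselves are made up.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.7", "createdDateTime": "2026-05-20T09:12:00Z"},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "none",
     "ipAddress": "198.51.100.4", "createdDateTime": "2026-05-20T09:15:00Z"},
    {"userPrincipalName": "carol@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.9", "createdDateTime": "2026-05-21T17:40:00Z"},
]

# Hypothetical allow-list: the engineering accounts that really do use CLI tools.
DEVICE_CODE_ALLOWED = {"carol@example.com"}

DEFAULT_REFRESH_LIFETIME_DAYS = 90  # default lifetime cited in the commentary


def flag_device_code_signins(records, allowed=DEVICE_CODE_ALLOWED):
    """Return sign-ins that used the device code grant by users not on the allow-list.
    Each hit is a candidate for token revocation and a conversation with the user."""
    return [r for r in records
            if r.get("authenticationProtocol") == "deviceCode"
            and r.get("userPrincipalName") not in allowed]


def refresh_token_expiry(issued, uses, lifetime_days=DEFAULT_REFRESH_LIFETIME_DAYS,
                         sliding=True):
    """Return when a refresh token stops working absent revocation.
    sliding=True models the renew-on-use behaviour the commentary describes:
    every use restarts the lifetime, so the window is anchored on the latest use.
    sliding=False models a fixed window anchored on issuance."""
    anchor = max([issued, *uses]) if sliding and uses else issued
    return anchor + timedelta(days=lifetime_days)


def exposure_report(records, now, allowed=DEVICE_CODE_ALLOWED):
    """For each flagged sign-in, the worst-case expiry if the stolen token was
    renewed as recently as `now`; only revocation closes the window sooner."""
    report = []
    for r in flag_device_code_signins(records, allowed):
        issued = datetime.strptime(r["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")
        report.append((r["userPrincipalName"], r["ipAddress"],
                       refresh_token_expiry(issued, [now])))
    return report
```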
This entry was posted on May 27, 2026 at 1:45 pm and is filed under Commentary with tags Kali365.