Kali365: when the session becomes the new credential
ABSTRACT

The FBI recently issued an advisory on Kali365, a Phishing-as-a-Service platform that abuses the legitimate Microsoft OAuth Device Code Flow to bypass multi-factor authentication. For $250, an operator with minimal skill acquires enterprise-grade identity compromise capability. The technique does not break MFA; it captures the session token after the victim completes authentication legitimately. Refresh tokens grant persistent access to Microsoft 365 for weeks or months, with no audit log anomaly.
Analysis of 800 domains attributed to the kit confirms a market-scale operation: 85.8% of malicious URLs are hosted on Cloudflare Workers; the .de, .dev, and .com TLDs account for over 94% of the sample. The kit is distributed via Telegram and adopted across multiple unrelated threat actor groups.
We assess with high confidence that the MFA-centric defence paradigm is structurally insufficient against this class of attack. Mitigation requires accelerated adoption of Identity Threat Detection and Response (ITDR) tooling, and continuous post-authentication behavioural validation.
Technical Anatomy: How the Attack Works
The Compromise Flow
Unlike traditional phishing, which seeks to steal credentials via fraudulent login pages, Kali365 abuses the Microsoft Device Code Flow, a legitimate OAuth mechanism originally designed for devices without a browser, such as smart TVs or IoT endpoints.
The attack sequence unfolds in four phases:
- Initial vector. Using templates supplied by Kali365, the operator sends an email impersonating trusted services (Adobe, DocuSign, SharePoint) containing an alphanumeric code and instructions to visit microsoft.com/devicelogin.
- Authentication. The victim enters the code and completes the normal authentication flow, MFA included, in the belief they are authorizing a legitimate operation.
- Token theft. Once authentication completes, Kali365 captures the OAuth access and refresh tokens associated with the freshly authorized session.
- Post-exploitation. With valid tokens in hand, the operator gains persistent access to every Microsoft 365 service (Outlook, OneDrive, Teams, SharePoint), no password and no further verification required.
Once tokens are acquired, Kali365 provides automated workflows for:
- Mailbox access: reading email, including password reset notifications
- Contact harvesting: automatic address-book extraction for lateral phishing
- Stealth operations: creating inbox rules that filter out security alerts
- Keyword monitoring: automated scanning for BEC-related terms (invoice, wire transfer, urgent payment)
The Value of Refresh Tokens
Refresh tokens have one property that makes them particularly dangerous: they renew access without repeating authentication, often for weeks or months. They provide operators with a persistence mechanism inside the Microsoft 365 tenant, with sessions that appear entirely legitimate in audit logs.
The Democratisation of Offensive Capability
Token theft attacks have historically required advanced web development skill to implement reverse-proxy architectures, complex infrastructure management, the ability to evade detection systems, and operational expertise in OPSEC and monetisation. Kali365 reduces these requirements to a $250 purchase, basic email-sending competence, and a surface knowledge of Microsoft 365.
The strategic implication is significant. Actors who previously ran only rudimentary phishing now have capabilities comparable to APT groups. The technological barrier separating script kiddies from capable threat actors is shrinking.
The Emerging Ecosystem and Group Convergence
The FBI advisory, together with reports from Proofpoint, IBM, and Huntress, makes clear that Kali365 is not an outlier. It is the representative of a new category of criminal services. Multiple similar platforms exist, indicating the business model has been validated by the market. Competition between platforms will inevitably drive rapid innovation in technique, feature improvements, and price reductions.
The convergence of various threat actors around these commodity tools is particularly worrying. This is not a single group with custom tooling; it is cross-group adoption of standardised tooling.
Distribution via Telegram gives criminal developers operational anonymity, global reach, and the ability to build communities with peer-to-peer support.
The Failure of the MFA-Centric Paradigm
For over a decade, the cybersecurity industry has promoted MFA as the fundamental solution. The consistent message has been that MFA blocks the vast majority of credential-based attacks. The claim is technically accurate for that class of attack, but it has produced a dangerous false confidence.
The problem is not that the statistic is false. The problem is that the statistic is incomplete. MFA is extraordinarily effective against attacks that aim to obtain credentials. Kali365 attacks the session after authentication.
The Technical Nature of the “Bypass” That Is Not a Bypass
Saying that Kali365 “bypasses” MFA risks creating the impression that MFA has been circumvented, and that stronger MFA could solve the problem. The characterisation is technically inaccurate and strategically misleading.
In a Kali365 attack, the victim genuinely and legitimately completes authentication: they enter correct credentials, pass the MFA challenge, and explicitly authorize a device. From the perspective of the Microsoft authentication system, every step has been completed correctly. No protocol violation. No technical exploit. No bypass in the strict sense.
The problem lies in an architectural gap between authentication and device authorization. The model assumes that the user completing authentication will control the authorized device. Kali365 exploits the moment in which the user authorizes a device controlled by the operator. Once the token is legitimately issued, the system does not distinguish between use by the rightful owner and use by the operator. As the FBI notes, from Microsoft’s perspective a user has signed in, passed MFA, and started a normal session. The problem is not that authentication failed. The problem is that authentication alone is insufficient to guarantee session security.
The Supply Chain Attack Problem
The risk linked to supply chain attacks deserves particular attention for its multiplicative nature. Compromise of a vendor account, followed by contact harvesting of customers, enables lateral phishing in a high-trust context, leading to a cascade of compromises. The critical differentiator: the operator does not impersonate the vendor. The operator technically is the vendor, using a legitimate token and operating from the real account with no detectable spoofing.
The Broader Industrial Context
The OAuth-Based Threat Ecosystem
Kali365 is not an isolated phenomenon. The FBI advisory and reports from cybersecurity vendors explicitly mention “multiple platforms with similar capabilities.”
Other documented PhaaS platforms include:
- Storm-2372: focus on adversary-in-the-middle (AiTM) proxying
- VENOM: specialisation in silent MFA device registration
- EvilProxy: one of the first commercial AiTM platforms
This indicates a market trend, not an isolated product. OAuth-flow token theft is now a standardised and widely deployed technique.
Lessons from the Past: The Ransomware-as-a-Service Parallel
Kali365’s evolution mirrors the trajectory of ransomware over the last seven to eight years:
- 2015–2016: ransomware as the preserve of highly technical actors
- 2017–2018: emergence of RaaS (Ransomware-as-a-Service) platforms
- 2019–2020: full diffusion, explosion of attacks
- 2021–present: industrialisation with role specialisation (access brokers, negotiators, cash-out specialists)
The PhaaS trajectory now sits in phase 2–3, with Kali365 representing the moment of diffusion. The historical lesson suggests that the next 12–24 months will see:
- proliferation of Kali365 competitors and clones
- further specialisation (vertical platforms targeting specific sectors)
- exponential increase in attack volume
- regulatory pressure for new identity security standards
Mitigation Strategies: Beyond MFA
Next-Generation Technical Controls
Kali365 ranks among the most technically capable phishing threats currently in circulation. The countermeasures genuinely effective against this kit divide cleanly between obsolete solutions and next-generation approaches.
Choosing the right MFA
MFA is often considered the definitive solution against phishing. Kali365 has demonstrated that it is not. The difference lies in the type of MFA implemented.
Advanced Conditional Access
Modern Conditional Access policies move beyond the simple request for a second factor. Examples of policies effective against Kali365:
- Device compliance check: access permitted only from managed and compliant devices
- Trusted location enforcement: automatic block from unexpected countries or IP ranges
- Application-specific policies: different restrictions for high-risk applications
- Session frequency controls: forced reauthentication for sensitive sessions
- Risk-based access: step-up authentication when anomalies are detected
ITDR: Identity Threat Detection and Response
ITDR is an emerging category of security tools that monitor post-authentication behaviour. It is essential for detecting sessions compromised by Kali365.
Key ITDR capabilities:
- Token usage anomaly detection: access from impossible geolocations (travel velocity), simultaneous token usage from multiple locations, anomalous refresh token usage patterns
- Behavioural analytics: mailbox access with patterns inconsistent with historical behaviour, unusual activity hours for the user, sudden changes to inbox rules
- Lateral movement detection: mass harvesting of contacts from the Global Address List, sudden bulk email sending to internal contacts, enumeration of SharePoint/OneDrive resources
- Privilege escalation monitoring: attempts to access administrative resources from standard accounts, unauthorised changes to roles or permissions, access to sensitive shared mailboxes
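As an added example (not from the FBI advisory, the vendor reports or any Kali365 analysis), the following Python triage reads constructed Microsoft Entra-style sign-in records and flags the two signals that the compromise flow above and the ITDR capabilities here describe: an interactive device code authorisation, and later token use from a location the user could not have reached in the elapsed time. Field names follow the Graph signIn resource; the records, the IP addresses and coordinates, and the 900 km/h travel ceiling are all constructed assumptions.

```python
import json
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sign-in records shaped like Microsoft Entra sign-in log entries
# (field names from the Graph signIn resource); every value here is invented.
SAMPLE_SIGNINS = """
{"userPrincipalName":"a.rossi@example.test","createdDateTime":"2025-01-10T08:02:11Z","isInteractive":true,"authenticationProtocol":"deviceCode","ipAddress":"203.0.113.10","location":{"countryOrRegion":"DE","geoCoordinates":{"latitude":52.52,"longitude":13.40}}}
{"userPrincipalName":"a.rossi@example.test","createdDateTime":"2025-01-10T08:40:00Z","isInteractive":false,"authenticationProtocol":"oAuth2","ipAddress":"198.51.100.7","location":{"countryOrRegion":"NG","geoCoordinates":{"latitude":6.52,"longitude":3.38}}}
{"userPrincipalName":"b.neri@example.test","createdDateTime":"2025-01-10T09:00:00Z","isInteractive":true,"authenticationProtocol":"oAuth2","ipAddress":"203.0.113.44","location":{"countryOrRegion":"DE","geoCoordinates":{"latitude":48.14,"longitude":11.58}}}
{"userPrincipalName":"b.neri@example.test","createdDateTime":"2025-01-10T12:00:00Z","isInteractive":false,"authenticationProtocol":"oAuth2","ipAddress":"203.0.113.44","location":{"countryOrRegion":"DE","geoCoordinates":{"latitude":48.14,"longitude":11.58}}}
"""

# Assumed ceiling on plausible travel speed between two sign-ins (roughly an airliner).
MAX_PLAUSIBLE_KMH = 900.0

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def _ts(rec):
    return datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))

def _coords(rec):
    g = rec["location"]["geoCoordinates"]
    return g["latitude"], g["longitude"]

def triage(jsonl):
    """Return (alert_type, upn, detail) tuples: one per interactive device code
    authorisation, and one per later token use that implies impossible travel."""
    recs = sorted((json.loads(line) for line in jsonl.strip().splitlines()), key=_ts)
    alerts, last_seen = [], {}
    for rec in recs:
        upn = rec["userPrincipalName"]
        if rec["isInteractive"] and rec["authenticationProtocol"] == "deviceCode":
            alerts.append(("device_code_signin", upn, rec["ipAddress"]))
        prev = last_seen.get(upn)
        if prev is not None:
            hours = (_ts(rec) - _ts(prev)).total_seconds() / 3600
            km = haversine_km(*_coords(prev), *_coords(rec))
            if hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
                route = prev["location"]["countryOrRegion"] + "->" + rec["location"]["countryOrRegion"]
                alerts.append(("impossible_travel", upn, route))
        last_seen[upn] = rec  # non-interactive (token refresh) events advance the baseline too
    return alerts
```

In the sample, the refresh from Nigeria 38 minutes after a device code authorisation in Germany is the session-reuse pattern the ITDR section describes; the second user's two sign-ins from the same place produce no alert.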
Phishing Infrastructure Analysis
Analysis of 800 domains forming part of the infrastructure used by the Kali365 phishing kit provides meaningful insight into the operational methodologies adopted by the threat actors. The data highlights distribution patterns and social engineering strategies that deserve attention.
Top-Level Domain Distribution
Examining the distribution of top-level domains reveals significant concentration on three main extensions: .de (281 occurrences), .dev (221 occurrences), and .com (135 occurrences). The distribution represents over 94% of the sample across the top three TLDs.
The dominance of .de is particularly interesting from a threat analysis perspective. The preference can be traced to several strategic factors: the perception of trust associated with European national domains, potential cost advantages in registration, and possible targeting of users in the DACH region (Germany, Austria, Switzerland).
The notable presence of .dev deserves particular attention. Originally conceived for the developer community, the domain is exploited to give an appearance of technical legitimacy to malicious operations. Operators capitalise on the positive reputation of this TLD to lower victim suspicion.
The .com domain, traditionally the most widespread globally, maintains a significant but non-dominant presence. The pattern suggests a deliberate diversification strategy toward TLDs less commonly associated with phishing activity.

Abuse of Legitimate Cloud Platforms
The analysis of abused legitimate platforms presents a scenario of particular relevance to information security. Cloudflare Workers (workers.dev) emerges as the predominant vector, accounting for 85.8% of identified malicious URLs, with over 220 documented instances.
The marked preference for Cloudflare Workers can be attributed to several platform characteristics:
- Accessibility and deployment speed: the serverless platform allows content publication with minimal operational friction, eliminating the need to manage traditional server infrastructure.
- Credibility by association: workers.dev domains benefit from Cloudflare’s consolidated reputation as a security and CDN provider, reducing the probability of immediate suspicion by end users and filtering systems.
- Investigative complexity: the distributed, serverless architecture presents significant challenges for digital forensics and tracking of malicious operations.
- Economic sustainability: the platform’s pricing model, particularly in the free tier, allows operators to act with minimal financial investment.
Multi-Platform Ecosystem
While Cloudflare Workers dominates the landscape, the presence of other abused legitimate platforms reveals an operational diversification strategy:
- AWS (5.9%): use of Amazon services, presumably S3 and CloudFront, indicates exploitation of the most widely deployed enterprise cloud infrastructure.
- Windows/Azure (2.4%): the presence of Microsoft services suggests an attempt to create coherence with the phishing target, presumably Microsoft 365 credentials.
- GitHub (2.0%) and pages.dev (1.6%): legitimate static hosting platforms used to host phishing pages.
The multi-platform distribution serves several strategic goals: operational redundancy in case of takedown, evasion of single-source blocklist systems, and continuous testing of alternative vectors.

Semantic Domain Analysis
Examining recurring keywords in domain names reveals deliberate linguistic patterns targeting social engineering.
Reassurance terminology. The most frequent keywords, secure (31 occurrences), trust (30 occurrences), and auth (22 occurrences), represent a clear attempt to exploit psychological reassurance principles.
Sectoral naming patterns. The presence of terms such as share, sync, cloud, support, access, and mail indicates specific targeting of cloud productivity services and collaboration platforms. The nomenclature aims to simulate legitimate cloud storage and productivity suite services, create coherence with the Microsoft 365 ecosystem (the apparent primary target of the kit), and exploit user familiarity with common technical terminology.
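An added analysis helper, not part of the original infrastructure study, that reproduces the three views of the preceding sections (TLD distribution, share hosted on abused cloud platforms, keyword frequency) over a constructed URL list and ranks each URL for blocklist triage. The URLs are invented, the scoring weights are an assumption, and so are the hostname suffixes used to stand in for the AWS, Azure and GitHub categories.

```python
from collections import Counter
from urllib.parse import urlparse

# Constructed sample URLs in the style the article describes (workers.dev
# subdomains, .de/.dev TLDs, reassurance keywords); they are not real indicators.
SAMPLE_URLS = [
    "https://secure-auth-login.sample1.workers.dev/common/devicelogin",
    "https://trust-mail-sync.sample2.workers.dev/",
    "https://cloud-access-support-sample3.de/",
    "https://share-secure-sample4.dev/",
    "https://docs.sample5.com/",
]

REASSURANCE = ("secure", "trust", "auth")  # the article's most frequent keywords
SECTORAL = ("share", "sync", "cloud", "support", "access", "mail")
# Hostname suffix -> platform category; AWS/Azure/GitHub suffixes are assumptions.
HOSTING_SUFFIXES = {"workers.dev": "Cloudflare Workers", "pages.dev": "Cloudflare Pages",
                    "amazonaws.com": "AWS", "cloudfront.net": "AWS",
                    "azurewebsites.net": "Azure", "github.io": "GitHub"}

def hostname(url):
    return (urlparse(url).hostname or "").lower()

def hosting_platform(host):
    for suffix, name in HOSTING_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return None

def keyword_hits(host):
    """Keywords present as whole labels, splitting on '.' and '-' separators."""
    labels = set(host.replace("-", ".").split("."))
    return sorted(k for k in REASSURANCE + SECTORAL if k in labels)

def triage_score(url):
    """Assumed weighting: abused hosting 3, each reassurance word 2, sectoral word 1."""
    host = hostname(url)
    score = 3 if hosting_platform(host) else 0
    return score + sum(2 if k in REASSURANCE else 1 for k in keyword_hits(host))

def summarise(urls):
    """TLD counts, share per hosting platform, and keyword frequencies for a URL set."""
    hosts = [hostname(u) for u in urls]
    tlds = Counter(h.rsplit(".", 1)[-1] for h in hosts)
    platforms = Counter(p for p in map(hosting_platform, hosts) if p)
    keywords = Counter(k for h in hosts for k in keyword_hits(h))
    share = {p: n / len(hosts) for p, n in platforms.items()}
    return {"tlds": tlds, "platform_share": share, "keywords": keywords}
```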

Conclusions
Kali365 marks a turning point in cybersecurity. For $250, actors without advanced skill can now run attacks that, a year ago, were the exclusive preserve of APT groups. MFA, promoted for years as the definitive solution, is now necessary but no longer sufficient.
Analysis of the kit’s infrastructure reveals a particularly effective strategy: 85.8% of attacks abuse legitimate platforms like Cloudflare Workers, while seemingly trustworthy TLDs (.dev, .de) and reassuring keywords (secure, trust, auth) bypass both technical filters and user judgement.
The problem is twofold. Economically, an operator spends hundreds of dollars to cause damage in the millions. Technically, cloud systems are built on the assumption that if you authenticated once, you are trusted for the rest of the session. Operators no longer steal passwords. They steal the session after correct authentication.
Defence requires a radical change: not verifying identity only at the start, but continuously checking behavioural coherence. In practice:
- advanced behavioural analytics (UEBA) for real-time anomaly detection
- continuous controls over geolocation, device, hours, and resources
- a cultural shift that recognises the intrinsic untrustworthiness of even legitimate platforms
Cloud providers must evolve from passive vendors into active security partners, implementing more rigorous verification and optimised takedown procedures.
Kali365 marks a turning point in cybercrime: collapsed entry barriers, minimal costs, infrastructure supplied by legitimate providers, traditional defences systematically circumvented. Only the integration of Zero Trust architectures, shared threat intelligence, and deep cultural change will allow defenders to maintain an adequate posture against this new generation of industrialised threats.