Microsoft 365 Users Targeted by New Phishing Threat that Bypasses MFA

Help Net Security, May 22, 2026

Why It Matters

By sidestepping MFA, these attacks undermine a core security control, exposing enterprises to long‑term data breaches and to persistence that no longer depends on the victim's password. The rise of low‑skill, Telegram‑based PhaaS lowers the barrier for widespread, sophisticated phishing campaigns.

Key Takeaways

  • Kali365 sells AI‑generated phishing kits through Telegram
  • Device‑code phishing captures OAuth tokens, bypassing MFA
  • Attack grants continuous access to Outlook, Teams, OneDrive
  • FBI warns low‑skill criminals can launch sophisticated campaigns
  • EvilTokens adds competing PhaaS tools, expanding threat ecosystem

Pulse Analysis

The emergence of Kali365 marks a shift in phishing tactics from credential theft to token hijacking. Leveraging device‑code flows, the service tricks users into authorizing a malicious app on a legitimate Microsoft verification page, then siphons OAuth access and refresh tokens. Because these tokens act as bearer credentials, attackers can maintain uninterrupted access to Microsoft 365 services even after the user changes passwords or re‑enrolls MFA, rendering traditional password‑centric defenses ineffective.

From a technical standpoint, the stolen tokens provide a foothold that bypasses network‑level controls and can be used to download emails, exfiltrate files, or impersonate users in Teams chats. Detection is challenging because the authentication exchange appears legitimate to Microsoft’s logs, and the tokens can be refreshed indefinitely unless revoked. Enterprises must therefore augment monitoring with token‑usage analytics, enforce conditional access policies that limit token lifetimes, and adopt real‑time anomaly detection for unusual device‑code activities.
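As an added example (not code from the article or from Help Net Security), the anomaly check described above applied to constructed Microsoft Entra ID sign-in records: every device-code sign-in is surfaced, and it is escalated when the same user's tokens are then used from a different country within a short window. The field names (`authenticationProtocol`, `location.countryOrRegion`) are assumed from the Microsoft Graph signIn resource; verify them against your own tenant's export.

```python
"""Detection heuristics for device-code phishing in Entra ID sign-in logs."""
import json
from datetime import datetime, timedelta

# Constructed sample, shaped like Microsoft Graph signIn objects (only the fields
# used here; field names are an assumption to check against a real export).
# alice completes a device-code sign-in from NL and her tokens are used minutes
# later from another country; carol's device-code sign-in is followed by nothing odd.
SAMPLE_LOGS = """\
{"createdDateTime": "2026-05-20T08:02:10Z", "userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.7", "location": {"countryOrRegion": "NL"}}
{"createdDateTime": "2026-05-20T08:05:44Z", "userPrincipalName": "alice@example.com", "authenticationProtocol": "none", "appDisplayName": "Microsoft Office", "ipAddress": "198.51.100.23", "location": {"countryOrRegion": "RU"}}
{"createdDateTime": "2026-05-20T09:15:00Z", "userPrincipalName": "bob@example.com", "authenticationProtocol": "authorizationCode", "appDisplayName": "Microsoft Teams", "ipAddress": "203.0.113.9", "location": {"countryOrRegion": "NL"}}
{"createdDateTime": "2026-05-20T10:00:00Z", "userPrincipalName": "carol@example.com", "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.11", "location": {"countryOrRegion": "NL"}}
{"createdDateTime": "2026-05-20T10:20:00Z", "userPrincipalName": "carol@example.com", "authenticationProtocol": "none", "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.11", "location": {"countryOrRegion": "NL"}}
"""


def parse_signins(text):
    """Parse newline-delimited JSON sign-in records and return them sorted by time."""
    records = [json.loads(line) for line in text.splitlines() if line.strip()]
    for r in records:
        r["_ts"] = datetime.fromisoformat(r["createdDateTime"].replace("Z", "+00:00"))
    return sorted(records, key=lambda r: r["_ts"])


def find_suspicious_device_code(records, window=timedelta(hours=1)):
    """Report every device-code sign-in; mark it high severity when the same user
    is seen from a different country within `window` afterwards, i.e. the tokens
    are being redeemed somewhere other than where the code was entered."""
    alerts = []
    for i, r in enumerate(records):
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        user, origin = r["userPrincipalName"], r["location"]["countryOrRegion"]
        foreign = [
            f for f in records[i + 1:]
            if f["userPrincipalName"] == user
            and f["_ts"] - r["_ts"] <= window
            and f["location"]["countryOrRegion"] != origin
        ]
        alerts.append({
            "user": user,
            "time": r["createdDateTime"],
            "app": r["appDisplayName"],
            "severity": "high" if foreign else "low",
            "follow_on_ips": sorted({f["ipAddress"] for f in foreign}),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_device_code(parse_signins(SAMPLE_LOGS)):
        print(alert)
```

Low-severity hits are still worth reviewing against the applications that legitimately use device-code flow in your environment (CLI tools, headless devices); a Conditional Access policy blocking the flow where it is not needed removes the noise entirely.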

The FBI’s advisory underscores a broader trend: cybercriminals are commoditizing sophisticated phishing infrastructure on platforms like Telegram, lowering the entry barrier for less‑technical actors. Organizations should prioritize user education on device‑code phishing, enforce MFA with phishing‑resistant methods such as hardware security keys, and implement rapid token revocation procedures. As PhaaS ecosystems mature, a layered security approach that combines technical controls, threat intelligence, and continuous awareness training will be essential to mitigate credential‑free attacks on cloud productivity suites.
