Security Experts Caution MFA Alone Can No Longer Stop Threat Actors


CSO Online, May 26, 2026

Why It Matters

Token‑based compromises give adversaries persistent, password‑less access to critical SaaS data, jeopardizing enterprise confidentiality and continuity despite MFA deployment.

Key Takeaways

  • Kali365 offers AI‑generated phishing kits for as little as $250/month
  • OAuth device‑code tokens let attackers bypass MFA and access Outlook, Teams, OneDrive
  • FBI advises blocking or tightly restricting Microsoft’s device‑code flow via Conditional Access
  • Identity‑centric security, passkeys, and continuous session evaluation are essential defenses

Pulse Analysis

The rise of token‑stealing phishing marks a shift from traditional credential theft to sophisticated identity abuse. While MFA remains a cornerstone of security, attackers have turned to Microsoft’s OAuth device‑code flow, a legitimate authentication method, to harvest access and refresh tokens. Services like EvilTokens, circulating since 2021, and the newer Kali365 platform—marketed as a phishing‑as‑a‑service kit—automate the creation of convincing, AI‑driven lures in dozens of languages. By tricking users into entering a device code on a genuine Microsoft page, threat actors capture tokens that grant unfettered access to M365 services without ever prompting for a password or additional MFA factor.

Technical abuse of the device‑code flow is alarmingly efficient. Once the token is captured, attackers can read emails, download files, and even set malicious inbox rules that suppress security alerts, extending their foothold. Kali365 subscriptions start at $250 for a 30‑day trial and climb to $2,000 for a full year, making advanced capabilities affordable for low‑skill actors. The service bundles modular templates, real‑time dashboards, and AI‑generated documents that mimic corporate communications, dramatically lowering the barrier to launch large‑scale campaigns against enterprises worldwide.

Mitigation now requires a layered, identity‑centric approach. The FBI and Microsoft recommend blocking or tightly restricting the device‑code flow through Conditional Access policies, allowing exceptions only for verified business processes. Organizations should also implement proactive token revocation, monitor for anomalous OAuth activity, and enforce phishing‑resistant MFA such as passkeys or FIDO2. Continuous access evaluation—assessing risk throughout a session—and segmentation of high‑privilege accounts further limit blast radius. By moving beyond MFA as a checklist item and integrating these controls, enterprises can restore confidence in their cloud identity security posture.
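To make the monitoring and revocation advice concrete, the following is an added example, not code from the CSO article, the FBI or Microsoft: it triages constructed Entra ID sign-in records for successful device-code authentications that fall outside an approved exception list and names the users whose refresh tokens should be revoked. Field names are assumed to follow the Microsoft Graph signIn resource; the sample users, IPs and countries are invented.

```python
"""Triage Entra ID sign-in records for OAuth device-code authentications.
Constructed sample data, not real logs: field names follow the Microsoft Graph
signIn resource; users, IPs and locations are invented for this example."""

SAMPLE_SIGNINS = [
    # Successful device-code sign-in from abroad, no Conditional Access applied: revoke
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "NL"}, "resourceDisplayName": "Office 365 Exchange Online",
     "conditionalAccessStatus": "notApplied", "status": {"errorCode": 0}},
    # Approved kiosk account using device code from the home country under a policy exception: allowed
    {"userPrincipalName": "lobby-display@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.9", "location": {"countryOrRegion": "US"}, "resourceDisplayName": "Microsoft Teams",
     "conditionalAccessStatus": "success", "status": {"errorCode": 0}},
    # Device-code attempt blocked by Conditional Access (AADSTS53003): no token issued, nothing to revoke
    {"userPrincipalName": "carol@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.44", "location": {"countryOrRegion": "BR"}, "resourceDisplayName": "Office 365 Exchange Online",
     "conditionalAccessStatus": "failure", "status": {"errorCode": 53003}},
]

HOME_COUNTRIES = {"US"}
# Accounts verified to need the device-code flow (the "verified business processes" exception)
APPROVED_DEVICE_CODE_ACCOUNTS = {"lobby-display@example.com"}

def triage_device_code(records, home=HOME_COUNTRIES, approved=APPROVED_DEVICE_CODE_ACCOUNTS):
    """Return findings for successful device-code sign-ins outside the approved exception."""
    findings = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        if r.get("status", {}).get("errorCode", 0) != 0:
            continue  # blocked or failed sign-in: no access/refresh token was issued
        reasons = []
        if r["userPrincipalName"] not in approved:
            reasons.append("account not approved for device-code flow")
        if r.get("location", {}).get("countryOrRegion") not in home:
            reasons.append("sign-in from outside home countries")
        if r.get("conditionalAccessStatus") != "success":
            reasons.append("no Conditional Access policy applied")
        if reasons:
            findings.append({"user": r["userPrincipalName"], "ip": r["ipAddress"],
                             "resource": r["resourceDisplayName"], "reasons": reasons})
    return findings

def revocation_targets(findings):
    """Users to revoke via Graph POST /users/{id}/revokeSignInSessions, which invalidates refresh tokens."""
    return sorted({f["user"] for f in findings})
```

Feed the function the output of a Graph sign-in log query instead of the constructed list to use it against real data; the same three checks map directly to the article's advice on policy exceptions, anomalous OAuth activity and token revocation.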
