Tags: phishing, device code phishing, OAuth, MFA bypass, threat intelligence

Kali365 Phishing Kit Graduates From Microsoft Nuisance to Multi-Platform Menace

Kali365, a phishing-as-a-service platform previously flagged by the FBI for bypassing Microsoft 365 MFA, has significantly expanded its targets to include AWS, Okta, Xerox DocuShare, and major Russian platforms such as MAX Messenger, Mail.ru, and Yandex. The platform exploits **device code phishing**, abusing OAuth 2.0 authentication workflows to capture access tokens after tricking victims into completing login steps on behalf of attackers — rendering MFA ineffective as a defence. Security researchers at Arctic Wolf identified 126 active malicious hosts in May 2026, highlighting Kali365's growing scale and the broader surge in device code phishing kits, of which at least 14 are now available to threat actors.

The phishing-as-a-service platform Kali365 has had a busy few months. Once known primarily for helping less-skilled attackers harvest Microsoft 365 tokens and sidestep MFA, it has quietly expanded into something considerably more dangerous.

According to research published this week by Arctic Wolf, the platform now targets AWS, Okta, Xerox DocuShare, and a clutch of Russian consumer services including Mail.ru, Yandex Disk, and Odnoklassniki. The most eyebrow-raising addition is MAX Messenger, a Russian state-backed messaging app with over 80 million users that Moscow has been actively promoting as its homegrown national messaging service.

That last target is worth pausing on. A phishing operation that can compromise MAX accounts at scale has a direct line into one of the largest Russian-language communication networks in existence. Arctic Wolf noted that account takeovers on MAX could enable propagation across that entire user base. That is not a trivial capability.

Kali365 runs on device code phishing, a technique that is deceptively simple and annoyingly effective. The attack exploits OAuth 2.0's device authorization flow, the same mechanism that lets you log into Netflix on a smart TV by typing a code into your phone. Attackers generate a legitimate-looking device code, then trick a victim into entering it via a phishing email dressed up as a shared OneDrive document or a security alert. The victim authenticates normally, completes any MFA prompt, and in doing so hands the attacker a valid access token. No credentials stolen. No MFA bypassed. The victim just did all the work themselves.

This is why the FBI issued a public warning about Kali365 last month. The bureau highlighted the platform's AI-generated phishing lures, automated campaign templates, real-time tracking dashboards, and OAuth token capture. In short, it has industrialised an attack that used to require genuine technical skill.

Arctic Wolf's researchers traced the platform's live command-and-control infrastructure and identified 126 active malicious hosts operating between early and late May, all running the same kit. The impersonated brands span Microsoft Outlook, Microsoft Live, Okta SSO, GMX, and Amazon Web Services naming conventions, alongside the Russian platforms. That breadth signals a deliberate shift away from being a Microsoft-specialist tool toward something that can go after enterprise identities almost anywhere.

Kali365 is not alone in this space. Push Security recently reported a sharp spike in device code phishing activity, with at least 14 such kits now circulating. Some are existing phishing-as-a-service operations bolting on device code functionality; others are built from scratch with it as the core feature. Tycoon2FA, Venom, and CYB3R are among the others currently tracked.

The defensive problem here is awkward. The obvious fix, blocking device code logins entirely, would cause genuine disruption in many environments where developers and technical users depend on the flow. Some platforms do not even offer the controls needed to restrict it. Security teams are essentially being asked to mitigate an attack that exploits legitimate authentication infrastructure, using tools that often do not exist yet.
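Where the flow cannot be blocked outright, the practical fallback is to watch for it. The following is an added example (not from the article, Arctic Wolf, or any kit analysed) of review logic run over constructed sign-in records: it flags device-code sign-ins for accounts not expected to use the flow, and device-code sign-ins whose source IP never appears in the user's interactive sign-ins. The record layout, the `deviceCode` protocol label, and the allow-list are assumptions modelled on Entra-style sign-in logs.

```python
"""Flag OAuth device-code sign-ins that fall outside a user's normal pattern.

Added example, not code from the article. Record fields are an assumption
modelled on Entra-style sign-in logs; all records below are constructed.
"""
from collections import defaultdict

# Constructed sample sign-in records (not real log data).
SIGN_INS = [
    {"user": "alice@example.com", "protocol": "oAuth2", "ip": "203.0.113.10", "app": "Outlook"},
    {"user": "alice@example.com", "protocol": "oAuth2", "ip": "203.0.113.10", "app": "Teams"},
    {"user": "alice@example.com", "protocol": "deviceCode", "ip": "198.51.100.7", "app": "Office"},
    {"user": "bob@example.com", "protocol": "deviceCode", "ip": "203.0.113.22", "app": "CLI tool"},
    {"user": "bob@example.com", "protocol": "oAuth2", "ip": "203.0.113.22", "app": "Outlook"},
]

# Accounts that legitimately use the device flow (headless/CLI users); assumed allow-list.
DEVICE_FLOW_ALLOWED = {"bob@example.com"}


def baseline_ips(records):
    """Map each user to the set of IPs seen in their non-device-code sign-ins."""
    seen = defaultdict(set)
    for r in records:
        if r["protocol"] != "deviceCode":
            seen[r["user"]].add(r["ip"])
    return seen


def flag_device_code_signins(records, allowed=DEVICE_FLOW_ALLOWED):
    """Return (record, reasons) for every device-code sign-in that merits review."""
    baseline = baseline_ips(records)
    findings = []
    for r in records:
        if r["protocol"] != "deviceCode":
            continue
        reasons = []
        if r["user"] not in allowed:
            reasons.append("user not expected to use the device code flow")
        # The token is issued to whichever client polled for it; an IP the user has
        # never signed in from interactively is a strong review signal.
        if r["ip"] not in baseline[r["user"]]:
            reasons.append("token issued to an IP never seen in interactive sign-ins")
        if reasons:
            findings.append((r, reasons))
    return findings


if __name__ == "__main__":
    for rec, why in flag_device_code_signins(SIGN_INS):
        print(rec["user"], rec["ip"], "->", "; ".join(why))
```

With the constructed data only Alice's device-code sign-in is flagged, on both counts; Bob's is expected and comes from his usual address.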

Security awareness training is the standard recommendation, and it applies here, but it only goes so far when the phishing lures are AI-generated and the login pages are genuine.