Kali365, a phishing-as-a-service platform previously flagged by the FBI for bypassing Microsoft 365 MFA, has significantly expanded its targets to include AWS, Okta, Xerox DocuShare, and major Russian platforms such as MAX Messenger, Mail.ru, and Yandex. The platform exploits **device code phishing**, abusing OAuth 2.0 authentication workflows to capture access tokens after tricking victims into completing login steps on behalf of attackers — rendering MFA ineffective as a defence. Security researchers at Arctic Wolf identified 126 active malicious hosts in May 2026, highlighting Kali365's growing scale and the broader surge in device code phishing kits, of which at least 14 are now available to threat actors.
