The FBI and Microsoft are warning organisations about a growing wave of Kali365 device-code phishing attacks targeting Microsoft 365 and Microsoft Entra ID environments.
Kali365 is a phishing-as-a-service framework designed to abuse Microsoft's legitimate OAuth Device Code Flow authentication process to steal OAuth access and refresh tokens. Unlike traditional phishing, users authenticate through genuine Microsoft login infrastructure, which means:
Once a tenant is compromised, attackers can maintain access across Exchange Online, Outlook, Microsoft Teams, OneDrive, SharePoint Online, and other connected Microsoft 365 services.
Researchers have observed attackers combining AI-generated lures, QR-code campaigns, voice phishing (vishing), and automated token harvesting infrastructure to improve success rates and evade conventional defences.
Because authentication happens through legitimate Microsoft infrastructure, most email security, endpoint protection, and MFA-based controls will not flag the activity as malicious.
Many Microsoft 365 organisations unknowingly leave Device Code Flow authentication broadly accessible across their tenant.
While Device Code Flow is a legitimate Microsoft authentication method commonly used for:
it is often unnecessary for standard workforce authentication scenarios.
Kali365 and similar phishing frameworks exploit this gap by convincing users to enter legitimate Microsoft authentication codes into Microsoft’s own verification process.
Once approved, attackers can:
Device Code Flow abuse is rapidly becoming one of the most commonly exploited Microsoft 365 authentication paths used in modern OAuth phishing campaigns.
Many organisations believe Conditional Access policies already restrict these authentication flows; however, hidden exclusions, policy overlap, authentication edge cases, and configuration drift can still leave unintended authentication exposure.
Where operationally possible, organisations should disable or tightly restrict Device Code Flow authentication across their Microsoft 365 tenant.
This reduces exposure to OAuth phishing, token theft, session hijacking, and MFA bypass-style authentication abuse.
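Because the sign-in itself goes through Microsoft's own infrastructure, the most reliable place to see device-code abuse is the Entra ID sign-in log, which records the authentication protocol used. The Python below is an added example, not Overe's or Microsoft's code: it triages device-code sign-ins from an exported log, escalating successful sign-ins that no Conditional Access policy evaluated. It assumes the Microsoft Graph `signIn` record shape (`authenticationProtocol`, `conditionalAccessStatus`, `status.errorCode`); the log records and the `EXPECTED_DEVICE_CODE_ACCOUNTS` allowlist are constructed for illustration.

```python
"""Triage Device Code Flow sign-ins from an Entra ID sign-in log export.

Added example (not Overe's or Microsoft's code). Field names follow the
Microsoft Graph `signIn` resource as I understand it; the records and the
allowlist below are constructed, not taken from a real tenant.
"""
import json
from collections import defaultdict

# Constructed sample: one JSON record per line, as a Graph export might look.
SAMPLE_SIGNIN_LOG = """
{"userPrincipalName":"alice@example.com","ipAddress":"203.0.113.10","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","conditionalAccessStatus":"notApplied","status":{"errorCode":0}}
{"userPrincipalName":"alice@example.com","ipAddress":"198.51.100.7","appDisplayName":"Microsoft Teams","authenticationProtocol":"oAuth2","conditionalAccessStatus":"success","status":{"errorCode":0}}
{"userPrincipalName":"bob@example.com","ipAddress":"203.0.113.10","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","conditionalAccessStatus":"failure","status":{"errorCode":53003}}
{"userPrincipalName":"room-1@example.com","ipAddress":"192.0.2.5","appDisplayName":"Microsoft Teams Rooms","authenticationProtocol":"deviceCode","conditionalAccessStatus":"success","status":{"errorCode":0}}
"""

# Hypothetical allowlist of accounts where Device Code Flow is expected
# (meeting-room or kiosk hardware); a real one comes from your device inventory.
EXPECTED_DEVICE_CODE_ACCOUNTS = {"room-1@example.com"}


def parse_signins(text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def classify(record):
    """Return a triage label for a device-code sign-in, or None for other protocols."""
    if record.get("authenticationProtocol") != "deviceCode":
        return None
    succeeded = (record.get("status") or {}).get("errorCode", 0) == 0
    ca_status = record.get("conditionalAccessStatus")
    upn = record.get("userPrincipalName", "").lower()
    if not succeeded:
        return "blocked"   # a control stopped it: count it, but no alert needed
    if upn in EXPECTED_DEVICE_CODE_ACCOUNTS:
        return "expected"  # known limited-input hardware
    if ca_status == "notApplied":
        return "high"      # success with no policy evaluated: the gap the text describes
    return "medium"        # success under a policy: review that policy's scope


def find_device_code_signins(text):
    """Group device-code sign-ins by label -> list of (user, source IP, app)."""
    buckets = defaultdict(list)
    for rec in parse_signins(text):
        label = classify(rec)
        if label:
            buckets[label].append(
                (rec["userPrincipalName"], rec["ipAddress"], rec["appDisplayName"])
            )
    return dict(buckets)


if __name__ == "__main__":
    for label, hits in sorted(find_device_code_signins(SAMPLE_SIGNIN_LOG).items()):
        for user, ip, app in hits:
            print(f"[{label:8}] {user} from {ip} via {app}")
```

The records to escalate are the successful device-code sign-ins whose `conditionalAccessStatus` is `notApplied`: the flow completed and no policy was evaluated, which is exactly the exposure the recommendation above closes. The `blocked` bucket is still useful as a count of attempts that a policy caught.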

Overe includes a dedicated Harden control that automatically creates and manages a Conditional Access Policy in Microsoft Entra ID to block Device Code Flow sign-ins.
The control supports:
Overe automates the following across your managed tenants:
The following require MSP or customer review:
Some environments may still require Device Code Flow for Teams Rooms, kiosk systems, meeting room devices, digital signage, or other limited-input hardware. Overe supports intelligent scoped exclusions for these scenarios while reducing broader tenant exposure.

Many organisations assume Conditional Access policies fully restrict risky authentication methods across all authentication pathways.
In reality, hidden exclusions, policy overlap, authentication edge cases, and configuration drift can create unintended authentication exposure.
Overe Conditional Access Assurance (CAA) helps organisations validate whether intended authentication protections are consistently enforced across Microsoft 365 authentication flows, and identifies hidden gaps and bypass opportunities that attackers may exploit.
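The hidden-exclusion and configuration-drift problem described here (and the scoped exclusions for meeting-room hardware mentioned earlier) can be checked directly against the tenant's Conditional Access policies. The Python below is an added example, not Overe's CAA product or Microsoft's code: it audits a list of policy objects for one that actually blocks Device Code Flow tenant-wide and lists anything a reviewer should look at. It assumes the Microsoft Graph `conditionalAccessPolicy` shape as I understand it (`conditions.authenticationFlows.transferMethods`, `grantControls.builtInControls`, the `state` values); the three sample policies are constructed to show a report-only policy, a policy with exclusions, and an MFA policy that does not cover the flow at all.

```python
"""Audit Conditional Access policies for effective Device Code Flow blocking.

Added example (not Overe's or Microsoft's code). Policy objects follow the
Microsoft Graph `conditionalAccessPolicy` shape as I understand it; the
policies and group/user ids below are constructed for illustration.
"""

# Constructed sample tenant with three policies.
SAMPLE_POLICIES = [
    {
        "displayName": "Block Device Code Flow",
        "state": "enabledForReportingButNotEnforced",  # report-only: logs, does not block
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {
        "displayName": "Block risky flows (legacy)",
        "state": "enabled",
        "conditions": {
            "users": {
                "includeUsers": ["All"],
                "excludeUsers": ["breakglass-guid"],              # placeholder ids
                "excludeGroups": ["it-admins-guid", "contractors-guid"],
            },
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {
        "displayName": "Require MFA for all users",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": None,  # no flow condition: MFA alone does not stop this
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
]


def blocks_device_code(policy):
    """True if the policy targets the deviceCodeFlow transfer method with a block grant."""
    flows = (policy.get("conditions") or {}).get("authenticationFlows") or {}
    methods = {m.strip() for m in (flows.get("transferMethods") or "").split(",")}
    controls = (policy.get("grantControls") or {}).get("builtInControls") or []
    return "deviceCodeFlow" in methods and "block" in controls


def audit_device_code_policies(policies):
    """Return (covered, findings).

    covered: some enabled policy blocks deviceCodeFlow for all users and all apps.
    findings: list of (policy name, issue) for a reviewer, including exclusions,
    which are legitimate for meeting-room hardware but must be deliberate.
    """
    findings = []
    covered = False
    for p in policies:
        if not blocks_device_code(p):
            continue
        name = p["displayName"]
        users = p["conditions"].get("users") or {}
        apps = p["conditions"].get("applications") or {}
        enforced = True
        if p.get("state") != "enabled":
            findings.append((name, f"state is {p.get('state')}, not enforced"))
            enforced = False
        if users.get("includeUsers") != ["All"]:
            findings.append((name, "does not include all users"))
            enforced = False
        if apps.get("includeApplications") != ["All"]:
            findings.append((name, "does not include all applications"))
            enforced = False
        exclusions = list(users.get("excludeUsers") or []) + list(users.get("excludeGroups") or [])
        if exclusions:
            findings.append((name, "exclusions present: " + ", ".join(exclusions)))
        covered = covered or enforced
    if not any(blocks_device_code(p) for p in policies):
        findings.append(("<tenant>", "no policy blocks deviceCodeFlow"))
    return covered, findings


if __name__ == "__main__":
    covered, findings = audit_device_code_policies(SAMPLE_POLICIES)
    print("Device Code Flow blocked tenant-wide:", covered)
    for name, issue in findings:
        print(f"  {name}: {issue}")
```

On the sample tenant the legacy policy does give tenant-wide coverage, but only because it is enabled; the better-named policy is still in report-only mode, and every excluded user or group in the enforced policy is a path a device-code lure can still use, so the audit reports them for review rather than silently accepting them.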