Cybersecurity experts are warning enterprise admins about an increasing number of phishing campaigns aimed at stealing Microsoft 365 (M365) access tokens to bypass multifactor authentication login protection.

Phishing kits aimed at capturing M365 tokens aren’t new; some reports say these kits have been around since 2021. One of the latest is EvilTokens, which researchers at Sekoia say has been circulating since February. And earlier this month, Microsoft also issued a warning about other adversary-in-the middle phishing schemes that steal authentication tokens, and, separately, about campaigns that exploit OAuth protocol functionality to manipulate URL redirection to bypass conventional phishing defenses.

Lowers the barrier to entry

But, said the US Federal Bureau of Investigation (FBI) in a warning last week, the new Kali365 phishing-as-a-service platform “lowers the barrier of entry, providing less technical attackers access to AI-generated phishing lures, automated campaign templates, real-time targeted individual/entity tracking dashboards, and OAuth token capture capabilities.”

It’s increasingly being leveraged by threat actors. On April 24, for example, security vendor Arctic Wolf said that it had detected a large-scale device code phishing campaign impacting organizations that was run by a threat actor using the Kali365 service. Four days later, researchers at Gurucul issued a similar warning, adding the new Kali365 kit “is rapidly becoming a preferred weapon” of threat actors. Both Kali365 and EvilTokens platforms trick employees into entering a code on a legitimate Microsoft login page that allows attackers to steal OAuth tokens.

But, Gurucul warned CSOs, “[Kali365] signals a shift toward highly professionalized attack models.” The researchers noted, “This is not just a single hacker working in isolation. Instead, it is a full-scale commercial operation. It is designed to lower the barrier for entry for criminals globally. By providing a ready-made infrastructure for deception, this kit places sophisticated capabilities in the hands of novice attackers.”

Move beyond MFA as a ‘checklist item’

CSOs should take the warnings as a reminder that phishing detection lessons are an essential part of security awareness training for all employees.

The FBI caution “[also] reminds us that multifactor authentication is no longer the single step that must be present for protection,” said Robert Beggs, CEO of Canadian incident response firm Digital Defence.

“Organizations have to move beyond having it as a ‘checklist item’ and instead focus on a defense in depth approach. Organizations have to block or tightly restrict Microsoft’s OAuth device code authentication flow using Conditional Access. Additional controls include revoking OAuth tokens proactively, monitoring for unauthorized device registrations, and monitoring to detect new or malicious inbox rules.”

Professional attack model

The Kali365 service provides templates, management dashboards, and integrated tools that lower the skill barrier for implementing large-scale attacks to the threat actor subscribing to it. Subscriptions start at $250 for 30 days and go up to $2,000 for 365 days.

Once signed up, Arctic Wolf said, Kali365 affiliates can rapidly generate branded phishing lures impersonating common enterprise services such as Adobe Acrobat Sign, DocuSign, and SharePoint. The service includes a modular lure‑generation system that allows threat actors to produce hundreds of distinct variants by mixing language localization, presentation layout, Microsoft‑ecosystem impersonations, and multiple document formats in English, Spanish, French, German, Portuguese, Italian, Dutch, Japanese, Korean, Chinese, Arabic, Turkish, Polish, and Russian.

Beggs noted that the use of AI generated phishing lures, assuming the AI has been properly trained against the client business and supplied with the correct cultural contexts, results in trustworthy-appearing documents that are difficult to identify and block in a large-scale attack.

Subscribers can take advantage of eight hard-coded email templates, with subject lines like “Voicemail from [with room for a name]”, “Signature Required,” “Invoice #INV,”, “Document Shared,” and “Account notification for [with room for an email address].”

Arctic Wolf said it has also seen cases where, after gaining initial access, the threat actor created malicious inbox rules within Microsoft 365, configuring rules that automatically moved emails containing keywords such as “spam,” “phish,” “click,” “link,” and “SharePoint” to a separate folder and marked them as read. This behavior effectively suppressed security-related notifications and warnings to the user, enabling the threat actor to maintain access while reducing the likelihood of detection.

In device code mode, victims are redirected to an obfuscated landing page that is designed to only render in a real browser session. Upon page load, the Kali365 backend dynamically generates a legitimate Microsoft OAuth device code.

According to the FBI, the attack then works like many other phishing scams: An attacker sends a phishing email with a message that includes a link to a legitimate Microsoft verification page, and instructions to enter the generated code. This code authorizes the attacker’s device to access the victim’s account. The Kali365 backend then captures OAuth access and refresh tokens, giving the threat actor access to the targeted individual’s/entity’s Microsoft 365 account, including Outlook, Teams, and OneDrive, until the compromise is detected and the tokens revoked. Using those tokens, the attacker doesn’t need to enter a password or complete any additional MFA challenges.

In some cases, Arctic Wolf added, following token acquisition, the threat actor would use the authenticated session to register an additional device within the victim’s Microsoft environment. This step extended access beyond the initial token by establishing a trusted device association tied to the compromised account.

Mitigation

In its alert, the FBI urged Microsoft 365 admins to restrict device code flow, since limiting or blocking device authentication codes can help prevent or minimize this style of attack. They should also create conditional access policies to block device code flow for all users, with limited exceptions for required business processes; audit existing device code flow usage to identify legitimate dependencies before creating a conditional access policy; and block authentication transfer policies to prevent users from transferring authentication from computers to mobile devices.

If an admin cannot completely restrict device code flow usage, the FBI says they should exclude emergency access accounts to prevent lockouts.

Christopher Kayser, CEO at Cybercrime Analytics and author of the book Cybercrime Through Social Engineering, said IT departments must find ways to reinforce to employees that they should not be quick to click on communications that seem unusual or potentially fraudulent. And it’s not just ordinary employees who can be hit by phishing scams, he pointed out. Higher levels of management with authority to transfer funds are targeted by business email compromise (BEC) scams.

Typically, he added, when signing into M365, users aren’t asked to input a code; they should be reminded that an email that asks for a code should be a red flag that triggers a call to the IT department.

Identity-centric security is key

Fritz Jean-Louis, principal cybersecurity advisor at Info-Tech Research Group, said defenders should shift to identity-centric security and treat phishing primarily as an identity compromise risk.

This not only means enforcing phishing-resistant MFA through passkeys or other FIDO2 approved login measures, but also strengthening session controls, and monitoring for anomalous authentication behavior, including token misuse and suspicious OAuth activity.

Admins should also adopt continuous access evaluation, moving beyond point-in-time authentication by dynamically assessing user and device risk throughout active sessions, enabling real-time response to evolving threats.

In addition, responders should leverage behavioral signals by measuring activity and encouraging users to report suspect behavior, and incorporating human telemetry, such reporting speed and interaction patterns, into detection strategies.

Jean-Louis said admins also need to reduce their organization’s blast radius by implementing stronger outbound monitoring, automated containment triggers, and tighter controls on account misuse, to limit lateral spread.

Finally, he recommended that admins segment high-risk users and functions by applying enhanced security controls and providing isolated environments for executives, finance, and privileged IT roles.