Listen to this Post
Introduction:
The Kali365 Phishing-as-a-Service (PhaaS) campaign has rapidly evolved from a Microsoft Entra ID token stealer into a multi-platform threat, now targeting Okta, Xerox DocuShare, and Russia’s state-backed MAX Messenger. By weaponizing the legitimate OAuth 2.0 device authorization flow, Kali365 tricks users into granting attackers full access to their accounts, bypassing passwords and Multi-Factor Authentication (MFA) entirely, as the victim unknowingly authenticates the attacker’s session on an official login page.
Learning Objectives:
– Understand the device code phishing technique and how Kali365 abuses OAuth 2.0 flows to bypass MFA.
– Identify malicious infrastructure and Indicators of Compromise (IoCs) used in the campaign.
– Implement effective detection, mitigation, and response strategies across Microsoft Entra ID, Okta, and other platforms.
You Should Know:
1. Understanding the Device Code Phishing Attack Chain
Device code phishing exploits the OAuth 2.0 Device Authorization Grant (RFC 8628), a legitimate flow designed for input-constrained devices like smart TVs and printers. Kali365 automates this abuse, turning it into a powerful account takeover tool.
Step-by-step guide explaining what this does and how to use it:
The attack unfolds in six distinct phases, as observed by researchers:
1. Attacker Initiates Flow: The attacker uses Kali365 to generate a legitimate device code by sending a request to the `/devicecode` endpoint of a target service (e.g., Microsoft Entra ID).
2. Phishing Lure Delivery: The victim receives a convincing phishing email (e.g., fake payment confirmation, shared document alert) instructing them to visit a legitimate login URL, such as `https://microsoft.com/devicelogin`, and enter a provided code.
3. Victim Authentication: The victim, believing the prompt is legitimate, navigates to the real Microsoft login page, enters the code, and completes their standard authentication, including any MFA challenges.
4. Token Issuance: Microsoft’s identity platform issues an OAuth access token and a refresh token to the attacker’s pre-registered application.
5. Token Exfiltration: The Kali365 control panel polls its C2 server (e.g., `panel[.]securehubcloud[.]com`) every three seconds to detect the newly issued tokens and retrieves them.
6. Attacker Access: The attacker uses the stolen tokens to access the victim’s account (e.g., Outlook, Teams, OneDrive), maintaining persistent access without any further authentication prompts.
2. Detecting Kali365 Compromises via Log Analysis and SIEM Rules
Traditional security controls often miss device code phishing because it uses legitimate authentication paths. Detection relies on identifying anomalous patterns in authentication logs.
Step-by-step guide explaining what this does and how to use it:
Blue teams can hunt for indicators of compromise (IoCs) using SIEM queries, with particular focus on the `User-Agent` string.
PowerShell: Hunt for Device Code Authentication Events in Entra ID Audit Logs
Connect to Exchange Online and Security & Compliance Center
Connect-ExchangeOnline
Connect-IPPSSession
Search the Unified Audit Log for device code authentication activities
Search-UnifiedAuditLog -Operations "UserLoggedIn" -ResultSize 5000 | Where-Object {$_.AuditData -like "DeviceCode"}
Linux (Python): Check for Concurrent Sign-ins from Different User Agents
import requests
import json
Retrieve Entra ID sign-in logs via Microsoft Graph API (requires app registration)
url = "https://graph.microsoft.com/v1.0/auditLogs/signIns"
headers = {'Authorization': 'Bearer <access_token>'}
response = requests.get(url, headers=headers)
sign_ins = response.json()
for log in sign_ins.get('value', []):
client_app = log.get('clientAppUsed', 'N/A')
user_agent = log.get('userAgent', 'N/A')
Look for device code flow and suspicious user agents
if 'deviceCode' in client_app.lower() or 'python-requests' in user_agent.lower():
print(f"[bash] Suspicious sign-in: User: {log.get('userId')}, App: {client_app}, UA: {user_agent}")
You can also leverage the Kali365 default user agent `Kali365-Client/1.0` as a high-fidelity IoC when detected in your logs. Furthermore, Elastic Security provides pre-built detection rules, such as `Entra ID OAuth Device Code Flow with Concurrent Sign-ins`, which identifies a single session being used by both a browser (the victim) and a script (the attacker), a key indicator of device code phishing.
3. How to Mitigate: Blocking the Device Code Flow with Conditional Access
The single most effective mitigation against device code phishing is to disable the OAuth 2.0 device authorization grant flow in your identity provider, especially if it is not required for legitimate use cases within your organization.
Step-by-step guide explaining what this does and how to use it:
The following steps detail how to block the device code flow in Microsoft Entra ID. For Okta, similar controls exist to restrict the device authorization grant.
Microsoft Entra ID (via GUI):
1. Sign in to the Microsoft Entra admin center as a Conditional Access Administrator.
2. Navigate to Protection > Conditional Access > Policies.
3. Click + New policy.
4. Under Assignments > Users, select All users or specific target groups.
5. Under Target resources > Cloud apps, select All cloud apps.
6. Under Conditions > Authentication flows, check Device code flow.
7. Under Access controls > Grant, select Block access.
8. Set Enable policy to Report-only initially to monitor impact, then switch to On.
9. Click Create.
Microsoft Entra ID (via PowerShell):
Import required module
Import-Module AzureAD
Connect to Azure AD
Connect-AzureAD
Get the Authentication Flows Policy
$authFlowsPolicy = Get-AzureADPolicy -Id "AuthenticationFlowsPolicy"
Create a new policy to block device code flow
$policyDefinition = @{
"deviceCodeFlow" = @{
"enabled" = $false
}
} | ConvertTo-Json
$newPolicy = New-AzureADPolicy -Definition @($policyDefinition) -DisplayName "Block Device Code Flow" -Type "AuthenticationFlowsPolicy"
Write-Host "Device code flow has been successfully blocked." -ForegroundColor Green
After applying this policy, any attempt to use the device code flow will be denied by Entra ID, rendering the Kali365 attack chain ineffective.
4. Incident Response: Revoking Stolen Tokens and Securing Compromised Accounts
If a Kali365 compromise is suspected or confirmed, rapid response is crucial to prevent data exfiltration and lateral movement.
Step-by-step guide explaining what this does and how to use it:
1. Revoke Sessions: Immediately revoke all active sessions for the affected user. In Microsoft 365, an administrator can run the following PowerShell command:
Revoke-AzureADUserAllRefreshToken -ObjectId <user-principal-1ame>
This invalidates all refresh tokens, forcing the user and any attacker to re-authenticate.
2. Audit Mailbox Rules: Check for any malicious inbox rules that might be forwarding emails or hiding security alerts, a common post-compromise tactic used in these campaigns.
Get-InboxRule -Mailbox <user-email> | Format-List Name, Description, ForwardTo
3. Review OAuth Applications: Audit consented OAuth applications for any malicious or unknown entries. In the Entra admin center, go to Identity > Applications > Enterprise applications and remove any suspicious apps consented by the user.
4. Reset Credentials: While the primary attack vector was token theft, it is a best practice to have the user reset their password and re-register their MFA methods to ensure no backdoor remains.
5. Hardening Okta Environments Against PhaaS Attacks
With Kali365 expanding its targeting to Okta SSO, administrators must adopt phishing-resistant MFA methods to defend against these adversary-in-the-middle (AitM) and device code phishing techniques.
Step-by-step guide explaining what this does and how to use it:
The most effective defense is to replace weak MFA factors (SMS, voice, OTP) with phishing-resistant authenticators.
Okta Hardening Steps:
1. Enforce Okta FastPass: FastPass combines device trust with biometric verification, making it immune to phishing attacks as it never shares a verifiable credential with a fraudulent site.
2. Deploy FIDO2 Security Keys: Mandate the use of hardware security keys for all administrative and privileged users. FIDO2 is inherently phishing-resistant due to its origin-bound credentials.
3. Configure Global Session Policy: Restrict the device code grant flow in your Okta authorization server if it is not needed. In the Admin Console, navigate to Security > API > Authorization Servers, select the default server, and under Access Policies, create a rule that denies access for the `device_sso` scope for untrusted devices or locations.
4. Monitor Okta System Log: Continuously monitor the Okta System Log for events with the `device_sso` grant type, flagging them for review as they could indicate a device code phishing attempt. Also, look for alerts for `Multiple Device Token Hashes for Single Okta Session`, which may signal session hijacking.
What Undercode Say:
– Key Takeaway 1: Kali365 represents a paradigm shift in phishing, moving from credential theft to token theft by abusing legitimate authentication flows, effectively rendering traditional MFA and secure email gateways (SEGs) obsolete against such attacks.
– Key Takeaway 2: The successful mitigation of device code phishing depends on proactive identity hardening by disabling unnecessary flows (like OAuth device code grant) and adopting phishing-resistant MFA, rather than relying on user awareness alone, as the attack exploits trust in official domains.
Analysis: The rapid expansion of the Kali365 PhaaS platform from a single Microsoft token stealer into a multi-brand operation targeting Okta, AWS, and Russian services demonstrates the commoditization and scalability of advanced phishing techniques. By integrating AI-generated lures, automated infrastructure, and real-time dashboards, the threat actors have significantly lowered the barrier to entry, enabling even low-skill cybercriminals to launch complex, MFA-bypassing campaigns. This underscores a critical industry failure: the widespread misconfiguration of default-enabled OAuth flows and an over-reliance on MFA as an infallible security control. Organizations can no longer afford a “set and forget” security posture; they must adopt a continuous identity security program focused on hardening authentication policies, improving threat detection, and shifting towards phishing-resistant credentials.
Prediction:
– -1 As PhaaS platforms like Kali365 continue to evolve, we predict a surge in targeted attacks against SSO providers like Okta and cloud collaboration tools. Threat actors will increasingly use automation to rapidly pivot across compromised tenants and move laterally, leading to larger-scale data breaches and ransomware incidents.
– -1 The “assumed breach” mindset will become table stakes. Organizations that fail to disable vulnerable OAuth flows or implement continuous identity monitoring will face inevitable account compromises, as the attack surface shifts from endpoint malware to identity-layer abuse.
– +1 In response to this threat, we anticipate accelerated adoption of passwordless, phishing-resistant MFA (e.g., FIDO2 passkeys) and Conditional Access policies as core security standards. The industry will also see innovation in identity threat detection and response (ITDR) solutions designed specifically to combat token-based and OAuth flow abuse, ultimately creating a more resilient authentication ecosystem against these advanced adversarial tactics.
▶️ Related Video (76% Match):
🎯Let’s Practice For Free:
🎓 Live Courses & Certifications:
[Join Undercode Academy for Verified Certifications](https://undercode.co.uk/certifications/)
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[[email protected]](mailto:[email protected])
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
IT/Security Reporter URL:
Reported By: [Varshu25 Kali365](https://www.linkedin.com/posts/varshu25_kali365-phishing-as-a-service-campaign-broadens-share-7468604584685645824-AfnF/) – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
[💬 Whatsapp](https://undercode.help/whatsapp) | [💬 Telegram](https://t.me/UndercodeCommunity)
📢 Follow UndercodeTesting & Stay Tuned:
[𝕏 formerly Twitter 🐦](https://x.com/undercodeupdate) | [@ Threads](https://www.threads.net/@undercodetesting) | [🔗 Linkedin](https://www.linkedin.com/company/undercodetesting/) | [🦋BlueSky](https://bsky.app/profile/undercode.bsky.social)
