Kali365 Unmasked: Why MFA Is Dead and How Attackers Are Walking Straight Into Your Microsoft 365 Tenant + Video

By /

Listen to this Post

Featured Image

Introduction:

The employee did everything right. They received an email, clicked a legitimate-looking link, landed on a real Microsoft login page, and completed multi-factor authentication (MFA). Yet hours later, an attacker was reading their emails, accessing sensitive files, and moving laterally through the business. This isn’t a failure of security awareness—it’s the new reality of identity-based attacks. Kali365, a phishing-as-a-service (PhaaS) platform first observed in April 2026 and flagged by the FBI, has industrialized the bypass of MFA by stealing OAuth tokens and session cookies rather than passwords, rendering traditional authentication controls obsolete. For Managed Service Providers (MSPs) protecting multiple tenants, the threat is amplified: attackers don’t need to break in—they just need to be invited.

Learning Objectives:

  • Understand how Kali365’s device code phishing and AiTM “Cookie Link” modes bypass MFA without stealing credentials
  • Learn to detect token theft and session replay attacks using Microsoft Entra ID sign-in logs and Conditional Access policies
  • Implement technical mitigations including blocking device code flow, auditing authentication transfers, and deploying phishing-resistant authentication
  1. The Death of the Click: Why Traditional Phishing Defenses Fail

For years, security training hammered one message into employees: check the sender address, look for typos, and never give away your password. Kali365 renders this advice obsolete. The platform doesn’t steal passwords—it steals what actually matters: active session tokens.

When a Kali365 attack unfolds, the victim never encounters a fake login page. Instead, the attacker positions a malicious server as a proxy between the employee and the legitimate Microsoft 365 service. The user logs in through the proxy, completes MFA, and the real server issues an active session token—which the proxy intercepts. With that token, the attacker drops it into a browser and instantly assumes the employee’s identity, gaining unrestricted access to internal communications, source code, and cloud databases.

The attack chain is deceptively simple:

  1. Lure: An AI-generated phishing email impersonates a trusted service like Adobe Acrobat Sign, DocuSign, or SharePoint
  2. Authorization: The victim navigates to Microsoft’s real device-login page and enters an attacker-generated code
  3. Token Theft: The attacker captures OAuth access and refresh tokens
  4. Persistence: The attacker accesses Outlook, Teams, and OneDrive without a password or additional MFA challenges

What makes Kali365 particularly dangerous is its accessibility. For $250 per month, paid in cryptocurrency, even low-skilled attackers gain access to AI-generated phishing lures, automated campaign templates, real-time victim tracking dashboards, and OAuth token capture capabilities.

  1. Kali365’s Two Attack Modes: Device Code Phishing and Cookie Link

Kali365 offers two distinct attack modes, both designed to achieve the same outcome: persistent, password-free access to Microsoft 365 environments.

Device Code Phishing exploits Microsoft’s legitimate OAuth 2.0 Device Authorization Grant flow—a feature originally designed for input-limited devices like smart TVs, printers, and IoT hardware. The attacker initiates the device authorization process to generate a code, then tricks the target into entering it on Microsoft’s real device-login page. When the victim completes MFA, Microsoft issues an OAuth access token that grants the attacker full access without requiring any further authentication. The refresh token can keep attackers inside the environment indefinitely.

Cookie Link (AiTM Mode) is the stealthier, more advanced variant. Kali365 provisions a dedicated Cloudflare Worker that functions as a transparent reverse proxy. When the victim clicks the phishing link, their entire browser session routes through the attacker’s infrastructure. The proxy forwards requests to the real Microsoft login page and beams responses back to the victim, who authenticates normally. Session cookies and related artifacts are captured during this process and stored in the Kali365 attacker panel. Attackers can then generate scripts to replay those sessions in their own environment, effectively borrowing the genuine user’s session.

Post-compromise behavior is automated and stealthy. Attackers create inbox rules to suppress security alerts and can register new devices in the victim’s environment, extending their foothold beyond the initial token.

  1. Detecting Token Theft and Session Replay in Microsoft Entra ID

Traditional security tools operate in silos—email tools see the email, identity tools see the login, and endpoint tools see the device. The attacker sees the whole picture. To detect Kali365-style attacks, security teams must look for behavioral anomalies across the authentication lifecycle.

Key Detection Techniques:

Query Entra ID sign-in logs for token replay indicators. Look for non-interactive sign-ins to SharePoint Online via the Microsoft Authentication Broker application using a refresh token or Primary Refresh Token (PRT)—this may indicate token replay attacks or OAuth abuse. Detect cases where a user signs in and subsequently accesses Microsoft Graph from a different IP address using the same session ID within a short time window.

Azure CLI Command to Query Sign-in Logs:

az monitor activity-log list --resource-group <resource-group> --query "[?contains(operationName.value, 'Sign-in')]"

PowerShell – Query Entra ID Sign-in Logs for Suspicious Activity:

Connect-MgGraph -Scopes "AuditLog.Read.All"
Get-MgAuditLogSignIn -Filter "appDisplayName eq 'Microsoft Authentication Broker'" | 
Where-Object {$_.AuthenticationRequirement -eq 'singleFactorAuthentication'} |
Select-Object UserPrincipalName, IpAddress, ClientAppUsed, AuthenticationRequirement, CreatedDateTime

Enable Token Protection (Preview) in Microsoft Entra ID to bind tokens to the device they were issued on, making token replay significantly harder.

Configure Entra ID Identity Protection alerts for device code phishing and risky sign-in behaviors.

KQL Query for Token Replay Detection (Microsoft Sentinel):

SigninLogs
| where AuthenticationRequirement == "singleFactorAuthentication"
| where ClientAppUsed == "Browser"
| where ResourceDisplayName == "Microsoft Graph"
| summarize SignInCount = count(), IPs = make_set(IPAddress) by UserPrincipalName, SessionId
| where array_length(IPs) > 1
| project UserPrincipalName, SessionId, IPs, SignInCount
  1. Blocking Device Code Flow: The Most Direct Mitigation

The FBI’s primary recommendation is to restrict or completely block device code authentication flows using Conditional Access policies. If the flow is blocked, no device code can be redeemed and no access token can be issued, regardless of how convincing the phishing lure is.

Step-by-Step: Block Device Code Flow via Microsoft Entra Admin Center

  1. Sign in to the Microsoft Entra admin center as a Conditional Access Administrator
  2. Navigate to Protection > Conditional Access > Policies

3. Select + New policy

  1. Under Users, select All users (or create an exception group for legitimate dependencies)
  2. Under Target resources > Cloud apps, select All cloud apps
  3. Under Conditions > Authentication flows, check Device code flow and set to Block
  4. Under Access controls > Grant, select Block access

8. Enable the policy and select Create

PowerShell – Create Conditional Access Policy to Block Device Code Flow:

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"
$params = @{
displayName = "Block Device Code Flow"
state = "enabled"
conditions = @{
users = @{
includeUsers = @("all")
}
applications = @{
includeApplications = @("all")
}
authenticationFlows = @{
includeAuthenticationFlows = @("deviceCode")
}
}
grantControls = @{
operator = "OR"
builtInControls = @("block")
}
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $params

Critical Pre-Implementation Steps:

  • Audit existing device code flow usage to identify legitimate dependencies before creating the policy
  • Exclude emergency access accounts to prevent lockouts
  • Block authentication transfer policies to prevent users from transferring authentication from computers to mobile devices

Testing Device Code Flow Block:

 This command will fail if the policy is correctly applied
Connect-Entra -UseDeviceCode
 Expected result: Access denied due to Conditional Access policy

5. Phishing-Resistant Authentication and Zero-Trust Identity

MFA alone is no longer sufficient protection against phishing. Organizations must transition to phishing-resistant authentication methods such as FIDO2 passkeys, which are immune to AiTM proxy attacks because the authentication challenge is bound to the specific session and cannot be proxied.

Deploy FIDO2 Security Keys in Microsoft Entra ID:

  1. Navigate to Microsoft Entra admin center > Protection > Authentication methods > Policies

2. Select FIDO2 security keys

  1. Set Enable to Yes and select target users

4. Configure Key restrictions (allow only FIDO2-compliant keys)

Azure CLI – Enable FIDO2 Authentication:

az rest --method PATCH --uri "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/FIDO2" --body '{"@odata.type":"microsoft.graph.fido2AuthenticationMethodConfiguration","state":"enabled","isAttestationEnforced":true}'

Implement Conditional Access Policies for Phishing-Resistant Auth:

  • Require phishing-resistant authentication for all privileged roles
  • Require hybrid-joined or compliant devices for access to sensitive applications
  • Implement Continuous Access Evaluation (CAE) to instantly revoke access when risk is detected

Monitor for Authentication Transfer Attempts:

 Query for authentication transfer events
Get-MgAuditLogSignIn -Filter "AuthenticationRequirement eq 'multiFactorAuthentication'" |
Where-Object {$_.DeviceDetail.OperatingSystem -match "iOS|Android"} |
Select-Object UserPrincipalName, AppDisplayName, DeviceDetail, CreatedDateTime

6. Unified Defense: Connecting the Dots Across Silos

Modern attacks don’t live in one system, and neither should defenses. Email tools see the email, identity tools see the login, endpoint tools see the device, and data tools see the data—but the attacker sees the whole picture. MSPs need a unified data fabric that connects signals across email, identity, endpoint, and cloud activity, turning disconnected events into actionable detection and response.

Key Components of Unified Defense:

  • Identity-Centric Detection: Correlate signals across vectors—stolen credentials remain among the top entry points for breaches
  • Attack Chain Correlation: Link identity signals with endpoint and security data to reveal full attack paths
  • Cross-Domain Context: Enrich investigations with telemetry across endpoints, identity activity, email, networks, cloud, and productivity environments
  • Automated Incident Summaries: Generate human-readable insights for faster investigation and response

Linux Command – Monitor for Suspicious Authentication Patterns (using jq):

 Parse Entra ID sign-in logs (exported as JSON) for token replay indicators
cat entra_signin_logs.json | jq '.value[] | select(.authenticationRequirement == "singleFactorAuthentication" and .clientAppUsed == "Browser") | {user: .userPrincipalName, ip: .ipAddress, sessionId: .sessionId, time: .createdDateTime}'

Windows Command – Query Event Logs for Suspicious Logins:

 Check for logins from unusual locations or at unusual times
Get-WinEvent -LogName Security | Where-Object { $<em>.Id -eq 4624 -and $</em>.TimeCreated -gt (Get-Date).AddHours(-24) } | ForEach-Object { 
$<em>.Properties | Select-Object @{N='User';E={$</em>.Value}} 
}

What Undercode Say:

  • The click is no longer the problem. Kali365 demonstrates that users can do everything right—click a legitimate link, authenticate with MFA, and still get compromised. The real damage happens after MFA passes, when one authenticated session becomes lateral movement.

  • Siloed security tools are failing. Email tools see the email, identity tools see the login, and endpoint tools see the device—but the attacker sees the whole picture. MSPs need unified visibility that correlates signals across vectors to detect attacks that span multiple systems.

Analysis: Kali365 represents a fundamental shift in the threat landscape. The platform has industrialized what was once a sophisticated, resource-intensive attack technique, making it accessible to any attacker willing to pay $250 per month. The FBI’s public warning and the platform’s subsequent “shutdown” (which was theater—operations continued under rebranded names) highlight the challenge defenders face. The threat is compounded by Kali365’s expansion beyond Microsoft 365 to target Okta, MAX Messenger, and other platforms. For MSPs, the implications are clear: protecting client environments requires a shift from password-centric and MFA-centric controls to identity-centric, behavioral detection that can identify and respond to token theft and session replay in real time. The days of relying on MFA as a silver bullet are over.

Prediction:

  • +1 Kali365’s success will accelerate the adoption of phishing-resistant authentication methods like FIDO2 passkeys across enterprise and MSP-managed environments, reducing the attack surface for token theft attacks.

  • -1 The PhaaS model demonstrated by Kali365 will proliferate, with more threat actors offering turnkey token-theft kits at increasingly lower prices, expanding the pool of attackers capable of executing sophisticated AiTM attacks.

  • -1 Organizations that fail to block device code flow and implement behavioral detection will experience a significant increase in account takeovers, as attackers shift their focus from password theft to session token theft.

  • +1 The rise of token theft will drive consolidation in the security market, forcing vendors to deliver unified platforms that correlate identity, endpoint, email, and cloud signals—benefiting MSPs who adopt integrated security architectures.

  • -1 Kali365’s expansion to target Okta and other identity providers indicates that token theft attacks will become platform-agnostic, forcing organizations to extend defenses beyond Microsoft 365 to all federated identity systems.

▶️ Related Video (74% Match):

https://www.youtube.com/watch?v=1CNVuleD8d0

🎯Let’s Practice For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

IT/Security Reporter URL:

Reported By: Dor Eisner – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky

Related Posts: