TLDR
A new phishing-as-a-service platform called Kali365 is making Microsoft 365 accounts easier to compromise. Sold via Telegram, it lets even non-technical attackers capture OAuth tokens and bypass MFA entirely: no passwords stolen, no credential interception needed.
How it works
Sold via Telegram, Kali365 lets even non-technical attackers capture OAuth tokens and bypass MFA entirely: no passwords stolen, no credential interception needed. You receive an email impersonating a trusted cloud service (Microsoft, Dropbox, etc.) containing a "device code" and instructions to verify on the real Microsoft login page.
Red flags
- Unexpected emails asking you to verify a "device code" or "authorization code"
- Urgency language to complete verification quickly
- Links directing you to Microsoft verification pages from third-party emails
What to do
- Never enter device codes from unsolicited emails; Microsoft never sends verification codes via email
- Review connected devices in your Microsoft account settings and remove any unrecognized sessions
- If you receive a suspicious verification request, deny it and report it at ic3.gov
This threat affects any Microsoft 365 user—pe
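The three red flags on this page can be checked mechanically during mail triage. The following is an added example, not code from the original page: the device-login URLs, flag names and sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: Microsoft's genuine device-code entry pages (not named on the page).
DEVICE_LOGIN = re.compile(
    r"https?://(?:www\.)?(?:microsoft\.com/devicelogin|aka\.ms/devicelogin|"
    r"login\.microsoftonline\.com/\S*deviceauth)", re.I)
CODE_PHRASE = re.compile(r"\b(?:device|authori[sz]ation)\s+code\b", re.I)
URGENCY = re.compile(
    r"\b(?:urgent(?:ly)?|immediately|right away|expires?|within \d+ (?:minutes|hours))\b",
    re.I)
# The From header is spoofable, so a Microsoft sender only suppresses flag 3.
MS_SENDER = re.compile(r"(?:^|\.)(?:microsoft|microsoftonline)\.com$", re.I)


def body_text(msg):
    """Join every text/* part so HTML-only lures are inspected too."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def red_flags(raw_message):
    """Return which of the three red flags a raw RFC 5322 message shows."""
    msg = message_from_string(raw_message)
    text = msg.get("Subject", "") + "\n" + body_text(msg)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    flags = []
    if CODE_PHRASE.search(text):
        flags.append("code_request")
    if URGENCY.search(text):
        flags.append("urgency")
    if DEVICE_LOGIN.search(text) and not MS_SENDER.search(sender_domain):
        flags.append("microsoft_link_from_third_party")
    return flags


# Constructed sample lure (not a real message).
SAMPLE = """\
From: "Dropbox Share" <noreply@dropbox-share.example>
Subject: Action required: verify your device code

Enter device code HX7K2MQ9 at https://microsoft.com/devicelogin
immediately; the code expires in 15 minutes.
"""

if __name__ == "__main__":
    print(red_flags(SAMPLE))
```

A message showing all three flags warrants quarantine and a review of the recipient's connected devices and sessions; a single flag on its own is weak evidence.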
FAQ
Is "Kali365 PhaaS Kit Steals Microsoft 365 Access via OAuth Device Code Bypass" a real scam pattern?
Yes. Treat the message, call, or payment request as suspicious until you verify it through an official channel.
What are the first warning signs?
Unexpected emails asking you to verify a "device code" or "authorization code"; urgency language to complete verification quickly; links directing you to Microsoft verification pages from third-party emails.
What should I do first?
Never enter device codes from unsolicited emails; Microsoft never sends verification codes via email. Review connected devices in your Microsoft account settings and remove any unrecognized sessions. If you receive a suspicious verification request, deny it and report it at ic3.gov.
Can LegalAudit check my case?
Yes. Start a free chat and paste the message, link, sender, or payment details for triage.