M365 Phishing: How Kali365 and EvilTokens Bypass MFA Without Passwords
Two emerging Phishing-as-a-Service (PhaaS) platforms are leveraging device code phishing and OAuth consent abuse to hijack Microsoft 365 tokens, effectively ne…

The FBI has issued a warning about Kali365, a platform active since April 2026 that lets even non-technical attackers compromise Microsoft 365 accounts without ever handling a password. The mechanism, device code phishing, tricks victims into entering a short code on a legitimate Microsoft page; doing so unknowingly authorizes the attacker's client to act as them in Outlook, Teams, and OneDrive. In parallel, the EvilTokens platform has compromised more than 340 organizations in five weeks by abusing OAuth consent. Together they signal that obtaining tokens on the far side of multi-factor authentication (MFA) has evolved into a structured commercial service.
- Kali365, a Phishing-as-a-Service platform identified by the FBI in April 2026, automates OAuth token capture through legitimate Microsoft authentication flows.
- EvilTokens compromised over 340 M365 organizations in five weeks starting in February 2026, operating across at least five countries.
- Neither platform defeats MFA. The victim signs in and completes MFA themselves; the attacker receives the token that Microsoft issues afterwards. Because the token comes out of a legitimate flow, the sign-in is recorded as a success and typically does not trigger the anomalous sign-in alerts that traditional SIEM rules key on.
- The refresh tokens obtained this way survive password resets and remain valid for weeks or months until they are explicitly revoked or cut off by tenant policy; resetting the password is not, by itself, a remediation.
Weaponizing Legitimacy: How Kali365 Exploits Authentication
Distributed via Telegram channels, the Kali365 platform significantly lowers the barrier to entry for advanced phishing. According to the FBI warning reported by Help Net Security, it provides "AI-generated phishing lures, automated campaign templates, real-time targeted individual/entity tracking dashboards, and OAuth token capture capabilities." The attack begins with an email containing a short code and instructions to visit microsoft.com/devicelogin, a genuine Microsoft page.
Believing they are completing a standard verification step, the victim enters the code and thereby authorizes the attacker's device: the code ties the victim's freshly authenticated session to a device-code request that the attacker's client opened moments earlier. The attacker's client then receives access and refresh tokens scoped for M365 services. This requires neither credential theft nor any compromise of Microsoft's infrastructure. The operational risk stems from the legitimacy of the flow: the user authenticates correctly, completes MFA if prompted, and the resulting token is technically valid and, from the identity provider's point of view, was issued to an application the user approved.
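The exchange described above, written out as an added example that is not part of the original article and not Microsoft's or Kali365's code. It is an in-process simulation of the OAuth 2.0 device authorization grant (RFC 8628): the endpoint names mirror the real /devicecode and /token endpoints and the error strings are the ones the real token endpoint returns, but everything runs offline. The client id, scopes, victim name and the `Clock` helper are constructed for the example. The point it makes concrete is that the victim never types anything attacker-controlled except the code, and that the tokens go to whoever holds the matching device_code.

```python
import secrets
import string
import time
from dataclasses import dataclass
from typing import Optional

# Offline simulation of the device code flow (RFC 8628). Added example code,
# not Microsoft's or Kali365's. Endpoint names and error strings mirror the
# real token endpoint; all identifiers below are constructed.

USER_CODE_ALPHABET = string.ascii_uppercase + string.digits


class Clock:
    # Controllable clock so the 15-minute code lifetime can be exercised offline.
    def __init__(self, t=0.0):
        self.t = t

    def __call__(self):
        return self.t


@dataclass
class PendingRequest:
    client_id: str
    scope: str
    user_code: str
    expires_at: float
    approved_by: Optional[str] = None


class AuthorizationServer:
    """Stand-in for the identity provider; tracks pending device requests."""
    def __init__(self, now=time.time):
        self.now = now
        self._by_device_code = {}
        self._by_user_code = {}

    def devicecode(self, client_id, scope):
        # Step 1 (attacker): request a code pair. No victim is involved yet and
        # the attacker never supplies a password at any point.
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(9))
        req = PendingRequest(client_id, scope, user_code, self.now() + 900)
        self._by_device_code[device_code] = req
        self._by_user_code[user_code] = req
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://microsoft.com/devicelogin",
                "expires_in": 900, "interval": 5}

    def devicelogin(self, user_code, authenticated_user, mfa_satisfied):
        # Step 2 (victim): on the genuine page, signed in as themselves with MFA,
        # the victim types the code from the lure. That binds THEIR session to
        # the attacker's pending request.
        req = self._by_user_code.get(user_code.strip().upper())
        if req is None or self.now() > req.expires_at:
            return "invalid_or_expired_code"
        if not mfa_satisfied:
            return "mfa_required"
        req.approved_by = authenticated_user
        return f"approved for client {req.client_id}"

    def token(self, client_id, device_code):
        # Step 3 (attacker): poll with the device_code. Tokens for the victim's
        # identity go to whoever holds the device_code.
        req = self._by_device_code.get(device_code)
        if req is None or req.client_id != client_id:
            return {"error": "invalid_grant"}
        if self.now() > req.expires_at:
            return {"error": "expired_token"}
        if req.approved_by is None:
            return {"error": "authorization_pending"}
        resp = {"token_type": "Bearer", "scope": req.scope, "expires_in": 3600,
                "access_token": f"at.{req.approved_by}.{secrets.token_hex(8)}"}
        if "offline_access" in req.scope.split():
            # The refresh token, the artifact the page is about, is only issued
            # when the client asked for offline_access.
            resp["refresh_token"] = f"rt.{req.approved_by}.{secrets.token_hex(8)}"
        return resp


def attacker_flow(server, clock, client_id, scope, victim_enters_code):
    """Attacker-side sequence. victim_enters_code(user_code) stands in for the
    phished user arriving at /devicelogin and typing the code."""
    dc = server.devicecode(client_id, scope)
    lure = f"Enter code {dc['user_code']} at {dc['verification_uri']}"
    first_poll = server.token(client_id, dc["device_code"])  # victim has not acted yet
    victim_result = victim_enters_code(dc["user_code"])
    clock.t += dc["interval"]                                 # honour the polling interval
    final = server.token(client_id, dc["device_code"])
    return {"lure": lure, "first_poll": first_poll, "victim": victim_result,
            "final": final, "device_code": dc["device_code"]}


if __name__ == "__main__":
    clock = Clock(1_000.0)
    srv = AuthorizationServer(now=clock)
    out = attacker_flow(
        srv, clock, "attacker-public-client", "openid offline_access Mail.Read Files.Read.All",
        lambda code: srv.devicelogin(code, "victim@contoso.example", mfa_satisfied=True))
    print(out["lure"])
    print("first poll:", out["first_poll"])
    print("after victim:", {k: v for k, v in out["final"].items() if k != "access_token"})
```

Two details worth noticing when reading it against a real tenant: the refresh token only appears because the attacker's client asked for `offline_access`, and the token endpoint checks the client id against the pending request, so the identity of the client application that received the token is part of the record the identity provider keeps.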
EvilTokens and the Hidden Danger of Consent
The EvilTokens campaign, analyzed by The Hacker News, exemplifies a complementary vector: OAuth consent phishing. Victims receive a link, authenticate on a legitimate Microsoft domain, complete MFA, and then click an "Accept" button that authorizes a malicious application. The acquired refresh token allows persistent access to mailboxes, drives, calendars, and contacts.
Technical analysis highlights a critical issue: the language used in OAuth consent prompts fails to communicate the actual risk. Phrases like "Read your mail" or "Access files when you're not present" are technically accurate but operationally opaque to the average user, who may not associate these permissions with a lasting account compromise. The Hacker News reports that "rotating the password did not invalidate the grant": only explicit revocation or a conditional access policy requiring re-consent successfully terminated the access.
Beyond MFA: The Invisible OAuth Perimeter
"The operator never needed a password, never tripped an MFA prompt, and never produced a sign-in event that looked like an intrusion."
This quote from the EvilTokens campaign defines the structural problem. Multi-factor authentication verifies the user's identity, but it does not verify the intentionality of the consent granted after authentication. As noted by The Hacker News: "MFA cannot block it because MFA has already happened." The refreshable token operates beneath the level of control that most organizations still consider their primary perimeter.
The consequences are tangible. A valid refresh token provides persistent access regardless of credential changes. The sign-in is logged, but as a successful, policy-compliant event for an application the user themselves authorized; SIEM rules built to catch failed logins, reused passwords, or suspicious geolocations on interactive sign-ins therefore often do not fire. The attacker operates inside an authorization flow that the cloud platform regards as valid, and the evidence sits in fields such rules rarely read: the authentication protocol used (device code rather than the normal browser flow), the client application that received the token, and the non-interactive token refreshes that follow.
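A detection pass over sign-in records, as an added example that is not from the article or its sources. It runs two rules over a constructed sample of Microsoft Entra sign-in records (field names follow the Microsoft Graph `signIn` resource, including `authenticationProtocol`, `isInteractive`, `appId` and `status.errorCode`; every value is invented for the example). The allowlist of applications permitted to use the device code flow is an assumption about the tenant. Both rules deliberately look only at successful sign-ins, because every event in a device-code or consent-phishing chain passes password, MFA and Conditional Access.

```python
import json
from collections import defaultdict

# Added example, not from the page or its sources. Constructed sample of Entra
# sign-in records in newline-delimited JSON; field names follow the Graph signIn
# resource, values are invented.
SAMPLE_SIGNINS = """
{"createdDateTime":"2026-05-20T08:02:11Z","userPrincipalName":"alice@contoso.example","appId":"app-outlook-web","appDisplayName":"Outlook Web","ipAddress":"203.0.113.10","location":{"countryOrRegion":"US"},"isInteractive":true,"authenticationProtocol":"authorizationCodeFlow","conditionalAccessStatus":"success","status":{"errorCode":0}}
{"createdDateTime":"2026-05-20T08:41:57Z","userPrincipalName":"alice@contoso.example","appId":"app-unknown-public-client","appDisplayName":"Constructed Phish Client","ipAddress":"203.0.113.10","location":{"countryOrRegion":"US"},"isInteractive":true,"authenticationProtocol":"deviceCode","conditionalAccessStatus":"success","status":{"errorCode":0}}
{"createdDateTime":"2026-05-20T09:15:03Z","userPrincipalName":"alice@contoso.example","appId":"app-unknown-public-client","appDisplayName":"Constructed Phish Client","ipAddress":"198.51.100.77","location":{"countryOrRegion":"NL"},"isInteractive":false,"authenticationProtocol":"none","conditionalAccessStatus":"success","status":{"errorCode":0}}
{"createdDateTime":"2026-05-20T10:00:00Z","userPrincipalName":"bob@contoso.example","appId":"app-azure-cli-allowed","appDisplayName":"Approved CLI","ipAddress":"203.0.113.22","location":{"countryOrRegion":"US"},"isInteractive":true,"authenticationProtocol":"deviceCode","conditionalAccessStatus":"success","status":{"errorCode":0}}
{"createdDateTime":"2026-05-20T10:05:00Z","userPrincipalName":"carol@contoso.example","appId":"app-outlook-web","appDisplayName":"Outlook Web","ipAddress":"192.0.2.9","location":{"countryOrRegion":"BR"},"isInteractive":true,"authenticationProtocol":"authorizationCodeFlow","conditionalAccessStatus":"failure","status":{"errorCode":50126}}
"""

# Assumption: the tenant keeps an allowlist of apps that legitimately use the
# device code flow (CLI tools on headless hosts). Everything else is suspect.
DEVICE_CODE_ALLOWLIST = {"app-azure-cli-allowed"}


def parse(ndjson):
    return [json.loads(line) for line in ndjson.strip().splitlines() if line.strip()]


def succeeded(r):
    return r["status"]["errorCode"] == 0


def detect(records, allowlist=DEVICE_CODE_ALLOWLIST):
    """Return findings as (rule, user, appId, ipAddress) tuples: rule 1 hits
    first in log order, then rule 2 hits. Only successful sign-ins are examined;
    failure-based alerting never sees these chains."""
    findings = []
    interactive_countries = defaultdict(set)
    for r in records:
        if not succeeded(r):
            continue
        user, app, ip = r["userPrincipalName"], r["appId"], r["ipAddress"]
        if r["isInteractive"]:
            interactive_countries[user].add(r["location"]["countryOrRegion"])
        # Rule 1: device code flow completed for an app not allowed to use it.
        if r.get("authenticationProtocol") == "deviceCode" and app not in allowlist:
            findings.append(("device_code_unallowed_app", user, app, ip))
    for r in records:
        if not succeeded(r) or r["isInteractive"]:
            continue
        # Rule 2: a non-interactive sign-in (token refresh) from a country where
        # this user has never signed in interactively: the refresh token is being
        # redeemed from somewhere the user's own browser never was.
        user, app, ip = r["userPrincipalName"], r["appId"], r["ipAddress"]
        seen = interactive_countries.get(user, set())
        if seen and r["location"]["countryOrRegion"] not in seen:
            findings.append(("refresh_from_unseen_country", user, app, ip))
    return findings


if __name__ == "__main__":
    for finding in detect(parse(SAMPLE_SIGNINS)):
        print(*finding)
```

Note what the sample contains: four of the five records are successes with Conditional Access satisfied, and the one failure (carol's wrong password) is the only event a failure-based rule would surface. Rule 1 fires on alice's device-code sign-in because the client is not on the allowlist, and Rule 2 fires on the later non-interactive refresh from a country alice never used interactively; bob's allowlisted CLI is left alone.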
Strategic Response: Securing the Authorization Layer
Countermeasures must shift focus from monitoring authentication to controlling authorization. Four priority actions include:
- Continuous OAuth Grant Audits: Enumerate the tenant's delegated permission grants and flag scopes that expose user data (Mail.Read, Mail.ReadWrite, Files.Read.All, Calendars.Read, Contacts.Read), above all when combined with offline_access, the scope that turns a one-time consent into a refresh token. Many tenants harbor active consents that have gone unverified for years.
- Consent and Session Policies: Restrict who may consent to what. Entra ID can limit user consent to apps from verified publishers requesting low-impact permissions and route everything else through the admin consent workflow, so that a phished click cannot grant mailbox or file scopes in the first place. Pair that with a Conditional Access sign-in frequency, so a session is re-evaluated periodically rather than living until someone revokes it, and block the device code flow through the Conditional Access authentication flows condition for users who have no need for it.
- M365 App Permission Inventory: Maintain a documented inventory of third-party applications and the scopes each is approved for; a grant that is absent from the inventory, or that holds more scopes than the inventory records, is often an early indicator of compromise.
- Token-Based Monitoring: Build SOC detections on successful sign-ins rather than failed ones: device-code sign-ins by applications outside an allowlist, new "Consent to application" audit events for unverified apps, and non-interactive token refreshes from locations the user's interactive sign-ins never used.
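The grant audit and inventory comparison from the first and third actions above, carried through as one added example that is not from the article or Microsoft. It works over a constructed sample of what `GET /servicePrincipals` and `GET /oauth2PermissionGrants` return (field names follow the Microsoft Graph `oauth2PermissionGrant` and `servicePrincipal` resources; every id, name and scope is invented), compares each grant against an assumed inventory keyed by appId, and emits the two Graph calls that remove the access: `DELETE /oauth2PermissionGrants/{id}` for the consent and `POST /users/{id}/revokeSignInSessions` for the user's refresh tokens. It builds the calls as data rather than sending them, so it runs offline.

```python
# Added example, not the page's or Microsoft's code. Audits a CONSTRUCTED sample
# of tenant OAuth grants against an application inventory and builds the Graph
# calls that would revoke the access. Values are invented; field names follow
# the Graph oauth2PermissionGrant and servicePrincipal resources.

GRAPH = "https://graph.microsoft.com/v1.0"

# Delegated scopes that give a refresh-token holder standing access to user data.
# offline_access is what turns a one-time consent into a refresh token.
SENSITIVE_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All", "Calendars.Read", "Calendars.ReadWrite",
    "Contacts.Read", "Contacts.ReadWrite", "offline_access",
}

# Constructed: service principals keyed by object id, reduced to the fields used here.
SERVICE_PRINCIPALS = {
    "sp-expense-bot": {"appId": "app-expense-bot", "displayName": "Contoso Expense Bot",
                       "verifiedPublisher": {"displayName": "Contoso Ltd"}},
    "sp-mail-helper": {"appId": "app-mail-helper", "displayName": "Helpful Mail Assistant",
                       "verifiedPublisher": {"displayName": None}},
}
# Constructed: grants as returned by GET /oauth2PermissionGrants. clientId is the
# service principal object id; scope is a space-separated string.
GRANTS = [
    {"id": "g1", "clientId": "sp-expense-bot", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "sp-graph", "scope": "User.Read offline_access"},
    {"id": "g2", "clientId": "sp-mail-helper", "consentType": "Principal",
     "principalId": "user-alice", "resourceId": "sp-graph",
     "scope": "Mail.ReadWrite Files.Read.All offline_access"},
    {"id": "g3", "clientId": "sp-expense-bot", "consentType": "Principal",
     "principalId": "user-bob", "resourceId": "sp-graph",
     "scope": "User.Read offline_access Mail.Read"},
]

# Assumption: the documented inventory maps appId -> scopes the app is approved for.
INVENTORY = {"app-expense-bot": {"User.Read", "offline_access"}}


def audit(grants, service_principals, inventory, sensitive=SENSITIVE_SCOPES):
    """One finding per grant that is missing from the inventory or holds scopes
    beyond what the inventory approves, with the Graph calls that remove it."""
    findings = []
    for g in grants:
        sp = service_principals.get(g["clientId"], {})
        app_id = sp.get("appId", g["clientId"])
        scopes = set(g["scope"].split())
        approved = inventory.get(app_id)
        if approved is None:
            reason = "not_in_inventory"
        elif not scopes <= approved:
            reason = "scope_drift"
        else:
            continue
        hits = scopes & sensitive
        # Deleting the grant stops new consent-based issuance; revoking the user's
        # sign-in sessions invalidates refresh tokens already in the attacker's hands.
        actions = [("DELETE", f"{GRAPH}/oauth2PermissionGrants/{g['id']}")]
        if g["consentType"] == "Principal" and g["principalId"]:
            actions.append(("POST", f"{GRAPH}/users/{g['principalId']}/revokeSignInSessions"))
        findings.append({
            "grant": g["id"], "app": sp.get("displayName", app_id), "reason": reason,
            "verified_publisher": bool((sp.get("verifiedPublisher") or {}).get("displayName")),
            # offline_access plus any data scope = persistent mailbox/file access
            "persistent": "offline_access" in hits and len(hits) > 1,
            "unexpected_scopes": sorted(scopes - (approved or set())),
            "sensitive_scopes": sorted(hits),
            "actions": actions,
        })
    return findings


if __name__ == "__main__":
    for f in audit(GRANTS, SERVICE_PRINCIPALS, INVENTORY):
        print(f["grant"], f["app"], f["reason"], f["unexpected_scopes"])
        for method, url in f["actions"]:
            print("   ", method, url)
```

The drift case (g3) is the one an inventory catches that a scope blocklist alone would not: the app is approved, but someone consented to Mail.Read on top of what was documented. For a tenant-wide `AllPrincipals` grant there is no single user to revoke, so the example emits only the grant deletion; in practice that case calls for revoking sessions for every affected user, which is a separate step.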
User training must also evolve. The message is no longer just "don't enter your password on suspicious sites," but "never enter a code received via email, even on microsoft.com." This shift is subtle but decisive: a legitimate domain no longer guarantees the legitimacy of the outcome.
Phishing Has Moved Beneath Existing Controls
As The Hacker News observes: "The phishing click that mattered last decade handed over a password. The phishing click that matters now hands over a refresh token, and it sits structurally below the identity controls most organizations still treat as the perimeter." This summarizes the paradigm shift. Defenses built around credentials and MFA address a problem that commercial phishing has already bypassed.
The availability of platforms like Kali365 and EvilTokens indicates a maturing criminal economy where MFA bypass no longer requires advanced technical skills, only a subscription. The data—340 organizations compromised in five weeks—suggests a level of scalability that traditional reactive defenses cannot match. The interval between compromise and detection widens when the attack vector is indistinguishable from legitimate traffic.
Organizations that have not yet mapped active OAuth grants within their tenants are operating with an invisible perimeter that may have already been breached. The question is no longer whether these campaigns will arrive, but whether current controls are even capable of registering their presence.
Information verified against cited sources and current as of publication.
Sources
- https://www.helpnetsecurity.com/2026/05/22/kali365-microsoft-365-phishing-fbi-warning/
- https://thehackernews.com/2026/05/the-new-phishing-click-how-oauth.html
- https://www.bleepingcomputer.com/news/security/inside-a-crypto-drainer-how-to-spot-it-before-it-empties-your-wallet/
- https://thehackernews.com/2026/05/developer-workstations-are-now-part-of.html
- https://krebsonsecurity.com/2026/04/russia-hacked-routers-to-steal-microsoft-office-tokens/