Published: May 26, 2026
Transcript:
Welcome back. I am your AI informer Echelon, bringing you the freshest updates to BleepingComputer as of May 26th, 2026. Today, we are diving deep into the security threats shaping the cloud landscape and the sophisticated phishing tactics cybercriminals are using to bypass modern authentication. Let's get started.
First, we look at a critical warning from the Federal Bureau of Investigation regarding the Kali365 phishing-as-a-service platform, or PhaaS. This platform is being exploited to hijack Microsoft 365 accounts by leveraging OAuth device code authentication to steal session tokens and circumvent multi-factor authentication. Emerging in April 2026 and distributed via Telegram channels, this service allows cybercriminals to compromise Microsoft 365 accounts without needing to steal passwords or intercept MFA codes directly.
The core of this attack relies on device code phishing, which exploits Microsoft's legitimate OAuth 2.0 Device Authorization grant flow. This flow is designed to allow limited-input devices, like smart TVs or IoT gadgets, to authenticate using a short code from a portal such as microsoft.com/devicelogin. Threat actors manipulate this mechanism by initiating the device authorization process themselves to generate a code, then tricking victims into entering it on a malicious phishing page. Once the victim provides the code and completes the MFA challenge, Microsoft issues an OAuth access token, granting the attacker comprehensive access to all applications linked to the user's single-sign-on account, including Microsoft 365 and other cloud SaaS platforms, enabling bulk data theft.
Security researchers, including those at Arctic Wolf, have observed widespread campaigns targeting Microsoft 365 environments where phishing emails directed victims to the device code login portal, thereby unknowingly authorizing the attackers. These attacks extend beyond simple account access; threat actors have reportedly created malicious inbox rules to conceal their activity and register new devices within the victims' Microsoft environments, effectively expanding their access to the compromised network. The Kali365 platform operates as a business, involving administrators managing product development, resellers promoting the service, and affiliates conducting the phishing attacks.
The platform utilizes two distinct attack modes. The first is the device code phishing method, and the second is an adversary-in-the-middle, or AitM, mode called "Cookie Link." This mode functions by proxying victims through attacker-controlled infrastructure to capture authenticated browser sessions, session cookies, and tokens after users log in and complete MFA challenges. This capability allows even low-skilled attackers to deploy sophisticated phishing elements, including AI-generated lures, automated campaign templates, real-time victim tracking dashboards, and token capture functionality. Other threat actors are also leveraging device code phishing within this ecosystem, utilizing platforms like EvilTokens PhaaS and Tycoon2FA to compromise Microsoft 365 and Entra accounts.
In response to this widespread adoption of device code phishing in 2026, the FBI advises organizations to implement specific security controls. Recommendations include restricting or completely blocking device code authentication flows using Conditional Access policies where possible, auditing all existing device code usage, and implementing authentication transfer policies to prevent session migration between devices. Furthermore, impacted organizations are urged to report any incidents to the Internet Crime Complaint Center and immediately secure any phishing emails, suspicious login information, and unauthorized device registrations.
And there you have it—a whirlwind tour of critical security warnings and technical details for May 26th, 2026. BleepingComputer is all about bringing these insights together in one place, so keep an eye out for more updates as the landscape evolves rapidly every day. Thanks for tuning in—I'm Echelon, signing off.
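Two of the FBI recommendations in the segment, auditing existing device code usage and blocking the flow with a Conditional Access policy, as an added Python example that is not part of the transcript or of BleepingComputer's coverage. It assumes the Microsoft Graph `signIn` record shape (where `authenticationProtocol` is "deviceCode" for device code grant sign-ins) and the Graph `conditionalAccessPolicy` schema (`conditions.authenticationFlows.transferMethods`); the sign-in records are constructed.

```python
"""Audit sign-in logs for device code use and build the policy body that blocks it.

Added example (not from the BleepingComputer segment or the FBI advisory). Assumes
records in Microsoft Graph `signIn` shape, where `authenticationProtocol` is
"deviceCode" for device code grant sign-ins, and the Graph `conditionalAccessPolicy`
schema with `conditions.authenticationFlows.transferMethods`. Log lines are constructed.
"""
import json
from collections import defaultdict

# Constructed sample: one ordinary OAuth sign-in and two device code attempts by the
# same user (one completed, one that ended in an error).
SAMPLE_SIGNINS = json.dumps([
    {"createdDateTime": "2026-05-20T08:11:02Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.10",
     "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-05-21T14:02:45Z", "userPrincipalName": "bob@example.com",
     "appDisplayName": "Microsoft Office", "ipAddress": "198.51.100.7",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-05-21T14:05:10Z", "userPrincipalName": "bob@example.com",
     "appDisplayName": "Microsoft Office", "ipAddress": "198.51.100.7",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 50199}},
])

def device_code_signins(records):
    """Records that authenticated through the device code grant."""
    return [r for r in records if r.get("authenticationProtocol") == "deviceCode"]

def audit(raw_json):
    """Count device code sign-ins and map each user to the (app, IP) pairs that completed
    one, so legitimate limited-input devices can be reviewed before the flow is blocked."""
    records = json.loads(raw_json)
    hits = device_code_signins(records)
    by_user = defaultdict(set)
    for r in hits:
        if r.get("status", {}).get("errorCode", 0) == 0:  # completed sign-ins only
            by_user[r["userPrincipalName"]].add((r.get("appDisplayName"), r.get("ipAddress")))
    return {"total": len(records), "device_code": len(hits), "by_user": dict(by_user)}

def block_device_code_policy(report_only=True):
    """Conditional Access body blocking the device code flow for all users and apps;
    report-only by default so the audit can confirm nothing legitimate breaks first."""
    return {
        "displayName": "Block OAuth device code flow",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {"users": {"includeUsers": ["All"]},
                       "applications": {"includeApplications": ["All"]},
                       "authenticationFlows": {"transferMethods": "deviceCodeFlow"}},
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }
```

Run the audit against an export of the tenant's sign-in logs first; the policy body is meant to be created in report-only mode and switched to enforced once the reviewed device code users have an alternative.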