
Intelligence Insights: June 2026 | Red Canary


[Legend for the monthly top 10 ranking table: trending up from previous month; trending down from previous month; no change in rank from previous month. * denotes a tie.]

Conned and caught: Kali365

In April and May 2026, we observed a significant rise in OAuth device code phishing attempts against Microsoft Entra ID tenants. Device code phishing is not new; we’ve been reporting on it since 2022. This kind of phishing takes advantage of the OAuth device authorization grant, a legitimate authorization flow intended for devices or workflows where input constraints prevent full browser-based authentication. You’re familiar with this pattern if you’ve ever logged into a smart TV, printer, or command line interface (CLI) by entering a short one-time code. The device authorization grant prevents users from directly entering credentials on untrusted devices while taking advantage of multi-factor authentication (MFA), device compliance, and other contextual access controls enforced by the identity provider (IdP). However, offloading authentication to a secondary, trusted device is exactly what makes this an attractive target for adversaries.

The recent increase in device code phishing attempts is largely due to the widespread commoditization of device code abuse by subscription-based phishing-as-a-service (PhaaS) platforms like Kali365, which debuted in our top 10 this month in 2nd place. Kali365 was first publicly reported by Arctic Wolf in April 2026. According to a May 2026 announcement by the FBI, access to the platform is primarily provided via Telegram. Once onboarded, adversaries have access to dedicated tenant environments with customizable UIs, AI-generated phishing lures, and post-exploitation reconnaissance and discovery capabilities.

[Image: Kali365 account landing page, from Arctic Wolf]

Red Canary-observed attack chains follow a similar pattern, starting with delivery of targeted phishing emails impersonating common enterprise applications, with titles like DocuSign – Signature Required: {sender} Requested Your Signature and SharePoint – Document Shared: {sender} Shared a File With You. The emails contain a link to an adversary-controlled URL, typically using free Cloudflare web development infrastructure and related domains, for example workers[.]dev and pages[.]dev.


When the victim clicks the link, they’re taken to a well-formatted, appropriately branded landing page containing both a real-time generated user_code and a link to the legitimate Microsoft authentication portal. If the victim enters the user_code and completes authorization—including the satisfaction of Conditional Access policies—the Kali365 platform collects the returned, valid access token.

These events appear in Entra ID sign-in logs as AuthenticationProtocol:deviceCode and ExtendedProperties.RequestType:Cmsi:Cmsi, typically followed by a refresh token redemption (IncomingTokenType:refreshToken) from a different IP address—a strong indicator of token theft. Authentication events typically originate from Microsoft Office (d3590ed6-52b3-4102-aeff-aad2292ab01c) and target Microsoft Graph (00000003-0000-0000-c000-000000000000).
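The correlation described above, written out as detection logic over constructed Entra ID sign-in records. This is an added example, not Red Canary's detection or code from the report: the sample events are invented, the field names mirror the log fields cited above, and the 24-hour correlation window is an assumption chosen for the example. The function flags a device code authorization for a user that is followed by a refresh token redemption from a different IP address, and records whether the app and resource match the Office and Graph IDs given above.

```python
from datetime import datetime, timedelta

# Constructed sample Entra ID sign-in events (invented values, not tenant data).
# Field names mirror the sign-in log fields cited in the report; only the subset
# needed for this correlation is included.
OFFICE_APP_ID = "d3590ed6-52b3-4102-aeff-aad2292ab01c"      # Microsoft Office
GRAPH_RESOURCE_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph

SAMPLE_SIGNINS = [
    # Victim: device code authorization, then the refresh token is redeemed elsewhere
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2026-05-04T13:02:11Z",
     "ipAddress": "203.0.113.10", "appId": OFFICE_APP_ID, "resourceId": GRAPH_RESOURCE_ID,
     "authenticationProtocol": "deviceCode", "incomingTokenType": "none",
     "extendedProperties": {"RequestType": "Cmsi:Cmsi"}},
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2026-05-04T13:09:40Z",
     "ipAddress": "198.51.100.77", "appId": OFFICE_APP_ID, "resourceId": GRAPH_RESOURCE_ID,
     "authenticationProtocol": "none", "incomingTokenType": "refreshToken",
     "extendedProperties": {}},
    # Legitimate CLI login: device code and later refresh come from the same address
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2026-05-04T08:15:00Z",
     "ipAddress": "192.0.2.5", "appId": OFFICE_APP_ID, "resourceId": GRAPH_RESOURCE_ID,
     "authenticationProtocol": "deviceCode", "incomingTokenType": "none",
     "extendedProperties": {"RequestType": "Cmsi:Cmsi"}},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2026-05-04T09:15:00Z",
     "ipAddress": "192.0.2.5", "appId": OFFICE_APP_ID, "resourceId": GRAPH_RESOURCE_ID,
     "authenticationProtocol": "none", "incomingTokenType": "refreshToken",
     "extendedProperties": {}},
]


def _ts(value):
    """Parse the ISO-8601 timestamp format used in sign-in logs (UTC, Z suffix)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_device_code_token_theft(signins, window=timedelta(hours=24)):
    """Correlate device code authorizations with later refresh token redemptions.

    Returns one finding per pair (device code sign-in, refresh token redemption)
    for the same user where the redemption comes from a different IP address
    within `window`. The window length is an assumption made for this example.
    """
    by_user = {}
    for ev in signins:
        by_user.setdefault(ev["userPrincipalName"], []).append(ev)

    findings = []
    for user, events in by_user.items():
        events.sort(key=lambda e: _ts(e["createdDateTime"]))
        for i, ev in enumerate(events):
            if ev.get("authenticationProtocol") != "deviceCode":
                continue
            # Cmsi:Cmsi is the RequestType the report associates with these events.
            if ev.get("extendedProperties", {}).get("RequestType") != "Cmsi:Cmsi":
                continue
            t0 = _ts(ev["createdDateTime"])
            for later in events[i + 1:]:
                t1 = _ts(later["createdDateTime"])
                if t1 - t0 > window:
                    break  # events are sorted, nothing later can be in the window
                if (later.get("incomingTokenType") == "refreshToken"
                        and later["ipAddress"] != ev["ipAddress"]):
                    findings.append({
                        "user": user,
                        "device_code_ip": ev["ipAddress"],
                        "refresh_ip": later["ipAddress"],
                        "seconds_between": int((t1 - t0).total_seconds()),
                        "app_is_office": ev["appId"] == OFFICE_APP_ID,
                        "resource_is_graph": ev["resourceId"] == GRAPH_RESOURCE_ID,
                    })
    return findings


if __name__ == "__main__":
    for finding in find_device_code_token_theft(SAMPLE_SIGNINS):
        print(finding)
```

Run against the constructed sample, only Alice is flagged: her device code authorization from 203.0.113.10 is followed about seven minutes later by a refresh token redemption from 198.51.100.77, while Bob's CLI login and refresh share one address. In a real tenant the same logic would be fed from the Entra sign-in export, and the IP comparison could be tightened to ASN or country to reduce noise from users on dynamic addresses.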

After gaining initial access, adversaries attempted a variety of actions including:

  • Gaining persistence by changing the victim’s password
  • Registering a new device under adversary control
  • Engaging in business email compromise (BEC) activity like deleting the original phishing email and creating inbox rules to hide emails that might alert the victim to suspicious activity

To protect against potential device code abuse, we recommend implementing Conditional Access policies to:

Red Canary has observed successful Kali365 follow-on activity that is common to business email compromise (BEC), including creating suspiciously named inbox rules to hide emails that might alert the victim to malicious activity. That gives us a detection opportunity.
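One way to act on that detection opportunity, as an added example that is not Red Canary's detection logic or code from the report: score Exchange Online inbox rule audit records for the combination of a concealment action (delete, or move to a folder users rarely look at) with a short or symbolic rule name or a filter on terms that would appear in a warning email. The audit records below are constructed, and the folder list, keyword list and name heuristic are the example's own assumptions about what "suspicious" means, to be tuned per tenant.

```python
import re

# Constructed Exchange Online audit records (invented values). The shape follows the
# New-InboxRule record's Parameters list of Name/Value pairs; the heuristics below are
# assumptions made for this example, not thresholds from the report.
SAMPLE_AUDIT = [
    {"Operation": "New-InboxRule", "UserId": "alice@example.com", "ClientIP": "198.51.100.77",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "docusign;signature;suspicious"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "alice@example.com", "ClientIP": "198.51.100.77",
     "Parameters": [{"Name": "Name", "Value": "..."},
                    {"Name": "FromAddressContainsWords", "Value": "security;helpdesk"},
                    {"Name": "MoveToFolder", "Value": "RSS Feeds"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@example.com", "ClientIP": "192.0.2.5",
     "Parameters": [{"Name": "Name", "Value": "Move newsletters"},
                    {"Name": "FromAddressContainsWords", "Value": "newsletter"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
]

# Rule names of one or two characters, or up to three punctuation characters.
SHORT_OR_SYMBOLIC_NAME = re.compile(r"^[\W_]{0,3}$|^.{1,2}$")
# Folders an adversary might use to park messages the victim is unlikely to read.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "junk email", "deleted items",
                  "archive", "conversation history"}
# Terms likely to appear in mail that would warn the victim about the compromise.
ALERT_KEYWORDS = {"security", "helpdesk", "phish", "suspicious", "password",
                  "docusign", "sharepoint", "signature", "mfa"}
FILTER_KEYS = ("SubjectContainsWords", "BodyContainsWords",
               "FromAddressContainsWords", "SubjectOrBodyContainsWords")


def _params(record):
    """Flatten the audit record's Parameters list into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def score_inbox_rule(record):
    """Return the reasons a rule looks like BEC concealment; an empty list means not flagged."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return []
    p = _params(record)
    reasons = []
    name = p.get("Name", "")
    if SHORT_OR_SYMBOLIC_NAME.match(name):
        reasons.append(f"short or symbolic rule name {name!r}")
    if p.get("DeleteMessage", "").lower() == "true":
        reasons.append("rule deletes matching messages")
    if p.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        reasons.append(f"rule moves messages to {p['MoveToFolder']!r}")
    words = set()
    for key in FILTER_KEYS:
        words.update(w.strip().lower() for w in p.get(key, "").split(";") if w.strip())
    hits = sorted(words & ALERT_KEYWORDS)
    if hits:
        reasons.append(f"filters on alert-related terms {hits}")
    # Require a concealment action plus at least one more signal to limit noise
    # from ordinary housekeeping rules.
    conceals = any(r.startswith("rule deletes") or r.startswith("rule moves") for r in reasons)
    return reasons if conceals and len(reasons) >= 2 else []


def flag_suspicious_rules(records):
    """Run score_inbox_rule over audit records and collect the flagged ones."""
    flagged = []
    for r in records:
        reasons = score_inbox_rule(r)
        if reasons:
            flagged.append({"user": r["UserId"], "client_ip": r.get("ClientIP"),
                            "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in flag_suspicious_rules(SAMPLE_AUDIT):
        print(hit)
```

Both of Alice's rules are flagged (a one-character name that deletes DocuSign-themed mail, and a "..." rule that files helpdesk and security mail under RSS Feeds), while Bob's newsletter rule is not. Joining the ClientIP on flagged rules back to sign-in findings for the same user, as in the token theft correlation above, is a natural next step.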
