
Token Bingo: Don’t Let Your Code be the Winner

A widespread phishing campaign is leveraging the Kali365 Live Phishing-as-a-Service (PhaaS) platform to execute device code phishing and AiTM attacks. By tricking users into authorizing legitimate Microsoft device login requests, threat actors steal OAuth access and refresh tokens, bypassing traditional credential-based defenses and MFA to gain persistent access to Microsoft 365 environments.

Sens: Immediate · Conf: high · Analyzed: 2026-04-24

Authors: Arctic Wolf Labs

Actors: Kali365 Live, EvilTokens, CLURE kit, Riding the Rails

Source: Arctic Wolf

IOCs: 3

Key Takeaways

  • A large-scale phishing campaign is utilizing the Kali365 Live Phishing-as-a-Service (PhaaS) platform to abuse the OAuth 2.0 Device Authorization Grant flow.
  • Threat actors trick victims into authorizing device codes, granting them OAuth access and refresh tokens without ever handling the victim's passwords.
  • Kali365 Live supports both device code abuse and Adversary-in-the-Middle (AiTM) session capture via Cloudflare Workers.
  • Post-compromise, attackers establish persistence by creating malicious inbox rules to suppress security alerts and by registering new devices in the victim's environment.
  • The Kali365 Live desktop client uses a distinct, high-confidence User-Agent string: 'kali365-live/1.0.0'.

Affected Systems

  • Microsoft 365
  • Microsoft Entra ID
  • OAuth 2.0 Device Authorization Grant flow

Attack Chain

The threat actor delivers a phishing email containing a malicious attachment or link that redirects the victim to a Cloudflare Worker-hosted landing page. This page dynamically generates a legitimate Microsoft OAuth device code and instructs the victim to enter it at microsoft.com/devicelogin. Once the victim authenticates and completes MFA, the Kali365 backend captures the resulting OAuth access and refresh tokens. The attacker then uses these tokens to access the victim's mailbox, establish persistence by registering new devices, and create malicious inbox rules to suppress security notifications.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article does not provide specific detection rules or queries, but outlines behavioral indicators and Conditional Access policy recommendations.

Detection Engineering Assessment

  • EDR Visibility: Low — This is an identity-based attack occurring entirely within cloud environments (Microsoft 365/Entra ID) and the victim's web browser, leaving minimal footprint on the endpoint OS.
  • Network Visibility: Medium — Network logs may capture connections to the Cloudflare Worker domains or the specific User-Agent strings, but the actual authentication traffic to Microsoft is encrypted and legitimate.
  • Detection Difficulty: Hard — The attack abuses legitimate OAuth flows, making malicious device code authorizations difficult to distinguish from legitimate ones without strict Conditional Access policies or behavioral baseline deviations.

Required Log Sources

  • Azure AD Sign-in Logs
  • Azure AD Audit Logs
  • Microsoft 365 Unified Audit Log
  • Network Proxy/Web Gateway Logs

Hunting Hypotheses

Each hypothesis lists the telemetry to query, the ATT&CK stage it covers, and the expected false-positive (FP) risk.

  • Hypothesis: Search for anomalous sign-ins utilizing the Device Code Flow authentication method from unexpected IP addresses, locations, or non-standard devices. Telemetry: Azure AD Sign-in Logs. ATT&CK Stage: Credential Access. FP Risk: Medium.
  • Hypothesis: Look for the creation or modification of Exchange inbox rules that move emails containing keywords like 'spam', 'phish', 'click', or 'SharePoint' to hidden folders or mark them as read. Telemetry: Microsoft 365 Unified Audit Log (New-InboxRule / Set-InboxRule). ATT&CK Stage: Defense Evasion. FP Risk: Low.
  • Hypothesis: Identify new device registrations in Entra ID that occur immediately following a successful device code authentication event. Telemetry: Azure AD Audit Logs. ATT&CK Stage: Persistence. FP Risk: Medium.
  • Hypothesis: Hunt for the specific User-Agent string 'kali365-live/1.0.0' interacting with Microsoft 365 or Entra ID endpoints. Telemetry: Azure AD Sign-in Logs, Network Proxy Logs. ATT&CK Stage: Command and Control. FP Risk: Low.
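The following Python is an added hunting example, not code from the Arctic Wolf report or from this summary. It implements the device-code, inbox-rule and User-Agent hypotheses above over constructed sample records. The record field names are modelled on Entra ID sign-in logs (authenticationProtocol, userAgent, ipAddress) and the Microsoft 365 Unified Audit Log (Operation, Parameters), but the records themselves, the trusted meeting-room network range and the keyword and folder lists are assumptions made for this example and should be tuned to the environment.

```python
"""Hunting logic for device code phishing behaviours (added example).

All telemetry below is constructed for illustration; field names are
modelled on Entra ID sign-in records and the M365 Unified Audit Log.
"""
import ipaddress

# --- Constructed sample Entra ID sign-in records (not real telemetry) ---
SIGNIN_LOGS = [
    # Meeting-room account: device code from the trusted range, Android client
    {"userPrincipalName": "room-tv@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "192.0.2.20", "userAgent": "Mozilla/5.0 (Linux; Android 11)"},
    # Device code sign-in from outside the trusted range: needs review
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.10", "userAgent": "Mozilla/5.0 (Windows NT 10.0)"},
    # Token use by the Kali365 Live desktop client: high-confidence indicator
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "none",
     "ipAddress": "198.51.100.7", "userAgent": "kali365-live/1.0.0"},
    # Ordinary interactive sign-in: should not be flagged
    {"userPrincipalName": "carol@example.com", "authenticationProtocol": "none",
     "ipAddress": "203.0.113.55", "userAgent": "Mozilla/5.0 (Windows NT 10.0)"},
]

# --- Constructed sample Unified Audit Log inbox-rule records ---
AUDIT_LOGS = [
    {"UserId": "bob@example.com", "Operation": "New-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectOrBodyContainsWords", "Value": "phish;spam;click;SharePoint"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"UserId": "carol@example.com", "Operation": "New-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "From", "Value": "news@example.org"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"UserId": "dave@example.com", "Operation": "Set-InboxRule",
     "Parameters": [{"Name": "Identity", "Value": "cleanup"},
                    {"Name": "SubjectContainsWords", "Value": "password reset"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
]

# Tuning knobs (assumptions): where device code flow is legitimately expected,
# the known malicious client string, and what a suppression rule looks like.
TRUSTED_DEVICE_CODE_NETS = [ipaddress.ip_network("192.0.2.0/24")]
KALI365_UA = "kali365-live/1.0.0"
SUPPRESSION_KEYWORDS = {"spam", "phish", "click", "sharepoint", "password", "security"}
HIDDEN_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "deleted items", "junk email", "archive"}


def flag_signins(records):
    """Return (user, reason) pairs for the device-code and User-Agent hypotheses."""
    hits = []
    for r in records:
        if r.get("userAgent", "") == KALI365_UA:
            hits.append((r["userPrincipalName"], "kali365-live user-agent"))
            continue
        if r.get("authenticationProtocol") == "deviceCode":
            ip = ipaddress.ip_address(r["ipAddress"])
            if not any(ip in net for net in TRUSTED_DEVICE_CODE_NETS):
                hits.append((r["userPrincipalName"], "device code flow from untrusted network"))
    return hits


def _params(record):
    """Flatten the audit record's Name/Value parameter list into a dict."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def flag_inbox_rules(records):
    """Return (user, reason) pairs for rules that hide mail matching security keywords."""
    hits = []
    for r in records:
        if r.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        p = _params(r)
        # Any *ContainsWords parameter (subject, body, or both) carries the keyword filter.
        words = " ".join(v for k, v in p.items() if "ContainsWords" in k).lower()
        keyword_hit = any(kw in words for kw in SUPPRESSION_KEYWORDS)
        hides = (p.get("MoveToFolder", "").lower() in HIDDEN_FOLDERS
                 or p.get("DeleteMessage", "").lower() == "true"
                 or p.get("MarkAsRead", "").lower() == "true")
        if keyword_hit and hides:
            hits.append((r["UserId"], f"{r['Operation']} suppressing security keywords"))
    return hits


if __name__ == "__main__":
    for user, reason in flag_signins(SIGNIN_LOGS) + flag_inbox_rules(AUDIT_LOGS):
        print(f"{user}: {reason}")
```

The sign-in check deliberately allow-lists by source network rather than by User-Agent, since the device-code lure works in the victim's normal browser; the User-Agent match is a separate, high-confidence path that catches the attacker's client reusing the stolen tokens. The inbox-rule check requires both a security keyword and a hiding action, which keeps routine filing rules (the "Newsletters" record) out of the results.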

Control Gaps

  • Standard MFA
  • Credential-based Phishing Defenses
  • Endpoint Detection and Response (EDR)

Key Behavioral Indicators

  • User-Agent: kali365-live/1.0.0
  • Inbox rules suppressing security keywords
  • Device Code Flow sign-ins from non-standard devices/locations

False Positive Assessment

  • Medium, as legitimate use of the device code flow by IoT devices, smart TVs, or CLI tools can trigger detections if not properly filtered by Conditional Access policies or baseline tuning.

Recommendations

Immediate Mitigation

  • Block Device Code Flow using Conditional Access (CA) policies where not explicitly required.
  • Search for and remove suspicious inbox rules designed to suppress security notifications.
  • Revoke active sessions and refresh tokens for any accounts suspected of being compromised.

Infrastructure Hardening

  • If device code flow is required, restrict it via CA policies to specific trusted IPs, device platforms (e.g., Android for meeting rooms), or specific service account user groups.
  • Enable sign-in risk policies via Microsoft Entra ID Protection to detect anomalous sign-ins.

User Protection

  • Implement phishing-resistant MFA (e.g., FIDO2 keys) where possible to mitigate the risk of AiTM and token theft.

Security Awareness

  • Train users to recognize device code phishing lures and understand that entering a code grants access to their account.
  • Educate employees on the legitimate use cases for device codes (e.g., smart TVs) versus unexpected prompts on laptops or phones.

MITRE ATT&CK Mapping

  • T1566.001 - Phishing: Spearphishing Attachment
  • T1566.002 - Phishing: Spearphishing Link
  • T1528 - Steal Application Access Token
  • T1556 - Modify Authentication Process
  • T1098 - Account Manipulation
  • T1564.008 - Hide Artifacts: Email Hidden Rules
  • T1114.002 - Email Collection: Remote Email Collection

Additional IOCs

  • IPs:
    • 199[.]91[.]220[.]111 - Cloud Hosting sibling instance for the phishing infrastructure.
  • Domains:
    • kali365[.]xyz - Kali365 Live panel domain.
    • api[.]kali365[.]xyz - Kali365 Live panel API domain.
    • fn4z-b84o-xn9y[.]tesouraria-ts-tranmissions-com-s-account[.]workers[.]dev - Cloudflare Worker domain hosting the phishing landing page (extracted from image).
  • URLs:
    • hxxps://v2[.]duemineral[.]uk - Panel URL used by the Kali365 Live desktop application (extracted from image).
  • File Hashes:
    • 09bb7e568e573497e22bfa3f36d71fe9d104899826608affedb25d988f391c85 (SHA256) - Reference HTML Phishing Page.
    • 2fa6fc2199d3be55e240500d87e4484f39b9315bf336be25434f6716b8d28ec8 (SHA256) - Reference HTML Phishing Page.
  • Other:
    • python-requests/2.31.0 - User-Agent observed for backend egress in the campaign context.