Find notable cyber news and cases, enriched with sources, timelines, and signals.

Kali365 Microsoft 365 device-code phishing campaign

Campaign
First reported
Last updated
Happening score
H score 46
2 unique sources, 2 articles

Summary

Hide ▲

A Kali365 phishing campaign is targeting Microsoft 365 environments worldwide with device-code login lures, putting accounts at risk of token theft and MFA bypass. The operation uses phishing emails that push victims to Microsoft's device code portal, where they unknowingly authorize attacker access. The campaign matters because successful logins can expose mailboxes, cloud applications, and follow-on infrastructure used to hide activity and steal data. It was observed in April 2026 and reflects a broader criminal phishing service ecosystem.

Related Happenings

O-UNC-066 / Pink Microsoft Entra passkey vishing campaign

Campaign
H score37 First: 08.07.2026 19:47 Last: 08.07.2026 19:47 Sources 1

About this happening: The **O-UNC-066 / Pink** operation is using **voice-based phishing** to push **Microsoft 365** users into enrolling attacker-controlled **Entra passkeys**, creating a direct path...

Meta For Business Facebook Messenger fake-verification phishing campaign

Campaign
H score29 First: 07.07.2026 10:00 Last: 07.07.2026 10:00 Sources 1

About this happening: A **phishing campaign** abused **Facebook Messenger chatbots** and fake verification lures to steal **Meta For Business** credentials and sensitive identity data, creating account...

Microsoft Azure CLI password-spray campaign using ROPC

Campaign
H score24 First: 01.07.2026 08:46 Last: 01.07.2026 08:46 Sources 1

About this happening: A **massive automated password-spray campaign** against **Microsoft Azure CLI** compromised **at least 78 accounts** across **64 organizations**, expanding access risk across clou...

Signal Backup Recovery Key phishing mitigation

Advisory/Mitigation
H score25 First: 27.06.2026 01:06 Last: 27.06.2026 01:06 Sources 1

About this happening: The **FBI** and **CISA** updated mitigation guidance for **Signal users** after a phishing operation began targeting **Backup Recovery Keys**, which can expose **historical messag...

FortiBleed Fortinet credential-theft campaign

Campaign
H score89 First: 19.06.2026 13:48 Last: 19.06.2026 13:48 Sources 1

About this happening: The **FortiBleed** Happening is a global **Fortinet credential-theft** campaign affecting **FortiGate firewall** and **SSL VPN** customers. The **UK’s NCSC** issued guidance after...

Latest development: 22.06.2026 11:30

The UK’s National Cyber Security Centre issued guidance for Fortinet customers impacted by FortiBleed after the campaign exposed around 75,000 credentials from FortiGate firewall and SSL VPN customers. The NCSC urged affected organizations to use Hudson Rock’s or SOCRadar’s FortiBleed checker tools and then review indicators of compromise such as unauthorized account creation and unexpected activity in log files.

Timeline

  1. 25.05.2026 15:45 3 articles · 1mo ago

    Kali365 Microsoft 365 device-code phishing disclosure

    Initial Disclosure

    FBI and Arctic Wolf reporting identify Kali365 as a phishing-as-a-service platform that targets Microsoft 365 and Microsoft Entra accounts through OAuth device-code phishing and an adversary-in-the-middle mode called "Cookie Link." The service is distributed through Telegram channels, offers AI-generated phishing lures, automated campaign templates, real-time victim-tracking dashboards, and token capture, and has been observed in campaigns against organizations worldwide that led to mailbox access, malicious inbox rules, and occasional new device registrations.

    Show sources