Kali365 Microsoft 365 device-code phishing campaign
Campaign
Summary
A Kali365 phishing campaign is targeting Microsoft 365 environments worldwide with device-code login lures, putting accounts at risk of token theft and MFA bypass. The operation uses phishing emails that push victims to Microsoft's device code portal, where they unknowingly authorize attacker access. The campaign matters because successful logins can expose mailboxes, cloud applications, and follow-on infrastructure used to hide activity and steal data. It was observed in April 2026 and reflects a broader criminal phishing service ecosystem.
Related Happenings
PureLogs infostealer purchase-order phishing delivery chain
Malware Activity
First: 27.05.2026 11:00
Last: 27.05.2026 11:00
Sources 1
About this happening:
The **PureLogs** infostealer is being delivered through **purchase-order-themed phishing emails**, creating a **Windows** infection chain that steals **browser credentials**, **Di...
Infostealer malware operation targeting online store users
Malware Activity
First: 21.05.2026 00:36
Last: 21.05.2026 00:36
Sources 1
About this happening:
A **malware operation** using **infostealer** tools infected users’ devices between **2024 and 2025**, stealing browser sessions and account credentials that enabled account theft...
CypherLoc phishing-led browser scareware campaign
Campaign
First: 20.05.2026 13:00
Last: 20.05.2026 13:00
Sources 1
About this happening:
The **CypherLoc** operation has driven **around 2.8 million attacks** since the start of **2026**, using **phishing emails** to send users to malicious pages that lock browsers an...
Storm-2949 Microsoft 365 and Azure data-theft campaign
Campaign
First: 19.05.2026 22:35
Last: 19.05.2026 22:35
Sources 1
About this happening:
The **Storm-2949** campaign is targeting **Microsoft 365 and Azure production environments** to steal sensitive data, increasing the risk of privileged-account takeover and cloud...
EvilTokens Microsoft 365 consent phishing campaign
Campaign
First: 19.05.2026 14:30
Last: 19.05.2026 14:30
Sources 1
About this happening:
The **EvilTokens** campaign rapidly compromised **more than 340 Microsoft 365 organizations** across **five countries**, showing how **OAuth grant abuse** can bypass **MFA** and c...
Timeline
- 25.05.2026 15:45 · 3 articles
Kali365 Microsoft 365 device-code phishing disclosure
Initial Disclosure
FBI and Arctic Wolf reporting identify Kali365 as a phishing-as-a-service platform that targets Microsoft 365 and Microsoft Entra accounts through OAuth device-code phishing and an adversary-in-the-middle mode called "Cookie Link." The service is distributed through Telegram channels, offers AI-generated phishing lures, automated campaign templates, real-time victim-tracking dashboards, and token capture, and has been observed in campaigns against organizations worldwide that led to mailbox access, malicious inbox rules, and occasional new device registrations.
Sources:
- FBI warns of Kali365 phishing service targeting Microsoft 365 accounts — www.bleepingcomputer.com — 25.05.2026 15:45
- FBI Warns 'Kali365' Phishing Kit Hijacks Microsoft 365 OAuth Tokens — www.infosecurity-magazine.com — 25.05.2026 12:30