In the News

IT Nerd: FBI Warns Of Device Code Phishing Attacks

Written by Rosa Lear | May 22, 2026 6:50:31 PM

This article was originally posted on IT Nerd here. 

Earlier this week the FBI put out a warning about Kali365 and the spike in device code phishing attacks:

Through the Kali365 platform subscription, cyber threat actors can capture “OAuth” tokens and gain persistent access to targeted individuals/entities’ Microsoft 365 environments. Kali365 lowers the barrier of entry, providing less-technical attackers access to AI-generated phishing lures, automated campaign templates, real-time targeted individual/entity tracking dashboards, and OAuth token capture capabilities.

But the deeper story is why this class of attack is so hard to catch. There is no attacker-controlled link and no spoofed login page: the victim signs in on Microsoft's own device-login page and enters a short code the attacker supplied, and the legitimate OAuth device code flow then hands the attacker a valid token, bypassing everything traditional security is trained to flag.
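To make that mechanism concrete, here is a simulation of the OAuth 2.0 device authorization grant (RFC 8628) in which the attacker starts the flow, forwards only the user code to the victim, and polls the token endpoint until the victim's legitimate sign-in is converted into tokens for the attacker. This is an added example, not code from the article, the FBI notice, Kali365 or any vendor; the in-process authorization server, its class names, the FakeClock, the token formats, the client id and the victim identity are all constructed for illustration, and only the endpoint semantics follow RFC 8628.

```python
"""Simulated OAuth 2.0 device authorization grant (RFC 8628), showing why the
client that started the flow (the attacker), not the user who signed in, ends
up holding the token.

Added example, not code from the article, the FBI notice or any vendor. The
authorization server is an in-process stand-in whose endpoint semantics follow
RFC 8628; the class names, FakeClock, token formats, client id and victim
identity are all constructed for illustration.
"""
import secrets
from dataclasses import dataclass
from typing import Optional


class FakeClock:
    """Deterministic clock so the polling interval and expiry can be exercised."""

    def __init__(self, start: float = 0.0):
        self.t = start

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


@dataclass
class DeviceAuth:
    device_code: str            # secret; stays with the client that started the flow
    user_code: str              # short code the user types on the verification page
    client_id: str
    scope: str
    expires_at: float
    interval: int = 5           # minimum seconds between polls (RFC 8628 "interval")
    approved_by: Optional[str] = None
    last_poll: Optional[float] = None


class AuthorizationServer:
    """Stand-in identity provider exposing the three device-code steps."""

    def __init__(self, clock: FakeClock, lifetime: int = 900):
        self.clock = clock
        self.lifetime = lifetime
        self.by_device_code: dict = {}
        self.by_user_code: dict = {}

    def device_authorization(self, client_id: str, scope: str) -> dict:
        """Step 1 (RFC 8628 s3.1/3.2): the client asks for a device_code/user_code pair."""
        da = DeviceAuth(device_code=secrets.token_urlsafe(32),
                        user_code=f"{secrets.randbelow(10**9):09d}",
                        client_id=client_id, scope=scope,
                        expires_at=self.clock.now() + self.lifetime)
        self.by_device_code[da.device_code] = da
        self.by_user_code[da.user_code] = da
        return {"device_code": da.device_code, "user_code": da.user_code,
                "verification_uri": "https://idp.example/devicelogin",  # stand-in URL
                "expires_in": self.lifetime, "interval": da.interval}

    def user_approves(self, user_code: str, signed_in_user: str) -> bool:
        """Step 2 (s3.3): a user signs in on the legitimate page and enters the user_code.
        The server has no way to tell whether that user is the party that ran step 1."""
        da = self.by_user_code.get(user_code)
        if da is None or self.clock.now() > da.expires_at:
            return False
        da.approved_by = signed_in_user
        return True

    def token(self, client_id: str, device_code: str) -> dict:
        """Step 3 (s3.4/3.5): the client polls with the device_code it kept from step 1."""
        da = self.by_device_code.get(device_code)
        if da is None or da.client_id != client_id:
            return {"error": "invalid_grant"}
        now = self.clock.now()
        if now > da.expires_at:
            self._forget(da)
            return {"error": "expired_token"}
        if da.last_poll is not None and now - da.last_poll < da.interval:
            return {"error": "slow_down"}
        da.last_poll = now
        if da.approved_by is None:
            return {"error": "authorization_pending"}
        self._forget(da)  # a device_code is redeemable exactly once
        return {"token_type": "Bearer", "scope": da.scope, "sub": da.approved_by,
                "access_token": "at." + secrets.token_hex(8),
                "refresh_token": "rt." + secrets.token_hex(8)}

    def _forget(self, da: DeviceAuth) -> None:
        self.by_device_code.pop(da.device_code, None)
        self.by_user_code.pop(da.user_code, None)


def phishing_scenario(server: AuthorizationServer, clock: FakeClock,
                      victim_delay: float = 60.0) -> dict:
    """Attacker starts the flow, sends only the user_code to the victim in a lure,
    keeps the device_code, and polls until the victim's sign-in yields tokens."""
    attacker_client = "public-client-id"  # constructed; any client permitted the device grant
    start = server.device_authorization(attacker_client, "Mail.Read offline_access")
    before = server.token(attacker_client, start["device_code"])  # victim has not acted yet
    clock.advance(victim_delay)
    approved = server.user_approves(start["user_code"], "victim@example.com")
    after = server.token(attacker_client, start["device_code"])
    replay = server.token(attacker_client, start["device_code"])  # second redemption attempt
    return {"before": before, "approved": approved, "after": after, "replay": replay}


if __name__ == "__main__":
    clk = FakeClock(1000.0)
    print(phishing_scenario(AuthorizationServer(clk), clk))
```

Two things the simulation makes visible that the prose alone does not: the victim's sign-in is entirely genuine (correct password, MFA if prompted, the real verification page), so there is nothing at the authentication layer to flag; and the attacker's only time pressure is the code lifetime, which is why `victim_delay` larger than `lifetime` makes the victim's approval fail and the poll return `expired_token`.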

Gidi Cohen, CEO & Co-founder, Bonfy.AI had this comment:

“The FBI’s warning is well-placed, and the recommended mitigations — conditional access policies, blocking device code flows — are the right first response. But they address the front door.

The harder question is what happens once an attacker is already inside a legitimate session. When a token is stolen, the attacker isn’t a stranger to the system anymore. They’re operating with valid credentials through authorized pathways. Traditional controls see a clean session. They don’t see intent.

That gap gets wider as AI enters the picture. Copilots and agents connected to M365 mean a compromised session isn’t just access to stored data — it’s a potential entry point into ongoing AI workflows, retrieval pipelines, and generated outputs that can surface sensitive information in ways that are much harder to detect.

The industry conversation tends to stop at authentication. It needs to extend to the data layer — what’s actually moving through these systems, what it contains, who it’s about, and whether that movement aligns with policy intent. Because by the time data is in motion, the authentication question has already been answered. Correctly or not.”

As noted above, the technique is dangerous precisely because it rides a legitimate authentication flow, so it leaves little that signature-based controls can flag. That makes the FBI's recommended mitigations, conditional access policies and blocking the device code flow wherever it is not genuinely needed, essential to keeping your organization safe.
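Where the device code flow cannot be blocked outright, the remaining lever is detection on the sign-in records the identity provider does produce. The following is an added example, not code from the article or from Microsoft: a hunt over sign-in records that flags every successful device-code sign-in, raises severity when it comes from outside the corporate egress range, and correlates several users completing device-code sign-ins from one IP inside a short window, which is what a campaign run from a single attacker host looks like. The records are constructed, their field names are assumed to follow the Entra ID SigninLogs export schema (`AuthenticationProtocol == "deviceCode"` is taken to mark the flow), and the corporate range is a TEST-NET placeholder.

```python
"""Hunt for device-code sign-ins in Entra ID style sign-in records.

Added example, not code from the article or from Microsoft. Records are
constructed; field names are assumed to follow the SigninLogs export schema
and the corporate range is a TEST-NET placeholder.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed corporate egress network (TEST-NET-3 stands in for the real ranges).
CORPORATE_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample records; every value is invented.
SAMPLE_SIGNIN_LOGS = [
    {"TimeGenerated": "2026-05-20T09:01:12Z", "UserPrincipalName": "alice@example.com",
     "IPAddress": "203.0.113.10", "AppDisplayName": "Microsoft Teams",
     "AuthenticationProtocol": "oAuth2", "ResultType": "0"},
    {"TimeGenerated": "2026-05-20T09:05:44Z", "UserPrincipalName": "alice@example.com",
     "IPAddress": "198.51.100.77", "AppDisplayName": "Microsoft Office",
     "AuthenticationProtocol": "deviceCode", "ResultType": "0"},
    {"TimeGenerated": "2026-05-20T09:07:03Z", "UserPrincipalName": "bob@example.com",
     "IPAddress": "198.51.100.77", "AppDisplayName": "Microsoft Office",
     "AuthenticationProtocol": "deviceCode", "ResultType": "0"},
    {"TimeGenerated": "2026-05-20T09:30:00Z", "UserPrincipalName": "carol@example.com",
     "IPAddress": "203.0.113.12", "AppDisplayName": "Microsoft Office",
     "AuthenticationProtocol": "deviceCode", "ResultType": "0"},
    {"TimeGenerated": "2026-05-20T10:00:00Z", "UserPrincipalName": "dave@example.com",
     "IPAddress": "198.51.100.77", "AppDisplayName": "Microsoft Office",
     "AuthenticationProtocol": "deviceCode", "ResultType": "50126"},  # failed sign-in
]


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def is_corporate(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)


def detect_device_code_abuse(records, window: timedelta = timedelta(minutes=60)) -> list:
    """Return alerts for successful device-code sign-ins and for IPs that
    redeemed device codes for several users within `window`."""
    alerts = []
    by_ip = defaultdict(list)  # ip -> [(time, user)] for successful device-code sign-ins
    for r in sorted(records, key=lambda rec: _ts(rec["TimeGenerated"])):
        if r.get("AuthenticationProtocol") != "deviceCode" or r.get("ResultType") != "0":
            continue
        corporate = is_corporate(r["IPAddress"])
        alerts.append({"rule": "device_code_signin",
                       "severity": "medium" if corporate else "high",
                       "user": r["UserPrincipalName"], "ip": r["IPAddress"],
                       "app": r["AppDisplayName"], "time": r["TimeGenerated"]})
        by_ip[r["IPAddress"]].append((_ts(r["TimeGenerated"]), r["UserPrincipalName"]))

    # Campaign indicator: one IP completing device-code sign-ins for several users.
    # Simple span check over the IP's events; a production rule would slide the window.
    for ip, events in by_ip.items():
        users = sorted({user for _, user in events})
        span = events[-1][0] - events[0][0]
        if len(users) >= 2 and span <= window:
            alerts.append({"rule": "shared_ip_device_code", "severity": "high",
                           "ip": ip, "users": users,
                           "first": events[0][0].isoformat(),
                           "last": events[-1][0].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_device_code_abuse(SAMPLE_SIGNIN_LOGS):
        print(alert)
```

The per-sign-in rule is deliberately noisy: in a tenant where the device code flow is not blocked, every hit deserves a look, and the severity split only orders the queue. Failed attempts (non-zero `ResultType`) are skipped here, but keeping a count of them per IP is a cheap addition that surfaces victims who opened the lure and did not finish.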
