The Rise of Kali365 and Why MSPs Should Be Concerned


Since April 2026, we have been tracking underground AiTM and device code flow attacks carried out with a new generation of Phishing-as-a-Service (PhaaS) platforms, one of which is known as Kali365.

We have also been tracking AiTM attack tooling more broadly in recent months and have identified multiple platforms built around reverse proxy capabilities. These tools are designed to intercept authentication sessions, capture cookies, and bypass MFA by placing attacker infrastructure between the victim and legitimate cloud services.

Within weeks, the platform began gaining traction across the cybercriminal ecosystem. By mid-May, its rapid adoption and operational impact had drawn federal attention. On May 21, 2026, the FBI issued Public Service Announcement I-052126-PSA, warning organizations about Kali365 and similar phishing kits designed to abuse Microsoft OAuth device code flows and session cookies.

As we at Guardz have observed, attackers are no longer relying solely on credential theft. Instead, they are increasingly targeting authentication workflows and session artifacts that can allow account takeover even when traditional security controls, including multifactor authentication, are in place.

For SMBs, Kali365 represents a particularly serious threat. Many small and medium businesses now run almost their entire productivity environment on Microsoft 365, including email, Teams, OneDrive, SharePoint, and core business applications. At the same time, these organizations often operate with lean IT teams, limited security budgets, and minimal visibility into identity-based attacks.

That combination creates an ideal target profile. Default Microsoft 365 settings, basic MFA coverage, and limited monitoring may be enough to stop commodity phishing, but they are often insufficient against platforms designed to manipulate authentication flows and hijack active sessions. Kali365 appears purpose-built for this gap. It gives attackers a way to target environments where Microsoft 365 is business critical, but identity security controls have not matured at the same pace.

Unlike traditional credential harvesting kits, Kali365 does not focus on stealing passwords or one-time codes. It directs users through legitimate Microsoft login pages, then quietly captures persistent authentication artifacts such as OAuth tokens or session cookies. This enables attackers to maintain long-term access, bypass MFA protections, and operate inside the environment while blending into normal user activity.

Technical Architecture and Business Model of Kali365

Kali365 is a professionally developed, multi-tenant PhaaS platform with three distinct tiers: Admin (core operators), Agent/Reseller, and Client/Affiliate (the paying attackers).

Pricing is straightforward and attractive to low-skilled criminals: $250 for 30 days or $2,000 for a full year. Payments are processed exclusively through Trocador (trocador.app), a privacy-focused crypto exchange aggregator that requires no KYC/AML checks. This anonymity makes attribution extremely difficult for law enforcement.

After payment, affiliates receive full access to a modern, React-based web dashboard (primarily v2[.]kali365[.]xyz and api[.]kali365[.]xyz). The panel includes AI-powered lure generation, multi-language support, real-time victim tracking, affiliate management, and a rich post-exploitation toolkit.

Infrastructure stack:

  • Cloudflare Workers – Automatically deployed for lure hosting and Adversary-in-the-Middle (AitM) proxying.
  • Origin Servers – Backend VPS instances running the core application logic and database.
  • Token / Cookie Vaults – Encrypted storage for stolen tokens and cookies, with sharing capabilities between operators.
  • Telegram Integration – Central nervous system for alerts, keyword monitoring, and account recovery.
  • Electron Desktop App – Optional native Windows/macOS client with User-Agent kali365-live/1.0.0.

This architecture combines edge performance (Workers) with centralized control, making the platform both fast and resilient.

[Figure: Kali365 Phishing-as-a-Service (PhaaS) - Attack Flow & Infrastructure (May 2026), showing the stages Attacker Infra, Preparation Phase, Attack Modes, and Post Compromise.]

Token Link is the most commonly used and easiest mode in Kali365.

Detailed technical flow:

  • The attacker accesses the Kali365 dashboard and uses its built-in AI capabilities to generate phishing lures at scale. Available templates mimic trusted business workflows, including Adobe Acrobat Sign, DocuSign, SharePoint shared-file alerts, OneDrive links, and Teams messages, and support multiple languages, layouts, and localized targeting.
  • The lure contains a link that redirects the victim to Microsoft’s legitimate device authorization endpoint (https://login.microsoftonline.com/common/oauth2/devicecode or microsoft.com/devicelogin).
  • The victim is shown a unique code and instructed to “enter it on Microsoft’s device login page to access the shared document.”
  • The victim authenticates normally with username, password, and MFA on real Microsoft pages.
  • Kali365’s Cloudflare Worker backend captures the full OAuth access_token (short-lived) and refresh_token (valid for up to 90 days).

With these tokens, the attacker can use the Microsoft Graph API to read emails, send messages, access files, and more. Many immediately proceed to rogue device registration to obtain a Primary Refresh Token (PRT), which provides seamless Single Sign-On (SSO) across all M365 services.

Cookie Link is the stealthier, more advanced mode favored by experienced operators.

Step-by-step:

  • The attacker creates a “Cookie Link” in the dashboard.
  • Kali365 provisions a dedicated Cloudflare Worker that functions as a transparent reverse proxy.
  • When the victim clicks the phishing link, their entire browser session is routed through the attacker’s Worker infrastructure.
  • The victim sees and interacts only with real Microsoft domains and certificates (login.microsoftonline.com).
  • The victim completes their normal login process, including any MFA method.
  • The proxy silently captures ESTSAUTH, ESTSAUTHPERSISTENT, and other session cookies.

These cookies allow the attacker to replay the full authenticated session in their own environment, often giving deeper access than OAuth tokens alone.

Because the entire interaction happens on legitimate Microsoft infrastructure, most email security gateways, browser warnings, and traditional phishing detectors miss it.

[Figure: Kali365 Attack Flow, Cookie Link Attack Mode: attacker-generated link, Cloudflare Worker, Microsoft login proxied through the Worker, session capture and replay.]
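The two attack modes above leave different traces in the Entra ID sign-in log: Token Link ends in a device code sign-in the user completed, and Cookie Link reuses a session from infrastructure the user never touched. The following is an added example (not code from this article, from Guardz, or from the Kali365 platform) with minimal detection logic for each, run over constructed sign-in records. It assumes the sign-in log fields authenticationProtocol, sessionId, ipAddress and userAgent in a flattened record shape; the only value taken from the article is the kali365-live/1.0.0 user agent of the Electron client.

```python
"""Detection logic for the two Kali365 attack modes described above, run over a few
constructed Entra ID sign-in records. Added example, not Guardz code or the Kali365
platform's code. Field names (authenticationProtocol, sessionId, ipAddress, userAgent)
follow the Entra sign-in log schema as the author understands it; every value below is
invented except the kali365-live/1.0.0 user agent, which the article lists."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (a flattened subset of the sign-in log fields).
SAMPLE_SIGNINS = [
    {"user": "alice@example.com", "time": "2026-05-20T09:01:00Z", "ipAddress": "203.0.113.10",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0) Chrome/124", "sessionId": "sess-A1",
     "authenticationProtocol": "authorizationCodeFlow", "status": "success"},
    # Token Link mode: a device code sign-in completed by the user on a real Microsoft page.
    {"user": "alice@example.com", "time": "2026-05-20T09:15:00Z", "ipAddress": "203.0.113.10",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0) Chrome/124", "sessionId": "sess-A2",
     "authenticationProtocol": "deviceCode", "status": "success"},
    {"user": "bob@example.com", "time": "2026-05-20T10:00:00Z", "ipAddress": "203.0.113.20",
     "userAgent": "Mozilla/5.0 (Macintosh) Safari/17", "sessionId": "sess-B1",
     "authenticationProtocol": "authorizationCodeFlow", "status": "success"},
    # Cookie Link mode: the same session reused minutes later from another IP and client.
    {"user": "bob@example.com", "time": "2026-05-20T10:07:00Z", "ipAddress": "198.51.100.77",
     "userAgent": "kali365-live/1.0.0", "sessionId": "sess-B1",
     "authenticationProtocol": "authorizationCodeFlow", "status": "success"},
]

KNOWN_TOOL_USER_AGENTS = {"kali365-live/1.0.0"}  # Electron client UA from the infrastructure list
REPLAY_WINDOW = timedelta(hours=1)


def _ts(record):
    return datetime.strptime(record["time"], "%Y-%m-%dT%H:%M:%SZ")


def detect_device_code_signins(records):
    """Token Link mode: once device code flow is blocked for ordinary users, every
    successful deviceCode sign-in that still appears deserves an alert."""
    return [r for r in records
            if r["authenticationProtocol"] == "deviceCode" and r["status"] == "success"]


def detect_session_replay(records, window=REPLAY_WINDOW):
    """Cookie Link mode: one session ID seen from a different IP or user agent than its
    first sign-in, inside the window. A stolen ESTSAUTH cookie replayed by the operator
    produces exactly this pattern."""
    by_session = defaultdict(list)
    for r in records:
        by_session[r["sessionId"]].append(r)
    hits = []
    for sid, events in by_session.items():
        events.sort(key=_ts)
        first = events[0]
        for later in events[1:]:
            moved = (later["ipAddress"] != first["ipAddress"]
                     or later["userAgent"] != first["userAgent"])
            if moved and _ts(later) - _ts(first) <= window:
                hits.append({"sessionId": sid, "user": later["user"],
                             "first_ip": first["ipAddress"], "replay_ip": later["ipAddress"],
                             "replay_user_agent": later["userAgent"]})
    return hits


def detect_tool_user_agents(records):
    """Exact match on user agents the article attributes to Kali365 tooling."""
    return [r for r in records if r["userAgent"] in KNOWN_TOOL_USER_AGENTS]


def run_detections(records):
    return {
        "device_code_signin": detect_device_code_signins(records),
        "session_replay": detect_session_replay(records),
        "tool_user_agent": detect_tool_user_agents(records),
    }


if __name__ == "__main__":
    for name, hits in run_detections(SAMPLE_SIGNINS).items():
        print(f"{name}: {len(hits)} hit(s)")
        for hit in hits:
            print("   ", hit)
```

The session replay check is the one that survives tool changes: a user agent string is trivial for an operator to change, but a cookie replayed from the operator's own infrastructure always shows up as the victim's session continuing from an address and client the victim never used. Tune the window to your tenant's sign-in frequency and exclude known corporate egress changes (VPN connect/disconnect) before alerting on it.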

The Full Attacker Arsenal

After capturing a token or session cookie, attackers gain access to a mature post-compromise toolkit designed to expand control, maintain persistence, and monetize the account. This shifts the attack from initial access into active account takeover, where the compromised Microsoft 365 identity becomes the launch point for deeper intrusion.

  • Live Inbox Viewer via Graph API for real-time email access.
  • Malicious Inbox Rules that hide security alerts, delete notifications, or forward sensitive emails.
  • B2B Sender Queue for launching internal phishing campaigns from trusted accounts.
  • Deep Contact Harvest to rapidly expand targeting.
  • Keyword Alerts delivered to Telegram.
  • Rogue Device Registration + Primary Refresh Token (PRT) for long-term persistence.
  • Graph API Access to Teams, OneDrive, SharePoint, and connected services.
  • Privilege Role Token Abuse.
  • Data Exfiltration.
  • Token/Cookie Sharing for resale.

These features allow attackers to maintain access for weeks or months while extracting maximum value.
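The malicious inbox rules in the arsenal above are among the easiest post-compromise artifacts to audit, because every rule is visible through the Graph API regardless of how the account was accessed. The following is an added example (not Guardz code) that scores inbox rules for the hiding and forwarding behaviours the article describes: deleting or marking as read mail that mentions security alerts or payments, moving it to rarely viewed folders, and forwarding it outside the tenant. It assumes rule objects in the Microsoft Graph messageRule shape (displayName, isEnabled, conditions, actions); the sample rules, domains and addresses are constructed.

```python
"""Audit Outlook inbox rules for the hiding and forwarding patterns described above.
Added example, not Guardz code. Rule objects follow the Microsoft Graph messageRule
schema (displayName, isEnabled, conditions, actions) as the author understands it,
e.g. the items returned by GET /users/{id}/mailFolders/inbox/messageRules; the sample
rules, tenant domain and addresses below are constructed."""

TENANT_DOMAINS = {"example.com"}   # constructed: the organisation's own mail domains
# Subjects/bodies an attacker wants the victim not to see: security notices and payment traffic.
ALERT_KEYWORDS = {"password", "security alert", "suspicious", "mfa", "sign-in", "invoice", "payment"}
# Folders users rarely open, a common destination for hidden mail.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "junk email", "conversation history"}
FORWARDING_ACTIONS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")

SAMPLE_RULES = [
    {"displayName": "Vendor newsletter", "isEnabled": True,
     "conditions": {"fromAddresses": [{"emailAddress": {"address": "news@vendor.example.net"}}]},
     "actions": {"moveToFolder": "Newsletters"}},
    # Hides security notifications: deleted, marked read, name is a single dot.
    {"displayName": ".", "isEnabled": True,
     "conditions": {"subjectContains": ["security alert", "unusual sign-in"]},
     "actions": {"delete": True, "markAsRead": True, "stopProcessingRules": True}},
    # Diverts payment traffic to an external mailbox and buries the originals.
    {"displayName": "Sync", "isEnabled": True,
     "conditions": {"bodyContains": ["invoice", "payment"]},
     "actions": {"forwardTo": [{"emailAddress": {"address": "collector@mailbox.example.org"}}],
                 "moveToFolder": "RSS Feeds"}},
]


def _addresses(recipients):
    return [r["emailAddress"]["address"].lower() for r in (recipients or [])]


def _is_external(address):
    return address.rsplit("@", 1)[-1] not in TENANT_DOMAINS


def audit_rule(rule):
    """Return the suspicious traits of one rule (an empty list means nothing notable)."""
    findings = []
    if not rule.get("isEnabled", True):
        return findings
    cond = rule.get("conditions") or {}
    act = rule.get("actions") or {}
    terms = [t.lower() for t in (cond.get("subjectContains") or []) + (cond.get("bodyContains") or [])]
    watched = sorted({t for t in terms if any(k in t for k in ALERT_KEYWORDS)})
    if act.get("delete") and watched:
        findings.append(f"deletes mail matching {watched}")
    if act.get("markAsRead") and watched:
        findings.append(f"marks mail matching {watched} as read")
    folder = (act.get("moveToFolder") or "").lower()
    if folder in HIDING_FOLDERS:
        findings.append(f"moves mail to rarely viewed folder '{act['moveToFolder']}'")
    external = [a for key in FORWARDING_ACTIONS for a in _addresses(act.get(key)) if _is_external(a)]
    if external:
        findings.append(f"forwards or redirects to external address(es) {external}")
    if findings and len(rule.get("displayName", "").strip()) <= 2:
        findings.append(f"minimal rule name {rule.get('displayName')!r}")
    return findings


def audit_rules(rules):
    """Return [{'rule': displayName, 'findings': [...]}] for every rule that has findings."""
    report = []
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            report.append({"rule": rule.get("displayName", ""), "findings": findings})
    return report


if __name__ == "__main__":
    for entry in audit_rules(SAMPLE_RULES):
        print(f"rule {entry['rule']!r}:")
        for finding in entry["findings"]:
            print("   -", finding)
```

Run this over every mailbox on a schedule and diff against the previous run: a rule that appears minutes after a suspicious sign-in is a far stronger signal than the rule on its own. Note that moveToFolder in the live API is a folder ID rather than a display name, so a real implementation resolves the folder first; the keyword and hiding-folder lists are starting points to adapt to the client's language and business.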


Why SMBs Are Prime Targets

Kali365 attacks are difficult to detect because they blend into legitimate Microsoft 365 activity. By abusing legitimate Microsoft domains and trusted authentication flows, these campaigns often bypass traditional security controls, including standard email gateways, basic endpoint protection, and signature-based detection.

As a result, a single compromised account can remain active for weeks without raising clear alerts. During that window, attackers can conduct BEC, harvest sensitive data, establish persistence, or prepare the environment for ransomware deployment.

SMBs typically have:

  • Microsoft 365 security defaults only
  • Default or lightly configured Conditional Access
  • Password + basic MFA only
  • Limited Entra ID log review
  • No dedicated threat hunting team

Kali365 attacks blend seamlessly with legitimate activity because they use real Microsoft domains and authentication flows. Traditional tools (email gateways, endpoint protection) often fail to detect them.

Comprehensive Defense Strategy for MSPs

Block Device Code Authentication (Do This First)

Create a Conditional Access policy to block Device Code flow for all users (allow very limited exceptions only for printers or specific service accounts). This single change blocks the majority of Token Link attacks used by Kali365.

Enforce Phishing-Resistant MFA

Move users to phishing-resistant authentication methods such as FIDO2 security keys or Microsoft Authenticator with number matching. Prioritize high-risk users, including admins, finance teams, executives, and anyone with access to sensitive systems or payment workflows.

At the same time, disable weaker MFA methods such as SMS, voice calls, and simple push approvals. These methods remain vulnerable to social engineering, MFA fatigue, and session phishing attacks.

Require Compliant Devices + Token Protection

  • Enforce sign-ins only from Intune-compliant or hybrid-joined devices.
  • Turn on Token Protection (device-bound tokens) in Conditional Access.

This makes rogue device registration and token replay much harder.
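The first and third recommendations above are both Conditional Access policies, and both are easy to get subtly wrong: a device code block left in report-only mode, scoped to a few apps, or with a broad exclusion group blocks nothing. The following is an added example (not Guardz or Microsoft code) that builds the two policies as Microsoft Graph request bodies and audits an exported policy list to confirm the device code block is actually enforced. The field names follow the Graph conditionalAccessPolicy schema as the author understands it (authenticationFlows.transferMethods for the device code condition, secureSignInSession for Token Protection); the group ID is a placeholder.

```python
"""Build and audit the Conditional Access policies recommended above, as Microsoft Graph
request bodies. Added example, not Guardz or Microsoft code. Field names follow the Graph
conditionalAccessPolicy schema as the author understands it; the group ID is a placeholder."""
import json

# A real deployment POSTs a policy body to this endpoint with Policy.ReadWrite.ConditionalAccess.
GRAPH_CA_POLICY_URL = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"


def build_block_device_code_policy(exclude_group_ids=()):
    """Policy 1 (do this first): block the device code flow for all users on all apps,
    excluding only the listed groups, e.g. one group holding printer service accounts."""
    return {
        "displayName": "Block device code flow (all users)",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": list(exclude_group_ids)},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def build_compliant_device_token_protection_policy():
    """Policy 3: require an Intune-compliant or hybrid-joined device and bind the
    sign-in session (tokens) to that device."""
    return {
        "displayName": "Require compliant device + token protection",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice", "domainJoinedDevice"]},
        "sessionControls": {"secureSignInSession": {"isEnabled": True}},
    }


def device_code_is_blocked(policies):
    """Audit: True only if an *enabled* policy blocks deviceCodeFlow for All users on All apps.
    Report-only policies and policies scoped to some users or apps do not count."""
    for policy in policies:
        if policy.get("state") != "enabled":
            continue
        cond = policy.get("conditions") or {}
        flows = cond.get("authenticationFlows") or {}
        methods = {m.strip() for m in (flows.get("transferMethods") or "").split(",")}
        if "deviceCodeFlow" not in methods:
            continue
        if "All" not in (cond.get("users") or {}).get("includeUsers", []):
            continue
        if "All" not in (cond.get("applications") or {}).get("includeApplications", []):
            continue
        if "block" in (policy.get("grantControls") or {}).get("builtInControls", []):
            return True
    return False


def device_code_block_exclusions(policies):
    """Audit: the exclusion groups of enforced device code blocks, to review for over-broad scope."""
    return [g for p in policies if device_code_is_blocked([p])
            for g in (p["conditions"].get("users") or {}).get("excludeGroups", [])]


if __name__ == "__main__":
    tenant_policies = [build_block_device_code_policy(["PLACEHOLDER-PRINTER-GROUP-ID"]),
                       build_compliant_device_token_protection_policy()]
    print(json.dumps(tenant_policies[0], indent=2))
    print("device code flow blocked:", device_code_is_blocked(tenant_policies))
    print("exclusion groups to review:", device_code_block_exclusions(tenant_policies))
```

Deploy both policies in report-only mode (state enabledForReportingButNotEnforced) first and read the sign-in log for what they would have blocked; Token Protection in particular has platform and application coverage limits documented by Microsoft, so the second policy usually needs its target resources narrowed before enforcement. The audit function is deliberately strict: it returns False for a report-only policy, which is exactly the state tenants are often left in.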

Activate Guardz ITDR

To reduce exposure to modern identity-based phishing campaigns, organizations need visibility beyond the initial email. Attacks such as Kali365 abuse trusted Microsoft authentication flows, session artifacts, OAuth permissions, and post-compromise mailbox activity. In most cases, conditional access and other security policies are not enough.

Detecting these behaviors requires dedicated identity threat detection and response, not just traditional email or endpoint controls.

Activate Guardz ITDR to detect and respond to:

  • AiTM attacks
  • Malicious/hidden inbox rules
  • Anomalous Graph API activity
  • Suspicious OAuth consents
  • And other emerging attacks

What does this look like in Guardz ITDR?

For example, Guardz ITDR detects AiTM, OAuth device code flow abuse, and other identity-based attack patterns using dedicated detection logic built to identify both known techniques and emerging PhaaS variants.

As the attack unfolds, Guardz ITDR raises incidents that break down the details.

[Figure: Guardz ITDR security event report for Kali365 flagging potential OAuth token theft from client IP 216.203.20.95, listing client type, user agent, and an event outcome of Success.]

Real-World Implications and Future Outlook

Kali365 highlights how quickly PhaaS platforms are evolving. By combining AI-generated lures, Cloudflare Workers infrastructure, and advanced post-compromise capabilities, these tools are lowering the barrier for sophisticated identity attacks. For SMBs, the impact is significant. Organizations that fail to adapt will face growing exposure to BEC, ransomware, and data theft.

This trend is unlikely to slow down. Future PhaaS platforms will almost certainly adopt similar techniques, making identity-centric attacks easier to launch and harder to detect. Defenders must move faster than the attackers by strengthening Microsoft 365 controls, improving visibility, and treating session theft as a core business risk.

References

IOC Package: Kali365 v1 – We are working on v2 with more domains, user agents, and IPs.

For additional research, threat analysis, and practical guidance on protecting SMBs from modern identity-based attacks, visit the Guardz blog.
