ctipilot.ch

FBI PSA260521 warns on Kali365 — Telegram-distributed PhaaS exploiting OAuth device-code flow for persistent M365 token capture bypassing MFA

campaign · item:fbi-psa260521-kali365-phaas-oauth-device-code-m365-mfa-bypass

Coverage timeline: 1 (first 2026-05-23 → last 2026-05-23)
Briefs: 1 (1 distinct)
Sources cited: 4 (4 hosts)
Sections touched: 1 (active_threats)
Co-occurring entities: 0 (no co-occurrence)

Story timeline

  1. 2026-05-23 · CTI Daily Brief — 2026-05-23
     active_threats: FBI IC3 PSA260521 (2026-05-21) on Kali365 — observed since April 2026. Lures impersonate Adobe Acrobat Sign/DocuSign/SharePoint with device codes for the legitimate login.microsoftonline.com/common/oauth2/deviceauth page. Attacker-registered device receives access+refresh tokens. Secondary AiTM mode proxies session cookies. $250/month or $2,000/year per tenant; AI-generated lures in 14 languages. FBI explicitly names government and critical-infrastructure targets. T1111, T1528. EvilTokens listed as a competing PhaaS.

Where this entity is cited

  • active_threats (1)

Source distribution

  • cyberscoop.com: 1 (25%)
  • helpnetsecurity.com: 1 (25%)
  • therecord.media: 1 (25%)
  • theregister.com: 1 (25%)

Items in briefs about FBI PSA260521 warns on Kali365 — Telegram-distributed PhaaS exploiting OAuth device-code flow for persistent M365 token capture bypassing MFA (1)

FBI PSA260521 — Kali365 OAuth device-code PhaaS bypasses M365 MFA without credential capture

From CTI Daily Brief — 2026-05-23 · published 2026-05-23

The FBI's Internet Crime Complaint Center issued PSA260521 on 2026-05-21 on Kali365, a Telegram-distributed Phishing-as-a-Service platform observed since April 2026 that abuses Microsoft's OAuth 2.0 device-code authorization flow (RFC 8628) to capture persistent access and refresh tokens for M365 accounts while completely bypassing multi-factor authentication (The Register, 2026-05-22 · Help Net Security, 2026-05-22 · The Record, 2026-05-22 · CyberScoop, 2026-05-22). The technique falls under MITRE ATT&CK T1111 (MFA Interception) and T1528 (Steal Application Access Token) but differs structurally from credential phishing: the victim receives a lure impersonating Adobe Acrobat Sign, DocuSign or SharePoint, opens the embedded device code, and enters it on the legitimate login.microsoftonline.com/common/oauth2/deviceauth page; the attacker's registered device then receives both an access and a refresh token bound to that device, granting persistent access to Exchange Online, Teams, OneDrive and SharePoint without any further user interaction or MFA challenge.

A secondary AiTM mode proxies the victim's browser through attacker infrastructure to capture session cookies during a real Microsoft authentication flow when the device-code flow is blocked. Subscriptions cost $250/month or $2,000/year per tenant; AI-generated lures are available in 14 languages with automated campaign templates and real-time tracking dashboards, lowering the technical bar for less capable actors. Observed outcomes since April 2026, per the four outlets corroborating the FBI PSA, include mailbox exfiltration, lateral phishing, business email compromise and ransomware pre-staging.

Detection vantage: Entra ID sign-in logs record authenticationProtocol = deviceCode for every device-code sign-in. Alert on such events from unfamiliar device names or from geographies inconsistent with the user's home location, and look for sign-in activity from a different IP immediately after a device-code event, which suggests the captured token is already in use elsewhere.

Hardening: block the user-interactive device-code flow via the Conditional Access Authentication flows condition (block, or require a compliant device), enforce FIDO2 phishing-resistant MFA for high-value accounts, and review existing OAuth app consents. Public-sector tenants often leave device-code open for legacy device enrolment, and once an attacker holds a refresh token, only Revoke-MgUserSignInSession clears it.
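The detection logic above, as an added example that is not from the FBI PSA or any of the cited outlets: it runs over constructed records shaped like Entra ID sign-in log entries (only the fields the check reads), with a hypothetical per-user baseline of home country and known device names.

```python
"""Triage Entra ID sign-in records for device-code abuse (added example)."""
from datetime import datetime, timedelta

# Constructed sample records in the shape of Entra ID / Microsoft Graph
# signIn events (only the fields this check reads). Not real data.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.ch", "createdDateTime": "2026-05-22T09:14:02Z",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.7",
     "deviceDetail": {"displayName": "DESKTOP-QX7"}, "location": {"countryOrRegion": "NL"}},
    {"userPrincipalName": "alice@example.ch", "createdDateTime": "2026-05-22T09:15:40Z",
     "authenticationProtocol": "none", "ipAddress": "198.51.100.23",
     "deviceDetail": {"displayName": ""}, "location": {"countryOrRegion": "NL"}},
    {"userPrincipalName": "bob@example.ch", "createdDateTime": "2026-05-22T10:02:11Z",
     "authenticationProtocol": "deviceCode", "ipAddress": "192.0.2.44",
     "deviceDetail": {"displayName": "KIOSK-BERN-01"}, "location": {"countryOrRegion": "CH"}},
]

# Hypothetical per-user baseline (home country, known device names); in a
# real deployment this would come from HR data and the asset inventory.
HOME_COUNTRY = {"alice@example.ch": "CH", "bob@example.ch": "CH"}
KNOWN_DEVICES = {"KIOSK-BERN-01"}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_device_code_alerts(signins, window=timedelta(minutes=30)):
    """One alert per suspicious device-code sign-in.

    Flags a deviceCode event whose country differs from the user's home
    country or whose device name is unknown, and records any later sign-in
    for the same user from a different IP inside `window` as follow-on use.
    """
    events = sorted(signins, key=lambda e: e["createdDateTime"])
    alerts = []
    for i, e in enumerate(events):
        if e.get("authenticationProtocol") != "deviceCode":
            continue
        user, reasons = e["userPrincipalName"], []
        if e["location"]["countryOrRegion"] != HOME_COUNTRY.get(user):
            reasons.append("country differs from home")
        if e["deviceDetail"]["displayName"] not in KNOWN_DEVICES:
            reasons.append("unknown device name")
        follow = [f for f in events[i + 1:] if f["userPrincipalName"] == user
                  and f["ipAddress"] != e["ipAddress"]
                  and _ts(f["createdDateTime"]) - _ts(e["createdDateTime"]) <= window]
        if follow:
            reasons.append(f"follow-on sign-in from {follow[0]['ipAddress']}")
        if reasons:
            alerts.append({"user": user, "time": e["createdDateTime"], "reasons": reasons})
    return alerts
```

Bob's device-code sign-in from a known kiosk in his home country produces no alert, so the rule does not fire on the legitimate enrolment use case the brief mentions.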

Why it matters to us: the device-code attack path is the single fastest M365 compromise vector that classic phishing-aware users still walk into; Swiss federal, cantonal and public-administration Entra tenants often leave the flow open for kiosk / shared-device enrolment, and the Kali365 commoditisation means small actors can now run it without M365 expertise.