Advisory May 19, 2026

Kali365 Infrastructure: Abusing OAuth Device Code Phishing

Christos Katagis, Senior Threat Detection & Response Analyst & Nikolas Kappas, Cyber Threat Hunter

Stay ahead of emerging identity-based phishing threats with Obrela’s latest Threat Advisory on the rapidly evolving Kali365 Phishing-as-a-Service (PhaaS) operation.

This advisory provides in-depth analysis of how attackers are abusing OAuth Device Code authentication flows to bypass MFA protections, maintain persistent access to Microsoft 365 environments, and scale phishing operations through sophisticated cloud-based infrastructure.

Inside the advisory, you’ll discover:

  • How Kali365 leverages legitimate Microsoft authentication workflows for stealthier compromise
  • Insights into the infrastructure, operational capabilities, and phishing mechanisms behind the campaign
  • Real-world attack observations uncovered by Obrela MDR analysts
  • Indicators of compromise (IOCs) linked to the activity
  • Actionable defensive recommendations to strengthen identity security and detection capabilities

As phishing operations continue shifting toward identity-focused attacks and token abuse, understanding these techniques is critical for organizations looking to reduce exposure and improve resilience against modern cloud-targeted threats.

Complete the form to access the full Threat Advisory and gain exclusive insight from Obrela’s threat research team.