You are using an out of date browser. It may not display this or other websites correctly. You should upgrade or use an alternative browser.
oauth device code phishing
About this tag
OAuth device code phishing is a growing threat to Microsoft 365 users, as highlighted by FBI warnings in May 2026 about the Kali365 phishing-as-a-service platform. This attack abuses the legitimate OAuth device code authentication flow to steal access tokens and bypass multifactor authentication without capturing passwords. Instead of tricking victims into entering credentials on a fake page, attackers trick them into completing a real Microsoft sign-in on the attacker's device. This makes traditional anti-phishing advice like checking the URL insufficient. The Kali365 platform, distributed via Telegram, industrializes this trust-based attack, turning a convenient Microsoft sign-in feature into a serious account takeover vector.
The FBI warned on May 21, 2026, that Kali365, a phishing-as-a-service platform distributed primarily through Telegram, is being used to hijack Microsoft 365 accounts by abusing OAuth device code authentication and stealing access tokens without capturing passwords. The warning matters because it...
The FBI’s Internet Crime Complaint Center warned in May 2026 that Kali365, a phishing-as-a-service platform first seen in April, is targeting Microsoft 365 users by abusing OAuth device-code authentication to capture access tokens and bypass multifactor authentication without stealing passwords...