In mid-May 2026, Huntress uncovered a sophisticated phishing ecosystem operating under multiple names—Kali365, Octopi365, and Freedom365—that targets Microsoft 365 accounts through device code authentication abuse. This isn't your typical credential harvesting operation; it's a mature Phishing-as-a-Service (PhaaS) platform that maintains persistent access even after password resets and MFA changes. (Source: Huntress)
The attack begins when users receive emails containing links to Canva-hosted websites claiming their message is encrypted. Clicking through presents victims with a code and redirects them to legitimate Microsoft login pages where they're prompted to enter this code. In as little as 42 seconds, attackers gain persistent access through Microsoft's device authentication flow—a feature designed for devices without keyboards that these operators abuse for account takeover.
What makes this campaign particularly dangerous is its use of refresh tokens obtained through the Microsoft Authentication Broker client ID (d3590ed6-52b3-4102-aeff-aad2292ab01c). These tokens survive password changes and MFA resets because they're tied to the device authorization itself, not the user's credentials. Once captured, operators can access Outlook mailboxes, OneDrive files, SharePoint documents, and Teams conversations without triggering standard authentication alerts.
The infrastructure behind these attacks spans over 150 IP addresses, primarily hosted on Tencent Cloud's AS132203 network. The phishing kit includes 33 built-in lure templates impersonating various Microsoft services, AI-powered business email compromise features, and companion desktop applications that convert stolen tokens into active browser sessions. These tools enable operators to read emails, harvest contacts, monitor specific keywords like "invoice" or "wire transfer," and send phishing emails from compromised accounts to internal contacts who trust the sender.
Your organization faces immediate risk if device code authentication remains enabled across your Microsoft tenant. Compromised accounts become launching points for lateral movement, data theft, and financial fraud targeting your clients and partners.
Attack Chain and Technical Mechanics of the Device Code Phishing Workflow
The device code authentication flow represents a fundamental shift in how attackers approach token theft. Rather than intercepting credentials during login, the attack abuses Microsoft's legitimate device authorization grant type—originally designed for input-constrained devices like smart TVs—to generate refresh tokens without ever touching the victim's password or triggering traditional MFA prompts.
When victims enter the provided code at microsoft.com/devicelogin, they unknowingly authorize the attacker's application to act on their behalf. The technical mechanics involve the attacker initiating a device code request to Microsoft's OAuth endpoint using client ID d3590ed6-52b3-4102-aeff-aad2292ab01c (Microsoft Office's legitimate app ID), receiving a user code and device code pair, then polling the token endpoint until the victim completes authorization. This grants the attacker a refresh token valid for 90 days by default, which can be silently renewed indefinitely if used within that window.
The attack infrastructure operates through a multi-tier proxy system. Initial lures route through Cloudflare Workers deployed across custom domains, with Cloudflare Turnstile filtering automated analysis attempts. The panels themselves run primarily on Tencent Cloud AS132203, specifically within the 43.173.64.0/20 CIDR range, though operators access victim sessions through residential proxies to match the target's geographic location. This makes sign-in logs appear legitimate—same country, same time zone, consumer ISP addresses.
Token extraction happens through two parallel mechanisms. The primary method uses the device code flow described above, while a secondary Adversary-in-the-Middle (AiTM) reverse proxy captures session cookies during legitimate logins. Both methods feed tokens into a centralized vault accessible at /dash/tokens, where operators can filter by admin privileges, MFA status, and workflow stage (RECON/EXPLOIT/CASHOUT/DONE). The panel's /dash/outlook/{id} endpoint provides direct webmail access without requiring additional authentication.
Detection faces several technical challenges. The device code flow generates minimal logging—Azure AD records only a successful "UserLoggedIn" event with the authorizing user's IP, not the attacker's infrastructure. The authorization appears as a standard OAuth consent, indistinguishable from legitimate app permissions. Token refresh operations occur silently without user interaction, and the 90-day validity window means attackers maintain access long after initial compromise. Your security team sees normal-looking sign-ins from residential IPs in expected locations, making geographic anomaly detection ineffective.
The panel's API structure reveals sophisticated token management capabilities. Endpoints like /api/tokens/refresh-all and /api/tokens/validate-batch allow operators to maintain thousands of active sessions simultaneously. The /api/graph/mailbox-rules endpoint creates inbox rules to hide security alerts, while /api/exchange/connectors establishes rogue mail flow connectors for persistent email access even after password resets. Each captured token undergoes automated scanning for admin rights, accessible domains, and SharePoint sites through Graph API enumeration.
Forensic artifacts appear in Microsoft 365 Unified Audit Logs as "Consent to application" events with the suspicious client ID, though distinguishing malicious from legitimate Office app consent requires correlation with other indicators. Python-requests user agents from Tencent Cloud IPs provide the clearest signal, appearing in authentication logs when operators refresh tokens. The pattern "device code authentication → immediate mailbox access → bulk email deletion" within minutes indicates active exploitation rather than legitimate device setup.
Business and Compliance Impact of Compromised Microsoft Credentials at Scale
When your organization's Microsoft 365 accounts fall to device code phishing, the business consequences extend far beyond a simple password reset.
Key Insight: The source investigation revealed that compromised accounts immediately become staging grounds for data exfiltration, with attackers accessing not just email but SharePoint document libraries, Teams conversations, and OneDrive files through the same stolen tokens.
The financial impact compounds quickly. According to the FBI's April 2026 observations cited in the source, these attacks enable operators to harvest wire transfer threads, invoice communications, and payroll discussions through built-in high-value email triage features. The platform's AI-powered BEC module specifically targets these conversations, generating contextually accurate fraud responses that your finance team would struggle to distinguish from legitimate requests.
Consider the regulatory exposure when attackers maintain persistent access to your communications infrastructure. If your organization handles protected health information, the unauthorized mailbox access documented in these attacks triggers HIPAA breach notification requirements. For companies processing European data, GDPR Article 33 mandates notification within 72 hours of awareness—but the source reveals these compromises often persist undetected because they abuse legitimate OAuth flows rather than traditional credential theft methods your security tools monitor.
The investigation uncovered that operators use the OctoLink Live desktop application to convert stolen tokens into authentic-looking browser sessions. This means audit logs show normal user activity from residential IP addresses, making forensic analysis and breach scope determination exponentially more complex. Your incident response team faces the challenge of distinguishing legitimate employee access from attacker activity when both use identical authentication mechanisms.
Supply chain risk multiplies when compromised accounts become launch points for lateral attacks. The source documented OctoLink Sender's capability to send up to 2,500 emails per day from each compromised account, using a draft-create and send pattern that bypasses standard outbound filtering. When these messages reach your partners and customers, they carry your organization's legitimate domain reputation and pass SPF/DKIM checks, making them nearly indistinguishable from authentic communications.
The platform's keyword monitoring feature means attackers receive alerts when specific terms appear in compromised mailboxes. If your employees discuss merger activity, contract negotiations, or sensitive project codenames, operators get immediate notification and can intercept these conversations before decisions finalize.
Beyond immediate theft, the source reveals these attacks establish infrastructure for long-term exploitation. The Exchange Admin module documented in the E2 variant creates rogue mail connectors and modifies mail flow rules at the tenant level, potentially redirecting all incoming email through attacker-controlled systems. Recovery from such modifications requires comprehensive tenant auditing and may necessitate engaging Microsoft support to fully remediate administrative changes.
The cost calculation extends beyond direct losses. Organizations must factor in forensic investigation across all integrated Microsoft services, legal counsel for breach notifications, credit monitoring for affected individuals, and potential litigation from customers whose data was exposed through your compromised infrastructure. The persistent nature of token-based access means standard password resets provide no protection—your security team must revoke all active sessions, regenerate application passwords, and re-establish trust relationships across your entire Microsoft 365 environment.
Detection and Immediate Response for Kali365 Device Code Phishing
Your first priority is blocking the device code authentication flow entirely unless absolutely necessary. Open Azure AD Conditional Access and create a policy that blocks device code flows from all locations except your corporate network IP ranges. The source's hunting rules specifically target authentication events from Tencent Cloud AS132203 and the 43.173.64.0/20 range, but attackers rotate infrastructure constantly. Block first, then create exceptions only for legitimate IoT devices that genuinely need this flow.
Next, audit your tenant for existing compromises using this KQL query against SigninLogs:
SigninLogs
| where ResultType == "0"
| where AuthenticationProtocol == "deviceCode"
| where TimeGenerated > ago(30d)
| project TimeGenerated, UserPrincipalName, IPAddress, AppDisplayName, ClientAppUsed
| where ClientAppUsed contains "Mobile Apps and Desktop clients"
Any successful device code authentication from unfamiliar IPs or containing user agents with "python-requests" indicates active compromise. The source investigation found operators using the legitimate Microsoft Office client ID d3590ed6-52b3-4102-aeff-aad2292ab01c to blend in with normal traffic, so client ID alone won't identify malicious activity.
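The KQL above lists device code sign-ins; deciding which ones matter still takes the correlation described earlier (source range, scripting user agents, off-network origin). The following Python is an added example, not Huntress or Capstone code, that applies those hunting criteria to a few constructed SigninLogs-style records such as an export from Entra ID would produce. The column names follow the SigninLogs table; the corporate egress range and every sample record are constructed for illustration.

```python
"""Hunt for suspicious device-code sign-ins in exported sign-in log records.

Added example, not Huntress or Capstone code. It applies the article's hunting
criteria to SigninLogs-style records: successful device-code authentications
that originate in the reported Tencent Cloud range, carry a python-requests
user agent, or come from outside the corporate egress ranges. The corporate
range and all sample records are constructed for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Panel hosting range reported in the campaign (from the article).
TENCENT_RANGE = ip_network("43.173.64.0/20")
# Corporate egress ranges where the few legitimate input-constrained devices
# live. Assumed value for the example; replace with your own allowlist.
CORPORATE_RANGES = [ip_network("203.0.113.0/24")]
# Microsoft Office client ID the operators reuse (from the article). Too common
# to act on alone, so it is reported only as corroboration.
OFFICE_CLIENT_ID = "d3590ed6-52b3-4102-aeff-aad2292ab01c"


@dataclass
class Finding:
    user: str
    ip: str
    reasons: List[str] = field(default_factory=list)


def classify(record: dict) -> Optional[Finding]:
    """Return a Finding for a successful device-code grant that looks suspicious, else None."""
    if record["ResultType"] != "0" or record["AuthenticationProtocol"] != "deviceCode":
        return None  # failed attempt or a different grant type: out of scope for this hunt
    addr = ip_address(record["IPAddress"])
    agent = record.get("UserAgent", "").lower()
    reasons = []
    if addr in TENCENT_RANGE:
        reasons.append("source IP in reported Tencent Cloud range 43.173.64.0/20")
    if "python-requests" in agent:
        reasons.append("python-requests user agent on a device-code grant")
    if not any(addr in net for net in CORPORATE_RANGES):
        reasons.append("device-code grant from outside corporate egress ranges")
    if not reasons:
        return None
    if record.get("AppId") == OFFICE_CLIENT_ID:
        reasons.append("Microsoft Office client ID (corroborating only, per the article)")
    return Finding(record["UserPrincipalName"], record["IPAddress"], reasons)


def hunt(records) -> List[Finding]:
    """Run classify() over every record and keep the hits, preserving log order."""
    return [f for f in map(classify, records) if f is not None]


# Constructed sample records using SigninLogs column names.
SAMPLE_SIGNINS = [
    {  # Conference-room display enrolled from the corporate network: expected use of the flow.
        "TimeGenerated": "2026-05-14T08:02:11Z", "UserPrincipalName": "room-tv@example.com",
        "IPAddress": "203.0.113.10", "ResultType": "0", "AuthenticationProtocol": "deviceCode",
        "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "AppId": OFFICE_CLIENT_ID,
        "ClientAppUsed": "Mobile Apps and Desktop clients",
    },
    {  # Token refresh from panel infrastructure with a scripting user agent.
        "TimeGenerated": "2026-05-14T08:03:02Z", "UserPrincipalName": "cfo@example.com",
        "IPAddress": "43.173.70.5", "ResultType": "0", "AuthenticationProtocol": "deviceCode",
        "UserAgent": "python-requests/2.31.0", "AppId": OFFICE_CLIENT_ID,
        "ClientAppUsed": "Mobile Apps and Desktop clients",
    },
    {  # Residential-style address with the Electron user agent the article associates with token-to-session conversion.
        "TimeGenerated": "2026-05-14T08:05:40Z", "UserPrincipalName": "ap-clerk@example.com",
        "IPAddress": "198.51.100.77", "ResultType": "0", "AuthenticationProtocol": "deviceCode",
        "UserAgent": "Mozilla/5.0 Electron/28.0.0", "AppId": OFFICE_CLIENT_ID,
        "ClientAppUsed": "Mobile Apps and Desktop clients",
    },
    {  # Failed device-code attempt (non-zero ResultType): the victim never entered the code.
        "TimeGenerated": "2026-05-14T08:06:12Z", "UserPrincipalName": "hr@example.com",
        "IPAddress": "43.173.70.9", "ResultType": "50126", "AuthenticationProtocol": "deviceCode",
        "UserAgent": "python-requests/2.31.0", "AppId": OFFICE_CLIENT_ID,
        "ClientAppUsed": "Mobile Apps and Desktop clients",
    },
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_SIGNINS):
        print(f"{f.user} from {f.ip}:")
        for r in f.reasons:
            print(f"  - {r}")
```

The off-network check is deliberately the broadest of the three: because operators rotate infrastructure and sit behind residential proxies, an allowlist of where device code grants are permitted to come from ages better than a blocklist of where they have been seen.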
For accounts showing suspicious device code activity, immediately revoke all refresh tokens through Graph API or Azure portal. Don't just reset passwords—the source confirms these attacks maintain persistence through refresh tokens that survive password changes and MFA updates. Use this PowerShell command to revoke all sessions for a compromised user:
Revoke-AzureADUserAllRefreshToken -ObjectId "<user-object-id>"
Within 24 hours, deploy email transport rules blocking the Canva domains used in initial lures. The source describes victims receiving emails with Canva-hosted pages claiming messages are encrypted. Create mail flow rules that quarantine messages containing links to canva.com when combined with phrases like "encrypted message" or "click here to view."
In environments Capstone manages, Adlumin ITDR catches the authentication anomalies that signal token theft—multiple sign-ins from different geographic locations within impossible travel windows, Electron user agents accessing admin portals, and refresh token grants without interactive authentication. These patterns appear when operators use the OctoLink Live desktop application to convert stolen tokens into browser sessions.
Monitor Microsoft Graph API calls for the draft-create-send-delete pattern the source identified in OctoLink Sender. Look for sequences where POST /me/messages creates a draft, POST /me/messages/{id}/send sends it, then GET /me/messages/{id}?$select=id,isDraft checks if it's gone. This pattern repeats with 4-second delays and "human pauses" every 12-19 sends as the tool mimics legitimate sending behavior.
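The create/send/check loop is easier to spot as a sequence than as individual requests. The Python below is an added example, not Huntress or Capstone code, that replays the pattern just described over a constructed list of request events of the kind a proxy or Graph activity log would yield (fields time, user, method, path are assumed names). It counts only complete cycles where all three requests appear in order for the same message id, then flags a user whose cycles repeat at machine speed; the median gap tolerates the "human pauses" the tool inserts.

```python
"""Detect the draft-create / send / isDraft-check loop in Graph API activity.

Added example, not Huntress or Capstone code. It replays the sending pattern
the article describes (POST /me/messages, POST /me/messages/{id}/send, then
GET /me/messages/{id}?$select=id,isDraft, repeating every few seconds) over a
constructed list of request events. The event field names and all sample
values are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, List

SEND_RE = re.compile(r"^/me/messages/([^/?]+)/send$")
CHECK_RE = re.compile(r"^/me/messages/([^/?]+)\?\$select=id,isDraft$")


def detect_send_loops(events: List[Dict], min_cycles: int = 3,
                      max_median_gap_s: float = 10.0) -> List[Dict]:
    """Return one finding per user whose create/send/check cycles repeat at machine speed.

    A cycle counts only when all three requests appear in order for the same
    message id; a person sending a few messages never issues the isDraft check,
    so ordinary mail client use does not register.
    """
    by_user: Dict[str, List[Dict]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_user[e["user"]].append(e)

    findings = []
    for user, evs in by_user.items():
        pending_create = None                      # time of the latest POST /me/messages
        awaiting_check: Dict[str, datetime] = {}   # message id -> time of its create
        cycle_starts: List[datetime] = []
        for e in evs:
            t = datetime.fromisoformat(e["time"])
            if e["method"] == "POST" and e["path"] == "/me/messages":
                pending_create = t
                continue
            send = SEND_RE.match(e["path"]) if e["method"] == "POST" else None
            if send and pending_create is not None:
                awaiting_check[send.group(1)] = pending_create
                pending_create = None
                continue
            check = CHECK_RE.match(e["path"]) if e["method"] == "GET" else None
            if check and check.group(1) in awaiting_check:
                cycle_starts.append(awaiting_check.pop(check.group(1)))
        if len(cycle_starts) >= min_cycles:
            gaps = [(b - a).total_seconds() for a, b in zip(cycle_starts, cycle_starts[1:])]
            gap = median(gaps)
            if gap <= max_median_gap_s:
                findings.append({"user": user, "cycles": len(cycle_starts), "median_gap_s": gap})
    return findings


def _cycle(user: str, start: datetime, msg_id: str) -> List[Dict]:
    """Build the three requests of one send cycle, one second apart."""
    return [
        {"time": start.isoformat(), "user": user, "method": "POST", "path": "/me/messages"},
        {"time": (start + timedelta(seconds=1)).isoformat(), "user": user, "method": "POST",
         "path": f"/me/messages/{msg_id}/send"},
        {"time": (start + timedelta(seconds=2)).isoformat(), "user": user, "method": "GET",
         "path": f"/me/messages/{msg_id}?$select=id,isDraft"},
    ]


_BASE = datetime(2026, 5, 15, 9, 0, 0)
# Constructed sample: one compromised account looping every 4 seconds, and one
# ordinary user who drafts and sends a single message with no isDraft check.
SAMPLE_EVENTS: List[Dict] = []
for i in range(5):
    SAMPLE_EVENTS += _cycle("compromised@example.com", _BASE + timedelta(seconds=4 * i), f"AAMk{i:03d}")
SAMPLE_EVENTS += [
    {"time": (_BASE + timedelta(seconds=7)).isoformat(), "user": "sender@example.com",
     "method": "POST", "path": "/me/messages"},
    {"time": (_BASE + timedelta(seconds=95)).isoformat(), "user": "sender@example.com",
     "method": "POST", "path": "/me/messages/AAMk900/send"},
]

if __name__ == "__main__":
    for f in detect_send_loops(SAMPLE_EVENTS):
        print(f"{f['user']}: {f['cycles']} send cycles, median gap {f['median_gap_s']:.1f}s")
```

Thresholds are starting points: the article reports 4-second spacing, so a 10-second median ceiling leaves room for jitter while still excluding a person who reads and replies between messages.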
Long-term, implement passwordless authentication using Windows Hello for Business or FIDO2 security keys. These methods eliminate the password component entirely, making device code attacks ineffective since there's no credential to authorize. Configure Conditional Access to require compliant, Intune-enrolled devices for all administrative access, blocking the residential proxies and cloud VPS nodes these operators favor.
Set up continuous monitoring for accounts accessing multiple service endpoints (Outlook, SharePoint, OneDrive, Admin Center) within short windows from the same IP—behavior consistent with operators using the panel's token vault to browse victim resources. The source found operators accessing victim mailboxes directly through /dash/outlook/{id} endpoints in the phishing panel, then pivoting to harvest contacts and scan for high-value email threads about wire transfers and invoices.
Blocking Kali365 Phishing at the Email and Network Perimeter
You need to configure your email gateway to block Canva-hosted URLs and other legitimate services that attackers abuse for initial redirection. Start by creating transport rules in Exchange Online Protection that quarantine messages containing links to canva.com/design/, canva.com/view/, or similar collaboration platforms when combined with authentication-related keywords like "encrypted document," "secure message," or "view protected file." The source investigation found attackers specifically hosting their initial lures on Canva to bypass reputation filters, since these domains carry legitimate trust scores.
Configure Microsoft Defender for Office 365 to flag unusual authentication patterns in email content. Create custom detection rules that trigger when emails contain both a short alphanumeric code (matching the pattern of device codes) and phrases directing users to microsoft.com/devicelogin or login.microsoftonline.com. The investigation revealed attackers provide codes directly in the phishing message before redirecting victims to legitimate Microsoft pages, making traditional URL filtering ineffective.
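The two mail-side conditions described above (a Canva link paired with encryption wording, and a short code paired with a pointer to the real Microsoft device-login page) can be prototyped before they are committed to transport rules. The Python below is an added example, not Huntress or Capstone code, that scores a message against both conditions and returns the indicators it matched. The shape assumed for a device code (8 or 9 upper-case letters and digits following the word "code") and every sample message are constructed for illustration, not values from the investigation.

```python
"""Score inbound mail for the device-code lure described in the article.

Added example, not Huntress or Capstone code. Rule 1 looks for a Canva design
or view link combined with "encrypted message" style wording; rule 2 looks for
a short alphanumeric code in the body together with a reference to
microsoft.com/devicelogin or login.microsoftonline.com. The code-shape regex
and all sample messages are constructed assumptions.
"""
import re
from typing import Dict, List

CANVA_LINK_RE = re.compile(r"https?://(?:www\.)?canva\.com/(?:design|view)/\S+", re.IGNORECASE)
ENCRYPTED_PHRASES = ("encrypted message", "encrypted document", "secure message",
                     "view protected file", "click here to view")
DEVICELOGIN_RE = re.compile(r"microsoft\.com/devicelogin|login\.microsoftonline\.com", re.IGNORECASE)
# Assumed shape for the example: the word "code", a little punctuation or
# whitespace, then 8 or 9 upper-case letters/digits standing alone.
DEVICE_CODE_RE = re.compile(r"\b(?i:code)\W{0,6}([A-Z0-9]{8,9})\b")


def score_message(subject: str, body: str) -> Dict:
    """Return the indicators found and a verdict of 'quarantine', 'review' or 'allow'."""
    text = f"{subject}\n{body}"
    lowered = text.lower()
    indicators: List[str] = []
    if CANVA_LINK_RE.search(text):
        indicators.append("canva_link")
    if any(p in lowered for p in ENCRYPTED_PHRASES):
        indicators.append("encrypted_phrase")
    if DEVICELOGIN_RE.search(text):
        indicators.append("devicelogin_reference")
    if DEVICE_CODE_RE.search(text):
        indicators.append("device_code_shape")

    found = set(indicators)
    # Rule 1: the initial Canva lure. Rule 2: a code handed to the victim with a
    # pointer to the genuine Microsoft device-login page.
    if {"canva_link", "encrypted_phrase"} <= found or {"devicelogin_reference", "device_code_shape"} <= found:
        verdict = "quarantine"
    elif len(found) >= 2:
        verdict = "review"
    else:
        verdict = "allow"
    return {"indicators": indicators, "verdict": verdict}


def triage(messages: List[Dict]) -> Dict[str, str]:
    """Map each sample message name to its verdict."""
    return {m["name"]: score_message(m["subject"], m["body"])["verdict"] for m in messages}


# Constructed sample messages.
SAMPLE_MESSAGES = [
    {"name": "lure",
     "subject": "You have received an encrypted message",
     "body": ("A secure document was shared with you. Click here to view: "
              "https://www.canva.com/design/DAFconstructed/view\n"
              "To open it, go to https://microsoft.com/devicelogin and enter the code XB7K2QP9M.")},
    {"name": "design_share",  # legitimate Canva collaboration: link only, no lure wording
     "subject": "Q3 deck draft",
     "body": "Here's the Canva link for the Q3 deck: https://www.canva.com/design/DAFconstructed/edit - comments welcome."},
    {"name": "password_reminder",  # genuine sign-in pointer with no code: reference alone is not enough
     "subject": "Password expiry reminder",
     "body": "Your password expires Friday. Sign in at https://login.microsoftonline.com to change it."},
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        result = score_message(m["subject"], m["body"])
        print(f"{m['name']}: {result['verdict']} {result['indicators']}")
```

Because the code-shape pattern is the loosest of the four indicators, it is never acted on by itself; it only tips the verdict when the message also steers the reader to the device-login page, which is the combination the article identifies as the tell.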
Your DNS infrastructure should sinkhole the Cloudflare Worker domains that host the actual phishing panels. The source identified patterns where operators route lure traffic through custom domains fronted by Cloudflare Workers. While individual domains rotate frequently, implement recursive DNS filtering that blocks newly registered domains (less than 30 days old) when accessed immediately after visiting microsoft.com/devicelogin. This catches the redirect chain even as infrastructure changes.
Deploy ATP safe attachments policies that sandbox any HTML files or documents containing embedded JavaScript, particularly those with React/Vite application signatures. The investigation found all three panel variants use React single-page applications with distinctive webpack bundles. Configure your sandbox to detect when attachments attempt to load external resources from Cloudflare-protected origins or make API calls to paths matching /dash/*, /api/recover-account, or /api/extend-subscription.
Train users to recognize that Microsoft never sends device codes via email for document access. Create specific awareness materials showing the actual Canva lure pages discovered in the investigation, emphasizing that legitimate Microsoft services generate codes only when users initiate the process themselves. Include screenshots of the fake "Document Expired" page that appears after successful compromise, teaching users this is a clear indicator they've been phished.
Your security team needs to audit these specific Conditional Access gaps that enable device code abuse:
- Review policies that exclude the "Microsoft Office" app ID d3590ed6-52b3-4102-aeff-aad2292ab01c from MFA requirements; attackers use this legitimate ID to bypass controls
- Check whether device code flow remains enabled for external networks despite having no legitimate use case for remote input-constrained devices
- Verify that token lifetime policies don't exceed 24 hours for refresh tokens issued through non-interactive flows
- Audit whether "trusted locations" include entire countries or regions rather than specific corporate IP ranges
- Confirm that impossible travel detection applies to device code authentications, not just interactive logins
Block residential proxy networks at your perimeter, particularly those originating from Tencent Cloud AS132203 and the 43.173.64.0/20 range identified in the campaign. While operators rotate infrastructure, they consistently route through residential proxies to make sign-ins appear local to victims. Configure your SIEM to alert when any authentication originates from known residential proxy ASNs, especially when preceded by device code flow events.
Key Actions to Protect Microsoft Accounts from Device Code Phishing
Your most critical defense against device code phishing requires auditing and enforcing Conditional Access policies that restrict device code token grants to trusted devices and locations. Review your Azure AD sign-in logs for the past 90 days, searching for successful device code authentications from unexpected autonomous system numbers or IP ranges outside your corporate network. The source investigation identified that attackers specifically target organizations with unrestricted device code flows, using these tokens to maintain access through password resets and MFA changes.
Configure your Conditional Access policies to block device code authentication flows except from specific trusted IP ranges where legitimate IoT devices operate. The FBI's April 2026 observations noted in the source indicate that organizations with properly configured restrictions avoided compromise entirely. Create an exception list documenting each device that genuinely requires this flow—smart TVs in conference rooms, printers, or other input-constrained devices—and restrict access to only those specific network segments.
Immediately revoke any suspicious refresh tokens issued through device code grants in the past 30 to 90 days. Access the Azure AD portal, navigate to Enterprise Applications, and audit sign-in activity for authentication protocol entries showing "deviceCode" combined with residential proxy indicators or Electron user agents. The source reveals that compromised tokens remain valid even after password changes, making revocation essential. For any accounts showing device code authentication from Tencent Cloud AS132203 or the 43.173.64.0/20 range mentioned in the hunting rules, reset credentials immediately and force re-authentication across all sessions. This combination of policy enforcement and token revocation stops active compromises while preventing future attacks through the same vector.