Monday, June 15, 2026

Kali365: The FBI Just Warned You About Your Azure SQL Login Screen

The FBI put out a PSA this month about a phishing kit called Kali365. And, if you've ever connected to Azure SQL with Entra authentication, you have already stared at the exact screen this whole attack depends on.

To sign in, use a web browser to open the page https://microsoft.com/devicelogin
and enter the code A1B2C3D4E to authenticate.

Look familiar? That is the Microsoft OAuth device code flow. It is legitimate, it is everywhere, and Kali365 weaponizes it without ever touching your password.

What Kali365 Actually Does

It is a subscription service. First spotted in April 2026, sold over Telegram for roughly $250 a month or $2,000 a year, marketed at people who could not write a phishing kit themselves. For that money they get AI-generated lures, automated campaign templates, live targeting dashboards, and the piece that matters -- the OAuth token capture.

Instead of stealing a password, the attacker tricks the victim into completing a sign-in the attacker started. Microsoft then issues access tokens to the attacker's session, already satisfying MFA requirements. The result is access to Outlook, Teams, OneDrive, and other Microsoft 365 resources without ever knowing the victim's password.

Why This Should Make a DBA Twitch

Because you do this on purpose, all the time. Connect to an Entra-backed Azure SQL database with device code auth and SQL Server tells you to go enter a code at a Microsoft page:

sqlcmd -S myserver.database.windows.net -d mydb -G ^
  --authentication-method=ActiveDirectoryDeviceCode

You get a code, you open microsoft.com/devicelogin to type it in, and you are connected. SSMS does the same thing under 'Azure Active Directory - Device Code Flow'. The flag name varies a bit by sqlcmd version, but the muscle memory is identical, and that muscle memory is exactly what the attack is counting on.

Step  You, connecting to Azure SQL          You, getting phished
----  ----------------------------------    -----------------------------------------
1     You run sqlcmd / SSMS                 Attacker starts a sign-in for your tenant
2     Microsoft returns a device code       Attacker emails you that code
3     You open microsoft.com/devicelogin    You open microsoft.com/devicelogin
4     You enter the code, you get in        You enter the code, they get in

Same page. Same code box. Same real Microsoft domain. But two things change: who started the sign-in and who gets in.
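To see why "who started the sign-in" decides "who gets in", here is a toy model of the OAuth 2.0 device authorization grant (RFC 8628), added for this post and not code from the FBI, Microsoft or the kit. It is an in-memory stand-in for an authorization server: the initiator calls the device code endpoint and receives both a long secret device_code and the short user_code a human types in; the browser step only ever sees the user_code; and the token endpoint hands the access token to whoever presents the device_code. All names, codes, the verification URI and the 900-second lifetime are constructed for the example.

```python
"""Toy model of the OAuth 2.0 device authorization grant (RFC 8628).

Constructed example: a minimal in-memory authorization server showing that
the party that *started* the flow is the party that receives the token,
no matter who types the user code into the verification page.
Nothing here talks to Microsoft; client names, users and URIs are made up.
"""
import secrets
import string
import time
from dataclasses import dataclass
from typing import Dict, Optional

USER_CODE_ALPHABET = string.ascii_uppercase + string.digits
VERIFICATION_URI = "https://example.invalid/devicelogin"  # placeholder, not Microsoft's


@dataclass
class PendingAuthorization:
    client_id: str                      # the program that called /devicecode (the initiator)
    device_code: str                    # long secret, known only to the initiator
    user_code: str                      # short code the human types into the browser
    expires_at: float
    approved_by: Optional[str] = None   # identity of whoever completed the browser step


class ToyAuthorizationServer:
    def __init__(self, clock=time.time, lifetime_s: int = 900):
        self._clock = clock
        self._lifetime = lifetime_s
        self._by_device_code: Dict[str, PendingAuthorization] = {}
        self._by_user_code: Dict[str, PendingAuthorization] = {}

    def start_device_authorization(self, client_id: str) -> dict:
        """/devicecode: the initiator gets both codes. Only user_code is ever shown
        to a human; device_code never leaves the initiator."""
        pending = PendingAuthorization(
            client_id=client_id,
            device_code=secrets.token_urlsafe(32),
            user_code="".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(9)),
            expires_at=self._clock() + self._lifetime,
        )
        self._by_device_code[pending.device_code] = pending
        self._by_user_code[pending.user_code] = pending
        return {"device_code": pending.device_code, "user_code": pending.user_code,
                "verification_uri": VERIFICATION_URI,
                "expires_in": self._lifetime, "interval": 5}

    def approve_user_code(self, user_code: str, signed_in_user: str) -> bool:
        """/devicelogin: the browser step. The server records *who* approved, but the
        approval attaches to whichever initiator minted the code. Expired codes fail."""
        pending = self._by_user_code.get(user_code)
        if pending is None or self._clock() >= pending.expires_at:
            return False
        pending.approved_by = signed_in_user
        return True

    def poll_token(self, device_code: str) -> dict:
        """/token with the device_code grant: whoever holds device_code receives the
        token once a human has approved the matching user_code."""
        pending = self._by_device_code.get(device_code)
        if pending is None:
            return {"error": "invalid_grant"}
        if self._clock() >= pending.expires_at:
            return {"error": "expired_token"}
        if pending.approved_by is None:
            return {"error": "authorization_pending"}
        return {"access_token": secrets.token_urlsafe(16),
                "issued_to_client": pending.client_id,
                "subject": pending.approved_by}


def run_flow(initiator: str, approver: str, clock=time.time) -> dict:
    """Run one complete flow and report who holds a token for whose identity."""
    server = ToyAuthorizationServer(clock=clock)
    issued = server.start_device_authorization(initiator)
    # Before the browser step the initiator is told to keep waiting.
    assert server.poll_token(issued["device_code"]) == {"error": "authorization_pending"}
    # The approver only ever sees the short user_code (e.g. in an email), never device_code.
    server.approve_user_code(issued["user_code"], approver)
    token = server.poll_token(issued["device_code"])
    return {"token_holder": token["issued_to_client"], "identity": token["subject"]}


if __name__ == "__main__":
    # Row 4 of the table above: same page, same code box, different outcome.
    print(run_flow("sqlcmd-on-dba-laptop", "dba@contoso.com"))
    print(run_flow("unknown-initiator", "finance@contoso.com"))
```

The first call returns a token held by the DBA's own sqlcmd for the DBA's identity; the second returns a token held by a client the user never ran, for the user's identity, after exactly the same browser step. Nothing in the verification page can tell the two cases apart, which is why the only defence at that step is the rule further down: do not finish a sign-in you did not start.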

There Is Nothing to Misspell

This is what makes it nasty. Every 'spot the phish' habit we have trained on is about catching a fake. The wrong domain, the off-color logo, the cert warning. Here there is no fake. The page is genuinely microsoft.com. The token grant is genuinely Microsoft issuing a token. The only lie in the entire transaction is the unspoken assumption that you are the one who kicked it off. You are not. The attacker is, and you are politely finishing their login for them.

Hunt It in Your Own Tenant

Want to know if this already happened in your tenant? The Microsoft Graph PowerShell module will tell you. You need the module installed and access to Entra sign-in logs. Available retention periods and reporting capabilities depend on your licensing tier.

# One-time: install the module
Install-Module Microsoft.Graph -Scope CurrentUser

# Connect with just the scope you need
Connect-MgGraph -Scopes 'AuditLog.Read.All'

Now pull the last 7 days of sign-ins and keep only the ones that used the device code flow. I filter client-side on AuthenticationProtocol because the server-side $filter does not reliably support that property across tenants:

$start = (Get-Date).AddDays(-7).ToString('yyyy-MM-ddTHH:mm:ssZ')

Get-MgAuditLogSignIn -Filter "createdDateTime ge $start" -All |
    Where-Object { $_.AuthenticationProtocol -eq 'deviceCode' } |
    Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName, IpAddress,
        @{ N = 'City';    E = { $_.Location.City } },
        @{ N = 'Country'; E = { $_.Location.CountryOrRegion } } |
    Sort-Object CreatedDateTime -Descending |
    Format-Table -AutoSize

A clean tenant gives you either nothing or a short list you recognize, with your own admin box connecting to Azure SQL (sample output, values are illustrative):

CreatedDateTime       UserPrincipalName     AppDisplayName              IpAddress      City     Country
--------------------  --------------------  --------------------------  -------------  -------  -------
2026-06-14 09:12:03   dba@contoso.com       Microsoft Command Line ...  203.0.113.10   Cozumel  MX

What you are hunting for is the row nobody can explain. A sign-in no one on your team started, from somewhere you do not operate, often against an app you never deploy:

CreatedDateTime       UserPrincipalName     AppDisplayName              IpAddress      City     Country
--------------------  --------------------  --------------------------  -------------  -------  -------
2026-06-13 02:47:55   finance@contoso.com   Microsoft Authentication..  185.220.101.4  Unknown  RO

Device code flow is something developers and admins use to log in from places a browser cannot easily go. So when a finance mailbox completes one at 3 AM from a country you don't operate in, that is the tell. Nobody on your team started that login. Someone else did, and your user finished it for them.
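The "row nobody can explain" test can be written down as a triage rule rather than eyeballed. The following is an added example (not the post's own script) that takes a JSON export of the sign-in query above, the kind you would get by piping the Graph result through ConvertTo-Json, and stacks the tells the post describes: a user who does not normally use device code, a country you do not operate in, an off-hours timestamp, and an app you do not deploy. The records, user names, IPs, app names and the tenant expectations (allowed users, countries, business hours) are all constructed for the example; field names follow the Graph signIn resource.

```python
"""Triage of device code sign-ins exported from Entra sign-in logs.

Constructed example (not the post's own code): the records below imitate
the shape of the Microsoft Graph signIn resource as serialised to JSON.
Field names follow that resource; users, IPs, app names and the tenant
expectations are made up for illustration.
"""
import json
from datetime import datetime, timezone

# Tenant-specific expectations (assumptions for this example; adjust to your own).
EXPECTED_DEVICE_CODE_USERS = {"dba@contoso.com"}                 # who legitimately uses the flow
OPERATING_COUNTRIES = {"MX", "US"}                                # where your people actually are
EXPECTED_APPS = {"sqlcmd-client (constructed)"}                   # apps you deploy that use the flow
BUSINESS_HOURS_UTC = range(7, 20)                                 # 07:00-19:59 UTC

# Constructed sample export: one expected DBA sign-in, one unexplained device code
# sign-in, and one ordinary browser sign-in that the protocol filter should drop.
SAMPLE_EXPORT = json.dumps([
    {"createdDateTime": "2026-06-14T09:12:03Z", "userPrincipalName": "dba@contoso.com",
     "appDisplayName": "sqlcmd-client (constructed)", "ipAddress": "203.0.113.10",
     "authenticationProtocol": "deviceCode",
     "location": {"city": "Cozumel", "countryOrRegion": "MX"}},
    {"createdDateTime": "2026-06-13T02:47:55Z", "userPrincipalName": "finance@contoso.com",
     "appDisplayName": "unlisted-app (constructed)", "ipAddress": "198.51.100.7",
     "authenticationProtocol": "deviceCode",
     "location": {"city": None, "countryOrRegion": "RO"}},
    {"createdDateTime": "2026-06-13T10:00:00Z", "userPrincipalName": "finance@contoso.com",
     "appDisplayName": "mail-client (constructed)", "ipAddress": "203.0.113.22",
     "authenticationProtocol": "oAuth2",
     "location": {"city": "Cozumel", "countryOrRegion": "MX"}},
])


def triage_device_code_signins(export_json: str) -> list:
    """Return the device code sign-ins that deserve a second look, each with the
    list of reasons it was flagged. Rows with no reasons are not returned."""
    flagged = []
    for row in json.loads(export_json):
        if row.get("authenticationProtocol") != "deviceCode":
            continue  # same client-side filter as the PowerShell pipeline
        reasons = []
        when = datetime.fromisoformat(row["createdDateTime"].replace("Z", "+00:00"))
        upn = row["userPrincipalName"]
        loc = row.get("location") or {}
        country = loc.get("countryOrRegion")
        app = row.get("appDisplayName")
        if upn not in EXPECTED_DEVICE_CODE_USERS:
            reasons.append("user is not a known device-code user")
        if country not in OPERATING_COUNTRIES:
            reasons.append(f"country {country!r} is outside the operating footprint")
        if when.astimezone(timezone.utc).hour not in BUSINESS_HOURS_UTC:
            reasons.append(f"off-hours sign-in at {when:%H:%M} UTC")
        if app not in EXPECTED_APPS:
            reasons.append(f"unexpected app {app!r}")
        if reasons:
            flagged.append({"when": row["createdDateTime"], "user": upn,
                            "ip": row.get("ipAddress"), "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in triage_device_code_signins(SAMPLE_EXPORT):
        print(f"{hit['when']}  {hit['user']}  {hit['ip']}")
        for reason in hit["reasons"]:
            print(f"    - {reason}")
```

A single reason is a prompt to ask the user what they were doing; the pattern the post describes is several reasons landing on the same row. In the sample the DBA's Cozumel sign-in passes every check and the finance sign-in trips all four, which is the shape you are looking for before you start revoking sessions.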

What To Actually Do

Never finish a sign-in you did not start.

A device code is only safe when you generated it yourself. A code that arrives by email or Teams that you did not ask for is bait, every single time. There is no legitimate reason for someone to send you one in this fashion.

Admins: block the flow if you do not need it.

Microsoft Entra Conditional Access can block the device code flow tenant-wide. Most organizations use it in a handful of narrow spots, so a default block with a tight exception list could shut a lot of this down. If your team only hits device code auth for the odd Azure SQL connection, you might consider whether you even need it enabled broadly.

If you got caught, report it.

The FBI is collecting these at the Internet Crime Complaint Center. Revoke sessions, rotate where you can, and then file.

The convenience that lets you authenticate to a database from a headless box with no browser is the same convenience that lets a $250 kit drain a mailbox. The flow is not the villain. Typing a code you did not ask for is.

More to Read

FBI IC3 Public Service Announcement on Kali365
Bitdefender: Kali365 phishing kit breaks Microsoft 365 accounts, no password required
Arctic Wolf: Token Bingo, don't let your code be the winner
Internet Crime Complaint Center (file a complaint)
