Token Bingo: Don’t Let Your Code be the Winner


Arctic Wolf Labs tracked a large-scale device code phishing campaign in April 2026 that abused the OAuth 2.0 Device Authorization Grant to steal Microsoft 365 tokens. The campaign used the Kali365 Live phishing-as-a-service (PhaaS) platform, which supports both device code token theft and adversary-in-the-middle (AitM) session capture. Kali365 operates as a three-tier multi-tenant platform with admin, agent and client roles, priced at $250/month, and offers multilingual lure generation, Cloudflare Worker-hosted phishing pages, and an Electron desktop client. Post-compromise activity included malicious inbox rules to suppress security alerts and device registration to extend access. Recommendations include blocking the device code flow via Conditional Access policies in Microsoft Entra ID and implementing security awareness training. Indicators of compromise, including IP addresses, hostnames, and file hashes, are provided.
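Two of the behaviours summarised above (device code sign-ins from outside the corporate network, and inbox rules that hide security notifications) are straightforward to hunt for once the logs are exported. The script below is an added example written for this page, not code from Arctic Wolf or the report; the sign-in records are shaped loosely after Entra ID sign-in log entries (only the `authenticationProtocol`, `ipAddress`, `userPrincipalName` and `status` fields are used) and the inbox rule records are a simplified stand-in for Exchange rule objects. All sample values, the trusted network range and the keyword lists are constructed assumptions to be adapted to your tenant.

```python
from ipaddress import ip_address, ip_network

# Constructed sample sign-in records (fields modelled on Entra ID sign-in logs;
# IPs are documentation ranges, users are fictitious).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.7",
     "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@example.com", "ipAddress": "10.0.5.21",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
]

# Constructed sample inbox rules (simplified Exchange-style fields).
SAMPLE_RULES = [
    {"owner": "alice@example.com", "name": ".",
     "subjectContains": ["security alert", "unusual sign-in"],
     "moveToFolder": "Deleted Items", "markAsRead": True},
    {"owner": "bob@example.com", "name": "Newsletters",
     "subjectContains": ["newsletter"],
     "moveToFolder": "Reading", "markAsRead": False},
]

# Assumed corporate address space; replace with your own ranges.
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8")]
# Subject terms that security notifications commonly contain (assumed list).
SUSPICIOUS_TERMS = ("security", "alert", "sign-in", "suspicious", "password", "mfa")
# Folders attackers commonly use to bury mail the victim should have seen.
SUPPRESSION_FOLDERS = ("deleted items", "junk email", "rss feeds", "archive")


def flag_device_code_signins(records, trusted=TRUSTED_NETWORKS):
    """Return (user, ip) for successful device-code sign-ins from outside trusted networks."""
    hits = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        # errorCode 0 means the token was actually issued; failures are noise here.
        if r.get("status", {}).get("errorCode", 1) != 0:
            continue
        ip = ip_address(r["ipAddress"])
        if any(ip in net for net in trusted):
            continue
        hits.append((r["userPrincipalName"], r["ipAddress"]))
    return hits


def flag_suppression_rules(rules):
    """Return (owner, rule name) for inbox rules that look built to hide security mail."""
    hits = []
    for rule in rules:
        terms = " ".join(rule.get("subjectContains", [])).lower()
        keyword_hit = any(t in terms for t in SUSPICIOUS_TERMS)
        hides = (rule.get("moveToFolder", "").lower() in SUPPRESSION_FOLDERS
                 or rule.get("markAsRead", False))
        # Near-empty rule names (".", ",", "") are a frequent tell of attacker-created rules.
        short_name = len(rule.get("name", "").strip()) <= 2
        if keyword_hit and (hides or short_name):
            hits.append((rule["owner"], rule["name"]))
    return hits


if __name__ == "__main__":
    for user, ip in flag_device_code_signins(SAMPLE_SIGNINS):
        print(f"device code sign-in from untrusted network: {user} via {ip}")
    for owner, name in flag_suppression_rules(SAMPLE_RULES):
        print(f"suspicious inbox rule on {owner}: {name!r}")
```

Run against real exports by replacing the two sample lists with records pulled from the sign-in log and from each mailbox's rules; a device-code hit should be cross-checked against the user's usual locations before the session is revoked, and a rule hit is a prompt to review the mailbox rather than proof of compromise on its own.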

11 min read. From arcticwolf.com
Table of contents

- Executive Summary
- Campaign Highlights
- Kali365 Live Affiliate Panel
- Recommendations
- Indicators of Compromise
