threat level: human

MFA Is Not a Shield: How Kali365 and Storm-2949 Are Breaking Microsoft 365 From the Inside

EP08| 2026-07-15| cybersecurity briefing

// TL;DR

  • Restrict or monitor the OAuth device authorization grant flow in Entra ID with Conditional Access
  • Harden Self-Service Password Reset
  • Apply least privilege to your Azure roles and watch for anomalous Graph API and management-plane activity, so one…

What happened

We are going to look at two separate threat actors from the spring of 2026, because together they tell one story. The first is Kali365, a Telegram-based phishing-as-a-service platform the FBI warned about in an advisory published in May of 2026. First seen in April, Kali365 lets criminals capture legitimate authorization tokens and reach Microsoft 365 environments without ever intercepting a password.

Start with Kali365. It abuses something called the OAuth device authorization grant, a legitimate sign-in flow built for devices like smart TVs that cannot show a full login screen. Here is the mechanism, and here is the analogy that makes it click. Device-code phishing is a valet stand scam.

Here is the part that matters most, because neither of these was a software vulnerability. Both attacks used systems that were working correctly. Multi-factor authentication is the bouncer checking wristbands at the front door. In the Kali365 case, the attacker did not forge a wristband and did not fight the bouncer.

The consequences scale fast. With Kali365, captured tokens enabled immediate mailbox access, contact harvesting, lateral phishing to other staff, and keyword monitoring to set up business email compromise, plus administrative actions if the token belonged to a privileged account.

How to defend against it

The through-line of every threat level: human briefing is the same: the exploited control is human, so the durable defense is a habit, not just a product. Watch the full breakdown above, and subscribe on YouTube for the weekly decode.

Sources

Primary reporting and reference material for this briefing.

<- back to all episodes