There’s been a shift in how attackers break into Microsoft 365, and it sidesteps the one control most businesses lean on: multi-factor authentication. Phishing-as-a-service kits — Kali365 and EvilTokens are two doing the rounds, rented by subscription on Telegram for a few hundred dollars — trick a staff member into approving a sign-in, then quietly capture the OAuth token behind it. As reported by The Hacker News, one related campaign tracked by security firm Huntress has already hit more than 340 organisations across five countries — Australia among them.
Here’s the part that catches people out. The attack abuses Microsoft’s legitimate “device code” sign-in flow. The victim gets an email dressed up as a shared document or a voicemail, is told to visit the real microsoft.com/devicelogin page and enter a short code, and does exactly that — MFA prompt and all. The token handed back belongs to the attacker, and it keeps working even after the password is reset. The FBI issued a public warning about Kali365 in May. The lesson isn’t that MFA is pointless — it’s essential — but that on its own it’s no longer a force field.
What to do about it: unless you have a specific reason to allow it, switch off the device code flow. In most of the Australian SMB tenants we look after, nothing legitimate uses it, yet it sits enabled by default — an open door for no real benefit. Block it with a Conditional Access policy (audit existing usage first so you don’t break anything), and revoke refresh tokens for anyone who may have been caught. Then push toward phishing-resistant sign-in such as passkeys, and keep your team’s awareness training current — this scam works precisely because the page looks completely real.
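The three steps above (audit existing device code usage, block the flow with a Conditional Access policy, revoke refresh tokens for anyone who may have been caught) can be driven from Microsoft Graph PowerShell. The script below is an added example, not code from the original post or from any vendor; it assumes the Microsoft.Graph and Microsoft.Graph.Beta modules are installed, that the signed-in admin holds Conditional Access Administrator (or equivalent) rights, and that the authentication-flows condition is exposed through the beta cmdlet, which is why the policy is created with `New-MgBetaIdentityConditionalAccessPolicy`. The break-glass account id and the list of suspected users are placeholders you replace with your own values.

```powershell
# Added example (not from the original post): audit, then block, the Microsoft 365
# device code flow with Microsoft Graph PowerShell, and revoke sessions for anyone
# who may have approved a phishing code.
#
# Assumptions: Microsoft.Graph and Microsoft.Graph.Beta modules are installed, the
# admin has Conditional Access Administrator rights, and $breakGlassAccountId and
# $suspectedUsers are placeholders to be replaced with tenant-specific values.

Connect-MgGraph -Scopes @(
    'AuditLog.Read.All',
    'Directory.Read.All',
    'Policy.Read.All',
    'Policy.ReadWrite.ConditionalAccess',
    'User.ReadWrite.All'
)

# 1. Audit: who has actually used device code sign-in in the last 30 days?
#    Anything legitimate here (a headless device, a CLI tool) needs an exclusion
#    or a replacement sign-in method before the block goes live.
$since = (Get-Date).AddDays(-30).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$deviceCodeSignIns = Get-MgBetaAuditLogSignIn -All `
    -Filter "authenticationProtocol eq 'deviceCode' and createdDateTime ge $since"

$deviceCodeSignIns |
    Group-Object userPrincipalName, appDisplayName |
    Select-Object Count, Name |
    Sort-Object Count -Descending |
    Format-Table -AutoSize

# 2. Block: a Conditional Access policy that targets the device code flow for all
#    users and all apps. It starts in report-only mode; change state to 'enabled'
#    once the report-only results show no legitimate sign-ins being caught.
$breakGlassAccountId = '00000000-0000-0000-0000-000000000000'  # placeholder: emergency-access account object id

$policy = @{
    displayName   = 'Block device code flow (all users)'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users               = @{
            includeUsers = @('All')
            excludeUsers = @($breakGlassAccountId)   # never lock out the break-glass account
        }
        applications        = @{ includeApplications = @('All') }
        authenticationFlows = @{ transferMethods = 'deviceCodeFlow' }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}
$created = New-MgBetaIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.Id) in report-only mode"

# 3. Contain: invalidate refresh tokens for users who may have approved a phishing
#    code. Revoking sign-in sessions forces every client holding a token for that
#    user to re-authenticate; a password reset on its own does not do this.
$suspectedUsers = @('first.last@example.com')  # placeholder: from the audit above or your incident triage
foreach ($upn in $suspectedUsers) {
    Revoke-MgUserSignInSession -UserId $upn | Out-Null
    Write-Host "Revoked sign-in sessions for $upn"
}
```

Run step 1 on its own first and review the grouped output with whoever owns any application that appears in it; only then create the policy, leave it in report-only mode for a week or two, and flip it to `enabled` when the report-only sign-in log shows nothing legitimate being blocked. Step 3 is for incident containment and can be run immediately for any user who reports entering a code.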
If you’re not certain whether device code flow is open in your tenant, that’s worth checking this week. Ask your IT provider, or talk to us about reviewing your Microsoft 365 sign-in policies.