Threat Feed
Severity: high

Entra ID Kali365 User-Agent Detected

This brief covers detection of the Kali365 user agent (Kali365 is a phishing-as-a-service platform) in Entra ID or Microsoft 365 logs; its presence indicates potential account compromise through stolen tokens.

The Kali365 (Kali365 Live) platform is a phishing-as-a-service (PhaaS) tool distributed via Telegram that automates OAuth 2.0 device code phishing and adversary-in-the-middle (AiTM) session capture against Microsoft 365 and Microsoft Entra ID. This platform provides affiliates with AI-generated lures, automated device code phishing campaigns, and OAuth token capture. The Kali365 Electron desktop client identifies itself with the user agent kali365-live/1.0.0 when polling for and replaying captured OAuth tokens. Detection of this user agent in Entra ID sign-in logs, Entra ID audit logs, or the Microsoft 365 unified audit log indicates that an attacker-controlled Kali365 client is interacting with the tenant using stolen tokens. Given its nature as a criminal service with no legitimate enterprise use, this user agent serves as a high-fidelity indicator of active account compromise.
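As an added example (not the advisory's own rule or query), the following Python scans Entra ID sign-in records for the two indicator types this advisory names, the kali365-live/1.0.0 user agent and the listed infrastructure IPs, and lists the users to triage. The sample records are constructed, the user-agent match is assumed to be case-insensitive, and the field names are assumed to follow the Entra ID sign-in log export schema.

```python
import json
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Indicators taken from the advisory.
KALI365_USER_AGENT = "kali365-live/1.0.0"
KALI365_IPS = {"216.203.20.95", "162.243.166.119", "199.91.220.111"}

# Constructed sample Entra ID sign-in records (not real tenant data); field
# names are assumed to follow the Entra ID sign-in log export schema.
SAMPLE_SIGNIN_LOGS = [
    '{"createdDateTime":"2025-01-10T09:12:04Z","userPrincipalName":"alice@example.com",'
    '"ipAddress":"203.0.113.7","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64)"}',
    '{"createdDateTime":"2025-01-10T09:15:31Z","userPrincipalName":"alice@example.com",'
    '"ipAddress":"216.203.20.95","userAgent":"kali365-live/1.0.0"}',
    '{"createdDateTime":"2025-01-10T09:16:02Z","userPrincipalName":"bob@example.com",'
    '"ipAddress":"198.51.100.4","userAgent":"Kali365-Live/1.0.0"}',
    '{"createdDateTime":"2025-01-10T09:20:45Z","userPrincipalName":"carol@example.com",'
    '"ipAddress":"199.91.220.111","userAgent":"Mozilla/5.0"}',
    'not json at all',
]

@dataclass
class Finding:
    time: str
    user: str
    ip: str
    reasons: tuple  # which indicator(s) matched

def check_signin(record: dict) -> Optional[Finding]:
    """Return a Finding if the record matches a Kali365 indicator, else None."""
    reasons = []
    ua = (record.get("userAgent") or "").strip().lower()  # assumed case-insensitive match
    if ua == KALI365_USER_AGENT:
        reasons.append("kali365 user-agent")
    ip = record.get("ipAddress", "")
    if ip in KALI365_IPS:
        reasons.append("kali365 infrastructure ip")
    if not reasons:
        return None
    return Finding(record.get("createdDateTime", ""), record.get("userPrincipalName", ""), ip, tuple(reasons))

def scan_signin_logs(lines: Iterable[str]) -> List[Finding]:
    """Parse one JSON record per line, skipping malformed lines, and collect findings."""
    findings = []
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = check_signin(record)
        if finding:
            findings.append(finding)
    return findings

def users_to_triage(findings: Iterable[Finding]) -> List[str]:
    """Distinct affected UPNs, the starting point for the triage steps in the rule note."""
    return sorted({f.user for f in findings})
```

A record that only matches an infrastructure IP is lower confidence than a user-agent hit, so the reasons tuple is kept so an analyst can rank findings.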

Attack Chain

  1. The attacker gains initial access through phishing, sending a lure with a Microsoft device code.
  2. The victim enters the device code on a legitimate Microsoft verification page.
  3. The victim unknowingly authorizes the attacker’s Kali365 application.
  4. Kali365 captures the resulting OAuth access and refresh tokens.
  5. The attacker uses the stolen OAuth tokens to access Microsoft 365 resources.
  6. The attacker uses the access to perform actions such as accessing mailboxes, creating inbox rules, or downloading files from OneDrive/SharePoint.
  7. The attacker maintains persistence via device registration in Entra ID.
  8. The attacker achieves persistent, MFA-free access to Microsoft 365 resources like Outlook, Teams, and OneDrive.

Impact

A successful attack leveraging Kali365 can result in unauthorized access to sensitive data, compromised accounts, and persistent access to Microsoft 365 resources. The impact includes potential data exfiltration, business email compromise, and lateral movement within the organization. Given the criminal nature of the Kali365 service, affected organizations face significant reputational and financial risks. Successful exploitation allows attackers to bypass MFA and maintain persistent access, making detection and remediation critical.

Recommendation

  • Deploy the “Entra ID Kali365 Default User-Agent Detected” rule to detect the Kali365 user agent in your environment.
  • Investigate any alerts triggered by the rule, focusing on the user and source IP involved, using the provided triage steps in the rule’s note.
  • Block the Kali365 infrastructure IOCs (216.203.20.95, 162.243.166.119, 199.91.220.111) at your network perimeter.
  • Review and remove any rogue device registrations created by the user, as identified in the rule’s note.
  • Apply Conditional Access policies to the device code grant to require managed/compliant devices.

Detection coverage (2 rules)

Entra ID Kali365 Default User-Agent Detected

Severity: high

Detects the default user agent associated with the Kali365 phishing-as-a-service platform.

Format: sigma | Tactics: credential_access, initial_access | Techniques: T1528, T1566 | Sources: audit, o365

Entra ID Sign-in with Kali365 User-Agent

Severity: high

Detects Entra ID sign-in events using the Kali365 default user-agent, indicative of stolen token usage.

Format: sigma | Tactics: credential_access, initial_access | Techniques: T1528, T1566 | Sources: network_connection, windows

Detection queries are available on the platform.

Indicators of compromise (4 total: 3 ip, 1 user-agent)

Type        Value
ip          216.203.20.95
ip          162.243.166.119
ip          199.91.220.111
user-agent  kali365-live/1.0.0