A successful Kali365 attack gives adversaries persistent, MFA-bypassed access to an organization's email, shared files, and internal collaboration channels — the core infrastructure of most business operations. Attackers commonly use this access to conduct business email compromise (BEC) fraud, exfiltrate sensitive contracts or financial data, and move laterally by impersonating executives in Teams or Outlook. Organizations subject to GDPR, HIPAA, or SOC 2 face mandatory breach notification obligations if email or file content containing personal or regulated data is accessed, with potential for significant regulatory fines and reputational damage.
You Are Affected If
Your organization uses Microsoft 365 (any plan) for email, SharePoint, OneDrive, or Teams
The OAuth device code flow is not blocked via Entra ID Conditional Access policy
Users can authenticate to Microsoft 365 from unmanaged or non-compliant devices
Your SIEM or security team does not actively monitor Entra ID sign-in logs for device code authentication events
You rely on standard MFA (SMS, authenticator app push) rather than phishing-resistant FIDO2 or certificate-based authentication
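The monitoring gap above can be checked directly against exported sign-in logs. The following Python is an added detection example (not code from the original brief or from Microsoft); it assumes records carry the Microsoft Graph signIn field names (authenticationProtocol, conditionalAccessStatus, deviceDetail) and the three sample records are constructed.

```python
import json

# Constructed sample export: a normal browser sign-in, a device code sign-in
# from an unmanaged device that Conditional Access never evaluated, and a
# device code sign-in that a Conditional Access policy blocked.
SAMPLE_SIGNIN_LOG = json.dumps([
    {"createdDateTime": "2025-01-10T09:02:11Z", "userPrincipalName": "a.lee@example.com",
     "appDisplayName": "Office 365 Exchange Online", "ipAddress": "203.0.113.10",
     "authenticationProtocol": "oAuth2", "conditionalAccessStatus": "success",
     "deviceDetail": {"isManaged": True, "isCompliant": True}},
    {"createdDateTime": "2025-01-10T09:15:42Z", "userPrincipalName": "b.kim@example.com",
     "appDisplayName": "Microsoft Office", "ipAddress": "198.51.100.7",
     "authenticationProtocol": "deviceCode", "conditionalAccessStatus": "notApplied",
     "deviceDetail": {"isManaged": False, "isCompliant": False}},
    {"createdDateTime": "2025-01-10T09:20:05Z", "userPrincipalName": "c.ng@example.com",
     "appDisplayName": "Microsoft Office", "ipAddress": "198.51.100.9",
     "authenticationProtocol": "deviceCode", "conditionalAccessStatus": "failure",
     "deviceDetail": {"isManaged": False, "isCompliant": False}},
])


def device_code_findings(signin_log_json):
    """Return one finding per device code sign-in, tagged with why it matters."""
    findings = []
    for rec in json.loads(signin_log_json):
        if rec.get("authenticationProtocol") != "deviceCode":
            continue  # only the flow this campaign abuses is of interest here
        device = rec.get("deviceDetail", {})
        reasons = ["device_code_flow"]
        if not device.get("isManaged"):
            reasons.append("unmanaged_device")
        if not device.get("isCompliant"):
            reasons.append("noncompliant_device")
        # notApplied means no Conditional Access policy evaluated this sign-in,
        # i.e. the device code flow is not blocked for this user and app.
        if rec.get("conditionalAccessStatus") == "notApplied":
            reasons.append("ca_not_applied")
        findings.append({
            "user": rec.get("userPrincipalName"),
            "time": rec.get("createdDateTime"),
            "ip": rec.get("ipAddress"),
            "app": rec.get("appDisplayName"),
            "blocked": rec.get("conditionalAccessStatus") == "failure",
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in device_code_findings(SAMPLE_SIGNIN_LOG):
        print(("BLOCKED " if f["blocked"] else "ALERT   ") + json.dumps(f))
```

A successful, unblocked finding is the trigger for the 48-hour audit named in the talking points below; blocked ones confirm the Conditional Access policy is working.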
Board Talking Points
Attackers are using a commercial service to bypass our Microsoft 365 multi-factor authentication without stealing passwords, by tricking employees into approving access on a legitimate Microsoft page.
Security should disable the specific authentication method being abused in our Microsoft 365 tenant within 48 hours and audit for any accounts already compromised.
If left unaddressed, any employee could unknowingly hand an attacker persistent access to company email, files, and internal communications with no further interaction required.
GDPR — Microsoft 365 email and OneDrive may contain personal data of EU data subjects; unauthorized persistent access constitutes a personal data breach requiring assessment under Articles 33–34
HIPAA — Organizations using Microsoft 365 to store or transmit ePHI must assess token-based account compromise as a potential breach under the HIPAA Breach Notification Rule
SOC 2 — Persistent OAuth token access without credential compromise directly implicates SOC 2 CC6 (Logical and Physical Access Controls) and may require disclosure to auditors