{
  "name": "Token Bingo: Don't Let Your Code be the Winner",
  "slug": "token-bingo-dont-let-your-code-be-the-winner",
  "description": "In early April 2026, a large-scale device code phishing campaign targeted organizations across multiple sectors and regions, exploiting the OAuth 2.0 Device Authorization Grant. Threat actors leveraged the Kali365 phishing-as-a-service platform, with activity originating primarily from IP address 216.203.20[.]95. The campaign used high-fidelity lures directing victims to Microsoft's legitimate device login flow, where users unknowingly authorized threat actor-controlled sessions. Captured OAuth tokens enabled immediate mailbox access and post-compromise activities. In some cases, attackers established malicious inbox rules to suppress security notifications, extending dwell time. The Kali365 platform operates as a multi-tenant PhaaS ecosystem supporting both device code abuse and adversary-in-the-middle session capture, featuring rapid lure generation across multiple languages and file types, Cloudflare Worker-hosted pages, and token sharing capabilities between affiliates.",
  "published": "2026-04-25T11:35:30+00:00",
  "created_at": "2026-04-25T11:35:30+00:00",
  "modified_at": "2026-04-27T12:57:59+00:00",
  "created_at_opencti": "2026-04-25T11:35:30+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-04-25",
    "credential-theft",
    "device code phishing",
    "inbox rules",
    "kali365",
    "microsoft 365",
    "oauth abuse",
    "phishing-as-a-service",
    "token theft"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "216.203.20.95"
      },
      {
        "id": "",
        "name": "199.91.220.111"
      },
      {
        "id": "",
        "name": "09bb7e568e573497e22bfa3f36d71fe9d104899826608affedb25d988f391c85"
      },
      {
        "id": "",
        "name": "883d5d4a73b0ac8cf4f78fe46d8f4e76e21508872836f2b439af2de4a205128e"
      },
      {
        "id": "",
        "name": "2fa6fc2199d3be55e240500d87e4484f39b9315bf336be25434f6716b8d28ec8"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:b0df71439ab74c85",
        "name": "Kali365",
        "slug": "kali365"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Finance"
      },
      {
        "id": "",
        "name": "Education"
      },
      {
        "id": "",
        "name": "Manufacturing"
      },
      {
        "id": "",
        "name": "Healthcare"
      },
      {
        "id": "",
        "name": "Government"
      },
      {
        "id": "",
        "name": "v2.kali365.xyz"
      },
      {
        "id": "",
        "name": "duemineral.uk"
      },
      {
        "id": "",
        "name": "kali365.xyz"
      },
      {
        "id": "",
        "name": "api.kali365.xyz"
      }
    ]
  },
  "external_refs": [
    "https://otx.alienvault.com/pulse/69ecc3226a3aeb6f5b7202e3",
    "https://arcticwolf.com/resources/blog/token-bingo-dont-let-your-code-be-the-winner/"
  ]
}