PULSE NAME
Kali365 Device Code Phishing-as-a-Service (M365)
WHITE KorporateKevin 2026-05-28 Modified: 2026-05-28
94 IOCs (HIGH VOLUME)
Kali365 (aka Kali365 Live) is a multi-tenant Microsoft 365 phishing-as-a-service platform first seen in April 2026. It is promoted via Telegram and priced at ~$250/30 days or $2,000/year, with payment via the non-KYC processor Trocador. It abuses the OAuth 2.0 device authorization grant ("device code flow") to capture access and refresh tokens, bypassing MFA without handling a password, and offers a separate AitM "Cookie Link" mode for session-cookie theft. Features include AI-generated lures, Cloudflare Worker-hosted pages impersonating Adobe Acrobat Sign, DocuSign, SharePoint, OneDrive and Teams, token sharing between affiliates, and an Electron desktop client. Post-compromise activity includes malicious inbox rules to suppress alerts and rogue Entra ID device registration. Arctic Wolf documented hundreds of attacks across North America and EMEA; the FBI issued advisory PSA260521 on 21 May 2026. Kali365 shares infrastructure and lineage with the EvilTokens/CLURE device-code kits.
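A detection sketch for the pattern described above, added here as an example and not taken from the pulse or any vendor: it flags a device-code sign-in that is followed, for the same user, by inbox-rule creation or device registration. The event schema, the 24-hour window and all sample events are assumptions constructed for illustration; map the fields to your own sign-in and audit log export.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)  # assumed correlation window, tune per tenant
# Follow-up operations matching the post-compromise activity named in the pulse
FOLLOW_UP = {"New-InboxRule", "Set-InboxRule", "Add device", "Register device"}

# Constructed, simplified events (not real telemetry). Field names are an
# assumed normalised schema, loosely modelled on Entra ID sign-in/audit logs.
EVENTS = [
    {"time": "2026-05-20T09:00:00", "user": "alice@example.com", "type": "signin", "protocol": "deviceCode", "ip": "203.0.113.10"},
    {"time": "2026-05-20T09:07:00", "user": "alice@example.com", "type": "audit", "operation": "New-InboxRule"},
    {"time": "2026-05-20T09:30:00", "user": "alice@example.com", "type": "audit", "operation": "Register device"},
    {"time": "2026-05-20T10:00:00", "user": "bob@example.com", "type": "signin", "protocol": "none", "ip": "198.51.100.7"},
    {"time": "2026-05-20T10:05:00", "user": "bob@example.com", "type": "audit", "operation": "New-InboxRule"},
    {"time": "2026-05-18T08:00:00", "user": "carol@example.com", "type": "signin", "protocol": "deviceCode", "ip": "192.0.2.44"},
    {"time": "2026-05-20T12:00:00", "user": "carol@example.com", "type": "audit", "operation": "Add device"},
]

def correlate(events, window=WINDOW):
    """Return one finding per device-code sign-in that is followed, for the
    same user and within `window`, by an inbox-rule or device-registration event."""
    events = sorted(events, key=lambda e: e["time"])  # ISO timestamps sort lexically
    findings = []
    for i, e in enumerate(events):
        if e["type"] != "signin" or e.get("protocol") != "deviceCode":
            continue
        start = datetime.fromisoformat(e["time"])
        hits = [
            f["operation"] for f in events[i + 1:]
            if f["type"] == "audit" and f["user"] == e["user"]
            and f["operation"] in FOLLOW_UP
            and datetime.fromisoformat(f["time"]) - start <= window
        ]
        if hits:
            findings.append({"user": e["user"], "signin": e["time"], "ip": e["ip"], "follow_up": hits})
    return findings

if __name__ == "__main__":
    for finding in correlate(EVENTS):
        print(finding)
```

In the sample data only alice is flagged: bob's inbox rule has no preceding device-code sign-in, and carol's device registration falls outside the window.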
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
MALWARE FAMILIES: Kali365, EvilToken, CLURE
Indicators of Compromise (4 / 94 total)
TYPE | INDICATOR | DESCRIPTION | CREATED
FileHash-SHA1 | 68056a9a5c70eae8f2054fe00676788503cf59a0 | SHA1 of 09bb7e568e573497e22bfa3f36d71fe9d104899826608affedb25d988f391c85 | 2026-05-28
FileHash-SHA1 | e33c178c1526361029bbfd6b24664db4da9f7f26 | SHA1 of 2fa6fc2199d3be55e240500d87e4484f39b9315bf336be25434f6716b8d28ec8 | 2026-05-28