Threat Analysis: Kali365 MFA Bypass and Laravel Supply Chain Compromise, What UK SMBs Need to Know
Hello, Mauven here.
This is your Daily Threat Analysis for 25th May 2026.
Two distinct threats broke this week that are directly relevant to UK SMBs. One targets your Microsoft 365 accounts in a way that most people do not realise MFA cannot stop. The other attacked the open-source software supply chain used in thousands of PHP web applications. Neither of these is theoretical. Both are active right now.
Let us go through them.
Threat One: Kali365, MFA Bypass via OAuth Device Code Phishing
The FBI published a warning this week about the Kali365 phishing-as-a-service platform. The platform is being used to hijack Microsoft 365 accounts by abusing the OAuth 2.0 Device Authorization Grant flow, and the critical point that most coverage skips over is that this attack bypasses MFA entirely.
Here is how it works. Normally, device code authentication is a legitimate Microsoft feature designed for devices that cannot display a full browser login: smart TVs, printers, IoT kit. A user is given a short code and directed to microsoft.com/devicelogin to authenticate on a different device. The problem is that this flow issues a session token the moment the user authenticates, and the attacker’s infrastructure does not have to do anything clever before that point. The attacker simply waits for the victim to authenticate, then harvests the session token.
Your MFA fires. The user passes it. The session token is already stolen.
The advisory attributes activity to Kali365 operating primarily from IP address 216.203.20[.]95. Arctic Wolf’s research into the same campaign found it operating across multiple sectors and regions, with lures directing victims to Microsoft’s own legitimate device login page, which means standard anti-phishing training is of limited value here. The page the victim visits is real.
What the advisory does not say: This campaign has been running since at least early April 2026. The FBI warning came weeks into an active operation. The fact that we are now reading about it in public does not mean it started today.
The NCSC has published guidance on OAuth token theft and conditional access policy hardening. Most UK SMB tenants running Microsoft 365 through a managed service provider will have device code authentication enabled by default, because turning it off requires deliberate configuration. If your IT provider has not specifically discussed this with you, it is worth a conversation.
What UK SMBs Should Do
- Restrict or disable device code authentication flows in your Microsoft 365 tenant via Conditional Access policies. If you have no legitimate use case for it, and most SMBs do not, disable it.
- Review your Entra ID sign-in logs for any authentications via the device code flow that you do not recognise. Specifically look for sign-ins from unusual locations or IP addresses against accounts that use device code auth.
- Do not rely on MFA alone as a defence against session token theft. Token binding and phishing-resistant MFA (FIDO2/passkeys) are meaningfully stronger. Standard TOTP codes and SMS MFA do not protect against this attack.
- Ask your MSP or IT provider whether Conditional Access policies are configured in your tenant, and specifically whether device code flows are restricted.
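The two technical actions in the list above, reviewing sign-in logs for device code authentications and restricting the flow through Conditional Access, are shown together in this added example. It is not code from the FBI advisory, Arctic Wolf or Microsoft. It assumes the sign-in records have been exported in the shape of the Microsoft Graph `signIn` resource (fields such as `authenticationProtocol`, `ipAddress`, `location`, `userPrincipalName`); the three records below are constructed for the example. The Conditional Access body follows the Graph `conditionalAccessPolicy` resource, where the `authenticationFlows.transferMethods` condition is the documented way to target the device code flow; check the field names against the current Graph reference before creating the policy in a live tenant.

```python
"""Triage exported Entra ID sign-in records for device code flow sign-ins,
and build the Conditional Access policy body that blocks that flow.

Added example; not the advisory's or Microsoft's code. The sample export is
constructed. Policy field names follow the Graph conditionalAccessPolicy
resource and should be verified against the current Graph reference.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

# Constructed sample export: one ordinary OAuth sign-in, two via device code.
SAMPLE_SIGNINS = json.dumps([
    {"createdDateTime": "2026-05-20T08:02:11Z", "userPrincipalName": "alice@example.co.uk",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "GB", "city": "Leeds"},
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-05-21T13:47:05Z", "userPrincipalName": "bob@example.co.uk",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.77",
     "location": {"countryOrRegion": "NL", "city": "Amsterdam"},
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-05-21T14:10:40Z", "userPrincipalName": "carol@example.co.uk",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "GB", "city": "Leeds"},
     "appDisplayName": "Microsoft Teams", "status": {"errorCode": 0}},
])


@dataclass(frozen=True)
class Finding:
    user: str
    when: str
    ip: str
    country: str
    app: str
    reasons: tuple[str, ...]


def triage_device_code_signins(export_json, known_ips, expected_countries):
    """Return a Finding for every successful device code sign-in.

    Every successful device code sign-in is reported, because the flow should
    be rare in an SMB tenant; the reasons tuple records what else stands out
    (unfamiliar IP, unexpected country) so the ones to chase first are obvious.
    """
    findings = []
    for rec in json.loads(export_json):
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        if rec.get("status", {}).get("errorCode", 0) != 0:
            continue  # a failed attempt did not yield a token; count it separately
        ip = rec.get("ipAddress", "")
        country = rec.get("location", {}).get("countryOrRegion", "")
        reasons = ["device code flow used"]
        if ip not in known_ips:
            reasons.append(f"unfamiliar IP {ip}")
        if country not in expected_countries:
            reasons.append(f"unexpected country {country}")
        findings.append(Finding(rec.get("userPrincipalName", "?"), rec.get("createdDateTime", "?"),
                                ip, country, rec.get("appDisplayName", "?"), tuple(reasons)))
    return findings


def block_device_code_policy(display_name="Block device code flow", report_only=True):
    """Build the request body for a Conditional Access policy that blocks the
    device code flow for all users and all cloud apps.

    Created in report-only state by default so the sign-in log shows what it
    would have blocked before it is enforced. In a real tenant, add a
    break-glass account to conditions.users.excludeUsers before enabling.
    """
    return {
        "displayName": display_name,
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    for f in triage_device_code_signins(SAMPLE_SIGNINS, known_ips={"203.0.113.10"},
                                        expected_countries={"GB"}):
        print(f"{f.when} {f.user} from {f.ip} ({f.country}) via {f.app}: {', '.join(f.reasons)}")
    print(json.dumps(block_device_code_policy(), indent=2))
```

Run against the sample, the triage reports both device code sign-ins: Bob's from an unfamiliar Dutch address is the one to treat as possible token theft; Carol's from the office address still gets listed, because in a tenant with no legitimate device code use any such sign-in deserves a question. The policy body is returned rather than sent so that it can be reviewed, then created with the Graph `POST /identity/conditionalAccess/policies` call; starting in report-only mode and excluding a break-glass account are standard Conditional Access practice, not something the advisory specifies.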
Threat Two: Laravel Lang Supply Chain Compromise, 700+ Package Versions Backdoored
On 22nd and 23rd May 2026, the community-maintained Laravel Lang package ecosystem was compromised. According to Socket.dev’s analysis, the attack affected multiple repositories including laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and laravel-lang/actions, with over 700 versions across these packages now carrying a remote code execution backdoor.
The attack involved coordinated rapid tag publishing across repositories over a short window. That coordination strongly suggests organisation-level credential compromise rather than a single contributor account being taken over. Someone, or some group, had access to publishing rights across multiple repos simultaneously.
The malicious code introduced an information stealer and RCE capability. Any application that pulled in a compromised version of these packages between those dates is potentially affected.
Laravel is one of the most widely used PHP frameworks in the world. UK SMBs are not immune: a substantial proportion of custom-built web applications, e-commerce sites, client portals, and booking systems built by UK web development agencies run on Laravel. The businesses that commissioned that development often have no visibility into which packages their application depends on.
What the advisory does not say: This is not an isolated incident. The SANS Internet Storm Center is simultaneously tracking the TeamPCP campaign, which has now compromised packages across three separate ecosystems, reached GitHub’s own internal codebase, and trojanised an officially Microsoft-published Python SDK. Supply chain attacks on open-source package ecosystems have moved from occasional incidents to a sustained campaign pattern.
If you commissioned a website or application from a web development agency in the last eighteen months, and that application runs PHP or uses Laravel, you have a question to ask your developer.
What UK SMBs Should Do
- Contact your web developer or hosting provider and ask whether your application uses any Laravel Lang packages and whether they have audited for the compromised versions.
- If you manage your own Laravel application, check your composer.json and composer.lock files against the list of affected packages published by Socket.dev. Update immediately.
- Review application logs for any unusual outbound connections or unexpected behaviour from web applications around 22–24 May 2026.
- Ask your development agency what their process is for monitoring for supply chain compromises in dependencies. If they do not have one, that is relevant information.
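For the composer.lock check in the list above, here is an added example of how to audit a lock file against the four compromised repositories. It is not Socket.dev's or Laravel Lang's code. The advisory names the packages but this post does not reproduce the affected version list, so the `AFFECTED_VERSIONS` table below holds an obviously fake placeholder version and must be populated from the list Socket.dev published; the composer.lock sample is constructed for the example.

```python
"""Audit a composer.lock for Laravel Lang packages.

Added example; not Socket.dev's or Laravel Lang's code. AFFECTED_VERSIONS is
a PLACEHOLDER to be filled from Socket.dev's published list; the sample lock
file is constructed.
"""
import json

# The four repositories named in the Socket.dev analysis.
COMPROMISED_REPOS = {
    "laravel-lang/lang",
    "laravel-lang/http-statuses",
    "laravel-lang/attributes",
    "laravel-lang/actions",
}

# PLACEHOLDER: "99.0.0" is not a real affected version. Replace this table
# with the versions Socket.dev lists for each package.
AFFECTED_VERSIONS = {
    "laravel-lang/lang": {"99.0.0"},
    "laravel-lang/http-statuses": {"99.0.0"},
    "laravel-lang/attributes": {"99.0.0"},
    "laravel-lang/actions": {"99.0.0"},
}

# Constructed composer.lock: one framework package, three laravel-lang packages,
# one of them pinned in the dev section.
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v11.9.0"},
        {"name": "laravel-lang/lang", "version": "v99.0.0"},
        {"name": "laravel-lang/attributes", "version": "v2.0.1"},
    ],
    "packages-dev": [
        {"name": "laravel-lang/actions", "version": "v1.0.0"},
    ],
})


def normalise(version):
    """composer.lock records tags as 'v1.2.3'; advisories usually say '1.2.3'."""
    return version.lstrip("vV")


def audit_composer_lock(lock_json, affected=AFFECTED_VERSIONS):
    """Return (confirmed, review).

    confirmed: laravel-lang packages whose locked version is in the affected
               table (update immediately).
    review:    every other laravel-lang package found, whatever its version,
               listed for manual comparison against the full Socket.dev list.
    Both the production and dev sections are checked, because a dev-only
    dependency still runs on developer machines and CI runners.
    """
    lock = json.loads(lock_json)
    confirmed, review = [], []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            name = pkg.get("name", "")
            if not (name in COMPROMISED_REPOS or name.startswith("laravel-lang/")):
                continue
            version = normalise(pkg.get("version", ""))
            entry = (name, version, section)
            if version in affected.get(name, set()):
                confirmed.append(entry)
            else:
                review.append(entry)
    return confirmed, review


if __name__ == "__main__":
    confirmed, review = audit_composer_lock(SAMPLE_COMPOSER_LOCK)
    for name, version, section in confirmed:
        print(f"COMPROMISED  {name} {version} ({section}): update now")
    for name, version, section in review:
        print(f"REVIEW       {name} {version} ({section}): compare against Socket.dev list")
```

Point `audit_composer_lock` at the real lock file with `open("composer.lock").read()` once the placeholder table has been replaced. The `review` list is deliberate: because the compromise spans 700+ versions, any laravel-lang package the script cannot match is still worth checking by hand rather than assumed clean, and the `laravel-lang/` prefix match catches repositories from the same organisation that the four named ones do not cover.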
The Broader Picture: Supply Chain as the New Normal
These two threats are not coincidental. The pattern across this week’s intelligence picture (Kali365 using legitimate infrastructure to bypass authentication, Laravel Lang using legitimate package repositories to distribute backdoors, TeamPCP operating across three ecosystems simultaneously) points to a consistent adversary approach: use the victim’s trust in legitimate services against them.
NCSC guidance on supply chain security has been available since 2019. Guidance on OAuth token theft and Conditional Access hardening for Microsoft 365 has been available for years. The fact that both of these attack vectors are still producing results at scale tells you something about how seriously they have been taken.
There is also a ClickFix campaign actively exploiting CVE-2026-26980 in Ghost CMS this week, injecting malicious JavaScript into sites to trigger social engineering flows against visitors. If your website runs Ghost, that needs immediate attention too.
Today’s priority is Microsoft 365 Conditional Access and a conversation with whoever manages your web applications. Start there.
Sources
| Source | Title | URL |
|---|---|---|
| BleepingComputer | FBI warns of Kali365 phishing service targeting Microsoft 365 accounts | https://www.bleepingcomputer.com/news/security/fbi-warns-of-kali365-phishing-service-targeting-microsoft-365-accounts/ |
| Arctic Wolf | Token Bingo: Don’t Let Your Code be the Winner | https://arcticwolf.com/resources/blog/token-bingo-dont-let-your-code-be-the-winner/ |
| Socket.dev | Laravel Lang Compromised with RCE Backdoor Across 700+ Versions | https://socket.dev/blog/laravel-lang-compromise |
| SANS Internet Storm Center | TeamPCP Supply Chain Campaign: Activity Through 2026-05-24 | https://isc.sans.edu/diary/rss/33016 |
| BleepingComputer | Ghost CMS SQL injection flaw exploited in large-scale ClickFix campaign | https://www.bleepingcomputer.com/news/security/ghost-cms-sql-injection-flaw-exploited-in-large-scale-clickfix-campaign/ |