- The FBI alerted the public about a new Phishing-as-a-Service platform, Kali365, that lets attackers steal Microsoft 365 access tokens and bypass MFA without using login credentials.
- Kali365 lowers the entry barrier for cyber attacks for less-skilled hackers by offering AI-generated phishing lures, real-time tracking dashboards, automated campaign templates, even OAuth token capture tools.
- The FBI recommends blocking device code flow to stop this attack. Conditional access policies help make sure that attackers won’t gain persistent access to Outlook, Teams, and OneDrive.
On May 21, the FBI released an announcement to notify people of an emerging threat referred to as Kali365. This is not your average phishing kit. Kali365 first appeared in April 2026. Hackers are distributing it mainly through Telegram.
The platform lets cyber threat actors grab Microsoft 365 access tokens. It bypasses multi-factor authentication protocols completely. The scary part? Attackers do this without intercepting your username or password. They don’t even need to trick you into handing over a verification code.
How the Kali365 Scam Actually Works
The attack starts with a simple email. It looks like it comes from a trusted cloud service like Microsoft or SharePoint.
The email contains a device code. It tells you to visit a legitimate Microsoft verification page. Then it asks you to enter that code. Nothing looks suspicious. The page is real. The code works. That is exactly the problem.
When you paste the code, you unknowingly authorize the attacker’s device. You just gave them a key to your account. They capture OAuth access tokens and refresh tokens right then. Now they have persistent access to your Microsoft 365 environment.
They can read your Outlook emails. Browse your Teams messages. They can download files from your OneDrive. They do not need your password. They never face another MFA challenge. The access just keeps working.
Microsoft has also warned about another large-scale phishing campaign. That campaign targets thousands of users with different techniques, showing the diverse tactics attackers use.
Kali365 makes all of this easy for less-technical criminals. The platform provides AI-generated phishing lures. It offers automated campaign templates. Attackers get a real-time dashboard to track their targets. The OAuth token capture capabilities come built in. By subscribing to the platform, anyone, skilled or not, can launch sophisticated cyber attacks.
Who Does Kali365 Target and How Can It Be Avoided?
This threat mostly goes after Microsoft 365 users, whether businesses, schools, government offices, or regular individuals using the service.
The good news? You can block this attack. The FBI says restricting device code flow is the key. Limit or block device authentication codes entirely. Create a conditional access policy that blocks device code flow for all users. Make exceptions only for required business processes.
Before you make changes, audit existing device code flow usage. Find out if any legitimate systems depend on it. Then build your policy around those needs. Also block authentication transfer. That prevents users from moving a signed-in session from a computer to a mobile device.
If you cannot fully restrict device code flow, protect your emergency access accounts. Exclude them from the policy to prevent lockouts. That gives you a backup way in.
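The two steps above (audit who actually uses device code flow, then block it while excluding break-glass accounts) as an added Python example; this is not code from the FBI announcement or from Microsoft. The sign-in records are constructed, and the field names (`authenticationProtocol` on sign-in logs, `authenticationFlows.transferMethods` on a Conditional Access policy) are assumed to match the Microsoft Graph schema, so check them against current Microsoft documentation before use.

```python
import json
from collections import Counter

# Constructed sample of Entra ID sign-in log records (not real data); field
# names are assumed to follow the Microsoft Graph signIn resource.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.7"},
    {"userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Teams",
     "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.4"},
    {"userPrincipalName": "kiosk-svc@example.com", "appDisplayName": "Meeting room kiosk",
     "authenticationProtocol": "deviceCode", "ipAddress": "192.0.2.10"},
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.7"},
]


def audit_device_code_usage(signins):
    """Step 1: find which users and apps really use device code flow before
    blocking it. Returns {(user, app): count} for device-code sign-ins only."""
    usage = Counter()
    for rec in signins:
        if rec.get("authenticationProtocol") == "deviceCode":
            usage[(rec["userPrincipalName"], rec["appDisplayName"])] += 1
    return dict(usage)


def build_block_policy(emergency_account_ids, exempt_user_ids=()):
    """Step 2: Conditional Access policy (assumed Graph schema) that blocks
    device code flow and authentication transfer for all users, excluding
    emergency access accounts and any users the audit showed need the flow."""
    excluded = list(dict.fromkeys([*emergency_account_ids, *exempt_user_ids]))
    return {
        "displayName": "Block device code flow and authentication transfer",
        # Start in report-only mode, review the hits, then switch to "enabled".
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": excluded},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    for (user, app), n in audit_device_code_usage(SAMPLE_SIGNINS).items():
        print(f"device code flow: {user} via {app} ({n} sign-ins)")
    # Placeholder object IDs; replace with your tenant's break-glass account IDs.
    print(json.dumps(build_block_policy(["<break-glass-object-id>"]), indent=2))
```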
How the Potential Victim Should Respond
The FBI offered some advice for those this threat might target. Hit by a Kali365-related incident? Report it to the FBI without delay. You can file your complaint at the Internet Crime Complaint Center’s website, www.ic3.gov. Detail every piece of information you have gathered in your report.
Send them the phishing emails. Attach the full email headers and the message body. Document all suspicious login attempts, noting the timestamps, locations, and IP addresses. If you spot any device access or active sessions on your account that you didn’t authorize, document those too.
Read the Cybersecurity and Infrastructure Security Agency’s Phishing Guidance guide. It covers stopping attacks at phase one. The document provides best practices and real mitigations.
Remember the FBI’s disclaimer. They provide this information “as is” for informational purposes only. The agency clearly stated that it doesn’t endorse any commercial entity, product, or service. Any reference to a trademark or manufacturer does not mean they’ve endorsed it.
Also double-check any email that’s requesting that you enter a code. And talk to your IT team about blocking device code flow today.