FBI warns Kali365 phishing kit bypasses Microsoft 365 MFA security

FBI Warns Kali365 Phishing Kit Is Stealing Microsoft 365 Tokens at Scale — And MFA Won’t Save You

The FBI just dropped a public service announcement that should terrify every IT administrator running Microsoft 365: a phishing-as-a-service platform called Kali365 is stealing OAuth access tokens at scale, completely bypassing multi-factor authentication. First spotted in April 2026, Kali365 has already been used in hundreds of attacks across manufacturing, education, government, healthcare, and financial services — and it costs just $250 a month.

If your organization relies on MFA as the last line of defense for Microsoft 365, this is your wake-up call. It’s not enough anymore.

Kali365 Phishing: The FBI’s New Warning

On May 21, 2026, the FBI’s Internet Crime Complaint Center (IC3) published PSA 260521, formally warning the public about Kali365. The platform, primarily distributed through Telegram, provides cyber threat actors with everything they need to hijack Microsoft 365 accounts without ever needing to crack a password or intercept an MFA code.

This isn’t a theoretical threat. Security firms including Arctic Wolf and Proofpoint documented hundreds of successful attacks in April 2026 alone, hitting companies and government agencies across North America and Europe. The FBI’s decision to issue a public warning — rather than a private advisory — signals how widespread and serious this threat has become.

What makes Kali365 particularly dangerous is its use of device code phishing, a technique that exploits a legitimate Microsoft authentication flow. Unlike traditional phishing that tries to capture passwords, Kali365 steals the authentication tokens themselves — the digital equivalent of stealing someone’s key rather than picking their lock.

How Kali365 Bypasses MFA Completely

To understand why Kali365 is so effective, you need to understand the fundamental vulnerability it exploits. Traditional MFA works by requiring something you know (password) and something you have (phone, security key). The assumption is that an attacker who steals your password still can’t get in without your second factor.

Kali365 sidesteps this entire model. Instead of trying to steal your credentials, it tricks you into authenticating through a legitimate Microsoft login flow — and then captures the OAuth access token that Microsoft generates after you successfully complete MFA. The attacker never needs your password, never needs to intercept your MFA code, and never triggers any of the suspicious login alerts that traditional phishing attempts would.

Once the attacker has your OAuth access token, they have full access to your Microsoft 365 account — email, OneDrive, SharePoint, Teams, and everything else — for as long as the token remains valid. And because the authentication was legitimate from Microsoft’s perspective, there are no red flags in the audit logs.

Device Code Phishing Explained

The specific technique Kali365 uses is called device code phishing, and it exploits a feature Microsoft designed for devices without keyboards, like smart TVs or IoT devices.

Here’s how the legitimate flow works: when you want to sign in to Microsoft on a device that can’t easily accept keyboard input, the device generates a code. You go to microsoft.com/devicelogin on another device, enter the code, and authenticate normally (including MFA). The original device receives an access token and you’re logged in.

Kali365 weaponizes this flow. The attacker initiates the device authorization process themselves, generating a legitimate Microsoft device code. They then send this code to the target through a phishing email, a Teams message, or a social engineering campaign. The email might say something like “Click here to verify your account” or “Enter this code to complete a security review.”

When the victim enters the code on Microsoft’s genuine login page and completes their normal MFA process, Microsoft issues an OAuth access token — which goes directly to the attacker’s device instead of the victim’s. The victim has just authenticated the attacker’s session without realizing it.

The beauty of this attack, from the attacker’s perspective, is that every step happens on legitimate Microsoft infrastructure. The login page is real. The MFA prompt is real. The only fraudulent element is who initiated the device code — and that’s invisible to the victim.
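To make the binding gap concrete, here is a small in-memory model of the OAuth 2.0 device authorization grant (RFC 8628) that the flow above is built on. It is an added illustration, not code from the FBI PSA, from Microsoft, or from Kali365: the endpoint name, code lifetime and token format are constructed, and the `block_device_code` switch stands in for a Conditional Access policy that refuses the device code transfer method. The point it shows is that the server binds the grant to the person who approves the code, but hands the token to whoever holds the matching `device_code`.

```python
"""Toy model of the OAuth 2.0 device authorization grant (RFC 8628).

Added illustration only; nothing here talks to a real identity provider.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

USER_CODE_LIFETIME_S = 900  # constructed lifetime for the example


@dataclass
class PendingGrant:
    device_code: str   # secret held by the client that started the flow
    user_code: str     # short code a human types on the verification page
    client_id: str
    created: float
    approved_user: Optional[str] = None


class AuthorizationServer:
    """Minimal authorization server. `block_device_code` models a policy
    that denies the device code transfer method at step 1."""

    def __init__(self, block_device_code: bool = False,
                 now: Callable[[], float] = time.time):
        self.block_device_code = block_device_code
        self._now = now
        self._by_device_code: Dict[str, PendingGrant] = {}
        self._by_user_code: Dict[str, PendingGrant] = {}

    def device_authorization(self, client_id: str) -> dict:
        """Step 1 (RFC 8628 sections 3.1-3.2). Any client may start the flow;
        the server cannot know who will later type the user code."""
        if self.block_device_code:
            return {"error": "unauthorized_client"}
        grant = PendingGrant(
            device_code=secrets.token_urlsafe(32),
            user_code=f"{secrets.randbelow(10**9):09d}",
            client_id=client_id,
            created=self._now(),
        )
        self._by_device_code[grant.device_code] = grant
        self._by_user_code[grant.user_code] = grant
        return {
            "device_code": grant.device_code,
            "user_code": grant.user_code,
            "verification_uri": "https://login.example/devicelogin",  # constructed
            "expires_in": USER_CODE_LIFETIME_S,
            "interval": 5,
        }

    def _expired(self, grant: PendingGrant) -> bool:
        return self._now() - grant.created > USER_CODE_LIFETIME_S

    def user_approves(self, user_code: str, user: str, mfa_passed: bool) -> str:
        """Step 2 (section 3.3). The human signs in, passes MFA and enters the
        code. The grant is bound to the user, not to the redeeming client."""
        grant = self._by_user_code.get(user_code)
        if grant is None or self._expired(grant):
            return "invalid_or_expired_code"
        if not mfa_passed:
            return "mfa_required"
        grant.approved_user = user
        return "approved"

    def token(self, device_code: str) -> dict:
        """Step 3 (sections 3.4-3.5). Whoever holds device_code polls here and
        receives the access token once the grant has been approved."""
        grant = self._by_device_code.get(device_code)
        if grant is None:
            return {"error": "invalid_grant"}
        if self._expired(grant):
            return {"error": "expired_token"}
        if grant.approved_user is None:
            return {"error": "authorization_pending"}
        return {
            "access_token": f"tok-{secrets.token_hex(8)}",  # opaque, constructed
            "token_type": "Bearer",
            "issued_to_client": grant.client_id,
            "on_behalf_of": grant.approved_user,
        }


def run_flow(block_device_code: bool = False) -> dict:
    """Drive the three steps: client "initiator" starts the flow, the human
    "alice@example.test" approves it, and the client polls for the token."""
    auth = AuthorizationServer(block_device_code=block_device_code)
    start = auth.device_authorization(client_id="initiator")
    if "error" in start:
        return {"blocked": True, "error": start["error"]}
    pending = auth.token(start["device_code"])  # polled before approval
    approval = auth.user_approves(start["user_code"], "alice@example.test", mfa_passed=True)
    issued = auth.token(start["device_code"])   # polled after approval
    return {
        "blocked": False,
        "before_approval": pending["error"],
        "approval": approval,
        "token_holder": issued["issued_to_client"],
        "token_subject": issued["on_behalf_of"],
    }


if __name__ == "__main__":
    print(run_flow())                         # token goes to "initiator", on behalf of alice
    print(run_flow(block_device_code=True))   # flow refused at step 1
```

Note that in this model the MFA check passes whatever method the user employed, because it happens on the genuine verification page; the only thing that stops the token from reaching a client the user never meant to authorize is refusing the transfer method at step 1, which is the mitigation the rest of the article leads to.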

Who Is Getting Hit

The victim profile is broad and alarming. According to documented cases from April and May 2026, Kali365 attacks have successfully targeted manufacturing companies across the US Midwest, public school districts and university systems, state and local government agencies, insurance companies, financial services firms, and healthcare organizations in both North America and Europe.

The diversity of targets suggests that Kali365’s customers — the cybercriminals buying the service — are running wide-ranging campaigns rather than focusing on specific industries. This is consistent with a broader trend in cybercrime where sophisticated tools get commoditized and used indiscriminately.

Once inside a Microsoft 365 account, attackers typically use the access for business email compromise (BEC) schemes, internal phishing to other employees, data theft from OneDrive and SharePoint, and setting up email forwarding rules to maintain persistent access even after the original token expires.

The Kali365 Business Model

Kali365 operates as a subscription service with a straightforward pricing model: $250 per month per tenant, or $2,000 for an annual subscription. For that price, customers get AI-generated phishing lures customized for different industries, automated campaign templates, real-time tracking dashboards showing which targets have clicked and authenticated, and OAuth token capture and management capabilities.

The low barrier to entry is the real danger. At $250 a month, even unsophisticated cybercriminals can run campaigns that bypass the security measures most organizations consider state-of-the-art. The platform’s AI-generated phishing lures mean that poor English or obvious formatting mistakes — the traditional red flags that alert users to phishing — are largely eliminated.

This democratization of advanced phishing capabilities is part of a broader trend in AI-assisted cyberattacks that security professionals have been warning about throughout 2026.

Why Traditional Defenses Fail

The reason Kali365 is so effective is that it doesn’t attack the authentication mechanism — it attacks the trust model. Most organizations have invested heavily in MFA precisely because it stops credential-based attacks. But Kali365 doesn’t steal credentials. It makes you authenticate on behalf of the attacker, which means your MFA is working exactly as designed — it’s just protecting the wrong person’s session.

Email filters often miss Kali365 campaigns because the phishing emails don’t contain traditional indicators of compromise. There are no suspicious URLs to block — the victim is directed to microsoft.com, which is as legitimate as it gets. There are no malicious attachments. The only payload is a text string (the device code) that looks innocuous to automated scanning tools.

Conditional access policies can help, but most organizations haven’t configured them to specifically block device code flows. And even when they do, the configuration needs to be precise — overly broad blocking can break legitimate device code scenarios that employees rely on.
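The "precise configuration" point deserves a worked example. The snippet below builds the Microsoft Graph `conditionalAccessPolicy` body for a policy that blocks the device code transfer method and lints it for the two mistakes that cause lockouts or gaps: no break-glass exclusion, and a grant control other than block. It is an added example, not code from the FBI or from Microsoft's samples; the body follows the documented Graph shape (`conditions.authenticationFlows.transferMethods`), which you should confirm against the current Graph reference before posting it, and the group id is a placeholder.

```python
"""Build and lint a Conditional Access policy that blocks device code flow.

Added example. The dictionary mirrors the Microsoft Graph conditionalAccessPolicy
resource; confirm field names against the current Graph reference before use.
"""
import json
from typing import Dict, List

# Real Graph endpoint for creating policies (POST the body with an admin token).
GRAPH_POLICIES_URL = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"


def device_code_block_policy(exclude_group_ids: List[str], enforce: bool = False) -> Dict:
    """Policy body: all users, all apps, device code transfer method, grant = block.
    Defaults to report-only so sign-in logs show what *would* have been blocked
    before anything is enforced."""
    return {
        "displayName": "Block device code flow (phishing mitigation)",
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": exclude_group_ids},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            # Flagged enum: "deviceCodeFlow" alone, or "deviceCodeFlow,authenticationTransfer"
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def lint_policy(policy: Dict) -> List[str]:
    """Return a list of problems (empty when the policy is shaped as intended)."""
    problems: List[str] = []
    cond = policy.get("conditions", {})
    methods = cond.get("authenticationFlows", {}).get("transferMethods", "")
    if "deviceCodeFlow" not in [m.strip() for m in methods.split(",")]:
        problems.append("policy does not target the device code transfer method")
    if policy.get("grantControls", {}).get("builtInControls") != ["block"]:
        problems.append("grant control is not 'block'")
    users = cond.get("users", {})
    if users.get("includeUsers") == ["All"] and not (
        users.get("excludeGroups") or users.get("excludeUsers")
    ):
        # Lock-out guard: keep a break-glass group (or the kiosk/meeting-room
        # accounts that genuinely need device code) out of scope.
        problems.append("scoped to all users with no break-glass exclusion")
    if policy.get("state") not in ("enabled", "enabledForReportingButNotEnforced", "disabled"):
        problems.append("unknown policy state")
    return problems


if __name__ == "__main__":
    # Placeholder group id for the break-glass / legitimate-device-code exclusion.
    policy = device_code_block_policy(["00000000-0000-0000-0000-000000000000"])
    print("lint:", lint_policy(policy) or "ok")
    print(json.dumps(policy, indent=2))
```

Roll it out in two stages: create it in report-only mode, review the sign-in log entries it would have affected for a week or two, then flip `enforce=True`. Anything that legitimately needs device code (shared meeting-room devices, some CLI tooling) goes in the excluded group rather than being left to break.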

How to Protect Your Organization

Defending against Kali365 requires a multi-layered approach that goes beyond traditional MFA.

Block Device Code Authentication: If your organization doesn’t need device code flow (most don’t), disable it entirely through Azure AD Conditional Access policies. This is the single most effective mitigation.

Deploy Phishing-Resistant MFA: Switch to FIDO2 security keys or Windows Hello for Business. These methods bind authentication to a specific device and can’t be proxied through a device code flow.

Monitor Token Activity: Implement monitoring for unusual OAuth token usage patterns. If a token is being used from a different IP, device, or location than where the authentication occurred, that’s a strong indicator of token theft.

Train Users on Device Code Phishing: Most security awareness training focuses on fake login pages and suspicious links. Update your training to include device code phishing scenarios — teach employees that being asked to enter a code at microsoft.com/devicelogin is suspicious unless they specifically initiated the process themselves.

Review Email Rules Regularly: Attackers who gain access through Kali365 often set up email forwarding rules to maintain access. Regular audits of mailbox rules can catch this persistence mechanism.

For organizations that have already been targeted, the FBI recommends reviewing Azure AD sign-in logs for device code authentication events, checking for unauthorized email forwarding rules, revoking all active sessions for potentially compromised accounts, and reporting incidents to IC3.gov.
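The three review steps above (device code sign-ins, token use from an unfamiliar location, and forwarding rules) can be scripted over exported logs. The example below is added here and is not from the FBI PSA or from Microsoft; the sign-in records use the field names of the Microsoft Graph `signIn` resource (`authenticationProtocol`, `ipAddress`, `isInteractive`, `status.errorCode`) and the rule records use the property names Exchange's `Get-InboxRule` reports (`ForwardTo`, `RedirectTo`, `DeleteMessage`), but every record is constructed for the example, including the tenant domain `contoso.test`.

```python
"""Triage helpers for device code phishing follow-up, run over constructed records.

Added example. Field names follow Microsoft Graph signIn and Exchange inbox rule
properties; all data below is made up for the demonstration.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

INTERNAL_DOMAIN = "contoso.test"  # constructed tenant domain

# Constructed sign-in export: alice approved a device code from her own browser
# (203.0.113.10); a minute later a non-interactive token use appears from a new
# IP. bob's device code sign-in is a meeting-room device on his usual IP. carol's
# attempt failed with errorCode 53003 (blocked by Conditional Access). dave
# changes IP but never used device code.
SIGNINS: List[Dict] = [
    {"userPrincipalName": "alice@contoso.test", "createdDateTime": "2026-05-20T08:02:11Z",
     "ipAddress": "203.0.113.10", "authenticationProtocol": "oAuth2", "isInteractive": True,
     "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@contoso.test", "createdDateTime": "2026-05-20T09:15:40Z",
     "ipAddress": "203.0.113.10", "authenticationProtocol": "deviceCode", "isInteractive": True,
     "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@contoso.test", "createdDateTime": "2026-05-20T09:16:05Z",
     "ipAddress": "198.51.100.77", "authenticationProtocol": "oAuth2", "isInteractive": False,
     "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso.test", "createdDateTime": "2026-05-20T10:00:00Z",
     "ipAddress": "192.0.2.5", "authenticationProtocol": "deviceCode", "isInteractive": True,
     "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso.test", "createdDateTime": "2026-05-20T10:30:00Z",
     "ipAddress": "192.0.2.5", "authenticationProtocol": "oAuth2", "isInteractive": False,
     "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@contoso.test", "createdDateTime": "2026-05-20T11:00:00Z",
     "ipAddress": "203.0.113.44", "authenticationProtocol": "deviceCode", "isInteractive": True,
     "status": {"errorCode": 53003}},
    {"userPrincipalName": "dave@contoso.test", "createdDateTime": "2026-05-20T07:00:00Z",
     "ipAddress": "203.0.113.20", "authenticationProtocol": "oAuth2", "isInteractive": True,
     "status": {"errorCode": 0}},
    {"userPrincipalName": "dave@contoso.test", "createdDateTime": "2026-05-20T12:00:00Z",
     "ipAddress": "198.51.100.9", "authenticationProtocol": "oAuth2", "isInteractive": False,
     "status": {"errorCode": 0}},
]

# Constructed inbox rules (simplified: recipients as plain SMTP addresses).
RULES: List[Dict] = [
    {"Mailbox": "alice@contoso.test", "Name": "Invoice handling", "Enabled": True,
     "ForwardTo": ["finance-archive@mail-example.net"], "RedirectTo": [], "DeleteMessage": False},
    {"Mailbox": "alice@contoso.test", "Name": "Newsletters", "Enabled": True,
     "ForwardTo": [], "RedirectTo": [], "DeleteMessage": False},
    {"Mailbox": "bob@contoso.test", "Name": "Cleanup", "Enabled": True,
     "ForwardTo": [], "RedirectTo": [], "DeleteMessage": True},
    {"Mailbox": "carol@contoso.test", "Name": "Team copy", "Enabled": True,
     "ForwardTo": ["carol-alt@contoso.test"], "RedirectTo": [], "DeleteMessage": False},
]


def _ok(event: Dict) -> bool:
    return event.get("status", {}).get("errorCode") == 0


def device_code_signins(events: List[Dict]) -> List[Dict]:
    """Successful sign-ins that used the device code grant. Failed ones (such as
    errorCode 53003 from a Conditional Access block) are excluded here."""
    return [e for e in events if e.get("authenticationProtocol") == "deviceCode" and _ok(e)]


def post_device_code_new_ips(events: List[Dict]) -> List[Dict]:
    """After a user's successful device code sign-in, flag later successful
    activity from an IP that user had not used before. This is the "token used
    somewhere other than where the authentication happened" check."""
    seen_ips: Dict[str, Set[str]] = defaultdict(set)
    had_device_code: Set[str] = set()
    flagged: List[Dict] = []
    for e in sorted(events, key=lambda x: x["createdDateTime"]):
        if not _ok(e):
            continue
        user, ip = e["userPrincipalName"], e["ipAddress"]
        if e.get("authenticationProtocol") == "deviceCode":
            had_device_code.add(user)
        elif user in had_device_code and ip not in seen_ips[user]:
            flagged.append(e)
        seen_ips[user].add(ip)
    return flagged


def suspicious_inbox_rules(rules: List[Dict], internal_domain: str = INTERNAL_DOMAIN) -> List[Tuple[str, str]]:
    """(mailbox, reason) for enabled rules that send mail outside the tenant or delete it."""
    findings: List[Tuple[str, str]] = []
    for r in rules:
        if not r.get("Enabled", True):
            continue
        targets = r.get("ForwardTo", []) + r.get("ForwardAsAttachmentTo", []) + r.get("RedirectTo", [])
        external = [t for t in targets if not t.lower().endswith("@" + internal_domain)]
        if external:
            findings.append((r["Mailbox"], f"rule '{r['Name']}' sends mail to {', '.join(external)}"))
        if r.get("DeleteMessage"):
            findings.append((r["Mailbox"], f"rule '{r['Name']}' deletes incoming mail"))
    return findings


if __name__ == "__main__":
    for e in device_code_signins(SIGNINS):
        print("device code sign-in:", e["userPrincipalName"], e["createdDateTime"], e["ipAddress"])
    for e in post_device_code_new_ips(SIGNINS):
        print("token use from new IP after device code:", e["userPrincipalName"], e["ipAddress"])
    for mailbox, reason in suspicious_inbox_rules(RULES):
        print("inbox rule:", mailbox, reason)
```

Users who appear in both of the first two lists (here alice) are the ones to prioritise for session revocation and a mailbox rule review; a device code sign-in on its own (bob's meeting-room device) is a lead, not a verdict, which is why the report-only Conditional Access stage is worth running first.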

The Bottom Line

Kali365 represents a fundamental shift in the phishing landscape. For years, MFA was the answer to credential theft. Now, tools like Kali365 have turned MFA from a security solution into a security assumption that attackers know how to exploit.

The FBI’s public warning isn’t alarmism — it’s an acknowledgment that the traditional security model for cloud-based services needs to evolve. Organizations that treat MFA as a silver bullet are the ones most vulnerable to Kali365 and the inevitable copycats that will follow.

At $250 a month, the barrier to entry for bypassing your organization’s MFA is lower than your monthly cloud storage bill. If that doesn’t change your security strategy, nothing will.
