FBI Warns: ‘Kali365’ Phishing Service Targets Microsoft 365 Accounts
A new phishing service is turning a legitimate Microsoft login process into a shortcut for account takeovers.
The FBI warned that Kali365, a phishing-as-a-service platform first seen in April 2026, can help attackers hijack Microsoft 365 accounts by abusing Microsoft’s device code authentication flow. Instead of stealing passwords or MFA codes, attackers capture OAuth tokens that can provide access to services such as Outlook, Teams, and OneDrive.
For IT teams, the danger is that the attack can look legitimate at the moment users are most likely to trust it.
Kali365 lowers the bar for Microsoft 365 attacks
The FBI said in a May 21 public service announcement that Kali365 has been primarily distributed through Telegram and is designed to help cyber threat actors obtain Microsoft 365 access tokens while bypassing MFA protections.
“Kali365 lowers the barrier of entry,” the FBI said, citing AI-generated phishing lures, automated campaign templates, real-time victim tracking dashboards, and OAuth token capture capabilities.
The attack starts with a phishing email that impersonates a trusted cloud productivity or document-sharing service. The message includes a device code and instructions to visit Microsoft’s legitimate verification page.
Once the target enters the code, they unknowingly authorize the attacker’s device. The attacker then captures OAuth access and refresh tokens, which can allow persistent access to the victim’s Microsoft 365 account.
The FBI said attackers can access Microsoft 365 services “without needing a password or completing any additional MFA challenges.”
Device code phishing creates a trust problem
Device code authentication is a legitimate Microsoft workflow used by devices with limited input options, such as smart TVs, printers, conference room systems, streaming devices, and Internet of Things (IoT) devices.
That familiarity can make the phishing technique harder for users to recognize. The victim may see a real Microsoft page rather than a fake login portal, but the code they enter links the session to an attacker-controlled device.
BleepingComputer reported that Kali365 abuses Microsoft’s OAuth 2.0 Device Authorization grant flow to target Microsoft Entra and Microsoft 365 accounts. The publication also noted that device code phishing has been increasingly used by cybercriminal groups and phishing platforms in 2026.
The impact can extend beyond email. If a compromised Microsoft account has single sign-on access to other cloud applications, attackers may be able to reach additional business systems.
BleepingComputer reported that researchers at Arctic Wolf observed Kali365-linked activity in which attackers accessed mailboxes, created malicious inbox rules to hide activity, and registered new devices in victim environments.
How organizations can reduce exposure
The FBI recommended that organizations, where possible, restrict or block device code flow through Conditional Access policies. Security teams should first audit existing device code flow usage to identify legitimate dependencies and avoid disrupting required business processes.
The agency also advised organizations to block authentication transfer policies that allow authentication sessions to move between devices.
If device code flow cannot be fully restricted, organizations should limit exceptions and exclude emergency access accounts to prevent lockouts.
Security teams should review suspicious logins, check for unauthorized devices or active sessions, and preserve phishing emails, including headers and message bodies, when investigating suspected compromise.
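The audit, the block policy with emergency-account exclusions, and the review of device code sign-ins described above can be worked through in a small script. The following is an added example, not code from the FBI advisory or from Microsoft; it assumes the sign-in records use the Microsoft Graph `signIn` field names (`authenticationProtocol`, `userPrincipalName`, `appDisplayName`, `ipAddress`, `status.errorCode`) and that the Conditional Access policy body follows the Graph `conditionalAccessPolicy` schema with `authenticationFlows.transferMethods`. The sign-in records and the allow-list of known device code users are constructed for the example.

```python
"""Audit Entra sign-in records for device code authentication and build a
Conditional Access policy body that blocks the flow (added example; the record
shape and policy schema are assumptions, the data below is constructed)."""
import json
from collections import defaultdict

# Constructed sample records in the shape of Graph signIn objects (assumption).
SAMPLE_SIGNINS = json.loads("""
[
 {"createdDateTime": "2026-05-20T08:02:11Z", "userPrincipalName": "printer-svc@example.com",
  "appDisplayName": "Print Service", "authenticationProtocol": "deviceCode",
  "ipAddress": "10.1.4.22", "status": {"errorCode": 0}},
 {"createdDateTime": "2026-05-20T09:15:40Z", "userPrincipalName": "alice@example.com",
  "appDisplayName": "Microsoft Office", "authenticationProtocol": "oAuth2",
  "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
 {"createdDateTime": "2026-05-21T13:47:03Z", "userPrincipalName": "alice@example.com",
  "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
  "ipAddress": "198.51.100.77", "status": {"errorCode": 0}},
 {"createdDateTime": "2026-05-21T13:49:30Z", "userPrincipalName": "bob@example.com",
  "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
  "ipAddress": "198.51.100.77", "status": {"errorCode": 50126}}
]
""")

# Accounts the organization has documented as legitimate device code users,
# e.g. printers or conference room systems (constructed allow-list).
KNOWN_DEVICE_CODE_USERS = {"printer-svc@example.com"}


def device_code_signins(records):
    """Return only the sign-ins that used the device code protocol."""
    return [r for r in records if r.get("authenticationProtocol") == "deviceCode"]


def audit_device_code_usage(records):
    """Summarize device code usage per user so legitimate dependencies can be
    identified before the flow is blocked (the audit step in the FBI guidance)."""
    summary = defaultdict(lambda: {"count": 0, "apps": set(), "ips": set()})
    for r in device_code_signins(records):
        entry = summary[r["userPrincipalName"]]
        entry["count"] += 1
        entry["apps"].add(r.get("appDisplayName", "?"))
        entry["ips"].add(r.get("ipAddress", "?"))
    return dict(summary)


def flag_suspicious(records, known_users=KNOWN_DEVICE_CODE_USERS):
    """Flag device code sign-ins by users with no documented device code
    dependency; successful ones are the priority, failed ones are still noted."""
    flagged = []
    for r in device_code_signins(records):
        user = r["userPrincipalName"]
        if user in known_users:
            continue
        succeeded = r.get("status", {}).get("errorCode", 0) == 0
        flagged.append({
            "user": user,
            "ip": r.get("ipAddress"),
            "app": r.get("appDisplayName"),
            "time": r.get("createdDateTime"),
            "reason": "undocumented device code sign-in" if succeeded
                      else "failed device code attempt",
        })
    return flagged


def build_block_policy(emergency_account_ids, report_only=True):
    """Build a Conditional Access policy body that blocks device code flow and
    authentication transfer for all users except the emergency access accounts.
    Starts in report-only mode so the audit can confirm nothing required breaks."""
    return {
        "displayName": "Block device code flow and authentication transfer",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(emergency_account_ids)},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    for user, info in audit_device_code_usage(SAMPLE_SIGNINS).items():
        print(f"{user}: {info['count']} device code sign-ins from {sorted(info['ips'])}")
    for f in flag_suspicious(SAMPLE_SIGNINS):
        print("FLAG", f)
    # Placeholder object id; substitute the real emergency access account.
    print(json.dumps(build_block_policy(["<emergency-account-object-id>"]), indent=2))
```

Run the audit against exported sign-in logs first: every user that appears in the summary but not in the allow-list is either an undocumented legitimate dependency (add it to the exclusions or the allow-list) or a sign-in worth investigating alongside inbox rules and registered devices. The policy is generated in report-only state so it can be observed before enforcement.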
The FBI asked affected organizations to report incidents to the Internet Crime Complaint Center and include available information such as phishing emails, login times, IP addresses, locations, and unauthorized devices or active sessions.
For more on Microsoft security risks, read our coverage of YellowKey, a Windows zero-day that can reportedly bypass BitLocker protections.
