
FBI Warns of Kali365 Phishing Kit Hijacking Microsoft 365


On May 21, 2026, the FBI warned that a phishing-as-a-service kit called Kali365 is hijacking Microsoft 365 accounts by stealing OAuth tokens through device code phishing. It bypasses multi-factor authentication without ever capturing a password, giving attackers persistent access to Outlook, Teams, and OneDrive.


What is Kali365 and what did the FBI warn about?


Kali365 is a subscription phishing-as-a-service (PhaaS) platform that lets attackers steal Microsoft 365 access tokens and bypass multi-factor authentication (MFA) without ever capturing a user's password. The FBI's Internet Crime Complaint Center (IC3) issued a public service announcement on May 21, 2026, warning that the kit first appeared in April 2026 and spreads mainly through Telegram channels.

Phishing-as-a-service means the criminal tooling is rented like any other software product. According to the FBI advisory, Kali365 hands less-technical attackers a ready-made toolkit: AI-generated phishing lures, automated campaign templates, real-time dashboards for tracking targeted victims, and OAuth token capture built in. In the FBI's words, the platform "lowers the barrier of entry," which is the part that should concern any business owner — the people who can now run this attack no longer need much skill.


Security researchers at Arctic Wolf first reported Kali365 activity in April 2026 after observing a campaign that targeted Microsoft 365 identities across more than 340 organizations in the United States, Canada, Australia, New Zealand, and Germany, as Cybersecurity Dive reported. This is not a theoretical proof of concept. It is an active, cross-border campaign with a commercial business model behind it.


Why does a phishing kit that bypasses MFA matter to your business?


It matters because multi-factor authentication has been the single security control most businesses trusted to stop account takeover, and Kali365 walks around it. Once an attacker holds your OAuth tokens, they get persistent access to your Microsoft 365 environment: email, files, chat, and often any other cloud app connected through single sign-on, without triggering another login prompt. The access token itself expires within about an hour, but the refresh token issued alongside it keeps minting new ones for as long as it stays valid, so the compromise does not end on its own; it ends when the account's sessions and refresh tokens are revoked.

For a mid-market company, that access is the whole business. An attacker inside Outlook can read contracts, redirect wire transfers, and impersonate executives. Inside OneDrive and SharePoint, they can quietly copy customer records, financial data, and intellectual property. Inside Teams, they can watch internal conversations to time their next move. None of this requires malware on a laptop; the attacker is simply logged in as a trusted user.


Andrea Sivieri, Chief Product and Technology Officer at CoreView, framed the shift plainly in comments to TechRadar Pro: attackers are no longer breaking into Microsoft 365 — they are logging in, using features Microsoft built for legitimate purposes. That is the uncomfortable part. There is no exploit to patch here, because nothing is technically broken.


How does Kali365 break into a Microsoft 365 account?


Kali365 abuses the standard OAuth 2.0 device authorization grant (RFC 8628) as implemented by Microsoft Entra ID, the same mechanism that lets a smart TV, conference room system, or printer sign in using a short code displayed on screen. The attacker starts the flow from its own client and receives both a long secret device code and a short user code; the lure gets the victim to enter that user code and sign in on Microsoft's own page, which binds the victim's identity to the attacker's pending request, and the attacker's client then collects the resulting tokens.


The FBI advisory breaks the attack into four steps. First, the lure: the victim gets an email impersonating a trusted cloud productivity or document-sharing service, containing a code and instructions to visit a real Microsoft verification page. Second, authorization: the victim goes to the genuine Microsoft page at microsoft.com/devicelogin, enters the code, and completes the normal sign-in, password and MFA included, unknowingly authorizing the attacker's device. Third, token theft: the attacker's client, which has been polling Microsoft's token endpoint, receives the OAuth access and refresh tokens for the victim's account. Fourth, persistence: the attacker reaches Microsoft 365 services like Outlook, Teams, and OneDrive without a password and without any further MFA challenge. One practical constraint shapes the lure: a Microsoft device code is only valid for about fifteen minutes, so the message has to push the victim to act right away.


The reason this is so effective is that every link in the chain looks legitimate to the victim. The destination really is Microsoft's own login portal, so URL inspection and "check the sender" training do not catch it. The user believes they are completing a routine verification, and the MFA prompt they already passed feels like proof they are safe.
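As an added example, not code from the FBI advisory, from Microsoft, or from the Kali365 kit, here is the exchange described above run against a toy stand-in for Microsoft's authorization server. ToyAuthServer implements the three interactions of RFC 8628 (the device authorization request, the human's approval at the verification page, and token polling), run_phish replays the four steps, and stale_lure shows what happens when the victim acts after the code has expired. The client ID, the directory entry and the password are constructed; the fifteen-minute code lifetime is the one Microsoft-specific value assumed.

```python
"""Offline walk-through of the OAuth 2.0 device authorization grant (RFC 8628)
as a phishing kit uses it. Added example: not code from the FBI advisory, from
Microsoft, or from Kali365. ToyAuthServer stands in for Microsoft Entra ID; the
15-minute code lifetime is the only Microsoft-specific value assumed."""
import secrets
import time

DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"
CODE_LIFETIME = 900   # seconds; Microsoft returns expires_in=900 for device codes
ATTACKER_CLIENT_ID = "00000000-0000-0000-0000-00000000dead"   # hypothetical client id
SCOPE = "Mail.Read Files.Read offline_access"                  # offline_access => refresh token
DIRECTORY = {"finance.manager@example.com": "correct horse battery staple"}  # constructed


class FakeClock:                       # lets the expiry window be exercised without sleeping
    def __init__(self, now=1_000_000.0):
        self.now = now
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds


class ToyAuthServer:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}          # device_code -> pending request
        self.user_codes = {}       # user_code -> device_code
        self.refresh_tokens = {}   # refresh_token -> user it was issued for

    def device_authorization(self, client_id, scope):
        """/devicecode: called by whoever wants tokens (here the attacker). device_code is a
        long secret that stays with the caller; user_code is what a human is asked to type."""
        device_code, user_code = secrets.token_urlsafe(32), f"{secrets.randbelow(10**9):09d}"
        self.pending[device_code] = {"client_id": client_id, "scope": scope, "user": None,
                                     "expires_at": self.clock() + CODE_LIFETIME}
        self.user_codes[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code, "interval": 5,
                "verification_uri": "https://microsoft.com/devicelogin", "expires_in": CODE_LIFETIME}

    def user_authorizes(self, user_code, username, password, mfa_passed):
        """/devicelogin: the human enters the code, then signs in normally (password + MFA).
        Success binds that identity to whoever holds the matching device_code."""
        device_code = self.user_codes.get(user_code)
        if device_code is None or self.pending[device_code]["expires_at"] < self.clock():
            return "code_invalid_or_expired"
        if DIRECTORY.get(username) != password or not mfa_passed:
            return "auth_failed"
        self.pending[device_code]["user"] = username
        return "authorized"

    def token(self, grant_type, **params):
        """/token: polled with device_code until the human has authorized; later called with
        refresh_token to mint fresh access tokens with no further human interaction."""
        if grant_type == DEVICE_GRANT:
            rec = self.pending.get(params["device_code"])
            if rec is None or rec["expires_at"] < self.clock():
                return {"error": "expired_token"}
            if rec["user"] is None:
                return {"error": "authorization_pending"}
            del self.pending[params["device_code"]]
            return self._issue(rec["user"], rec["scope"])
        if grant_type == "refresh_token":
            user = self.refresh_tokens.pop(params["refresh_token"], None)   # toy rotation on use
            return self._issue(user, SCOPE) if user else {"error": "invalid_grant"}
        return {"error": "unsupported_grant_type"}

    def _issue(self, user, scope):
        refresh = secrets.token_urlsafe(32)
        self.refresh_tokens[refresh] = user
        return {"token_type": "Bearer", "expires_in": 3600, "scope": scope,
                "access_token": f"at.{user}.{secrets.token_hex(8)}", "refresh_token": refresh}


def run_phish(server, victim, password):
    """The FBI's four steps against the toy server. Returns what the attacker ended up
    holding and whether the victim's password ever appeared on the attacker's side."""
    attacker_saw = []
    dev = server.device_authorization(ATTACKER_CLIENT_ID, SCOPE)          # 1. lure: only user_code goes out
    attacker_saw.append(dev)
    pending = server.token(DEVICE_GRANT, device_code=dev["device_code"])  # polling, victim not there yet
    attacker_saw.append(pending)
    outcome = server.user_authorizes(dev["user_code"], victim, password, mfa_passed=True)  # 2. victim approves
    tokens = server.token(DEVICE_GRANT, device_code=dev["device_code"])   # 3. token theft
    attacker_saw.append(tokens)
    renewed = server.token("refresh_token", refresh_token=tokens["refresh_token"])  # 4. persistence, no MFA
    attacker_saw.append(renewed)
    return {"first_poll": pending.get("error"), "victim_outcome": outcome,
            "access_token": tokens.get("access_token"), "renewed": "access_token" in renewed,
            "password_seen": password in repr(attacker_saw)}


def stale_lure(server, clock, victim, password):
    """Victim acts after the code lifetime: nothing binds and the poll fails, which is why
    these lures push for immediate action."""
    dev = server.device_authorization(ATTACKER_CLIENT_ID, SCOPE)
    clock.advance(CODE_LIFETIME + 1)
    outcome = server.user_authorizes(dev["user_code"], victim, password, mfa_passed=True)
    return outcome, server.token(DEVICE_GRANT, device_code=dev["device_code"]).get("error")


if __name__ == "__main__":
    clock, victim = FakeClock(), "finance.manager@example.com"
    srv = ToyAuthServer(clock)
    print(run_phish(srv, victim, DIRECTORY[victim]))
    print(stale_lure(srv, clock, victim, DIRECTORY[victim]))
```

The thing to notice in the output is what the attacker's side ever contains: a device code, a user code, and the tokens. The victim's password and MFA response are exchanged with Microsoft's page, never with the attacker, which is why password hygiene and push-based MFA do not enter into it.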


Who is being targeted by device code phishing?


Any organization that runs on Microsoft 365 is a potential target, and the early campaign data shows attackers casting a wide net rather than focusing on one sector. The Arctic Wolf-linked campaign that preceded the FBI warning hit more than 340 organizations across five countries, spanning ordinary businesses, not just high-profile enterprises.


Device code phishing is attractive to attackers precisely because it scales. The Kali365 subscription model means dozens of separate operators can run the same attack at once, and captured tokens are stored on the platform and can be shared or sold to other criminals who were not involved in the original phishing. A token stolen from your finance manager today can end up in the hands of a ransomware affiliate next week.


This is the kind of cross-cloud exposure where an experienced security leader earns their keep. A vCISO or fractional CISO looks past the single mailbox and asks what else that one identity can reach — because under single sign-on, one compromised Microsoft 365 account often unlocks Salesforce, file storage, and every other connected SaaS app the user touches.


What should your business do?


The most effective response is to restrict the device code authentication flow, because almost no ordinary employee needs it. The FBI's own guidance leads with this, and it closes the specific door Kali365 walks through.


Here is what a security team should prioritize in the next several days:

•       Create a conditional access policy that blocks device code flow for all users, with narrow exceptions only for the specific business processes that genuinely require it. In Microsoft Entra this lives under the policy's Authentication flows condition; deploy it in report-only mode first so you can see what it would have blocked before you enforce it.

•       Audit existing device code flow usage first, so you can identify legitimate dependencies (shared room devices, certain IoT hardware) before you turn the policy on and avoid breaking them.

•       Block authentication transfer as well, the sibling option in the same Authentication flows condition that lets users move a sign-in from a computer to a mobile device, which is another path these attacks abuse.

•       Exclude your emergency "break-glass" access accounts from the restriction so you do not lock yourself out, as the FBI specifically cautions.

•       Watch your Microsoft 365 sign-in logs for unfamiliar devices, unusual locations, unexpected session activity, and new inbox rules, the telltale signs of token-based compromise rather than a password breach. Entra sign-in logs record the authentication protocol used, so device code sign-ins can be filtered out directly and compared against each user's normal locations and devices. If you find a compromised account, revoke its sessions and refresh tokens explicitly; the stolen tokens, not the password, are what the attacker is holding.
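An added example (not the FBI's guidance as code, and not a Purple Shield or Microsoft tool) that walks the list above in order with Python: it groups device-code sign-ins by user and app to build the exception list, flags device-code sign-ins that break a user's usual pattern, and builds the Microsoft Graph Conditional Access request body that blocks device code flow and authentication transfer for everyone except the break-glass and exception accounts, in report-only mode unless told otherwise. The sample sign-in records and the GUIDs are constructed; the Graph field names (authenticationProtocol on sign-ins, conditions.authenticationFlows.transferMethods and the state values on the policy) are the published v1.0 ones.

```python
"""Added example (not the FBI's, Microsoft's, or Purple Shield's code). Triage
device-code sign-ins from Entra-shaped records, then build the Microsoft Graph
Conditional Access body that blocks device code flow and authentication transfer.
Sample records and GUIDs are constructed; the Graph schema assumed is v1.0."""
import json
import urllib.request
from collections import defaultdict

GRAPH_CA = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

# Constructed sample sign-in records; field names follow the Graph signIn resource.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "room-boardroom@example.com", "appDisplayName": "Microsoft Teams Rooms",
     "authenticationProtocol": "deviceCode", "location": "Denver, US", "deviceId": "tr-0042"},
    {"userPrincipalName": "it.admin@example.com", "appDisplayName": "Microsoft Azure CLI",
     "authenticationProtocol": "deviceCode", "location": "Denver, US", "deviceId": ""},
    {"userPrincipalName": "it.admin@example.com", "appDisplayName": "Microsoft Teams",
     "authenticationProtocol": "oAuth2", "location": "Denver, US", "deviceId": "lt-0188"},
    {"userPrincipalName": "finance.manager@example.com", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "location": "Lagos, NG", "deviceId": ""},
    {"userPrincipalName": "finance.manager@example.com", "appDisplayName": "Microsoft Teams",
     "authenticationProtocol": "oAuth2", "location": "Denver, US", "deviceId": "lt-0231"},
]


def device_code_usage(signins):
    """Who uses device code flow, and through which app: the exception list to review."""
    usage = defaultdict(set)
    for s in signins:
        if s.get("authenticationProtocol") == "deviceCode":
            usage[s["userPrincipalName"]].add(s["appDisplayName"])
    return {user: sorted(apps) for user, apps in usage.items()}


def baseline_locations(signins):
    """Locations each user has signed in from through any non-device-code protocol."""
    seen = defaultdict(set)
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            seen[s["userPrincipalName"]].add(s["location"])
    return seen


def suspicious_device_code_signins(signins, baseline):
    """Device-code sign-ins by a user whose ordinary sign-ins never came from that location.
    Accounts with no interactive history (room devices) are not flagged here; they surface
    in device_code_usage() for manual review instead."""
    flagged = []
    for s in signins:
        user = s["userPrincipalName"]
        if s.get("authenticationProtocol") != "deviceCode" or not baseline.get(user):
            continue
        if s["location"] not in baseline[user]:
            flagged.append({"user": user, "app": s["appDisplayName"], "location": s["location"],
                            "registered_device": bool(s.get("deviceId"))})
    return flagged


def build_block_policy(break_glass_ids, exception_user_ids=(), enforce=False):
    """Graph request body. Starts report-only unless enforce=True so the audit can run with
    the policy in place. Exceptions are by identity, not by client application, because
    the phishing kit chooses which client it presents as."""
    if not break_glass_ids:
        raise ValueError("refusing to build the policy without a break-glass exclusion")
    return {
        "displayName": "Block device code flow and authentication transfer",
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"],
                      "excludeUsers": sorted(set(break_glass_ids) | set(exception_user_ids))},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def create_policy(access_token, policy):
    """POST the body to Graph (needs Policy.ReadWrite.ConditionalAccess). Online only."""
    req = urllib.request.Request(GRAPH_CA, data=json.dumps(policy).encode(), method="POST",
                                 headers={"Authorization": f"Bearer {access_token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print(json.dumps(device_code_usage(SAMPLE_SIGNINS), indent=2))
    print(suspicious_device_code_signins(SAMPLE_SIGNINS, baseline_locations(SAMPLE_SIGNINS)))
    policy = build_block_policy(break_glass_ids=["11111111-2222-3333-4444-555555555555"],   # placeholder GUIDs
                                exception_user_ids=["66666666-7777-8888-9999-000000000000"])
    print(json.dumps(policy, indent=2))
```

create_policy() is the only part that needs a tenant; run it with a token that holds Policy.ReadWrite.ConditionalAccess once the report-only results look right, then call build_block_policy(..., enforce=True) to switch the policy to enforced. The builder refuses to produce a policy with no break-glass exclusion on purpose, since that is the lock-out the FBI warns about.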

If your team does not have the time or the in-house identity expertise to roll out conditional access cleanly without disrupting legitimate users, that is exactly the kind of work Purple Shield Security handles for small and mid-market companies. The goal is to close the gap deliberately, not to flip a switch and hope nothing breaks.


Frequently asked questions


Does my MFA still protect us against Kali365?

Not on its own. Kali365 collects the OAuth access and refresh tokens Microsoft issues after you complete MFA, so the attacker inherits an already-authenticated session and is never challenged again. Standard MFA still matters, but the FBI's recommended defense here is restricting device code flow and moving toward phishing-resistant MFA, not relying on push or code-based MFA alone.


How do I tell if a Microsoft 365 account was already compromised this way?

Review your Microsoft 365 audit and sign-in logs for indicators that point to token theft rather than a password breach: sign-ins whose authentication protocol is device code from users or apps that have no business using it, unfamiliar device registrations, sign-ins from unexpected locations, new or unusual inbox forwarding rules, and active sessions you cannot account for. The FBI specifically calls out unauthorized devices and active sessions as evidence to collect if you report an incident.


We are a small company. Are we really a target?

Yes. The pre-warning campaign linked to Kali365 hit more than 340 organizations across five countries, and the platform's whole purpose is to let low-skill attackers run mass campaigns cheaply. Small and mid-market firms running Microsoft 365 are squarely in scope, often precisely because they assume they are too small to notice.


Is restricting device code flow going to break anything?

It can, if you do it blindly. Device code flow is legitimately used by some conference room systems, IoT hardware, and shared devices. That is why the FBI advises auditing existing usage first and creating limited exceptions, rather than blocking it for everyone with no review. Done in that order, the disruption is usually minimal.

Kali365 is a reminder that attackers have moved from stealing passwords to stealing trust.


If you are not sure whether your Microsoft 365 environment is exposed to device code phishing — or whether your conditional access policies are configured to stop it — that is worth a conversation. Purple Shield Security helps small and mid-market businesses lock down cloud identity without breaking the way their people actually work. Talk to us about a risk assessment.


By Yonatan Hoorizadeh — CISSP, CISM, CRISC, AAISM

Published By: Purple Shield Security

Published: June 2, 2026

Last updated: June 2, 2026
