FBI Warns: Kali365 Phishing Bypasses Microsoft 365 MFA Globally
The FBI has issued a global warning about Kali365, a Phishing-as-a-Service platform aimed at Microsoft 365 users. The scam abuses Microsoft's legitimate 'device code flow' to sidestep Multi-Factor Authentication (MFA) and obtain OAuth access and refresh tokens, giving attackers persistent access to services like Outlook, Teams, and OneDrive without ever handling the victim's password.
Key Highlights
- FBI warns global Microsoft 365 users about Kali365 phishing.
- Kali365 is a Phishing-as-a-Service (PhaaS) platform.
- Scam bypasses MFA by abusing Microsoft's device code flow.
- It steals OAuth tokens for persistent access to M365 services.
- Attacks affect Outlook, Teams, and OneDrive globally.
- Kali365 lowers entry barrier for less technical cybercriminals.
The Federal Bureau of Investigation (FBI) has issued a public service announcement (PSA) warning individuals and organizations about a new phishing-as-a-service (PhaaS) platform known as Kali365. The platform poses a significant threat to Microsoft 365 users globally because it is designed to sidestep multi-factor authentication (MFA) and gain persistent access to accounts without needing to steal the user's password.
First identified in April 2026, Kali365 has rapidly gained traction among cybercriminals, primarily being distributed and promoted through Telegram channels. The service dramatically lowers the technical barrier for attackers, providing a turnkey solution that includes AI-generated phishing lures, automated campaign templates, real-time dashboards for tracking targets, and the crucial ability to capture OAuth tokens. This makes it accessible even to less technically skilled fraudsters, enabling them to launch sophisticated phishing campaigns for a subscription fee reportedly as low as US $250 per month or $2,000 per year.
The insidious part of the Kali365 scam is its abuse of a legitimate Microsoft feature, the 'device code flow.' The flow exists to sign in devices with no convenient input method, such as smart TVs or gaming consoles: the device displays a short code and the user enters it on a separate, already authenticated device. In the Kali365 attack, the attacker's tooling starts a genuine device code flow against Microsoft's sign-in service and receives a real code. That code is then sent to the victim in a carefully crafted phishing email, often impersonating trusted cloud services like SharePoint, OneDrive, or Microsoft Teams, or presenting an urgent document-sharing request, which instructs the recipient to visit the legitimate Microsoft verification page and enter the code. Because a device code is only valid for a short window (15 minutes by default in Microsoft Entra), the lure is built to push for immediate action.
When the user, believing they are following a legitimate process, navigates to the genuine Microsoft page and enters the code, they authenticate normally, including any MFA prompt, and in doing so authorize the attacker's waiting client. The attacker's tooling, which has been polling Microsoft's token endpoint, then receives the OAuth access and refresh tokens. The access token gives immediate access to the victim's Microsoft 365 data within the scopes requested, typically covering Outlook, Teams, and OneDrive, and the refresh token lets the attacker silently obtain new access tokens without further password prompts or MFA challenges. Since the victim only ever interacts with Microsoft's own site, there is no fake login page to spot and no misspelled URL, and the TLS certificate is genuine, which makes the attack highly deceptive.
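To make the mechanism concrete, here is an added offline simulation of the OAuth 2.0 device authorization grant (RFC 8628), the protocol behind Microsoft's device code flow. It is not Kali365's code and not Microsoft's implementation: the in-memory server, the tenant users and passwords, the scopes, the 9-character code format and the idp.example URL are constructed stand-ins. It shows that the attacker only ever handles the device code and the token polling, while the password and the MFA step happen between the victim and the genuine authorization server, and that the refresh token keeps access alive afterwards until an administrator revokes it.

```python
import secrets
import string
import time
from dataclasses import dataclass
from typing import Optional

USER_CODE_TTL = 900            # seconds; Entra device codes expire after 15 minutes (assumed here)
USER_CODE_ALPHABET = string.ascii_uppercase + string.digits   # code format is an assumption


@dataclass
class PendingDeviceAuth:
    user_code: str
    scope: str
    issued_at: float
    approved_upn: Optional[str] = None   # set once a user enters the code and passes MFA


class FakeAuthorizationServer:
    """Stand-in for the identity provider. It alone ever checks passwords and MFA."""

    def __init__(self, users: dict, now=time.time):
        self.users = users            # upn -> password (constructed test data)
        self.now = now                # injectable clock, so expiry is testable
        self.pending = {}             # device_code -> PendingDeviceAuth
        self.refresh_tokens = {}      # refresh_token -> (upn, scope)

    # RFC 8628 section 3.1-3.2: the client (here the attacker) starts the flow. No user yet.
    def device_authorization(self, scope: str) -> dict:
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(9))
        self.pending[device_code] = PendingDeviceAuth(user_code, scope, self.now())
        return {
            "device_code": device_code,      # secret, stays with the client
            "user_code": user_code,          # the short code the phishing mail carries
            "verification_uri": "https://idp.example/devicelogin",   # stand-in for the real page
            "expires_in": USER_CODE_TTL,
            "interval": 5,
        }

    # RFC 8628 section 3.3: the user opens the genuine verification page, types the code
    # and authenticates normally, password and MFA. The attacker sees none of this.
    def device_login(self, user_code: str, upn: str, password: str, mfa_passed: bool) -> bool:
        for state in self.pending.values():
            if state.user_code == user_code and not self._expired(state):
                if self.users.get(upn) == password and mfa_passed:
                    state.approved_upn = upn
                    return True
                return False
        return False

    # RFC 8628 section 3.4-3.5: the client polls the token endpoint with its device_code.
    def token(self, device_code: str) -> dict:
        state = self.pending.get(device_code)
        if state is None:
            return {"error": "invalid_grant"}
        if self._expired(state):
            del self.pending[device_code]
            return {"error": "expired_token"}
        if state.approved_upn is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]        # a device code is redeemable once
        return self._issue(state.approved_upn, state.scope)

    # Refresh grant: the long-lived token renews access with no user interaction at all.
    def refresh(self, refresh_token: str) -> dict:
        if refresh_token not in self.refresh_tokens:
            return {"error": "invalid_grant"}
        upn, scope = self.refresh_tokens.pop(refresh_token)   # rotate on use
        return self._issue(upn, scope)

    def revoke_all_sessions(self, upn: str) -> int:
        """Admin response: drop every refresh token for the user (the effect of
        Revoke-MgUserSignInSession in Entra). Returns how many were invalidated."""
        doomed = [rt for rt, (owner, _) in self.refresh_tokens.items() if owner == upn]
        for rt in doomed:
            del self.refresh_tokens[rt]
        return len(doomed)

    def _expired(self, state: PendingDeviceAuth) -> bool:
        return self.now() - state.issued_at > USER_CODE_TTL

    def _issue(self, upn: str, scope: str) -> dict:
        rt = secrets.token_urlsafe(32)
        self.refresh_tokens[rt] = (upn, scope)
        return {"access_token": f"at.{secrets.token_hex(8)}", "refresh_token": rt,
                "scope": scope, "subject": upn}


def run_phish(server: FakeAuthorizationServer, victim_upn: str, victim_password: str) -> dict:
    """The attacker's side of the exchange, with the victim's step in the middle.
    Note what the attacker never touches: the password and the MFA prompt."""
    grant = server.device_authorization("Mail.ReadWrite Files.Read offline_access")
    first_poll = server.token(grant["device_code"])      # victim has not acted yet
    # The user_code goes out in the lure; the victim follows it to the genuine page.
    approved = server.device_login(grant["user_code"], victim_upn, victim_password, mfa_passed=True)
    tokens = server.token(grant["device_code"])          # now the attacker's poll succeeds
    renewed = server.refresh(tokens["refresh_token"])    # and access persists silently
    return {"first_poll": first_poll, "approved": approved, "tokens": tokens, "renewed": renewed}


if __name__ == "__main__":
    idp = FakeAuthorizationServer({"alice@contoso.example": "hunter2"})   # constructed tenant
    outcome = run_phish(idp, "alice@contoso.example", "hunter2")
    print(outcome["first_poll"], outcome["tokens"]["subject"], outcome["renewed"]["subject"])
```

Two details carry over to the real service: the attacker's poll returns authorization_pending until the victim acts and expired_token once the code's lifetime passes, so a lure that is not acted on promptly is useless, and nothing the victim sees differs from a legitimate sign-in. Revoking the user's sessions is what finally cuts the access, which is why it belongs in the response playbook alongside the Conditional Access block.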
Security researchers have documented hundreds of Kali365 attacks in April alone, targeting organizations across North America, Europe, the Middle East, and Africa. The victims in these attacks frequently had MFA deployed, highlighting Kali365's ability to circumvent this widely adopted security measure. The FBI's advisory, issued around May 21, 2026, emphasizes that while MFA is still a crucial layer of defense, users must be aware that unknowingly approving a login through this device code flow can negate its protection.
To mitigate the risk of Kali365-like threats, the FBI and cybersecurity experts recommend several measures. Organizations should restrict or block device code flow through Conditional Access policies (Microsoft Entra exposes it as the 'Device code flow' option under the 'Authentication flows' condition), with exceptions only for essential business processes. Users should be extremely cautious about unexpected emails or messages that demand immediate action or present device codes, especially if they did not initiate a login process. Organizations are also advised to review active sessions and connected applications within Microsoft 365, to revoke the sign-in sessions of any user suspected of having entered an attacker's code so that the stolen refresh token stops working, to enable security alerts, and to report suspicious activity to relevant authorities like the Internet Crime Complaint Center (IC3).
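For the session-review advice, here is an added detection example (not the FBI's or Microsoft's tooling) run over constructed sign-in records shaped like Microsoft Entra sign-in log exports. The field names follow that schema; the users, addresses, timestamps and error code are made up. It does what the Log Analytics query `SigninLogs | where AuthenticationProtocol == "deviceCode"` does, then goes a step further and ranks each device-code sign-in by whether it succeeded and whether the source address is new for that user, and reports addresses that issued device-code sign-ins for several users.

```python
import json
from collections import defaultdict

# Constructed records in the shape of Entra sign-in log exports (subset of fields).
# Addresses are from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24.
SAMPLE_SIGNIN_LOG = r"""
{"createdDateTime":"2026-04-14T08:02:11Z","userPrincipalName":"alice@contoso.example","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.10","appDisplayName":"Outlook","resourceDisplayName":"Microsoft Graph","status":{"errorCode":0}}
{"createdDateTime":"2026-04-14T08:41:57Z","userPrincipalName":"alice@contoso.example","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.77","appDisplayName":"Microsoft Office","resourceDisplayName":"Microsoft Graph","status":{"errorCode":0}}
{"createdDateTime":"2026-04-14T09:15:03Z","userPrincipalName":"bob@contoso.example","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.55","appDisplayName":"Microsoft Teams","resourceDisplayName":"Microsoft Graph","status":{"errorCode":0}}
{"createdDateTime":"2026-04-14T09:20:40Z","userPrincipalName":"bob@contoso.example","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.55","appDisplayName":"Microsoft Teams","resourceDisplayName":"Microsoft Graph","status":{"errorCode":0}}
{"createdDateTime":"2026-04-14T10:03:28Z","userPrincipalName":"carol@contoso.example","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.77","appDisplayName":"Microsoft Office","resourceDisplayName":"Microsoft Graph","status":{"errorCode":50126}}
"""


def parse_signins(text: str) -> list:
    """One JSON object per line, blank lines ignored."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def triage_device_code_signins(records: list) -> list:
    """One finding per device-code sign-in, ordered so that a successful device-code
    sign-in from an address the user has never used otherwise comes first."""
    known_ips = defaultdict(set)   # upn -> addresses seen on non-device-code sign-ins
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            known_ips[r["userPrincipalName"]].add(r["ipAddress"])

    findings = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        upn = r["userPrincipalName"]
        succeeded = r.get("status", {}).get("errorCode", 0) == 0   # any non-zero code is a failure
        new_ip = r["ipAddress"] not in known_ips[upn]
        if succeeded and new_ip:
            action = "revoke_sessions"      # tokens were issued to an address the user never uses
        elif succeeded:
            action = "confirm_with_user"    # may be a device the user really signed in themselves
        else:
            action = "notify_user"          # no tokens issued, but the lure reached this user
        findings.append({
            "time": r["createdDateTime"],
            "user": upn,
            "ip": r["ipAddress"],
            "app": r.get("appDisplayName"),
            "resource": r.get("resourceDisplayName"),
            "succeeded": succeeded,
            "new_ip": new_ip,
            "action": action,
        })
    findings.sort(key=lambda f: (f["action"] != "revoke_sessions", f["time"]))
    return findings


def shared_source_ips(findings: list) -> dict:
    """Addresses that produced device-code sign-ins for more than one user: a strong sign
    of one phishing infrastructure redeeming codes for many mailboxes."""
    users_by_ip = defaultdict(set)
    for f in findings:
        users_by_ip[f["ip"]].add(f["user"])
    return {ip: sorted(users) for ip, users in users_by_ip.items() if len(users) > 1}


def users_to_revoke(findings: list) -> list:
    """Accounts whose sign-in sessions should be revoked so the stolen refresh token dies."""
    return sorted({f["user"] for f in findings if f["action"] == "revoke_sessions"})


if __name__ == "__main__":
    found = triage_device_code_signins(parse_signins(SAMPLE_SIGNIN_LOG))
    for f in found:
        print(f["time"], f["user"], f["ip"], f["action"])
    print("shared source addresses:", shared_source_ips(found))
    print("revoke sessions for:", users_to_revoke(found))
```

A successful device-code sign-in from an address the user never used otherwise is the case to act on: revoke the user's sign-in sessions (Revoke-MgUserSignInSession in Microsoft Graph PowerShell) so the refresh token stops working, then contact the user. Device code flows that staff start themselves, for a meeting-room device or a command-line login, also appear in the same log, which is why the example keeps the same-address cases separate for confirmation rather than revoking blindly, and why a failed attempt still earns a user notification: the lure reached an inbox.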
The emergence of Kali365 represents an escalation in phishing sophistication, moving beyond credential theft to token hijacking and emphasizing the need for continuous vigilance and adaptive security strategies.
Frequently Asked Questions
What is Kali365?
Kali365 is a new Phishing-as-a-Service (PhaaS) platform that enables cybercriminals, including those with limited technical skills, to launch sophisticated phishing attacks. It provides tools like AI-generated phishing lures and automated templates.
How does the Kali365 phishing scam work?
The scam begins with a phishing email containing a device code. Victims are instructed to enter this code on a legitimate Microsoft verification page. By doing so, they unknowingly grant the attacker's device access to their Microsoft 365 account, allowing the attacker to steal OAuth tokens.
Can Kali365 bypass Multi-Factor Authentication (MFA)?
Yes, Kali365 is designed to bypass MFA. It doesn't steal credentials directly but tricks users into authorizing an attacker's device through a legitimate Microsoft 'device code flow,' effectively approving the login process themselves, thus circumventing MFA.
What Microsoft 365 services are affected by Kali365?
Once an attacker obtains OAuth tokens through Kali365, they can gain persistent access to various Microsoft 365 services, including Outlook, Teams, and OneDrive.
How can users protect themselves from Kali365 phishing?
Users should avoid entering device codes unless they initiated the login process, be wary of urgent requests in emails or Teams messages, and regularly review active sessions and connected apps in their Microsoft 365 accounts. Organizations can also restrict device code flow through conditional access policies.