FBI warns of Kali365 phishing threat to Microsoft 365 accounts

▼ Summary
– The FBI warns that the Kali365 phishing-as-a-service platform uses OAuth device code authentication to steal session tokens and bypass multi-factor authentication (MFA) on Microsoft 365 accounts.
– Kali365 emerged in April 2026 and is distributed via Telegram, allowing cybercriminals to compromise accounts without stealing passwords or intercepting MFA codes.
– The platform initiates the device authorization process to generate a code, then tricks victims into entering it on Microsoft’s login page, granting attackers full account access after the victim completes MFA.
– Kali365 offers two attack modes: device code phishing and an adversary-in-the-middle mode called “Cookie Link,” which captures authenticated browser sessions and tokens.
– The FBI recommends organizations restrict device code authentication flows with Conditional Access policies, audit usage, and report incidents to the Internet Crime Complaint Center.
The FBI has issued a warning about a dangerous new phishing-as-a-service (PhaaS) platform called Kali365, which specifically targets Microsoft 365 accounts by abusing OAuth device code authentication. This technique allows attackers to steal session tokens and completely bypass multi-factor authentication (MFA).
According to the FBI’s public service announcement, Kali365 first appeared in April 2026 and is distributed through Telegram channels aimed at cybercriminals. The platform provides a streamlined method for compromising Microsoft 365 accounts without needing to steal passwords or intercept MFA codes. Instead, it relies on device code phishing, an increasingly common tactic that exploits Microsoft’s legitimate OAuth 2.0 Device Authorization grant flow to gain unauthorized access to Microsoft Entra and Microsoft 365 accounts.
This authentication method was originally designed for devices with limited input capabilities, such as smart TVs, conference room systems, streaming devices, printers, and IoT gadgets. Such a device requests a short code from Microsoft and displays it; the user then enters that code at Microsoft’s device code login portal, https://microsoft.com/devicelogin, from a browser on any other device and signs in there. The resulting tokens are issued to the device that requested the code, not to the browser where the sign-in happened, and that separation is exactly what the phishing abuses.
In February, BleepingComputer reported that extortion groups like ShinyHunters were already using device-code and voice phishing to target Microsoft Entra accounts. In these attacks, threat actors initiate the device authorization process themselves to generate a code. They then trick victims into entering that code on Microsoft’s login page through phishing emails and social engineering. Once the victim enters the code and completes MFA, Microsoft issues OAuth access and refresh tokens to the client that started the flow, that is, to the attacker, who is never shown an MFA challenge because the victim has already satisfied it.
The attacker now holds tokens for the application and resource their client requested, and can use the refresh token to obtain further tokens for the lifetime of the session. In practice this means access to the applications the user reaches through their single-sign-on account, including Microsoft 365, Salesforce, or other cloud SaaS platforms. This access is then used to steal data.
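The exchange described above, as an added example that is not part of the original article or of any tool it names: a toy, in-memory authorization server modelled on the OAuth 2.0 Device Authorization Grant as the Microsoft identity platform exposes it, with the client (the attacker's tooling) and the victim's browser in one process. Endpoint names, JSON field names, the 900-second lifetime and the error strings follow Microsoft's public documentation; the client_id, the token values and the `toy_subject` field are placeholders for the example, and the server performs no network access.

```python
"""
Toy model of the OAuth 2.0 Device Authorization Grant (RFC 8628) in the shape
the Microsoft identity platform uses. The point it makes visible: the party
that POSTs to /devicecode keeps the device_code and later receives the tokens;
the person who types the user_code at the verification URI does the password
and MFA work. In a phish those are two different people.
"""
import secrets
import string
import time

VERIFICATION_URI = "https://microsoft.com/devicelogin"
DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"
USER_CODE_ALPHABET = string.ascii_uppercase + string.digits
CODE_LIFETIME_SECONDS = 900  # Microsoft returns expires_in: 900


class ToyAuthorizationServer:
    """Stand-in for /oauth2/v2.0/devicecode, /oauth2/v2.0/token and the devicelogin portal."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}  # device_code -> state of that authorization request

    def devicecode(self, client_id, scope):
        """POST /devicecode. Called by the client; in a phish, the attacker's tool."""
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(9))
        self.pending[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "expires_at": self.clock() + CODE_LIFETIME_SECONDS, "authorized_by": None,
        }
        return {
            "device_code": device_code, "user_code": user_code,
            "verification_uri": VERIFICATION_URI,
            "expires_in": CODE_LIFETIME_SECONDS, "interval": 5,
            "message": (f"To sign in, use a web browser to open the page "
                        f"{VERIFICATION_URI} and enter the code {user_code} to authenticate."),
        }

    def devicelogin(self, user_code, upn, mfa_satisfied):
        """The verification portal, from the browser of whoever types the code.
        Password and MFA happen here, in that person's session."""
        for state in self.pending.values():
            if state["user_code"] == user_code and self.clock() < state["expires_at"]:
                if not mfa_satisfied:
                    return "mfa_required"
                state["authorized_by"] = upn  # binds the pending request to this identity
                return "authorized"
        return "bad_verification_code"

    def token(self, client_id, device_code, grant_type=DEVICE_CODE_GRANT):
        """POST /token, polled by whoever holds device_code. No MFA is ever asked here."""
        state = self.pending.get(device_code)
        if grant_type != DEVICE_CODE_GRANT or state is None or state["client_id"] != client_id:
            return {"error": "bad_verification_code"}
        if self.clock() >= state["expires_at"]:
            return {"error": "expired_token"}
        if state["authorized_by"] is None:
            return {"error": "authorization_pending"}
        self.pending.pop(device_code)  # a device_code is redeemed once
        return {
            "token_type": "Bearer", "scope": state["scope"], "expires_in": 3599,
            "access_token": "eyJ." + secrets.token_urlsafe(16),  # placeholder, not a real JWT
            "refresh_token": secrets.token_urlsafe(32),
            "toy_subject": state["authorized_by"],  # in reality carried inside the JWT claims
        }


def simulate_device_code_phish(server, victim_upn="victim@example.com"):
    """Run the exchange end to end and return what each side observed."""
    attacker_client = "00000000-0000-0000-0000-000000000000"  # placeholder client_id
    start = server.devicecode(attacker_client, "https://graph.microsoft.com/.default")
    first_poll = server.token(attacker_client, start["device_code"])  # still pending
    # The lure carries start["user_code"]; the victim types it and completes MFA.
    portal = server.devicelogin(start["user_code"], victim_upn, mfa_satisfied=True)
    final_poll = server.token(attacker_client, start["device_code"])  # tokens arrive
    replay = server.token(attacker_client, start["device_code"])      # single use
    return {
        "first_poll": first_poll.get("error"), "portal": portal,
        "token_subject": final_poll.get("toy_subject"),
        "has_refresh_token": "refresh_token" in final_poll,
        "replay": replay.get("error"),
    }


def expired_code_outcome():
    """Codes die after 15 minutes: a lure opened late yields nothing to the attacker."""
    now = [1_700_000_000.0]
    server = ToyAuthorizationServer(clock=lambda: now[0])
    start = server.devicecode("client", "scope")
    now[0] += CODE_LIFETIME_SECONDS + 1
    return (server.devicelogin(start["user_code"], "late@example.com", True),
            server.token("client", start["device_code"])["error"])


if __name__ == "__main__":
    print(simulate_device_code_phish(ToyAuthorizationServer()))
    print(expired_code_outcome())
```

The expiry path is why these campaigns pressure the victim to act immediately: the code the lure carries is only redeemable for fifteen minutes from the moment the attacker requested it.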
The FBI warns that Kali365 empowers even low-skilled attackers with advanced phishing capabilities. These include AI-generated phishing lures, automated campaign templates, real-time victim-tracking dashboards, and token-capture functionality.
Security researchers at Arctic Wolf reported on Kali365 activity in April after observing a widespread campaign targeting organizations globally. The researchers noted that the campaigns primarily targeted Microsoft 365 environments using phishing emails that directed victims to Microsoft’s device code login portal. There, victims unknowingly authorized attackers to access their accounts.
The resulting attacks gave hackers access to victims’ mailboxes, where they created malicious inbox rules designed to hide their activity. In some cases, attackers also registered new devices in victims’ Microsoft environments, extending their access further into the breached network.
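A hunting query for the post-compromise pattern just described, as an added example that is neither Arctic Wolf's nor the article's own: it takes exported Entra sign-in records and audit records, keeps successful sign-ins made with the device code protocol (and the related authentication transfer protocol), and raises the severity when the same user creates an inbox rule or registers a device shortly afterwards. The records are constructed for the example and carry only the fields the logic reads; the sign-in field names follow the Microsoft Graph signIn resource, and the audit records assume a flattened shape with CreationTime, UserId and Operation.

```python
"""
Correlate device-code sign-ins with follow-on mailbox and device activity.
Stage 1: successful sign-ins whose authenticationProtocol is deviceCode or
authenticationTransfer. Stage 2: for each, audit operations by the same user
inside a window after the sign-in.
"""
from datetime import datetime, timedelta


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


SIGNINS = [  # constructed, shaped like Microsoft Graph signIn objects
    {"createdDateTime": "2026-04-14T09:02:11Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.5", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-04-14T09:05:40Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "198.51.100.7", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 50126}},  # failed sign-in
    {"createdDateTime": "2026-04-14T10:30:00Z", "userPrincipalName": "carol@example.com",
     "ipAddress": "192.0.2.9", "appDisplayName": "Outlook Web",
     "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-04-14T11:00:00Z", "userPrincipalName": "dave@example.com",
     "ipAddress": "203.0.113.77", "appDisplayName": "Microsoft Authentication Broker",
     "authenticationProtocol": "authenticationTransfer", "status": {"errorCode": 0}},
]

AUDIT = [  # constructed, flattened audit records (assumed shape)
    {"CreationTime": "2026-04-14T09:20:03Z", "UserId": "alice@example.com",
     "Operation": "New-InboxRule",
     "Parameters": [{"Name": "SubjectContainsWords", "Value": "invoice;password"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"}]},
    {"CreationTime": "2026-04-14T09:41:55Z", "UserId": "alice@example.com",
     "Operation": "Register device"},
    {"CreationTime": "2026-04-13T08:00:00Z", "UserId": "dave@example.com",
     "Operation": "New-InboxRule",
     "Parameters": [{"Name": "DeleteMessage", "Value": "True"}]},  # a day before the sign-in
]

SUSPECT_PROTOCOLS = {"deviceCode", "authenticationTransfer"}
FOLLOW_ON_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Register device"}


def device_code_signins(signins):
    """Successful sign-ins that used a device code or authentication transfer."""
    return [s for s in signins
            if s.get("authenticationProtocol") in SUSPECT_PROTOCOLS
            and s.get("status", {}).get("errorCode") == 0]


def correlate(signins, audit, window=timedelta(hours=24)):
    """One alert per suspect sign-in; severity rises when the same user performs
    a follow-on operation after the sign-in and within `window`."""
    alerts = []
    for s in device_code_signins(signins):
        t0 = _ts(s["createdDateTime"])
        hits = [a for a in audit
                if a["UserId"].lower() == s["userPrincipalName"].lower()
                and a["Operation"] in FOLLOW_ON_OPERATIONS
                and t0 <= _ts(a["CreationTime"]) <= t0 + window]
        alerts.append({
            "user": s["userPrincipalName"], "protocol": s["authenticationProtocol"],
            "ip": s["ipAddress"], "app": s["appDisplayName"], "at": s["createdDateTime"],
            "follow_on": [(a["Operation"], a["CreationTime"]) for a in hits],
            "severity": "high" if hits else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SIGNINS, AUDIT):
        print(alert)
```

Even the medium-severity hits are worth a look: a successful device code sign-in from an unfamiliar IP for an application that has no business using that flow is the earliest signal available, before any inbox rule exists.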
Arctic Wolf found that Kali365 operates like a business, with administrators managing product development, resellers promoting the service to other threat actors, and affiliates conducting the actual phishing attacks. The platform offers two attack modes: device code phishing and an adversary-in-the-middle (AitM) mode called Cookie Link. Cookie Link proxies victims through attacker-controlled infrastructure that captures authenticated browser sessions, session cookies, and tokens after targets log in and solve MFA challenges.
The FBI recommends that companies restrict or completely block device code authentication flows using Conditional Access policies where possible. In Microsoft Entra the relevant control is the authentication flows condition, which can target both device code flow and authentication transfer, the flow that lets a signed-in session move from one device to another; the FBI advises blocking the latter as well. Organizations should audit existing device code usage before enforcing a block, since the sign-in logs record the authentication protocol used and will show which users and applications still legitimately depend on it. The agency urges impacted organizations to report incidents to the Internet Crime Complaint Center and to preserve phishing emails, suspicious login information, and unauthorized device registrations.
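The policy the recommendation points at, as an added example that is not from the FBI announcement or the article: the Microsoft Graph v1.0 request body for POST /identity/conditionalAccess/policies that blocks device code flow and authentication transfer for all users, plus a small audit over an exported list of policies that reports which of the two methods are actually enforced. Field names follow the Graph conditionalAccessPolicy resource; the break-glass object id is a placeholder, and starting in report-only state is the example's own choice so that legitimate device code users surface in the sign-in logs before the block bites.

```python
"""
Build the Conditional Access policy that blocks device code flow and
authentication transfer, and check a tenant's policy export for coverage.
"""
BREAK_GLASS = ["11111111-1111-1111-1111-111111111111"]  # placeholder: emergency-access account
TRANSFER_METHODS = ("deviceCodeFlow", "authenticationTransfer")
REPORT_ONLY = "enabledForReportingButNotEnforced"


def block_device_code_policy(exclude_users=BREAK_GLASS, enforce=False):
    """Request body for POST /identity/conditionalAccess/policies.
    enforce=False creates it in report-only state; flip to True after review."""
    return {
        "displayName": "Block device code flow and authentication transfer",
        "state": "enabled" if enforce else REPORT_ONLY,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(exclude_users)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            # Graph encodes this flagged enum as a comma-separated string.
            "authenticationFlows": {"transferMethods": ",".join(TRANSFER_METHODS)},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def _methods(policy):
    flows = (policy.get("conditions") or {}).get("authenticationFlows") or {}
    raw = flows.get("transferMethods") or ""
    return {m.strip() for m in raw.split(",") if m.strip()}


def coverage(policies):
    """Which transfer methods are blocked for all users by an enforced policy,
    which only by a report-only policy, and which are not covered at all."""
    enforced, report_only = set(), set()
    for p in policies:
        users = (p.get("conditions") or {}).get("users") or {}
        controls = (p.get("grantControls") or {}).get("builtInControls") or []
        if "All" not in users.get("includeUsers", []) or "block" not in controls:
            continue  # scoped or non-blocking policies do not count as coverage
        if p.get("state") == "enabled":
            enforced |= _methods(p)
        elif p.get("state") == REPORT_ONLY:
            report_only |= _methods(p)
    return {
        "enforced": sorted(enforced),
        "report_only": sorted(report_only - enforced),
        "gaps": sorted(set(TRANSFER_METHODS) - enforced),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(block_device_code_policy(), indent=2))
    print(coverage([block_device_code_policy()]))
    print(coverage([block_device_code_policy(enforce=True)]))
```

Run `coverage` over the output of GET /identity/conditionalAccess/policies; a non-empty `gaps` list means at least one of the two flows is still usable by some account even if a policy exists for it.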
Device code phishing has seen widespread adoption in 2026, with other threat actors and platforms now using it as part of their campaigns. This includes EvilTokens PhaaS and Tycoon2FA, which are also leveraging this technique to compromise Microsoft 365 and Entra accounts.
(Source: BleepingComputer)