The FBI has issued a warning about Kali365, a phishing-as-a-service platform first detected in April 2026 that targets Microsoft 365 accounts and can circumvent multifactor authentication without stealing a user's password. Distributed primarily through Telegram, the platform gives criminal subscribers ready-made tools to compromise Outlook, Teams, and OneDrive by exploiting a legitimate Microsoft sign-in mechanism rather than a login form.

How Kali365 Abuses the Device Code Login Process

The attack does not rely on tricking victims into revealing a password. Instead, Kali365 abuses Microsoft's device code authentication flow — the same process a user might encounter when signing into a streaming service on a smart television, where a short code displayed on one screen is entered on another device to approve access.

In the criminal version, the attacker initiates a sign-in from their own device and sends the victim a phishing email that mimics a trusted productivity or file-sharing service. The email supplies a device code and directs the victim to a genuine Microsoft verification page. Because the destination URL is legitimate, password managers and browser security tools may raise no objection. Once the victim enters the code, the attacker captures OAuth access and refresh tokens, granting ongoing entry to Microsoft 365 services without triggering another MFA prompt.

The platform also supplies AI-generated phishing messages, automated campaign templates, and tracking dashboards, lowering the skill threshold for would-be attackers.

The Exposure Inside a Compromised Work Account

A single breached account hands an attacker more than data — it hands them a credible voice. From inside Outlook, a criminal can study writing style and send messages from the real account address, requesting invoice payments, file shares, or password resets from colleagues who have no obvious reason to be suspicious. The FBI describes the sequence from phishing email to full token capture as a discrete chain, each step building on the last.

What Microsoft and the FBI Recommend

Microsoft told reporters it is working to disrupt phishing-as-a-service ecosystems and cited prior Digital Crimes Unit actions against platforms including Fake ONNX, RaccoonO365, and Tycoon 2FA. The company directed customers to the FBI's guidance and its own published best practices.

The FBI's core technical recommendation is for IT teams to implement a conditional access policy that blocks device code flow for all users, with narrow exceptions for documented business needs. Before applying that restriction, the agency advises auditing current device code usage to avoid disrupting legitimate workflows. The FBI also recommends blocking authentication transfer policies and excluding emergency access accounts from any blanket restriction to prevent organizational lockouts.

For individual users, the most durable defence is straightforward: do not enter a Microsoft device code unless you personally initiated the sign-in. Unexpected codes arriving by email, Teams message, or document link should be treated as hostile regardless of how convincing the surrounding context appears.

Victims or targeted organizations should file a report with the FBI's Internet Crime Complaint Center at IC3.gov, including phishing emails, email headers, suspicious login timestamps, IP addresses, and records of any unrecognized active sessions.