
Important customer warning: the FBI’s Internet Crime Complaint Center issued a May 21, 2026 public service announcement about a phishing-as-a-service kit called Kali365. This is not a normal fake-login-page scam. It abuses a real Microsoft sign-in feature called device code flow, which means a victim may be sent to a legitimate Microsoft page and still accidentally give an attacker access to Microsoft 365.
For anyone using Outlook, Microsoft 365, OneDrive, Teams, SharePoint, or Microsoft Entra ID, this matters because the attacker is not just trying to steal a password. The goal is to steal OAuth access and refresh tokens. Those tokens can let the attacker use the victim’s Microsoft 365 account after the victim has already completed MFA.
The Short Version
- What Kali365 is: a phishing-as-a-service platform that helps attackers run Microsoft 365 device-code phishing campaigns.
- Why it is dangerous: it can bypass normal MFA because the victim completes the real Microsoft sign-in process for the attacker’s session.
- What users should remember: do not enter a Microsoft device code because an email, Teams message, document invite, or text message told you to.
- What businesses should do first: audit device code flow usage, then block or tightly restrict it with Microsoft Entra Conditional Access where possible.
- What to check after a suspected click: suspicious sign-ins, unfamiliar devices, active sessions, inbox rules, OAuth app consent, forwarding rules, and unusual email sent from the account.
What The FBI Said About Kali365
The FBI IC3 warning describes Kali365 as an emerging phishing-as-a-service platform first seen in April 2026. According to the FBI, Kali365 has primarily been distributed through Telegram and enables threat actors to obtain Microsoft 365 access tokens while bypassing MFA without intercepting the user’s credentials.
The FBI also explains why this kit lowers the skill needed to run an attack. The service can provide AI-generated phishing lures, automated campaign templates, real-time target tracking dashboards, and OAuth token capture capabilities. In plain English: a less technical criminal can rent or subscribe to a ready-made phishing operation instead of building one from scratch.
This is the kind of attack that can hit a small business just as easily as a large company. It does not require the attacker to break Microsoft. It tricks the user into using a legitimate Microsoft authentication flow in the wrong context.
How The Attack Works Without Giving Away A Playbook
A normal device code sign-in is meant for devices that are hard to type on, such as TVs, conference room devices, or other limited-input systems. The device shows a short code, and the user signs in on a separate phone or computer to approve that device.
Kali365 turns that convenience into a trap. The attack usually starts with a phishing message that looks like a document share, cloud storage alert, meeting invite, voicemail notice, or Microsoft 365 security prompt. The message tells the victim to visit Microsoft’s real verification page and enter a code.
That is the twist: the page can be real. The problem is the code. The code belongs to a sign-in session started by the attacker. When the victim enters it and completes the prompts, the victim may unknowingly authorize the attacker’s device or session.
After that, the attacker can receive Microsoft 365 access and refresh tokens. An access token is what an app presents to Microsoft 365 services to act as the user, and a refresh token lets the app obtain new access tokens when one expires, which is how apps stay signed in without asking for a password every few minutes. If the attacker gets usable tokens, they may be able to reach Outlook, Teams, OneDrive, SharePoint, and connected services without ever needing to know the password.
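To make the token-binding point concrete, here is an added, self-contained Python model of the standard device authorization grant (RFC 8628). It is not Microsoft's implementation and is unrelated to the Kali365 kit; the endpoint names, the 900-second code lifetime and the `idp.example` verification URI are constructed placeholders. It shows that tokens are minted for whoever holds the `device_code` that opened the request, while the person who types the `user_code` and completes sign-in and MFA in a browser never receives them.

```python
"""Toy model of the OAuth 2.0 device authorization grant (RFC 8628).

Added educational example: not Microsoft's implementation and not code from
any phishing kit. It shows the property of the flow that the text above
describes: tokens are issued to whoever holds the device_code that opened the
request, not to the browser that typed the user_code and completed MFA.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class PendingRequest:
    client_id: str
    scope: str
    device_code: str       # long secret, returned only to the initiating client
    user_code: str         # short code meant to be typed by a human
    created_at: float
    expires_in: int
    approved_by: Optional[str] = None
    consumed: bool = False


class ToyAuthorizationServer:
    """In-memory stand-in for an identity provider's device-code endpoints."""

    def __init__(self, expires_in: int = 900, clock: Callable[[], float] = time.time) -> None:
        self._by_device_code: Dict[str, PendingRequest] = {}
        self._by_user_code: Dict[str, PendingRequest] = {}
        self._expires_in = expires_in   # constructed default; real lifetimes vary by provider
        self._clock = clock             # injectable so expiry can be tested deterministically

    def device_authorization(self, client_id: str, scope: str) -> dict:
        """Step 1: the initiating client asks for a device_code / user_code pair."""
        req = PendingRequest(
            client_id=client_id,
            scope=scope,
            device_code=secrets.token_urlsafe(32),
            user_code=secrets.token_hex(4).upper(),
            created_at=self._clock(),
            expires_in=self._expires_in,
        )
        self._by_device_code[req.device_code] = req
        self._by_user_code[req.user_code] = req
        return {
            "device_code": req.device_code,
            "user_code": req.user_code,
            "verification_uri": "https://idp.example/devicelogin",  # placeholder URI
            "expires_in": req.expires_in,
            "interval": 5,
        }

    def _expired(self, req: PendingRequest) -> bool:
        return self._clock() - req.created_at > req.expires_in

    def approve(self, user_code: str, signed_in_user: str) -> str:
        """Step 2: a human enters the user_code in a browser and signs in.

        The server only matches the short code to a pending request. It cannot
        tell whether the person approving is the one who started step 1.
        """
        req = self._by_user_code.get(user_code.replace("-", "").upper())
        if req is None or self._expired(req):
            return "invalid_or_expired_code"
        req.approved_by = signed_in_user
        return "approved"

    def token(self, device_code: str) -> dict:
        """Step 3: the initiating client polls the token endpoint."""
        req = self._by_device_code.get(device_code)
        if req is None or req.consumed:
            return {"error": "invalid_grant"}      # unknown or already-redeemed code
        if self._expired(req):
            return {"error": "expired_token"}
        if req.approved_by is None:
            return {"error": "authorization_pending"}
        req.consumed = True                         # a device_code is redeemable once
        return {
            "access_token": f"access-for-{req.approved_by}-{secrets.token_hex(8)}",
            "refresh_token": f"refresh-for-{req.approved_by}-{secrets.token_hex(8)}",
            "scope": req.scope,
            "token_type": "Bearer",
        }


def demonstrate_binding() -> dict:
    """Start the flow as one party, approve it as another, and see who gets tokens."""
    idp = ToyAuthorizationServer()
    start = idp.device_authorization("initiator-app", "Mail.Read offline_access")
    before = idp.token(start["device_code"])               # nothing approved yet
    status = idp.approve(start["user_code"], "alice@contoso.example")
    after = idp.token(start["device_code"])                # initiator now holds Alice's tokens
    return {"before": before, "status": status, "after": after}


if __name__ == "__main__":
    print(demonstrate_binding())
```

Run it directly to print the three stages: a pending poll, the approval by a different party, and the tokens delivered to the initiator. The `approve` method is the one to study: nothing on the verification page tells the approver which session will receive the tokens, which is why the tenant-level controls described later in this post, rather than user vigilance alone, are the durable fix.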
Why MFA Alone Is Not Enough For This One
MFA still matters. You should keep it on. But this attack is a good example of why “we have MFA” is not the same as “we are protected from every account takeover.”
In a normal phishing attack, the criminal may try to capture a password and then ask for a second factor. In this device-code style attack, the victim is guided through the real Microsoft sign-in process and may complete MFA themselves. The attacker benefits from the victim approving the attacker’s session.
That means businesses need policies that reduce risky authentication flows, not just user reminders. Microsoft Entra Conditional Access can target authentication flows such as device code flow. Microsoft’s own guidance says device code flow is a higher-risk method and recommends blocking it wherever possible, with limited documented exceptions for real business needs.
What A Customer Might Actually See
The user may not see a scary fake login screen. They may see a normal-looking message and then a real Microsoft page. That is what makes this attack so effective.
- An unexpected Outlook email saying a document, invoice, voicemail, fax, Teams message, or shared folder is waiting.
- A message that includes a short sign-in or device code and tells the user to enter it on a Microsoft page.
- A request to “verify your device,” “finish setting up Outlook mobile,” “open a protected document,” or “re-authenticate Microsoft 365.”
- A Microsoft sign-in prompt the user did not personally start from their own device or app.
- A request that feels urgent, such as payroll, HR, billing, password expiration, account suspension, or customer document access.
The safest rule is simple: only enter a Microsoft device code when you are the one physically signing into a device in front of you, such as a TV, Teams room device, or approved business device. If an email or message gives you the code, stop and ask IT.
What An Attacker Can Do After Getting In
Once a Microsoft 365 account is compromised, the damage can spread quickly. Outlook is often the first target because it contains conversations, invoices, password reset emails, customer contact information, and trusted relationships.
- Read email: attackers can search for invoices, payment conversations, password resets, HR documents, contracts, and customer details.
- Send email as the victim: a message from a real employee account is much more convincing than a random fake address.
- Create inbox rules: attackers may hide replies, move warnings to archive, or forward messages to an outside mailbox.
- Access OneDrive and SharePoint: files can include tax records, customer files, quotes, employee data, and internal procedures.
- Use Teams trust: messages from a known coworker can push the same scam deeper into the company.
- Look for financial workflows: compromised email often leads to invoice redirection, gift card scams, payroll changes, or vendor payment fraud.
Immediate Protection Steps For Microsoft 365 Users
These are the steps regular users can follow without needing to understand OAuth or Conditional Access.
- Never enter a device code from an email or message. If you did not start the sign-in yourself, do not continue.
- Slow down on Microsoft prompts. Read what app, device, or session is asking for access before approving anything.
- Report the message instead of deleting it. IT needs the headers, sender, body, links, and timing to investigate properly.
- Use bookmarks or typed addresses. Do not follow a link from an unexpected email to “verify” Microsoft access.
- Check signed-in devices. For personal Microsoft accounts, review devices at account.microsoft.com/devices. For work accounts, ask IT to check Entra sign-ins and active sessions.
- Change passwords only as part of cleanup. A password change is useful, but token theft can require revoking sessions and refresh tokens too.
Important Microsoft 365 Admin Actions
For a business tenant, user training is not enough. The most important fixes are administrative controls that reduce the chance of the attack working in the first place.
1. Audit Device Code Flow Usage First
Before blocking device code flow everywhere, check whether the organization actually uses it. Some legitimate devices and legacy workflows may depend on it. Microsoft recommends using report-only mode and sign-in logs to identify device code flow events before enforcing a block.
2. Block Or Restrict Device Code Flow
Microsoft’s Conditional Access guidance recommends getting as close as possible to a broad block on device code flow. If a business does not need it, block it. If a business does need it, allow only the specific users, devices, locations, and applications that truly require it.
Use report-only mode first, confirm what would be affected, then move the policy to On. Keep break-glass or emergency access accounts excluded so a mistake does not lock out every administrator.
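As an added example (not Microsoft's code), the following Python builds the Conditional Access policy body in the shape the Microsoft Graph `conditionalAccessPolicy` resource uses for authentication flows, then replays constructed sign-in records against it to show what report-only mode would surface. Field names for the sign-in records follow the Graph `signIn` resource (`authenticationProtocol`, `userId`, `appId`); the GUIDs, user names and the Teams Rooms app id are placeholders, and the evaluator models only the user, application and authentication-flow conditions, not the real engine's full logic.

```python
"""Preview a Conditional Access block on device code flow against sign-in logs.

Added example, not Microsoft's code. It builds a policy body in the Microsoft
Graph conditionalAccessPolicy shape (conditions.authenticationFlows.transferMethods,
grantControls.builtInControls) and evaluates constructed Entra sign-in records
(Graph signIn fields: userId, userPrincipalName, appId, appDisplayName,
authenticationProtocol) to show which sign-ins the policy would block. That is
the question report-only mode answers in the portal. All identifiers are
placeholders; the evaluator ignores locations, platforms and device filters.
"""
from collections import Counter
from typing import Dict, Iterable, List

# Placeholder identifiers; replace with the tenant's own object and app ids.
BREAK_GLASS_IDS = ["11111111-1111-1111-1111-111111111111"]
TEAMS_ROOM_APP_ID = "22222222-2222-2222-2222-222222222222"

# Sign-in log protocol values -> policy transferMethods values.
PROTOCOL_TO_TRANSFER_METHOD = {
    "deviceCode": "deviceCodeFlow",
    "authenticationTransfer": "authenticationTransfer",
}


def build_block_device_code_policy(break_glass_ids: Iterable[str],
                                   exclude_app_ids: Iterable[str] = (),
                                   report_only: bool = True) -> dict:
    """Policy body for the Graph identity/conditionalAccess/policies endpoint."""
    return {
        "displayName": "Block device code flow",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass_ids)},
            "applications": {"includeApplications": ["All"],
                             "excludeApplications": list(exclude_app_ids)},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def policy_would_block(policy: dict, signin: dict) -> bool:
    """Simplified evaluation: in scope for user, app and authentication flow?"""
    if policy["state"] == "disabled":
        return False
    cond = policy["conditions"]
    users, apps = cond["users"], cond["applications"]
    flows = {m.strip() for m in cond["authenticationFlows"]["transferMethods"].split(",")}

    user_in = "All" in users["includeUsers"] or signin["userId"] in users["includeUsers"]
    if not user_in or signin["userId"] in users.get("excludeUsers", []):
        return False
    app_in = "All" in apps["includeApplications"] or signin["appId"] in apps["includeApplications"]
    if not app_in or signin["appId"] in apps.get("excludeApplications", []):
        return False
    method = PROTOCOL_TO_TRANSFER_METHOD.get(signin.get("authenticationProtocol", ""))
    if method not in flows:
        return False
    return "block" in policy["grantControls"]["builtInControls"]


def preview_impact(policy: dict, signins: Iterable[dict]) -> Dict[str, object]:
    """What report-only mode would tell you: who and which apps get caught."""
    affected: List[dict] = [s for s in signins if policy_would_block(policy, s)]
    return {
        "affected_count": len(affected),
        "affected_users": sorted({s["userPrincipalName"] for s in affected}),
        "by_app": dict(Counter(s["appDisplayName"] for s in affected)),
    }


# Constructed sign-in records resembling Entra sign-in log entries.
SAMPLE_SIGNINS = [
    {"userId": "u-alice", "userPrincipalName": "alice@contoso.example",
     "appId": TEAMS_ROOM_APP_ID, "appDisplayName": "Teams Rooms (placeholder)",
     "authenticationProtocol": "deviceCode"},
    {"userId": "u-bob", "userPrincipalName": "bob@contoso.example",
     "appId": "33333333-3333-3333-3333-333333333333", "appDisplayName": "Unknown CLI tool",
     "authenticationProtocol": "deviceCode"},
    {"userId": "u-carol", "userPrincipalName": "carol@contoso.example",
     "appId": "44444444-4444-4444-4444-444444444444", "appDisplayName": "Outlook",
     "authenticationProtocol": "oAuth2"},
    {"userId": BREAK_GLASS_IDS[0], "userPrincipalName": "breakglass@contoso.example",
     "appId": "33333333-3333-3333-3333-333333333333", "appDisplayName": "Unknown CLI tool",
     "authenticationProtocol": "deviceCode"},
]


def run_rollout_preview() -> Dict[str, object]:
    """Broad report-only policy first, then a narrowed one after reviewing the hits."""
    broad = build_block_device_code_policy(BREAK_GLASS_IDS)
    narrowed = build_block_device_code_policy(BREAK_GLASS_IDS, exclude_app_ids=[TEAMS_ROOM_APP_ID])
    return {"broad": preview_impact(broad, SAMPLE_SIGNINS),
            "narrowed": preview_impact(narrowed, SAMPLE_SIGNINS)}


if __name__ == "__main__":
    import json
    print(json.dumps(run_rollout_preview(), indent=2))
```

The broad preview flags the room device and the unknown CLI tool; the break-glass account is untouched because it is excluded, and the normal Outlook sign-in is untouched because it did not use device code flow. After confirming the room device is a real business need, the narrowed policy excludes only that app and still catches the unexplained sign-in. Submit the body with the Graph `identity/conditionalAccess/policies` endpoint (or `New-MgIdentityConditionalAccessPolicy` from the Microsoft Graph PowerShell SDK) to create the report-only policy, compare the portal's report-only results with your own sign-in log review, and only then flip `state` to `enabled`.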
3. Block Authentication Transfer Where It Does Not Belong
Microsoft also documents authentication transfer, which can move an authenticated session from one device to another, for example by scanning a QR code shown in a signed-in desktop app to sign in on a phone. That convenience may not be appropriate for every business, especially if Outlook or Microsoft 365 is not allowed on unmanaged personal devices. Blocking authentication transfer for sensitive groups can reduce another path attackers may try to abuse.
4. Move Toward Phishing-Resistant MFA
Push approvals and one-time codes are better than passwords alone, but they can still be abused when a user is tricked into approving the wrong session. For higher-risk accounts, consider phishing-resistant methods such as FIDO2 security keys, passkeys, certificate-based authentication, and strict device compliance rules. One caveat: phishing-resistant MFA hardens the sign-in itself, but it does not stop a user from completing a genuine Microsoft sign-in for a device code someone else started, so it complements blocking device code flow rather than replacing it.
5. Monitor For The Aftermath
If a user may have entered a device code, the cleanup should go beyond resetting the password. Review sign-in logs, revoke sessions, check refresh-token activity, inspect OAuth app consent, review mailbox rules, check forwarding, inspect recently registered devices, and look for unusual email sent from the account.
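The mailbox part of that review can be scripted. Below is an added Python example (not a Microsoft or Exchange tool) that scores inbox rules and mailbox-level forwarding for the patterns that often follow a takeover: forwarding or redirecting to an outside domain, rules that delete mail or bury it in folders nobody reads, keyword filters on money or credential terms, and one-character rule names. The record shape follows the main properties returned by Exchange Online's `Get-InboxRule` and `Get-Mailbox` once exported to JSON; the mailbox, the rules and the `contoso.example` domain are constructed.

```python
"""Triage inbox rules and mailbox forwarding after a suspected device-code phish.

Added example, not a Microsoft tool. It scores inbox rules and forwarding
settings for patterns attackers commonly leave behind after a mailbox
takeover. The record shape loosely follows Exchange Online's Get-InboxRule
and Get-Mailbox properties (Name, Enabled, ForwardTo, RedirectTo,
ForwardAsAttachmentTo, DeleteMessage, MoveToFolder, MarkAsRead,
SubjectOrBodyContainsWords, ForwardingSmtpAddress, ForwardingAddress).
All sample data is constructed. Treat the output as a review queue, not a verdict.
"""
from typing import Dict, Iterable, List

INTERNAL_DOMAINS = {"contoso.example"}                 # placeholder tenant domains
BURY_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                "archive", "deleted items", "junk email"}
HOT_WORDS = {"invoice", "payment", "wire", "bank", "password", "mfa",
             "verification", "remittance", "ach"}


def _external(addresses: Iterable[str]) -> List[str]:
    """Addresses whose domain is not one of ours ('smtp:' prefixes are tolerated)."""
    return [a for a in addresses
            if "@" in a and a.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS]


def review_inbox_rule(rule: Dict) -> List[str]:
    """Return the reasons a single rule deserves a human look (empty = none)."""
    reasons: List[str] = []
    if not rule.get("Enabled", True):
        return reasons                                  # disabled rules are noted elsewhere
    targets = (rule.get("ForwardTo", []) + rule.get("RedirectTo", [])
               + rule.get("ForwardAsAttachmentTo", []))
    ext = _external(targets)
    if ext:
        reasons.append(f"forwards/redirects to external address: {', '.join(ext)}")
    words = {w.lower() for w in rule.get("SubjectOrBodyContainsWords", [])}
    hot = sorted(words & HOT_WORDS)
    folder = (rule.get("MoveToFolder") or "").lower()
    if rule.get("DeleteMessage"):
        reasons.append("deletes matching messages")
    if folder in BURY_FOLDERS:
        reasons.append(f"moves messages to a rarely-read folder: {rule['MoveToFolder']}")
    if hot and (rule.get("DeleteMessage") or folder in BURY_FOLDERS or rule.get("MarkAsRead")):
        reasons.append(f"hides messages matching sensitive keywords: {', '.join(hot)}")
    name = rule.get("Name", "").strip()
    if len(name) <= 2:
        reasons.append(f"suspiciously short rule name {name!r}")
    return reasons


def triage_mailbox(mailbox: Dict, rules: Iterable[Dict]) -> List[Dict]:
    """Findings for one mailbox: forwarding settings first, then each rule."""
    findings: List[Dict] = []
    fwd = [a for a in (mailbox.get("ForwardingSmtpAddress"),
                       mailbox.get("ForwardingAddress")) if a]
    ext = _external(fwd)
    if ext:
        findings.append({"item": "mailbox forwarding",
                         "reasons": [f"mailbox-level forwarding to {', '.join(ext)}"]})
    for rule in rules:
        reasons = review_inbox_rule(rule)
        if reasons:
            findings.append({"item": f"rule {rule.get('Name', '')!r}", "reasons": reasons})
    return findings


# Constructed sample data for one mailbox.
SAMPLE_MAILBOX = {"Identity": "alice@contoso.example",
                  "ForwardingSmtpAddress": "smtp:alice.backup@mail-relay.example"}
SAMPLE_RULES = [
    {"Name": ".", "Enabled": True, "SubjectOrBodyContainsWords": ["invoice", "payment"],
     "MoveToFolder": "RSS Feeds", "MarkAsRead": True},
    {"Name": "Newsletter cleanup", "Enabled": True,
     "SubjectOrBodyContainsWords": ["newsletter"], "MoveToFolder": "Reading"},
    {"Name": "Send to accountant", "Enabled": True,
     "ForwardTo": ["books@external-accountant.example"]},
    {"Name": "Old rule", "Enabled": False, "DeleteMessage": True,
     "SubjectOrBodyContainsWords": ["password"]},
]


if __name__ == "__main__":
    for finding in triage_mailbox(SAMPLE_MAILBOX, SAMPLE_RULES):
        print(finding["item"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

On the sample data the script surfaces the mailbox-level forward, the one-character rule that buries invoice and payment mail in RSS Feeds, and the forward to an outside accountant. The last one may be perfectly legitimate, which is the point: the output is a prioritized list for the responder, and the actual decision still needs a conversation with the user. Sign-in review, session revocation, device registrations and OAuth consent are separate items on the list above and are not covered by this script.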
Small Business Checklist
- Turn on MFA for every Microsoft 365 account, especially owners, managers, bookkeepers, and anyone handling invoices.
- Make sure at least two trusted administrators can access the tenant, with emergency access documented securely.
- Use Conditional Access if your Microsoft 365 licensing supports it.
- Block device code flow unless there is a documented business need.
- Block or restrict authentication transfer where personal-device sign-in is not allowed.
- Train staff that a real Microsoft page can still be part of a scam if the request started from an unexpected message.
- Review mailbox forwarding and inbox rules regularly.
- Require out-of-band verification for payment changes, payroll changes, bank detail changes, and urgent wire requests.
- Keep security logs long enough to investigate suspicious sign-ins after the fact.
- Have a response plan before a mailbox takeover happens.
When To Call The IT Guys
Call for help if someone entered a Microsoft device code from an email, saw an unexpected Microsoft sign-in prompt, noticed strange sent mail, found unknown inbox rules, received customer complaints about odd emails, or saw unfamiliar devices in the account.
For Port Saint Lucie, Jensen Beach, Fort Pierce, and Vero Beach businesses, The IT Guys can help review Microsoft 365 sign-in logs, tighten Conditional Access, check Outlook rules and forwarding, review MFA settings, remove unauthorized sessions, and build a practical response plan that fits the business instead of copying a generic enterprise checklist.
Bottom Line
Kali365 is important because it shows where phishing is going: attackers are not always trying to make fake pages anymore. They are trying to abuse real sign-in workflows and convince users to approve the wrong thing.
The best defense is a mix of user awareness and tenant hardening. Teach people never to enter device codes from messages, then use Microsoft Entra controls to block risky authentication flows before a mistake becomes a full mailbox takeover.
References
- FBI IC3: Kali365 Phishing-as-a-Service Kit Hijacks Microsoft 365 Access Tokens
- Malwarebytes: Kali365 phishing kit bypasses MFA and steals Microsoft logins
- Microsoft Security Blog: Inside an AI-enabled device code phishing campaign
- Microsoft Learn: Conditional Access authentication flows
- Microsoft Learn: Block authentication flows with Conditional Access policy
- CISA: Phishing Guidance – Stopping the Attack Cycle at Phase One
- Cybersecurity Dive: FBI warns about PhaaS platform used to access Microsoft 365 environments
- TechRepublic: FBI warns Kali365 phishing service targets Microsoft 365 accounts
Need help checking your Microsoft 365 tenant for risky sign-in settings or suspicious Outlook activity? The IT Guys can review your setup and help close the gaps before a phishing message turns into a business email compromise.