The FBI issued a warning in May 2026 about a new phishing-as-a-service platform called Kali365 that hijacks Microsoft 365 accounts without a single fake login page. The platform, first spotted in April 2026, abuses Microsoft’s device code authentication flow to trick users into granting attackers access to their accounts — no password theft required. Distributed primarily through Telegram, Kali365 marks a dangerous evolution in phishing that sidesteps multi-factor authentication (MFA) entirely.

Traditional phishing lures victims to counterfeit login portals. Device code phishing flips the script. It exploits a legitimate OAuth flow designed for input-constrained devices like smart TVs and IoT gadgets. Instead of stealing credentials, attackers generate a real device code from Microsoft’s servers and trick the victim into entering it at the standard Microsoft login page. Once the user authenticates — and approves any MFA prompts — the attacker receives a token granting full access to the account. The victim sees a seemingly normal sign-in, with no indication anything is amiss.

The technique isn’t new. Microsoft warned about device code phishing in 2023, and incidents have surged ever since. What sets Kali365 apart is its packaging as a turnkey service. For a fee, even low-skilled threat actors can launch sophisticated campaigns. The platform automates code generation, delivers convincing lures via email or messaging apps, and harvests access tokens. Telegram serves as the main storefront, where criminals can purchase subscriptions, watch tutorials, and share tips.

The FBI’s Private Industry Notification details how Kali365 campaigns typically begin with a social engineering lure. A target receives an email or Teams message containing a link to a supposed file shared via Microsoft 365. Clicking the link does not lead to a fake login page. Instead, it opens a page with a device code and instructions: “To view the document, go to https://microsoft.com/devicelogin and enter this code.” Because the URL is legitimate, users feel safe following the steps.

Unbeknownst to them, the code was generated by the attacker using the Kali365 backend. When the victim enters it at the official Microsoft site, they authenticate normally — including any MFA challenge. Behind the scenes, the attacker’s automated system, which has been polling Microsoft’s token endpoint with that device code, immediately receives an access token and a refresh token. From that moment, the threat actor has persistent access to the victim’s Microsoft 365 environment: email, OneDrive files, Teams conversations, and any connected applications.
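The flow described above, as an added example (not code from the FBI bulletin, from Microsoft, or from the Kali365 operators): a toy RFC 8628 device-authorization server, the client that requested the code, and the user who approves it, all in one Python file with constructed hostnames, IPs and user names. It shows the property the attack depends on, that tokens are issued to whoever holds the device_code and not to the person who typed the user_code, and it records the requester's and approver's IPs so the mismatch a defender can alert on is visible in the mock audit log.

```python
"""Mock of the OAuth 2.0 device authorization grant (RFC 8628).

Constructed example: a toy authorization server, the client that requested the
code, and a user who approves the user_code after signing in. No real
endpoints are contacted; idp.example and the IPs are placeholders.
"""
from __future__ import annotations
import secrets
import time
from dataclasses import dataclass
from typing import Optional

POLL_INTERVAL = 5  # seconds; the real flow returns this as "interval"


@dataclass
class PendingCode:
    device_code: str
    user_code: str
    client_id: str
    requester_ip: str      # who asked for the code (a real server takes this from the connection)
    expires_at: float
    approved_by: Optional[str] = None
    approver_ip: Optional[str] = None


class MockAuthServer:
    def __init__(self) -> None:
        self._by_device: dict[str, PendingCode] = {}
        self._by_user: dict[str, PendingCode] = {}
        self.audit: list[dict] = []   # stand-in for the sign-in log

    # Step 1: the client calls the device authorization endpoint.
    def device_authorization(self, client_id: str, requester_ip: str) -> dict:
        pc = PendingCode(
            device_code=secrets.token_urlsafe(32),
            user_code=f"{secrets.randbelow(10**4):04d}-{secrets.randbelow(10**4):04d}",
            client_id=client_id,
            requester_ip=requester_ip,
            expires_at=time.time() + 900,
        )
        self._by_device[pc.device_code] = pc
        self._by_user[pc.user_code] = pc
        return {"device_code": pc.device_code, "user_code": pc.user_code,
                "verification_uri": "https://idp.example/devicelogin",  # constructed
                "expires_in": 900, "interval": POLL_INTERVAL}

    # Step 2: a user who has already signed in (MFA included) types the user_code.
    def approve(self, user_code: str, user: str, user_ip: str) -> bool:
        pc = self._by_user.get(user_code)
        if pc is None or time.time() > pc.expires_at:
            return False
        pc.approved_by, pc.approver_ip = user, user_ip
        return True

    # Step 3: the client polls the token endpoint with the device_code.
    def token(self, device_code: str, client_id: str) -> dict:
        pc = self._by_device.get(device_code)
        if pc is None or pc.client_id != client_id:
            return {"error": "invalid_grant"}
        if time.time() > pc.expires_at:
            return {"error": "expired_token"}
        if pc.approved_by is None:
            return {"error": "authorization_pending"}
        # Tokens are minted for the approving user and handed to the polling client.
        self.audit.append({"user": pc.approved_by, "protocol": "deviceCode",
                           "client_id": pc.client_id,
                           "requester_ip": pc.requester_ip, "approver_ip": pc.approver_ip})
        return {"access_token": f"at-{pc.approved_by}",
                "refresh_token": f"rt-{pc.approved_by}"}


def run_flow(requester_ip: str, approver_ip: str, user: str = "victim@example.com") -> dict:
    """Drive the three steps; return the token response and the audit record."""
    server = MockAuthServer()
    grant = server.device_authorization("client-app", requester_ip)
    first = server.token(grant["device_code"], "client-app")   # user has not approved yet
    assert first == {"error": "authorization_pending"}
    server.approve(grant["user_code"], user, approver_ip)
    tokens = server.token(grant["device_code"], "client-app")
    rec = server.audit[-1]
    rec["ip_mismatch"] = rec["requester_ip"] != rec["approver_ip"]
    return {"tokens": tokens, "audit": rec}


if __name__ == "__main__":
    # Requester and approver on different networks: the situation the page describes.
    print(run_flow("203.0.113.9", "198.51.100.7"))
```

The identity provider never learns that the person typing the code is not the person who requested it; the only signal it has is that the device_code was requested from one address and the user_code approved from another, which is why the sign-in log entry, not the login page, is where this attack is visible.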

The FBI alert emphasizes that the attack bypasses many standard security controls. Since there’s no malicious attachment or URL leading to a phishing site, Secure Email Gateways and Safe Links often miss it. The device code flow consists of ordinary HTTPS requests to Microsoft’s own endpoints and ends in a token rather than a captured password, so phishing detections that look for credential-harvesting patterns never see it. MFA alone does not stop the attack because the user legitimately completes the MFA step; the attacker simply piggybacks on the session.

Kali365 also supports advanced tactics such as targeting specific user roles, automating follow‑up phishing messages from compromised accounts, and exfiltrating sensitive data in batches. One campaign observed by the FBI involved compromising a C‑suite executive’s account and then sending invoice‑themed messages to the finance department, leading to a $2.3 million business email compromise (BEC) loss.

The platform’s rapid growth highlights the industrialization of cybercrime. According to the FBI, Kali365 operators offer tiered pricing: a basic plan for $200 per week, an advanced plan with custom templates for $500 per week, and a “vip” tier with priority support for $1,000. Payments are accepted in cryptocurrency. Affiliates receive detailed guides on how to craft effective lures, select high‑value targets, and evade detection.

For defenders, the primary countermeasure is Conditional Access in Microsoft Entra. The FBI bulletin urges organizations to implement a policy that blocks device code authentication entirely — or at least restricts it to specific, trusted devices and network locations. Microsoft provides a template: “Block device code flow” can be enabled via the Entra admin center under Conditional Access > Grant controls > Require a compliant or hybrid‑joined device.

A more nuanced approach is to use authentication strengths and session controls. For example, an organization might allow device code flow only when accompanied by phishing‑resistant MFA methods like FIDO2 security keys. Additionally, enabling Continuous Access Evaluation (CAE) can revoke tokens in real time if a user’s risk level increases after initial authentication.

The FBI also recommends user education customized to this threat. Standard phishing awareness training often focuses on spotting fake URLs and checking email headers. Device code phishing requires a different script: instruct users never to enter a code from an unsolicited message, no matter how official the site looks. If they didn’t initiate the request, they shouldn’t type the code. Security teams can also create intranet banners warning about the specific attack pattern.

Monitoring is equally critical. Signs of compromise include unusual device code authentication events in the Microsoft Entra sign‑in logs. Specifically, look for login events where the “Authentication method” is “Device Code Flow” and the “Application” is “Microsoft Office,” combined with a previously unseen IP or location. Security information and event management (SIEM) rules can be built to alert on such anomalies. Similarly, any spike in device code requests from a single IP or user warrants immediate investigation.
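The two detections described in the paragraph above (a device code sign-in from an IP the user has never used, and a burst of device code sign-ins from one IP) implemented over sample sign-in records. This is an added example, not the bulletin's or Microsoft's detection logic. The records and the per-user IP baseline are constructed; the field names follow the Microsoft Graph `signIn` resource as I know it (`authenticationProtocol` with value `deviceCode`, `ipAddress`, `userPrincipalName`, `appDisplayName`, `createdDateTime`), which the Entra portal labels differently ("Authentication method", "Application"), so check them against your own export.

```python
"""Detection over Entra sign-in records for device code abuse (constructed data).

Rule 1: device-code sign-in from an IP outside the user's baseline.
Rule 2: >= SPIKE_THRESHOLD device-code sign-ins from one IP within SPIKE_WINDOW.
"""
from __future__ import annotations
from collections import defaultdict
from datetime import datetime, timedelta

SPIKE_THRESHOLD = 3
SPIKE_WINDOW = timedelta(minutes=30)

# Constructed records in the shape of Graph signIn objects; not real telemetry.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-05-04T08:00:00Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.7"},
    {"createdDateTime": "2026-05-04T09:12:00Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.9"},
    {"createdDateTime": "2026-05-04T09:15:00Z", "userPrincipalName": "bob@example.com",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.9"},
    {"createdDateTime": "2026-05-04T09:20:00Z", "userPrincipalName": "carol@example.com",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.9"},
    {"createdDateTime": "2026-05-04T10:00:00Z", "userPrincipalName": "dave@example.com",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.20"},
]

# Constructed baseline of IPs each user normally signs in from. In practice,
# build it from 30 days of sign-ins that did not use the device code flow.
KNOWN_IPS = {
    "alice@example.com": {"198.51.100.7"},
    "bob@example.com": {"198.51.100.8"},
    "carol@example.com": {"198.51.100.9"},
    "dave@example.com": {"198.51.100.20"},
}


def _ts(rec: dict) -> datetime:
    return datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))


def device_code_events(signins: list[dict]) -> list[dict]:
    return [r for r in signins if r.get("authenticationProtocol") == "deviceCode"]


def new_location_alerts(signins: list[dict], known_ips: dict) -> list[dict]:
    """Rule 1: device-code sign-in from an IP not in the user's baseline."""
    alerts = []
    for r in device_code_events(signins):
        if r["ipAddress"] not in known_ips.get(r["userPrincipalName"], set()):
            alerts.append({"rule": "device_code_new_ip", "user": r["userPrincipalName"],
                           "ip": r["ipAddress"], "app": r["appDisplayName"],
                           "time": r["createdDateTime"]})
    return alerts


def spike_alerts(signins: list[dict], threshold: int = SPIKE_THRESHOLD,
                 window: timedelta = SPIKE_WINDOW) -> list[dict]:
    """Rule 2: sliding window over each IP's device-code sign-ins; one alert per IP."""
    by_ip: dict[str, list[dict]] = defaultdict(list)
    for r in sorted(device_code_events(signins), key=_ts):
        by_ip[r["ipAddress"]].append(r)
    alerts = []
    for ip, recs in by_ip.items():
        start = 0
        for end in range(len(recs)):
            while _ts(recs[end]) - _ts(recs[start]) > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"rule": "device_code_spike", "ip": ip, "count": end - start + 1,
                               "users": sorted({x["userPrincipalName"] for x in recs[start:end + 1]})})
                break
    return alerts


def run(signins: list[dict] = SAMPLE_SIGNINS, known_ips: dict = KNOWN_IPS) -> list[dict]:
    return new_location_alerts(signins, known_ips) + spike_alerts(signins)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the sample data the first rule fires for alice, bob and carol (all on 203.0.113.9, an address none of them has used before) and stays quiet for dave, whose device code sign-in comes from his usual address; the second rule fires once for 203.0.113.9 because three different users approved codes requested from it within eight minutes, which is the pattern a shared phishing backend produces.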

Microsoft has responded to the uptick in device code attacks with new security defaults. In late 2025, the company began rolling out a change: device code flow will be blocked for accounts that have MFA enabled, unless the tenant explicitly opts in. This shift, while not a silver bullet, reduces the attack surface significantly. The FBI bulletin references this change and notes that tenants created before the rollout may still be vulnerable if administrators haven’t reviewed their settings.

Despite these defenses, Kali365 and its ilk continue to succeed because of human psychology. The lure often leverages urgency or authority — a message from the CEO, an overdue invoice, or an HR document that must be signed immediately. Because the login process is genuine, the victim’s guard is lowered. The attack exploits trust in Microsoft’s own infrastructure.

In one high‑profile incident, a Midwestern hospital saw its entire patient records system compromised through a device code phish targeting a nurse with access to the electronic health record (EHR) system. The attacker’s access token allowed them to pivot to the EHR app and exfiltrate 45,000 patient records before the breach was detected three days later. The FBI cites this case as a wake‑up call for healthcare and other critical infrastructure sectors.

Looking ahead, experts expect device code phishing to multiply. The low barrier to entry — thanks to platforms like Kali365 — combined with high success rates makes it an attractive method for everything from espionage to ransomware delivery. The FBI warns that nation‑state groups have already adopted the technique, with one Chinese‑affiliated threat actor, referred to as “Storm‑2077,” using device code phishing in attacks against U.S. think tanks and academic institutions.

To stay ahead, organizations must adopt a defense‑in‑depth posture. Start with Conditional Access policies that minimize or eliminate the device code flow for the entire tenant. If the flow cannot be disabled due to operational needs, isolate it to a small group of users and enforce strict authentication strength requirements. Invest in user training that specifically covers device code attacks, using real‑world examples and regular simulated exercises.

Incident response playbooks should include a scenario for token theft via device code. Since the attacker holds a refresh token, simply resetting the password is not enough. Admins must revoke all access tokens via the Microsoft Entra admin center, force password resets, and check for persistence mechanisms like additional MFA methods or inbox rules. The FBI bulletin provides a checklist: (1) Identify compromised accounts via sign‑in logs. (2) Revoke sessions and refresh tokens. (3) Inspect for malicious OAuth applications or forwarding rules. (4) Notify stakeholders and, if required, report to law enforcement.
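Steps (2) and (3) of the checklist above as a small response helper: revoke the account's sessions and refresh tokens, then pull inbox rules, registered MFA methods and OAuth consents and triage them for the persistence mechanisms the paragraph names. This is an added example, not the FBI checklist's or Microsoft's code. The Graph v1.0 endpoints are the ones I know (`POST /users/{upn}/revokeSignInSessions`, `GET .../mailFolders/inbox/messageRules`, `GET .../authentication/methods`, `GET .../oauth2PermissionGrants`); the sample payloads, the internal domain list and the approved client-id allowlist are constructed placeholders, and without a `GRAPH_TOKEN` the script runs in dry-run mode and only prints the calls it would make.

```python
"""Incident-response helper for device code token theft (added example).

Revoke sessions first (invalidates refresh tokens), then collect and triage
persistence: inbox rules, recently added MFA methods, OAuth consents.
Graph endpoints as I know them in v1.0; sample data below is constructed.
"""
from __future__ import annotations
import json
import os
import sys
import urllib.request
from datetime import datetime

GRAPH = "https://graph.microsoft.com/v1.0"
APPROVED_CLIENT_IDS = {"<placeholder-known-good-client-id>"}   # constructed allowlist
INTERNAL_DOMAINS = {"example.com"}                              # constructed


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def suspicious_inbox_rules(rules: list[dict], internal_domains: set = INTERNAL_DOMAINS) -> list[dict]:
    """Flag rules that forward or redirect mail outside the org, or silently delete it."""
    findings = []
    for rule in rules:
        actions = rule.get("actions", {})
        targets = []
        for key in ("forwardTo", "forwardAsAttachmentTo", "redirectTo"):
            targets += [t["emailAddress"]["address"] for t in actions.get(key, [])]
        external = [t for t in targets if t.split("@")[-1].lower() not in internal_domains]
        if external or actions.get("delete"):
            findings.append({"type": "inbox_rule", "name": rule.get("displayName"),
                             "external_targets": external, "deletes": bool(actions.get("delete"))})
    return findings


def methods_added_since(methods: list[dict], since: str) -> list[dict]:
    """MFA methods registered at or after the suspected compromise time."""
    cutoff = _parse(since)
    return [{"type": "auth_method", "kind": m.get("@odata.type", "?"), "created": m["createdDateTime"]}
            for m in methods if m.get("createdDateTime") and _parse(m["createdDateTime"]) >= cutoff]


def unapproved_grants(grants: list[dict], approved: set = APPROVED_CLIENT_IDS) -> list[dict]:
    """OAuth consents granted to clients outside the reviewed allowlist."""
    return [{"type": "oauth_grant", "clientId": g["clientId"], "scope": g.get("scope", "")}
            for g in grants if g["clientId"] not in approved]


def plan(upn: str) -> list[tuple[str, str]]:
    """Ordered Graph calls per compromised account: revoke first, then collect evidence."""
    base = f"/users/{upn}"
    return [("POST", f"{base}/revokeSignInSessions"),
            ("GET", f"{base}/mailFolders/inbox/messageRules"),
            ("GET", f"{base}/authentication/methods"),
            ("GET", f"{base}/oauth2PermissionGrants")]


def _call(method: str, path: str, token: str) -> dict:
    req = urllib.request.Request(GRAPH + path, method=method, data=b"" if method == "POST" else None,
                                 headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read() or b"{}")


def respond(upn: str, since: str, token: str | None) -> list[dict]:
    results = {}
    for method, path in plan(upn):
        if token is None:
            print("DRY-RUN", method, path)
            results[path] = {"value": []}
        else:
            results[path] = _call(method, path, token)
    base = f"/users/{upn}"
    return (suspicious_inbox_rules(results[f"{base}/mailFolders/inbox/messageRules"]["value"])
            + methods_added_since(results[f"{base}/authentication/methods"]["value"], since)
            + unapproved_grants(results[f"{base}/oauth2PermissionGrants"]["value"]))


# Constructed sample payloads in the shape Graph returns; not real tenant data.
SAMPLE_RULES = [
    {"displayName": "Invoices", "actions": {"forwardTo": [{"emailAddress": {"address": "drop@attacker.example"}}],
                                            "delete": True}},
    {"displayName": "Newsletters", "actions": {"moveToFolder": "<folder-id>"}},
]
SAMPLE_METHODS = [
    {"@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod", "createdDateTime": "2026-05-04T09:40:00Z"},
    {"@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod", "createdDateTime": "2025-11-01T08:00:00Z"},
    {"@odata.type": "#microsoft.graph.phoneAuthenticationMethod"},
]
SAMPLE_GRANTS = [{"clientId": "<placeholder-known-good-client-id>", "scope": "User.Read"},
                 {"clientId": "unknown-client-0001", "scope": "Mail.ReadWrite Files.Read.All"}]

if __name__ == "__main__":
    upn = sys.argv[1] if len(sys.argv) > 1 else "victim@example.com"
    for finding in respond(upn, "2026-05-04T09:12:00Z", os.environ.get("GRAPH_TOKEN")):
        print(finding)
```

The order matters: revoking sessions invalidates the refresh token the attacker holds, and only then is it worth enumerating what they left behind, since anything they add after revocation needs a fresh sign-in. Methods without a `createdDateTime` (the phone method in the sample) are not flagged automatically and should be reviewed by hand.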

The FBI encourages victims to file a complaint with the Internet Crime Complaint Center (IC3) at https://www.ic3.gov. Timely reporting aids in tracking the threat actors and sharing indicators of compromise (IOCs) across the community. The bulletin also calls for organizations to join information sharing groups such as InfraGard or the MS‑ISAC to receive real‑time threat intelligence.

Kali365’s emergence underscores a harsh reality: threat actors are innovating faster than many defenders. The shift from credential harvesting to token theft marks a paradigm change in phishing. By weaponizing a built‑in authentication mechanism, attackers are essentially using Microsoft’s own infrastructure as their phishing toolkit. The solution isn’t a single product but a combination of technical controls, user awareness, and rapid response.

As of June 2026, Microsoft Entra telemetry indicates that device code phishing attempts have increased by 340% year‑over‑year. The company has responded by expanding the availability of its “authentication strengths” feature, which allows admins to require phishing‑resistant methods for specific flows. Additionally, the Microsoft Security blog has published detection guidance focusing on anomalies in the device_registration and authentication_details fields in sign‑in logs.

Organizations that haven’t reviewed their Entra Conditional Access settings should prioritize doing so immediately. The FBI recommends that all Microsoft 365 tenants take three immediate actions: (1) Audit device code usage by running a query in the Entra portal. (2) Implement a Conditional Access policy to block device code flow unless essential. (3) Deploy a communication campaign to educate employees about this specific threat. These steps can dramatically reduce risk and signal to leadership that cybersecurity is a proactive investment, not an afterthought.

Kali365 is unlikely to be the last platform of its kind. The model of phishing‑as‑a‑service democratizes sophisticated attacks, making them accessible to anyone with a crypto wallet and a motive. Defenders must adapt quickly, leveraging both Microsoft’s evolving security controls and a culture of vigilance that treats every unsolicited code request as hostile.