The FBI issued an urgent warning on May 21, 2026, about a phishing-as-a-service platform called Kali365 that is actively hijacking Microsoft 365 accounts by abusing the legitimate OAuth device-code flow. Promoted openly on Telegram, Kali365 provides cybercriminals with a turnkey toolkit to conduct what security researchers call device-code phishing—a stealthy attack that sidesteps multi-factor authentication (MFA) and conventional detection methods. The alert underscores a dangerous evolution in identity-based attacks, where threat actors no longer need to steal passwords or spin up convincing login pages; they simply trick users into authorizing a device, granting persistent access to emails, files, and other cloud resources.
The core of the threat lies in how Microsoft’s device-code flow works. Designed for devices like smart TVs or IoT hardware that lack a browser, the flow lets a user authenticate on a separate device by entering a short code at https://microsoft.com/devicelogin. Once entered and approved, the original device receives an OAuth access token and a refresh token, often with broad permissions. Kali365 abuses this by posing as a legitimate service—such as a collaboration tool or a required security scanner—and instructing victims to visit that legitimate Microsoft URL and enter the provided code. The victim sees the familiar Microsoft login page, enters credentials, and may complete MFA. After approval, the attacker’s application silently receives long-lived tokens that can be used to access data, send emails, or move laterally within the organization.
For Windows-centric enterprises, the risk is amplified. A compromised Microsoft 365 account is often the gateway to the broader Microsoft ecosystem—Exchange Online, SharePoint, Teams, and even Azure resources. Attackers can use the stolen tokens to maintain persistence, exfiltrate sensitive data, or launch business email compromise (BEC) attacks from a trusted account. Because the entire interaction happens on legitimate Microsoft infrastructure, traditional phishing defenses like URL filtering and domain reputation checks are useless. The FBI’s alert highlights that Kali365 campaigns have been observed targeting small businesses, financial services, and healthcare organizations, but any Microsoft 365 tenant is a potential victim.
The commercial model of Kali365—sold as a subscription on Telegram for as little as $200 per month—exemplifies the industrialization of cybercrime. The platform automates the device-code generation, token capture, and even includes management dashboards for tracking compromised accounts. This low barrier to entry means that even unsophisticated criminals can launch highly effective attacks. Telegram’s encrypted channels and bot infrastructure make it difficult for law enforcement to disrupt, as takedown requests often lead to new channels appearing within hours.
Defending against device-code phishing requires a mix of technical controls and user education. The FBI and Microsoft recommend several immediate actions: disable the device-code flow entirely where not needed—many organizations can do this via Conditional Access policies since their users never authenticate this way. If the flow must remain enabled, restrict it to trusted devices or networks, and monitor for suspicious device-code sign-in attempts. Microsoft 365 logs will show device-code events; security teams should look for anomalies like a single user completing multiple device-code authentications in quick succession or from unexpected locations. Additionally, enforce the principle of least privilege on all enterprise applications consented to during the process, and review existing OAuth grants regularly.
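The two anomalies the paragraph above tells security teams to hunt for (a burst of device-code sign-ins by one user, and device-code sign-ins from unexpected locations) can be expressed as a small detection routine. The following is an added example, not code from the article, the FBI, or Microsoft; the record fields (`user`, `time`, `protocol`, `country`, `ip`) and the sample sign-ins are constructed to loosely resemble exported sign-in log entries, and the thresholds are assumptions to tune per tenant.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (field names are assumptions, not a real
# log schema). "protocol" marks which OAuth flow produced the sign-in.
SAMPLE_SIGNINS = [
    {"user": "alice@example.com", "time": "2026-05-21T09:00:10Z", "protocol": "deviceCode", "country": "US", "ip": "203.0.113.10"},
    {"user": "alice@example.com", "time": "2026-05-21T09:02:45Z", "protocol": "deviceCode", "country": "US", "ip": "203.0.113.10"},
    {"user": "alice@example.com", "time": "2026-05-21T09:05:30Z", "protocol": "deviceCode", "country": "US", "ip": "203.0.113.10"},
    {"user": "bob@example.com",   "time": "2026-05-21T10:15:00Z", "protocol": "deviceCode", "country": "RO", "ip": "198.51.100.7"},
    {"user": "carol@example.com", "time": "2026-05-21T11:00:00Z", "protocol": "authorizationCode", "country": "US", "ip": "192.0.2.5"},
    {"user": "dave@example.com",  "time": "2026-05-21T12:00:00Z", "protocol": "deviceCode", "country": "US", "ip": "192.0.2.9"},
]

# Assumed tuning values: countries the tenant normally signs in from, and how
# many device-code sign-ins inside one window count as a burst.
TRUSTED_COUNTRIES = {"US"}
BURST_COUNT = 3
BURST_WINDOW = timedelta(minutes=10)


def parse_time(stamp):
    """Parse the ISO-8601 UTC timestamp used in the sample records."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def find_device_code_anomalies(signins, trusted=TRUSTED_COUNTRIES,
                               burst_count=BURST_COUNT, window=BURST_WINDOW):
    """Return one finding per suspicious device-code sign-in pattern."""
    findings = []
    by_user = defaultdict(list)
    for rec in signins:
        if rec["protocol"] != "deviceCode":
            continue  # other OAuth flows are out of scope for this check
        if rec["country"] not in trusted:
            findings.append({"rule": "untrusted_location", "user": rec["user"],
                             "time": rec["time"], "country": rec["country"], "ip": rec["ip"]})
        by_user[rec["user"]].append(parse_time(rec["time"]))
    for user, times in by_user.items():
        times.sort()
        # Sliding window: flag the user once if burst_count sign-ins fit in the window.
        for i in range(len(times) - burst_count + 1):
            if times[i + burst_count - 1] - times[i] <= window:
                findings.append({"rule": "burst", "user": user, "count": burst_count,
                                 "start": times[i].isoformat()})
                break
    return findings


if __name__ == "__main__":
    for finding in find_device_code_anomalies(SAMPLE_SIGNINS):
        print(finding)
```

On the sample data this flags alice's three sign-ins within about five minutes as a burst and bob's single sign-in from outside the trusted set; a real deployment would feed it the tenant's exported sign-in log and a per-user location baseline instead of one static country set.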
User education must now go beyond the mantra of “don’t click suspicious links.” Employees need to understand that entering a code from an unsolicited message into microsoft.com/devicelogin can be just as dangerous as handing over their password. Organizations should drill a simple rule: never enter a device code unless you personally initiated the authentication, and never at the request of an email, chat message, or phone call. The FBI’s alert includes specific indicators to share with end users, such as unexpected MFA prompts immediately after entering a code, or being asked to approve a sign-in from an unrecognized device during the flow.
Windows users can also leverage platform-specific defenses. Newer Windows 11 security features, including phishing-resistant credentials like Windows Hello and FIDO2 security keys, can reduce the risk of token theft because they rely on cryptographic binding rather than replayable tokens. Microsoft Defender for Office 365 offers advanced threat protection for suspicious links and attachments, but because device-code phishing often bypasses email scanning (the malicious link is a legitimate Microsoft URL), organizations should integrate Defender for Cloud Apps to detect anomalous OAuth consent grants. Conditional Access policies remain the most powerful lever: by requiring device compliance, trusted locations, or strong authentication methods for all sign-ins, most device-code attacks can be blocked before they start.
For its part, Microsoft has acknowledged the growing abuse of the device-code flow and is exploring additional safeguards. At the 2025 Microsoft Ignite conference, the company previewed a feature that would tie device-code authentication more tightly to device identity, making tokens harder to replay from an attacker’s infrastructure. In the near term, however, the responsibility falls on administrators to harden their environments. The FBI advisory notes that while Microsoft’s security roadmap includes improvements, the current attack surface will persist until tenants actively reconfigure their defaults. The window for action is now.
The Kali365 alert is a stark reminder that the authentication landscape has shifted. Passwords, once the prime target, are giving way to token-based attacks that are harder to detect and remediate. For Windows administrators, the message is clear: assume that any user might be targeted, and build defenses that assume compromise. Treat device-code sign-ins with the same scrutiny as suspicious logins, and reduce the blast radius of a stolen token by limiting the permissions of OAuth applications. The FBI’s warning is not just about a single phishing kit; it’s about a fundamental weakness in how we authenticate on shared devices, and it demands a fundamental response.