The FBI on May 21, 2026, warned that a phishing-as-a-service platform dubbed Kali365 is being used to compromise Microsoft 365 business accounts by abusing the OAuth device code authentication flow. Distributed primarily through Telegram channels, Kali365 lowers the barrier for cybercriminals to run sophisticated token-theft campaigns that sidestep multi-factor authentication (MFA) and give attackers persistent access to corporate data. The alert, issued via the Internet Crime Complaint Center (IC3), marks one of the sharpest escalations in device code phishing threats seen by federal authorities, as the technique exploits a fundamental trust mechanism in Microsoft’s identity platform.

Unlike traditional phishing that harvests passwords, device code phishing tricks users into completing a legitimate login themselves—then hands the resulting access token directly to the attacker. Because the victim authenticates with their real credentials and satisfies any MFA challenge, the session appears completely normal to Microsoft’s security systems. From that point, the attacker wields the token to read emails, access SharePoint files, send Teams messages, and even register new applications for long-term persistence. The FBI alert underscores how this breed of attack has moved from theoretical research to commoditized crimeware.

How Device Code Phishing Works

OAuth device code flow was designed for devices that lack a browser or have limited input capabilities: smart TVs, IoT appliances, command-line tools, and older office printers. The flow presents a user with a short alphanumeric code and a URL (such as https://microsoft.com/devicelogin). The user opens a browser on a separate device, signs into their Microsoft account, and enters the code. Once completed, the original device receives an access token—and often a refresh token—without ever seeing the user’s credentials.

Attackers hijack this mechanism by initiating a genuine device code request through the Entra ID authorization endpoint. They then relay the code and login URL to their target via a phishing email, SMS, or a fake IT support message. The victim, believing they are performing a routine activation, logs in and authorizes the request. Because the login happens on Microsoft’s own domain and passes any MFA checks, the user rarely suspects foul play. The attacker’s script captures the token and immediately uses it to access the victim’s Microsoft 365 resources with the same privileges as the victim.

The power of the stolen token is profound: it bypasses both password and MFA requirements, can survive password changes, and—if a refresh token is included—grants indefinite access until the token is explicitly revoked. Security researchers have demonstrated that token replay attacks can be automated in seconds, allowing threat actors to exfiltrate vast amounts of corporate data or stage further attacks from within the compromised identity.

Kali365: PhaaS for the Masses

Kali365 represents the industrialization of device code phishing. According to the FBI, the platform is sold as a subscription service on private Telegram groups, with pricing tiers that put it within reach of low-sophistication criminals. The service includes pre-built phishing templates, automated token capture relays, and step-by-step tutorials—including scripts that generate realistic-looking IT support emails. Buyers need only supply a list of target email addresses and a Telegram chatbot API key to launch a campaign.

Once a victim falls for the scam, the Kali365 control panel displays active tokens, associated user identities, and the scope of access granted. The attacker can then browse the victim’s mail, download OneDrive documents, or pivot to other services. Critically, the platform also supports staging of secondary phishing attacks: using the compromised account to send the same device code lure to the victim’s contacts, amplifying the breach across an organization.

The FBI’s alert (PSA I-052126-PSA) warns that Kali365 campaigns have targeted enterprises, government contractors, and educational institutions. The service’s Telegram-based distribution makes takedowns difficult and allows rapid version updates to evade detection. By leveraging Microsoft’s own authentication infrastructure, the phishing pages never raise security warnings in the browser, and the entire transaction appears in Entra ID sign-in logs as a legitimate login from the victim’s IP address and device.

Why Microsoft 365 Is a Prime Target

Microsoft 365’s dominance in the enterprise makes its OAuth ecosystem a magnet for token theft. A single compromised token can unlock Exchange Online, SharePoint, Teams, Power Platform, and any third-party application to which the user has consented. Attackers can also use the token to register new Entra ID applications with the same permissions, creating hard-to-detect backdoors that survive even after the original password is changed.

Device code phishing is especially effective against organizations that have not restricted the device code flow. By default, Entra ID allows device code authentication for all users unless explicitly blocked by Conditional Access or authentication method policies. Many security teams focus on password and MFA strength but overlook the device code grant, leaving a wide-open door for token theft. The FBI notification notes that most victims had fully enabled MFA—the stolen tokens simply bypassed it.

Moreover, the attack is inherently multi-tenant. Because the authentication happens on Microsoft’s common endpoint (login.microsoftonline.com), the phishing kit works against any Entra ID tenant, regardless of custom branding or third-party identity providers. Attackers do not need to set up look-alike domains or fake login pages; they direct victims to the real Microsoft site, making the scam far harder to spot.

FBI Indicators and Recommendations

The IC3 alert lists several indicators of compromise (IOCs) specific to Kali365 activity:

  • Sign-in logs showing device code authentication (grant type = device_code) from locations or devices atypical for the user.
  • User-agent strings commonly associated with command-line tools (python-requests, curl, Azure-CLI, PowerShell) in otherwise routine Office sessions.
  • Anomalous application registrations made shortly after a device code sign-in, often named with generic terms like “TestApp” or “OutlookPlugin.”
  • Email forwarding rules or mailbox delegation changes set through Exchange Online PowerShell within minutes of the phishing event.

The FBI recommends that organizations immediately review Entra ID sign-in records for device code events and disable any unfamiliar registered applications. It also urges administrators to check for inbox rules that forward mail externally and to revoke refresh tokens for any user who exhibits such indicators.

On the preventive side, the advisory echoes long-standing Microsoft guidance: block the device code flow for all accounts that do not legitimately need it. This can be achieved through a Conditional Access policy that targets the authentication grant and limits it to specific trusted locations or device groups.

Defending with Entra ID Conditional Access

The most effective mitigation is a Conditional Access policy that blocks the device code authentication grant entirely—or limits it to a tightly controlled set of service accounts. The policy targets the “Require grant controls” condition in Entra ID and selects the “Block” grant control for the device code grant type. Organizations that must retain the flow for legacy line-of-business applications can scope the policy to “All users” except a dedicated exception group.

Microsoft’s documentation provides a step-by-step template:

  1. In the Entra admin center, create a new Conditional Access policy.
  2. Under Assignments > Users, select All users.
  3. Under Cloud apps or actions, choose All cloud apps.
  4. Under Conditions > Authentication flows, set Device code flow to Yes.
  5. Under Grant, select Block access.
  6. Enable the policy in report-only mode initially, then toggle to On after verifying no legitimate usage is interrupted.

This policy stops the attack cold: even if a user is tricked into entering a device code, the token is never issued because the authentication grant is denied. For organizations that cannot block outright, a weaker but still valuable control is to require a compliant device or a specific network location for device code logins.
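The six steps above, expressed as the request body an administrator would send to Microsoft Graph (POST /identity/conditionalAccess/policies), together with a small checker that reports why a candidate policy would still let a device code token be issued. This is an added example, not code from the FBI alert or from Microsoft's documentation; the field shapes follow the Graph conditionalAccessPolicy resource as this example understands it (users, applications, authenticationFlows.transferMethods, grantControls) and should be confirmed against current Graph documentation, and the exception group id is a placeholder:

```python
"""Build and sanity-check a Conditional Access policy that blocks the device
code flow. Added example; the JSON shape is modeled on the Microsoft Graph
conditionalAccessPolicy resource and is an assumption of this example."""
import json

# Placeholder object id for the group of service accounts that must keep the
# device code flow (constructed value, not a real group).
EXCEPTION_GROUP_ID = "00000000-0000-0000-0000-000000000000"


def build_block_device_code_policy(exception_group_id=None, enforce=False):
    """Return the policy body for steps 1-6 of the article's template.

    enforce=False yields report-only mode (step 6, first half); flip it to
    True only after the sign-in logs show no legitimate device code usage.
    """
    users = {"includeUsers": ["All"]}                       # step 2
    if exception_group_id:                                  # optional carve-out
        users["excludeGroups"] = [exception_group_id]
    return {
        "displayName": "Block device code flow",
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "users": users,
            "applications": {"includeApplications": ["All"]},   # step 3
            # step 4: the device code flow is the authentication-flow condition
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        # step 5: deny the grant, so no access or refresh token is issued
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def policy_gaps(policy):
    """List the reasons a policy would NOT stop a device code token from
    being issued; an empty list means the policy matches the template."""
    gaps = []
    cond = policy.get("conditions", {})
    if policy.get("state") != "enabled":
        gaps.append("policy not enforced (report-only or disabled)")
    if cond.get("users", {}).get("includeUsers") != ["All"]:
        gaps.append("not scoped to all users")
    if cond.get("applications", {}).get("includeApplications") != ["All"]:
        gaps.append("not scoped to all cloud apps")
    methods = cond.get("authenticationFlows", {}).get("transferMethods", "")
    if "deviceCodeFlow" not in [m.strip() for m in methods.split(",")]:
        gaps.append("device code flow condition missing")
    if "block" not in policy.get("grantControls", {}).get("builtInControls", []):
        gaps.append("grant control is not Block")
    return gaps


# The weaker control the text mentions: require a compliant device instead of
# blocking. It narrows the attack but does not deny the grant outright.
def build_compliant_device_policy():
    policy = build_block_device_code_policy(enforce=True)
    policy["displayName"] = "Require compliant device for device code flow"
    policy["grantControls"] = {"operator": "OR", "builtInControls": ["compliantDevice"]}
    return policy


if __name__ == "__main__":
    for p in (build_block_device_code_policy(),
              build_block_device_code_policy(EXCEPTION_GROUP_ID, enforce=True),
              build_compliant_device_policy()):
        print(p["displayName"], "->", policy_gaps(p) or "OK")
    print(json.dumps(build_block_device_code_policy(EXCEPTION_GROUP_ID, True), indent=2))
```

The checker is meant to be run against exported policies as well as new ones: a policy that exists but sits in report-only mode, or that targets a pilot group instead of All users, is the common reason a tenant believes it has blocked the flow when it has not.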

Beyond Conditional Access, threat hunters should monitor the DeviceCodeAuth sign-in event in Entra ID logs. Creating an alert that triggers when a user completes a device code login followed by an application registration within a short time window can detect Kali365-style activity early. Microsoft Sentinel and Defender for Cloud Apps provide out-of-the-box detection rules that flag anomalous OAuth token usage, including suspicious inbox rule creation or mass file downloads.
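The hunt described here and the IOC list in the FBI section above, worked through as detection logic over a handful of constructed sign-in and audit records. This is an added example, not code from the FBI alert, Microsoft, or a Sentinel rule; the record field names (authenticationProtocol, userAgent, country, activity) are a simplified assumption loosely modeled on Entra ID sign-in and audit log exports, the per-user country baseline is constructed, and the 30-minute correlation window is an arbitrary choice:

```python
"""Flag device code sign-ins that carry the indicators from the alert and
correlate them with follow-on app registrations or inbox rules.
Added example with constructed data; field names are an assumption."""
from datetime import datetime, timedelta
import json

# Constructed sign-in records (not real log output). alice: device code sign-in
# from a CLI user agent; bob: ordinary browser sign-in; carol: device code
# sign-in from a country she never uses.
SIGNIN_LOG = [
    {"time": "2026-05-20T09:02:11Z", "user": "alice@example.com", "ip": "203.0.113.10",
     "country": "US", "authenticationProtocol": "deviceCode",
     "userAgent": "python-requests/2.31", "appDisplayName": "Microsoft Office"},
    {"time": "2026-05-20T09:05:40Z", "user": "bob@example.com", "ip": "198.51.100.7",
     "country": "US", "authenticationProtocol": "none",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/124", "appDisplayName": "Microsoft Office"},
    {"time": "2026-05-20T10:15:02Z", "user": "carol@example.com", "ip": "192.0.2.55",
     "country": "DE", "authenticationProtocol": "deviceCode",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/124", "appDisplayName": "Microsoft Office"},
]

# Constructed audit records: alice registers an app and adds a forwarding rule
# minutes after her sign-in; carol's app registration is hours later.
AUDIT_LOG = [
    {"time": "2026-05-20T09:09:30Z", "user": "alice@example.com",
     "activity": "Add application", "target": "OutlookPlugin"},
    {"time": "2026-05-20T09:11:02Z", "user": "alice@example.com",
     "activity": "New-InboxRule", "target": "ForwardTo: external@example.net"},
    {"time": "2026-05-20T16:40:00Z", "user": "carol@example.com",
     "activity": "Add application", "target": "HR-Portal"},
]

# Constructed baseline of countries each user normally signs in from.
USER_BASELINE_COUNTRIES = {"alice@example.com": {"US"}, "carol@example.com": {"US"}}

# User-agent fragments from the IOC list (matched case-insensitively).
CLI_UA_MARKERS = ("python-requests", "curl", "azure-cli", "powershell")
FOLLOW_UP_ACTIVITIES = ("Add application", "New-InboxRule")
FOLLOW_UP_WINDOW = timedelta(minutes=30)


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_device_code_signins(signins):
    """IOC 1: every sign-in completed through the device code grant."""
    return [r for r in signins if r["authenticationProtocol"].lower() == "devicecode"]


def score_signin(rec, baseline):
    """IOC 1 and 2: atypical location for the user, or a CLI user agent."""
    reasons = []
    if rec["country"] not in baseline.get(rec["user"], set()):
        reasons.append(f"atypical country {rec['country']}")
    ua = rec["userAgent"].lower()
    if any(marker in ua for marker in CLI_UA_MARKERS):
        reasons.append(f"CLI user agent {rec['userAgent']}")
    return reasons


def correlate_follow_ups(rec, audit, window):
    """IOC 3 and 4: app registration or inbox rule by the same user within the window."""
    start = parse_time(rec["time"])
    return [a for a in audit
            if a["user"] == rec["user"]
            and start <= parse_time(a["time"]) <= start + window
            and a["activity"] in FOLLOW_UP_ACTIVITIES]


def hunt(signins, audit, baseline, window=FOLLOW_UP_WINDOW):
    """Return one finding per suspicious device code sign-in, in log order."""
    findings = []
    for rec in find_device_code_signins(signins):
        reasons = score_signin(rec, baseline)
        follow_ups = correlate_follow_ups(rec, audit, window)
        if reasons or follow_ups:
            findings.append({
                "user": rec["user"], "time": rec["time"], "ip": rec["ip"],
                "reasons": reasons,
                "follow_ups": [a["activity"] for a in follow_ups],
                # A follow-on persistence action is the strongest signal
                "severity": "high" if follow_ups else "medium",
            })
    return findings


if __name__ == "__main__":
    print(json.dumps(hunt(SIGNIN_LOG, AUDIT_LOG, USER_BASELINE_COUNTRIES), indent=2))
```

Run against the constructed data, alice is rated high (CLI user agent plus an app registration and a forwarding rule nine minutes after the sign-in) and carol medium (device code sign-in from an unusual country with no persistence action inside the window); bob never enters the hunt because his sign-in did not use the device code grant. Users rated high are the ones for whom the FBI's revoke-refresh-tokens step applies first.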

Beyond the Alert: What Organizations Must Do

While the FBI warning spotlights Kali365, the underlying vulnerability is architectural. Any OAuth 2.0 authorization server that supports the device code flow—not just Microsoft—faces the same risk. Security leaders should treat device code phishing as a board-level risk and incorporate it into their incident response playbooks. The following steps go beyond the immediate technical controls:

  • User education: Phishing simulations should include device code lures. Train employees that no legitimate IT department will ever ask them to go to a device login page and enter a code from an email. The microsoft.com/devicelogin page itself displays a warning that codes should only be entered if the device they are using prompted them—not because someone sent the code.
  • Application governance: Enforce strict application consent policies. Block user consent for unverified publishers and require admin approval for all new app registrations. This prevents attackers from implanting persistent backdoors.
  • Token hygiene: Implement a routine process to revoke all refresh tokens for users after a suspected compromise. Entra ID’s “Revoke sessions” button in the user profile forces re-authentication and invalidates stolen tokens.
  • Hunt for existing breaches: Search historical sign-in logs for device code patterns. Kali365 has been active since at least early 2026, and earlier undetected compromises may have already occurred.

Microsoft has acknowledged the device code phishing vector in its own security guidance and continues to invest in machine learning models that detect anomalous token usage. However, the company notes that the best defense remains administrative policy, because the authentication itself is genuine and cannot be intercepted by traditional anti-phishing scanners.

A New Era of Token-Based Attacks

The emergence of Kali365 underscores a paradigm shift in phishing. Instead of stealing credentials, attackers now steal authenticated sessions. This evolution erodes the protective value of MFA and forces defenders to think in terms of token lifespan and conditional access rather than just password complexity. The FBI’s decision to issue a public service announcement indicates the scale of the threat and the need for collective action.

As long as OAuth device code flow remains enabled by default in Entra ID, millions of tenants are exposed. The message from the FBI is unambiguous: review your sign-in logs today, block the device code grant unless it is essential, and treat any request to enter a code at microsoft.com/devicelogin with extreme suspicion. In the hands of Kali365 subscribers, a six-character code can be the key that unlocks your entire Microsoft 365 estate.