The FBI's Internet Crime Complaint Center (IC3) issued an alert on May 21, 2026, warning that a phishing-as-a-service (PhaaS) platform named Kali365 is actively targeting Microsoft 365 users. The attack abuses OAuth device-code authentication—a legitimate workflow—to trick victims into granting attackers persistent access to their cloud accounts. Kali365 lowers the barrier for cybercriminals, offering turnkey phishing kits that bypass multi-factor authentication (MFA) without stealing passwords.

This isn't a theoretical threat. The IC3 alert signals a surge in device-code phishing incidents reported to the bureau, many tied directly to Kali365 infrastructure. Microsoft 365 administrators and everyday users on Windows devices are squarely in the crosshairs.

How Device-Code Phishing Hijacks Microsoft 365 Logins

OAuth device-code flow was designed for smart TVs, printers, and IoT gadgets that lack a full browser. A user sees a short alphanumeric code on the device screen, navigates to a Microsoft login page on a separate device, enters the code, and completes authentication. The device then receives an access token—without ever seeing the user's password.

Attackers exploit this by initiating a device-code request themselves on a rogue application. They display the code to the victim, often via a convincing email or fake login prompt, urging the user to visit the legitimate Microsoft device login page and enter the code. Once the user authenticates, the attacker's session receives a token that can read emails, access OneDrive files, send messages, and even pivot to other services—all while appearing as a trusted, MFA-verified device.

Because the login happens on Microsoft's real website and MFA is satisfied, traditional phishing defenses rarely trigger. The victim sees no suspicious URL or credential form. The token response usually includes a refresh token as well, letting the attacker maintain access indefinitely unless the tokens are revoked.

Inside Kali365: Phishing-as-a-Service for Microsoft 365

Kali365 exemplifies a maturing criminal economy. The platform abstracts the technical complexity of device-code attacks into a user-friendly dashboard. Subscribers simply configure a campaign, generate a device code, and distribute the phishing lure. The service handles token capture, proxy infrastructure, and even provides post-exploitation tools to exfiltrate data or move laterally within an organization.

Pricing likely follows familiar PhaaS models: monthly subscriptions with tiered features. Less technically skilled actors can now execute high-impact account takeovers that once required deep red-team expertise. The FBI's alert does not detail the platform's origin or specific operators, but the timing coincides with a broader shift toward token-based attacks against cloud platforms.

Microsoft has not publicly commented on Kali365 specifically, but its security teams have long warned about consent phishing and illicit OAuth applications. The device-code vector is a natural evolution, capitalizing on a well-documented weakness: the gap between what users see and what that authentication action truly authorizes.

FBI Alert Details and Immediate Actions

The IC3 alert (issued May 21, 2026) specifically highlights the following indicators and recommendations:

  • Any unsolicited request to visit https://microsoft.com/devicelogin and enter a code should be treated as highly suspicious.
  • Legitimate device-code flows are almost always initiated by a device you physically control (e.g., a new smart TV during setup). You should never receive a code via email, SMS, or chat.
  • Organizations should audit Microsoft 365 sign-in logs for unusual device-code authentications—particularly from unfamiliar IPs or locations, or from generically named applications.
  • The FBI urges victims to report incidents to IC3 immediately and to preserve logs for forensic analysis.

The alert also notes that Kali365-related compromises have affected small businesses, enterprises, and government contractors. Attackers often establish persistence by registering their own OAuth applications or adding rogue devices to the user's account, surviving even password changes.

Why Traditional Defenses Fail Against Device-Code Attacks

Even robust MFA enforcement can be bypassed when a user is tricked into completing the legitimate Microsoft login. Security solutions that inspect URLs or email headers miss the attack entirely because the phishing occurs through a genuine Microsoft domain.

Conditional access policies that restrict logins to managed devices or trusted locations offer some protection, but many organizations still allow unmanaged device access for productivity. User education is critical: employees must understand that a device code is a key to their account and should never be shared or entered on behalf of another person.

Microsoft's own guidance recommends the following:

  • Disable device-code flow entirely via Azure AD conditional access if not needed (it's on by default for all tenants).
  • Monitor the Device code flow authentication method in sign-in logs for anomalies.
  • Use the X-MS-TOKEN-STATE header to detect token replay, though device-code attacks don't always involve replay.
  • Enforce phishing-resistant MFA like FIDO2 security keys, which can't be phished via this technique.

Practical Defenses for Microsoft 365 Administrators

Security teams should treat the Kali365 alert as an urgent call to action. Here are concrete steps:

  1. Audit current device-code usage: In the Azure portal, navigate to Azure Active Directory > Sign-in logs. Filter by Authentication requirement = Device code flow. Review for anomalies—short sessions, foreign IPs, or sign-ins followed immediately by app registration.
  2. Block device-code flow where possible: Create a conditional access policy targeting all users and all cloud apps that grants access only when the device is hybrid Azure AD joined or marked compliant. Exclude emergency access accounts. This eliminates the vector entirely for managed devices.
  3. Enable risk-based policies: Azure AD Identity Protection can detect unusual sign-in behavior post-authentication. Set policies to force password reset or block access when risk level is high.
  4. Restrict user consent: OAuth attacks often follow device-code compromises. Configure consent settings to disallow user consent for apps from unverified publishers, requiring admin approval for any application permission.
  5. Educate users: Roll out a brief training module explaining what device codes look like, when they appear legitimately, and the rule: "If someone asks you to go to a website and enter a code, stop."
  6. Monitor for rogue OAuth apps: Regularly review Enterprise applications in Azure AD for unusual apps. Attackers often register apps with names like "Microsoft Office" or "SharePoint Online" to blend in.
  7. Revoke tokens aggressively: After a suspected compromise, use the Revoke-AzureADUserAllRefreshToken PowerShell cmdlet to invalidate all sessions, then force re-authentication.
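To make steps 1 and 6 concrete, here is an added example (not from the FBI alert or Microsoft) that runs the audit logic over constructed sign-in and directory-audit records: it flags device-code sign-ins from off-allowlist IPs or unexpected countries and correlates them with a persistence event (app or service principal registration, consent, device add) in the following minutes. The record field names, the allowlist and the activity names are assumptions modeled loosely on the Entra ID exports; map them to your tenant's actual export columns.

```python
"""Device-code sign-in triage over constructed log records (added example)."""
from datetime import datetime, timedelta

# Constructed sample: sign-in log export (subset of fields, names assumed).
SIGNINS = [
    {"time": "2026-05-21T09:00:00Z", "user": "alice@example.com",
     "ip": "203.0.113.10", "country": "US", "app": "Microsoft Office",
     "protocol": "deviceCode"},
    {"time": "2026-05-21T09:05:00Z", "user": "bob@example.com",
     "ip": "198.51.100.7", "country": "US", "app": "Outlook",
     "protocol": "oAuth2"},
    {"time": "2026-05-21T11:30:00Z", "user": "carol@example.com",
     "ip": "192.0.2.44", "country": "NL", "app": "Microsoft Office",
     "protocol": "deviceCode"},
]
# Constructed sample: directory audit export (activity names assumed).
AUDITS = [
    {"time": "2026-05-21T09:03:00Z", "user": "alice@example.com",
     "activity": "Add service principal", "target": "SharePoint Online"},
    {"time": "2026-05-21T14:00:00Z", "user": "carol@example.com",
     "activity": "Update user", "target": "carol@example.com"},
]
KNOWN_IPS = {"198.51.100.7"}   # constructed corporate egress allowlist
HOME_COUNTRIES = {"US"}        # countries the workforce normally signs in from
PERSISTENCE_ACTIVITIES = {"Add service principal", "Add application",
                          "Consent to application", "Add device"}

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def find_suspicious_device_code(signins, audits, known_ips, home_countries,
                                window_minutes=30):
    """Return (user, time, reasons) for each device-code sign-in that is
    off-allowlist, from an unexpected country, or followed within the
    window by a persistence-style directory change for the same user."""
    findings = []
    for s in signins:
        if s["protocol"] != "deviceCode":
            continue                      # only the device-code vector
        reasons = []
        if s["ip"] not in known_ips:
            reasons.append("unfamiliar IP")
        if s["country"] not in home_countries:
            reasons.append("unexpected country")
        t0 = _ts(s["time"])
        for a in audits:                  # correlate with later audit events
            if (a["user"] == s["user"] and a["activity"] in PERSISTENCE_ACTIVITIES
                    and t0 <= _ts(a["time"]) <= t0 + timedelta(minutes=window_minutes)):
                reasons.append(f"followed by '{a['activity']}'")
        if reasons:
            findings.append((s["user"], s["time"], reasons))
    return findings
```

Any hit is a candidate for the token revocation in step 7 and for a review of the user's registered applications and devices.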

The Bigger Picture: PhaaS and the Token Economy

Kali365 is part of a broader trend where stolen session tokens fetch higher prices than raw credentials on dark markets. A token that passes MFA and grants access to Microsoft 365 can be resold multiple times before expiration. This commoditization fuels demand for tools that harvest tokens directly, bypassing credential-based detection.

For Windows users, the risk extends beyond email: a compromised Microsoft 365 account often grants access to the Windows device itself via OneDrive sync, Edge browser profiles, and even the Microsoft Store. An attacker with token access can deploy malicious configurations, exfiltrate local files, or pivot to on-premises networks through hybrid identity setups.

The FBI's public attribution to Kali365 suggests law enforcement is tracking the platform's infrastructure. Previous joint operations have dismantled PhaaS services like BulletProofLink, but the kit-based model allows new incarnations to emerge rapidly. Defenders must stay ahead by hardening configurations, not just relying on detection.

What Microsoft 365 Users Should Do Right Now

Non-administrators have fewer options but can still protect themselves:

  • Never enter a device code unless you are actively setting up a device you own. If a colleague, support person, or email asks you to do so, report it to IT immediately.
  • Check your account's sign-in activity regularly at account.microsoft.com/security. Look for unfamiliar devices or locations.
  • Remove unauthorized apps from https://myapps.microsoft.com and https://account.microsoft.com/privacy/app-access.
  • Use Microsoft Authenticator with number matching and additional context, which provides more resilience against MFA fatigue and some phishing variants.

Microsoft is expected to release additional guidance or enforcement options for tenants in the coming weeks. In the meantime, the FBI's early warning gives defenders a head start.

Device-code phishing exploits no software vulnerability; it abuses a legitimate feature. Until Microsoft introduces tighter controls—such as restricting device-code flow to verified domains or requiring additional user confirmation—the onus remains on organizations to lock down this lesser-known pathway. Kali365's existence proves that attackers are already miles ahead of most tenants' awareness.