The FBI issued an urgent private industry notification on May 21, 2026, warning that a phishing-as-a-service platform named Kali365 is actively targeting Microsoft 365 users by hijacking OAuth tokens through device code authentication abuse—all without ever stealing a password. First observed in the wild in April 2026, Kali365 equips even low-skilled attackers with turnkey kits that bypass multi-factor authentication (MFA) and grant persistent access to corporate email, files, and services.

Unlike traditional credential phishing that relies on fake login pages to harvest usernames and passwords, Kali365 exploits a legitimate Microsoft authentication mechanism designed for input-constrained devices. The result is a stealthier, more resilient attack that leaves organizations blind to intrusions that don't trigger typical failed-login alerts. Law enforcement officials and cybersecurity researchers are urging administrators to re-evaluate their identity security postures immediately.

How Device Code Authentication Works—and Why It's Attractive to Attackers

The OAuth 2.0 device authorization grant, standardized in RFC 8628, enables devices without a browser or rich input capability—think smart TVs, printers, IoT hardware—to sign into user accounts. Instead of typing credentials on the device itself, the user visits a verification URL on a separate computer or phone, enters a short alphanumeric code displayed by the device, and approves the sign-in. Microsoft Entra ID (formerly Azure AD) supports this flow for Microsoft 365, allowing apps to request access tokens after user consent.

From an attacker's perspective, device code phishing is a goldmine. The sign-in process occurs on a legitimate Microsoft-owned domain (login.microsoftonline.com), making it virtually impossible for users to spot a malicious URL. The attacker simply initiates a device code request from their own infrastructure, obtains a real code and verification link, then delivers that code to the victim through social engineering—often via email, chat, or a deceptive website claiming to be an IT support tool. When the unsuspecting user enters the code and grants permission, the attacker's device immediately receives an OAuth access and refresh token, tying the victim's identity to the attacker's session.

"The whole transaction happens on legitimate Microsoft infrastructure," the FBI alert notes. "The user never sees a spoofed login page; they see the genuine Microsoft consent screen. This makes user training far less effective."

Inside the Kali365 Platform

Kali365 operates as a full-service phishing outfit, offering subscribers a web-based dashboard to generate device code lures, manage harvested tokens, and orchestrate follow-on attacks. For a monthly fee—reportedly between $200 and $500 depending on feature tiers—customers gain access to:

  • Automated device code generation against targeted Microsoft 365 tenants.
  • Customizable phishing templates mimicking IT support notifications, printer installation prompts, or collaboration tool invitations.
  • Token management interfaces that automatically refresh expired access tokens using captured refresh tokens, ensuring long-term persistence.
  • Integrated data extraction modules that list emails, search SharePoint/OneDrive files, and download contact lists directly through Microsoft Graph API calls.
  • Obfuscation techniques that randomize user agent strings and IP addresses to evade anomaly detection.

The platform's own marketing, observed on dark web forums, boasts that victims need only type a short code and click "Accept," with no password required. Some variants even embed the device code into QR codes, lowering the user friction further.

Real-World Attack Flow

A typical Kali365 campaign unfolds in precise stages:
1. The attacker configures Kali365 to initiate a device code request to Microsoft's https://login.microsoftonline.com/common/oauth2/devicecode endpoint, specifying the desired scopes (e.g., Mail.Read, Files.ReadWrite.All, offline_access).
2. The response includes a user_code (e.g., "K9X2M8"), a verification_uri (https://microsoft.com/devicelogin), and an expiration interval (usually 15 minutes).
3. The attacker immediately sends the victim a convincing lure—say, an email pretending to be from IT with the subject "New Printer Setup: Enter This Code to Connect"—containing the user_code and a direct link to the verification page.
4. The victim, believing the request is legitimate, opens the link, enters the code, and sees a standard Microsoft consent screen requesting the permissions the attacker originally set.
5. Upon consent, Microsoft issues an access token and a refresh token to the attacker's device. The attacker's Kali365 dashboard now displays a fully authenticated session, often listed with the victim's user principal name and the granted scopes.
6. Because the attacker holds a refresh token, they can obtain new access tokens indefinitely without further user interaction, as long as the token isn't revoked and the session remains active.

Crucially, the entire attack leaves minimal forensic trace in Azure AD sign-in logs: the sign-in appears as a regular device code flow from the victim's IP address (if the victim uses their own browser) and with the victim's device/browser metadata. Only the initial device code request, which originates from the attacker's infrastructure, might appear anomalous—but many organizations don't monitor for unsolicited device code polling.

Why Traditional Defenses Fail

Kali365 neutralizes several layers of conventional security:
- No password harvesting: Since the attacker never collects a password, password-based threat detection (e.g., impossible travel alerts after a credential compromise) doesn't fire.
- MFA bypass: The user completes any required multi-factor authentication on the legitimate Microsoft site, so the authenticated token is fully MFA-validated. The attacker reuses that already-MFA'd token.
- Legitimate first-party URLs: Phishing awareness that teaches users to check URLs is useless because the verification page is served from microsoft.com.
- Conditional Access blind spots: Many organizations configure Conditional Access to require MFA or compliant devices for browser logins but neglect to apply the same rigor to device code flows, which are often used for service accounts or IoT scenarios.
- Token lifetime persistence: Default Microsoft refresh token lifetimes for managed devices can be up to 90 days, and for applications using the device code flow, refresh tokens remain valid indefinitely unless explicitly revoked or the user changes their password—which they won't, because no password was compromised.

"This is a session hijack via legitimate channels," says a senior threat analyst at a major incident response firm, speaking on condition of anonymity. "Once they have that token, they're effectively an authorized app with user consent. They can read mail, download SharePoint libraries, and send messages—all through Graph API calls that blend in with normal application traffic."

FBI Recommendations and Immediate Actions

The FBI alert provides concrete steps for organizations to detect and disrupt device code phishing:

  • Disable device code flow if not in use: Microsoft 365 tenants can block the device code grant entirely via authentication methods policies in Entra ID. For most enterprises that don't deploy IoT devices or headless systems, this completely neutralizes the attack vector.
  • Restrict device code flow to specific users or groups: If disabling isn't feasible, use Conditional Access to allow device code sign-ins only for a designated group of service accounts, and block it for all human users.
  • Monitor Sign-in Logs for anomalous device code activity: Look for events where the application ID corresponds to "Microsoft Office" or similar and the grant type is "device_code". Flag any device code polling that occurs without a prior legitimate request from a known device.
  • Educate users about the specific tactic: Train employees to treat unsolicited requests to enter a code at microsoft.com/devicelogin with extreme suspicion, especially when the request originates from an unexpected email, chat message, or phone call.
  • Reduce refresh token lifetimes: Consider setting short-lived refresh token policies for untrusted locations or devices, and implement sign-in frequency controls via Conditional Access to force periodic re-authentication.
  • Enable Continuous Access Evaluation (CAE): CAE allows near real-time enforcement of user risk state changes, so if an attacker's token is detected as anomalous, access can be blocked immediately without waiting for token expiry.
  • Block legacy authentication and limit permissions: Require modern authentication for all clients, and restrict the ability for users to consent to high-privilege permissions on their own—administrator approval workflows for the most sensitive Graph scopes can limit damage.
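As an added example that is not part of the FBI advisory or any Microsoft-published script: a Graph request body implementing the "restrict device code flow to a service-account group" recommendation, plus a check over an exported policy list for the Conditional Access blind spot described earlier (MFA required for browser sign-ins, nothing applied to device code sign-ins). The group id is a placeholder, and the audit assumes the authenticationFlows condition of the Conditional Access policy schema is present in the export.

```python
"""Build a Conditional Access policy that blocks the device code flow for all
users except a service-account group, and audit exported policies for the gap
where browser sign-ins are MFA-gated but device code sign-ins are untouched."""

# Assumed placeholder; substitute the object id of the real service-account group.
SERVICE_ACCOUNT_GROUP_ID = "00000000-0000-0000-0000-000000000000"


def block_device_code_policy(service_account_group_id, enforce=False):
    """Request body for POST /identity/conditionalAccess/policies. The
    authenticationFlows condition with transferMethods 'deviceCodeFlow' scopes
    the policy to RFC 8628 sign-ins; everything else is left to other policies."""
    return {
        "displayName": "Block device code flow for human users",
        # Start in report-only mode to see what would be blocked before enforcing.
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"],
                      "excludeGroups": [service_account_group_id]},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def device_code_flow_blocked(policies):
    """True if some enforced policy blocks device code sign-ins for all users.
    Report-only policies and MFA-only grants do not count: the victim of a
    device code lure completes MFA on Microsoft's own page, so MFA alone does
    not stop the token from being issued to the attacker's client."""
    for p in policies:
        if p.get("state") != "enabled":
            continue
        cond = p.get("conditions") or {}
        methods = (cond.get("authenticationFlows") or {}).get("transferMethods") or ""
        if "deviceCodeFlow" not in methods:
            continue
        if "All" not in (cond.get("users") or {}).get("includeUsers", []):
            continue
        if "block" in (p.get("grantControls") or {}).get("builtInControls", []):
            return True
    return False


# Constructed export of a tenant with the blind spot: MFA for browsers only.
MFA_FOR_BROWSERS_ONLY = [{
    "displayName": "Require MFA for browser sign-ins", "state": "enabled",
    "conditions": {"users": {"includeUsers": ["All"]},
                   "applications": {"includeApplications": ["All"]},
                   "clientAppTypes": ["browser"]},
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}]
```

Run the audit against the JSON returned by GET /identity/conditionalAccess/policies; a False result means no enforced policy stops a human user from completing a device code sign-in.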

Microsoft's Built-In Safeguards and Limitations

Microsoft provides several native protections that can mitigate device code risks, though none are fully effective on their own against Kali365:
- The device code expires after 15 minutes, and the user must act within that window. Attackers automate the process to keep generating new codes until the victim falls for the ruse.
- The verification page shows the name of the requesting application. Kali365 lures typically name the application something innocuous like "Printer Registration" or "Wi-Fi Setup" and register it in their own tenant, so the displayed name is controlled by the attacker.
- Microsoft's security defaults block the device code flow for users who haven't set up MFA, but they are often disabled in enterprise tenants that require custom policies.
- Azure AD Identity Protection's "unfamiliar sign-in properties" detection might flag a device code sign-in from a previously unseen browser or location, but since the user appears in their usual region, it rarely triggers.

Security researchers have long warned that the device code flow is a soft underbelly of OAuth. A 2024 research paper from the SANS Institute demonstrated that targeted device code phishing had a 37% success rate in simulated phishing tests, far higher than traditional credential harvesting.

The Broader Phishing-as-a-Service Economy

Kali365 is just the latest entrant in a crowded and maturing PhaaS market. Platforms like EvilProxy, Greatness, and Dadsec have already commodified adversary-in-the-middle (AiTM) attacks, using reverse proxies to steal session cookies. Device code phishing represents an evolution: it eliminates the need for proxy infrastructure entirely by leveraging the OAuth flow directly, making it cheaper to operate and harder to block via network-layer defenses.

Microsoft's Digital Crimes Unit has been tracking a marked uptick in device code abuse since late 2025. The company updated its identity threat detection rules in March 2026 to better detect suspicious device code polling rates and anomalous consent patterns, but the Kali365 platform specifically randomizes polling intervals to blend in with legitimate clients.

The commercialization of such techniques means that even unsophisticated cybercriminals can now launch attacks that previously required deep knowledge of OAuth and cloud identity. "You can rent a full Kali365 setup from a Russian-language darknet market for a few hundred dollars," the FBI alert states. "Customer support includes video tutorials and 24/7 chat assistance."

What Windows and Microsoft 365 Users Should Do Now

For individual Windows users and small businesses that rely on Microsoft 365:
- Never enter a verification code at microsoft.com/devicelogin unless you have just initiated a specific device setup yourself and the request matches your activity.
- Scrutinize any email or message that asks you to go to a URL and type a code, even if the URL looks legitimate.
- Review the permissions an application is requesting on the consent screen before clicking "Accept." Ask yourself: does this printer really need to read my email?
- If you suspect you may have fallen victim, immediately revoke application permissions in your Microsoft account security settings and change your password (which will invalidate refresh tokens). Report the incident to your IT department or Microsoft support.

For enterprise administrators:
- Audit your Entra ID tenant for active device code grants. The following Microsoft Graph query returns recent device code sign-ins: GET https://graph.microsoft.com/v1.0/auditLogs/signIns?$filter=authenticationProtocol eq 'deviceCode'
- Consider disabling the device code flow entirely via PowerShell: Set-MgPolicyAuthorizationPolicy -BlockDeviceCodeFlow $true (requires the Policy.ReadWrite.Authorization permission).
- If disallowing is impossible, implement a custom Conditional Access policy with a "device code flow" grant control that blocks all application consent scopes beyond the minimal required for your use case.
- Deploy a security information and event management (SIEM) alert for any sign-in where the "grant_type" is "device_code" and the user agent string doesn't match a known corporate IoT initiative.
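An added example, not taken from the advisory: the SIEM check above applied to sign-in records in the shape returned by the Graph auditLogs/signIns query (authenticationProtocol, userPrincipalName, appDisplayName, userAgent, ipAddress). The sample records and the allowlist of service accounts and user-agent prefixes are constructed for illustration; a real deployment would load the allowlist from the inventory of headless devices.

```python
"""Flag device code sign-ins that fall outside an allowlist of headless
service accounts and the user agents their clients present."""
import json

# Constructed sample records using field names from the Graph signIns
# resource returned by the auditLogs/signIns query. Made-up data, not real logs.
SAMPLE_SIGNINS = json.loads("""[
 {"id": "s1", "userPrincipalName": "printer-svc@example.com",
  "appDisplayName": "Print Agent", "authenticationProtocol": "deviceCode",
  "userAgent": "PrintAgent/2.1", "ipAddress": "203.0.113.10"},
 {"id": "s2", "userPrincipalName": "alice@example.com",
  "appDisplayName": "Printer Registration", "authenticationProtocol": "deviceCode",
  "userAgent": "Mozilla/5.0 (Windows NT 10.0) Chrome/124", "ipAddress": "198.51.100.7"},
 {"id": "s3", "userPrincipalName": "alice@example.com",
  "appDisplayName": "Microsoft Office", "authenticationProtocol": "oAuth2",
  "userAgent": "Mozilla/5.0 (Windows NT 10.0) Chrome/124", "ipAddress": "198.51.100.7"},
 {"id": "s4", "userPrincipalName": "printer-svc@example.com",
  "appDisplayName": "Print Agent", "authenticationProtocol": "deviceCode",
  "userAgent": "python-requests/2.31", "ipAddress": "198.51.100.9"}
]""")

# Assumed allowlist for this example: the only identities that should ever
# complete a device code sign-in, and the user-agent prefixes their clients use.
ALLOWED_DEVICE_CODE_USERS = {"printer-svc@example.com"}
ALLOWED_USER_AGENT_PREFIXES = ("PrintAgent/",)


def is_known_agent(user_agent):
    return user_agent.startswith(ALLOWED_USER_AGENT_PREFIXES)


def find_suspicious_device_code_signins(signins):
    """Return (sign-in id, reason) for each device code sign-in that is either
    made by a user outside the allowlist (a human user who followed a lure) or
    made by an allowed service account from an unexpected client."""
    findings = []
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            continue  # not a device_code grant: out of scope for this check
        upn = s.get("userPrincipalName", "").lower()
        ua = s.get("userAgent", "")
        if upn not in ALLOWED_DEVICE_CODE_USERS:
            findings.append((s["id"], f"device code sign-in by non-service user {upn} "
                                      f"to app '{s.get('appDisplayName')}'"))
        elif not is_known_agent(ua):
            findings.append((s["id"], f"service account {upn} used unexpected "
                                      f"user agent '{ua}' from {s.get('ipAddress')}"))
    return findings


if __name__ == "__main__":
    for sign_in_id, reason in find_suspicious_device_code_signins(SAMPLE_SIGNINS):
        print(f"ALERT {sign_in_id}: {reason}")
```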

Looking Ahead

The emergence of Kali365 underscores a critical shift in identity attacks: as password-based defenses improve and MFA becomes ubiquitous, adversaries are pivoting to token theft and session hijacking techniques that subvert the entire authentication chain. Microsoft, the FBI, and the broader cybersecurity community are racing to adapt, but the onus is squarely on organizations to implement phishing-resistant authentication methods like FIDO2 security keys and certificate-based authentication for high-value accounts.

Device code phishing will likely become more sophisticated. Artificial intelligence could craft hyper-personalized lures that reference real internal IT equipment or recent tickets. QR code-based attacks—already popularized by QRLJacking—may integrate with Kali365 to target hybrid workers who frequently interact with multi-function printers. And as more cloud services adopt OAuth 2.0, the attack surface will expand.

The FBI warns that Kali365 operators are also exploring cross-platform attacks against Google Workspace and other identity providers that support device code authentication. The advisory urges system administrators not to wait for a formal update from Microsoft but to proactively harden their environments now.

The message is clear: in a world where a short alphanumeric code typed into a legitimate website can be enough to hand over the keys to your kingdom, trusting any unsolicited code request is a risk no organization can afford.