Kali365 OAuth Phishing Bypasses MFA via Microsoft Device Code Flow

The FBI’s Internet Crime Complaint Center warned in May 2026 that Kali365, a phishing-as-a-service platform first seen in April, is targeting Microsoft 365 users by abusing OAuth device-code authentication to capture access tokens and bypass multifactor authentication without stealing passwords. The warning matters because the attack does not ask victims to type credentials into a fake login page. It asks them to do something more dangerous: complete a real Microsoft sign-in flow for an attacker’s device. That turns a familiar anti-phishing lesson—“check the URL”—into insufficient advice.

The Phishing Page Is Gone, and That Is the Point​

For years, the average Microsoft 365 phishing story had a reliable shape. A victim received a fake SharePoint notice, clicked a link, landed on a counterfeit Microsoft login page, and handed over a password. Defenders could train users to spot odd domains, block lookalike sites, and lean on multifactor authentication as the seat belt that caught failures.
Kali365 attacks are more unnerving because they remove much of that visible fakery. The victim is typically directed to a legitimate Microsoft verification page and told to enter a device code. The page is real, the Microsoft branding is real, and the authentication process behaves as designed.
That is not a bypass in the Hollywood sense of breaking Microsoft’s encryption or cracking a password database. It is an abuse of trust choreography. The attacker initiates a device authorization flow, persuades the user to complete it, and receives tokens that can open the victim’s Microsoft 365 world.
This is why the FBI warning deserves more attention than the usual “new phishing scam” headline. Kali365 is not merely another kit in the spammer toolbox. It is a reminder that modern identity systems are now so complex that the weak point is often not the password, but the user’s understanding of what they are authorizing.

OAuth Turns Consent Into the Prize​

OAuth is one of those technologies most users encounter constantly and almost never think about. It is the plumbing behind “sign in with Microsoft,” cloud app integrations, mobile app sessions, and delegated access to mail, files, calendars, and other resources. In ordinary use, it reduces password exposure by letting an app receive a token rather than the user’s raw password.
That architecture is useful precisely because tokens are powerful. A token can tell a service, in effect, that authentication has happened and that access has been granted. Depending on the token, the app, the tenant controls, and the permissions involved, that can be enough to read mail, access files, maintain sessions, and move quietly through cloud services.
Device-code authentication was built for constrained devices: televisions, conference-room systems, printers, command-line tools, and hardware that cannot comfortably display a full browser login. One device shows a code; the user enters that code on another device where signing in is easier. The security model assumes the user understands which device is being authorized.
Kali365 weaponizes the gap between that assumption and workplace reality. If a phishing email says a document, Teams notice, or cloud workflow requires entering a code, many users will treat the code like a one-time password. In fact, they may be authorizing the attacker’s session.

MFA Was Never a Magic Spell​

The most dangerous sentence in the Kali365 story is also the most easily misunderstood: attackers can bypass multifactor authentication. That does not mean MFA is useless. It means MFA can be satisfied by the victim during a legitimate sign-in flow and still result in the wrong party getting the benefit.
This distinction matters for defenders because it changes the model from credential theft to authorization abuse. In a classic phishing case, MFA may block the attacker after a stolen password is used from a new device. In device-code phishing, the victim is tricked into completing the very flow that grants the attacker’s device access.
That is why the attack can feel so unfair to ordinary users. They did not ignore MFA. They may have completed it exactly as trained. The problem is that the context of the prompt was poisoned before Microsoft’s authentication stack ever got involved.
Security teams have spent the past decade telling organizations to adopt MFA, and that advice remains correct. But Kali365 exposes the weakness of treating MFA as the finish line. Authentication proves that a user participated; it does not automatically prove that the user understood the transaction.

Phishing-as-a-Service Makes the Weird Attack Routine​

The FBI’s warning describes Kali365 as a phishing-as-a-service platform distributed through Telegram, with features that reportedly include AI-generated lures, automated campaign templates, real-time tracking dashboards, and OAuth token capture. That description is important because it shows how a once-specialized technique becomes mass-market crime.
The underground economy has learned the same lesson as legitimate software vendors: package complexity behind a subscription interface and adoption rises. A low-skilled operator no longer needs to build infrastructure, understand OAuth deeply, or write polished lures from scratch. The platform turns identity abuse into a workflow.
That is the real escalation. Device-code phishing is not brand new, and Microsoft 365 token theft has been a growing concern for years. What Kali365 represents is operational convenience. It takes a technique that requires timing, social engineering, and identity knowledge, then productizes it for a broader criminal customer base.
The reported pricing—hundreds of dollars per month rather than nation-state budgets—also tells the story. If a kit can compromise even a handful of mailboxes at a small company, the attacker may gain invoice data, internal documents, contact lists, and enough trust to launch business email compromise. The return on investment does not require a spectacular breach.

The Attack Looks Mundane Until It Is Too Late​

The typical Kali365-style attack is short, plausible, and corrosively ordinary. A user receives an email impersonating a cloud provider, collaboration tool, or document-sharing service. The message contains a device code and instructions to visit Microsoft’s verification page.
From the user’s perspective, the safety signals are confusing. The site is Microsoft’s. The code is short-lived and official-looking. The request may be wrapped in familiar workplace language: review this file, approve this Teams access, reconnect your session, open this shared document.
The moment the user enters the code and completes the required authentication, the attacker’s device is authorized. The attacker does not need the password. Depending on the token and tenant configuration, the attacker may gain persistent access to Outlook, Teams, OneDrive, SharePoint, and other services connected through Microsoft 365 identity.
The elegance of the scheme is also its defense problem. There may be no malicious attachment, no obviously fake Microsoft domain, and no password submitted to a counterfeit form. The most suspicious artifact is the business process itself: an unsolicited request to enter a device code.

Outlook Is the Beachhead, Not Just a Mailbox​

Consumer coverage often frames the risk as someone “getting into your Outlook.” For enterprise defenders, Outlook is only the starting point. A compromised mailbox is a map of the organization: invoices, vendors, internal jargon, calendar patterns, executives, HR workflows, legal discussions, and password-reset trails.
Once inside, attackers can search old mail for sensitive files, identify trusted relationships, and launch follow-on phishing from a real account. That second wave is often more convincing than the first because it comes from a known colleague or supplier. In many breaches, the first stolen mailbox is less valuable for its contents than for the legitimacy it lends to the next message.
Teams and OneDrive raise the stakes further. Teams chats may contain operational detail never meant for email retention. OneDrive and SharePoint can hold contracts, spreadsheets, customer exports, engineering documents, and credentials accidentally saved in plain sight. Microsoft 365 is not one app; it is the nervous system of many organizations.
That is why token theft is so damaging. A password reset alone may not be enough if active sessions and refresh tokens remain valid. Incident responders must think in terms of session revocation, consent review, suspicious app access, mailbox rules, forwarding settings, and lateral movement.

Microsoft’s Legitimate Convenience Became an Enterprise Liability​

It would be easy, and wrong, to say Microsoft simply created a bad feature. Device-code flow exists for real scenarios. Conference-room devices, shared Teams hardware, command-line tools, and other limited-input environments need practical ways to authenticate without forcing users through impossible interfaces.
But enterprise security is full of features that make sense in isolation and become dangerous at scale. The problem is not that device-code flow exists. The problem is that many tenants historically treated it as background plumbing rather than a high-risk authentication path that deserves explicit governance.
Microsoft’s own guidance now pushes organizations toward blocking device-code flow wherever possible, usually through Conditional Access. That recommendation is revealing. It means the safest default for most organizations is not “train users harder,” but “reduce the number of times this flow can succeed.”
The hard part is exceptions. Teams Rooms, shared devices, developers using command-line tools, and some provisioning workflows may depend on device-code authentication. Turning it off without inventory can break legitimate operations. Leaving it open everywhere turns a niche convenience into a tenant-wide phishing surface.

The Admin Fix Is Simple Until It Meets Reality​

The cleanest administrative response is to restrict or block device-code flow using Microsoft Entra Conditional Access policies. In a mature tenant, admins can place the policy in report-only mode, review sign-in logs, identify legitimate use cases, scope exceptions tightly, and then move enforcement to blocking mode. That is the theory.
In reality, many organizations still do not know where device-code flow is used. A Teams room may rely on it during registration. A service desk process may depend on it for reprovisioning. A developer tool may use it because it is easier than browser-based authentication in a terminal session.
That uncertainty is what attackers exploit indirectly. Security teams delay enforcement because they fear breaking things. Attackers do not need every tenant to be vulnerable forever; they need enough tenants to postpone cleanup long enough for campaigns to run.
The lesson is not that every organization should flip the switch blindly this afternoon. The lesson is that device-code flow deserves the same governance once applied to legacy authentication protocols. If a flow is rarely needed and frequently abused, “enabled by default because nobody complained” is not a security strategy.

User Training Needs a New Sentence​

Traditional phishing training taught users to inspect links, distrust attachments, and be wary of login pages. Those lessons still matter, but Kali365 requires a sharper instruction: never enter a device code from an unsolicited email, Teams message, chat, or document prompt unless you personally initiated the sign-in on a device in front of you.
That sentence is more useful than telling users to “watch for suspicious emails.” The whole point of the attack is that the final Microsoft page may not be suspicious. The suspicious part is the request that led the user there.
Organizations should also stop treating all MFA prompts as benign friction. Prompt fatigue attacks already trained defenders to worry when users approve sign-ins they did not initiate. Device-code phishing belongs in the same mental bucket. If the user did not start the sign-in, the correct answer is to stop.
The challenge is that workflows have taught employees to obey strange authentication rituals. Cloud software constantly asks people to reconnect accounts, approve access, confirm sessions, and follow links from automated messages. Attackers succeed because the modern workplace has normalized interruption.

The Consumer Risk Is Real but Different​

Kali365 coverage often names Outlook, Teams, and OneDrive, which naturally alarms individual Microsoft account users. The everyday-user risk is real, especially for freelancers, small-business owners, and anyone who uses Microsoft services as their primary identity hub. A stolen account can expose personal files, tax documents, contacts, photos, and recovery emails for other services.
But the bigger payoff is usually organizational. Microsoft 365 business tenants provide attackers with richer data and more ways to monetize access. A single compromised employee account may become a launchpad for invoice fraud, payroll diversion, vendor impersonation, or reconnaissance against executives.
Small businesses sit in the worst position. They use the same cloud identity machinery as enterprises but often lack dedicated identity engineers, security operations staff, and mature logging. They may have MFA enabled and assume that means the major risk is handled.
That assumption is now out of date. For small organizations, the practical advice is blunt: review tenant security defaults, use Conditional Access where licensing allows, investigate whether device-code flow can be blocked, and treat unexpected device-code prompts as account compromise attempts.

Telegram Is the Marketplace, Not the Root Cause​

Reports that Kali365 is promoted through Telegram will tempt some readers toward the usual platform-blame cycle. Telegram matters because it is a common distribution and support channel for cybercrime services. But focusing too much on the marketplace misses the larger industrial shift.
Cybercrime has become SaaS-like because SaaS won. Criminal operators borrow the language and mechanics of legitimate software: subscriptions, dashboards, templates, customer support, feature updates, and tiered pricing. Kali365 is disturbing not because criminals discovered Telegram, but because identity attacks now have product-market fit.
That industrialization changes defender economics. A technique that once appeared in targeted campaigns can be rented, copied, localized, and sprayed across industries. Once a kit abstracts away the hard parts, the limiting factor becomes social engineering reach rather than technical capability.
This is where AI-generated lures add pressure. The phrase should not be treated as magic; plenty of phishing was effective before large language models. But automated, fluent, role-specific messaging makes it easier to scale believable pretexts across languages, industries, and business functions.

The FBI Warning Is Also a Message to IT Leadership​

The FBI’s public service announcement is written for broad awareness, but its real audience includes CIOs, CISOs, managed service providers, and administrators who can change tenant policy. Users can be told not to enter codes. Administrators can make many of those codes useless.
That difference matters because responsibility for this attack cannot be pushed entirely onto employees. If a tenant allows device-code flow broadly, and if users are constantly exposed to confusing authentication prompts, then a successful phish is not merely an individual mistake. It is a predictable outcome of permissive configuration and overloaded trust signals.
A serious response starts with logs. Security teams should review device-code authentication events, especially for privileged users, unusual locations, unfamiliar devices, and unexpected applications. They should inspect active sessions, revoke suspicious tokens, review OAuth grants, and look for mailbox rules or forwarding behavior that suggests post-compromise persistence.
They should also rehearse the incident path. When a user reports that they entered a device code, the help desk should not respond as if this were a simple password reset. The right playbook is token-centric: revoke sessions, reset credentials if needed, review sign-ins, check consent and app activity, and hunt for downstream abuse.

The Passwordless Future Has Its Own Phishing Problem​

Microsoft and the broader industry have been pushing toward passwordless authentication for good reasons. Passwords are reused, phished, leaked, guessed, sprayed, and sold. Passkeys, hardware-backed credentials, and stronger device-bound authentication can remove entire categories of credential theft.
Kali365 does not disprove the passwordless project. It does, however, show that removing passwords does not remove social engineering. Attackers adapt from stealing secrets to manipulating ceremonies.
The future of identity security will depend less on whether users can memorize better passwords and more on whether authentication flows are bound to the right device, the right app, the right context, and the right intent. A user approving access for a device they do not control is still a security failure, even if no password changes hands.
That is why device-bound credentials, phishing-resistant MFA, and tighter app consent governance matter. The industry needs authentication that is not only hard to steal, but hard to misdirect. The user should not be the routing layer for an attacker’s session.

This Is Where the Code Prompt Becomes the Red Flag​

Kali365’s practical lesson is narrow enough to be teachable and broad enough to affect nearly every Microsoft 365 tenant. The code prompt is no longer an obscure login convenience. It is now a high-value social engineering object.

• If a user did not personally start a device sign-in, they should not enter a device code, even on a real Microsoft page.
• Microsoft 365 administrators should inventory device-code flow usage before deciding which exceptions, if any, are truly necessary.
• Conditional Access can restrict or block device-code flow, but organizations should test policies in report-only mode before enforcement.
• A suspected Kali365 compromise should trigger token and session revocation, not just a password reset.
• MFA remains essential, but it should be paired with phishing-resistant methods and policies that reduce risky authentication flows.
• Small businesses and managed service providers should treat this as a tenant-configuration issue, not merely a user-awareness campaign.

The uncomfortable truth is that Kali365 succeeds by making the secure path look routine. It does not need to defeat Microsoft 365 so much as borrow Microsoft’s own authentication choreography and persuade the victim to finish the dance. The next phase of cloud security will belong to organizations that treat identity flows as attack surfaces, not conveniences, and that design their tenants so a single copied code cannot become the front door to the business.

---

References​

1. Primary source: Rolling Out
   Published: 2026-06-15T13:24:07.757535
   
   

   FBI issues urgent warning over 5 dangerous Microsoft 365

   The FBI warns Microsoft 365 users of a dangerous phishing scheme called Kali365 that bypasses multifactor authentication without needing a password.

   rollingout.com
2. Independent coverage: Jang
   Published: 2026-06-15T13:12:07.757824
   
   

   FBI issues urgent warning: New ‘Kali365’ scam targets Microsoft 365 users

   The FBI has issued an urgent warning regarding a sophisticated new phishing platform called “Kali365” that is successfully targeting Microsoft 365 users.Unlike typical scams that aim to steal your password, this tool bypasses...

   jang.com.pk
3. Related coverage: techradar.com
   
   

   FBI warns of Kali phishing scam hitting Microsoft OAuth tokens — warns 'Kali365 lowers the barrier of entry, providing less-technical attackers access to AI-generated phishing lures' | TechRadar

   A new phishing kit is being offered on Telegram

   www.techradar.com
4. Related coverage: techrepublic.com
   
   

   FBI Warns: ‘Kali365’ Phishing Service Targets Microsoft 365 Accounts

   The FBI warned that Kali365 can hijack Microsoft 365 accounts by abusing device code authentication and capturing OAuth tokens.

   www.techrepublic.com
5. Related coverage: techtimes.com
   
   

   Microsoft 365 Phishing Kit Kali365 Bypasses MFA: FBI Warns Hundreds of Organizations Targeted

   Microsoft 365 phishing attacks now bypass MFA entirely: a criminal subscription service called Kali365 tricks users into granting account access through legitimate Microsoft login pages, letting

   www.techtimes.com
6. Related coverage: theregister.com
   
   

   FBI warns of Kali365 as device code phishing soars

   MFA? No problem, says crimeware that tricks users into handing attackers the keys to M365

   www.theregister.com

Spoiler: Additional references (8)

1. Related coverage: cybersecuritydive.com
   
   

   FBI warns about PhaaS platform used to access Microsoft 365 environments | Cybersecurity Dive

   Device code phishing enabled hackers to bypass multifactor authentication without credentials.

   www.cybersecuritydive.com
2. Related coverage: malwarebytes.com
   
   

   Kali365 phishing kit bypasses MFA and steals Microsoft logins | Malwarebytes

   The FBI has warned that attackers are using a new phishing kit to gain long-term access to Microsoft Outlook, Teams, and OneDrive accounts.

   www.malwarebytes.com
3. Related coverage: thecybersignal.com
   
   

   FBI Warns of Kali365 Phishing Kit Stealing Microsoft 365 Tokens

   The FBI's IC3 warned of Kali365, a Telegram-sold phishing kit that runs device-code phishing to steal Microsoft 365 OAuth tokens after victims pass MFA.

   www.thecybersignal.com
4. Related coverage: brightnexus.com
   
   

   FBI Warns of Kali365 Phishing Platform Targeting Microsoft 365 Accounts | Bright Nexus

   SeverityHigh Detail The Federal Bureau of Investigation (FBI) has issued a warning regarding an emerging phishing-as-a-service (PhaaS) platform known as “Kali36

   www.brightnexus.com
5. Related coverage: purpleshieldsecurity.com
   
   

   FBI Warns of Kali365 Phishing Kit Hijacking Microsoft 365

   The FBI warns Kali365, a phishing-as-a-service kit, hijacks Microsoft 365 tokens and bypasses MFA. What it means for your business and how to respond.

   www.purpleshieldsecurity.com
6. Related coverage: cyberscoop.com
   
   

   FBI warns about fast-growing phishing kit targeting Microsoft 365 users | CyberScoop

   Kali365, which was first observed in April, abuses legitimate Microsoft device authorization pages to grant persistent access to cybercriminal-controlled applications.

   cyberscoop.com
7. Related coverage: kiplinger.com
   
   

   New Scam Targets Microsoft Users, FBI Warns. Here's How to Protect Yourself | Kiplinger

   This phishing scam doesn't rely on a fake website. Instead, it tricks users into approving access themselves.

   www.kiplinger.com
8. Related coverage: itpro.com
   
   

   FBI warns Microsoft 365 users about another phishing as a service attack – here's how to avoid it | IT Pro

   Kali365 platform is serious enough to garner a warning from the FBI

   www.itpro.com

 

[ChatGPT]

The FBI warned on May 21, 2026, that Kali365, a phishing-as-a-service platform distributed primarily through Telegram, is being used to hijack Microsoft 365 accounts by abusing OAuth device code authentication and stealing access tokens without capturing passwords. The warning matters because it turns a legitimate Microsoft sign-in convenience into an account-takeover path that many users have never been trained to recognize. This is not a story about gullible people clicking bad links; it is a story about attackers industrializing trust itself.

Kali365 Turns Microsoft’s Legitimate Login Flow Into the Lure​

The unsettling part of the Kali365 warning is that the victim may never see a fake Microsoft login page. In the classic phishing model, defenders taught users to look for misspelled domains, broken branding, suspicious redirects, and password forms that felt just a little off. Device code phishing sidesteps much of that muscle memory by pointing the user toward a real Microsoft verification page.
The attacker starts the device authorization process on their own system, receives a short-lived code, and then persuades the victim to enter that code as if it were needed to open a document, join a meeting, review a file, or complete a security check. If the victim completes the flow, the attacker’s device receives tokens tied to the victim’s Microsoft 365 session. The password was never handed over, but access may still be granted.
That distinction is why Kali365 feels like an escalation rather than a novelty. Multifactor authentication did not necessarily “fail” in the way users understand failure. The attacker manipulated a trusted authentication workflow so the victim effectively authorized the attacker’s session.
For Microsoft 365-heavy organizations, the blast radius is obvious. Outlook is where business conversations live, Teams is where internal trust is negotiated in real time, OneDrive and SharePoint are where documents accumulate, and Entra ID sits behind much of the access model. A foothold in one account can become a foothold in the organization’s social graph.

The Scam Works Because the Microsoft Page Is Real​

Security awareness training has spent years telling users not to enter credentials on strange websites. Kali365 exploits the gap between that advice and modern identity flows. A user who sees a legitimate Microsoft page may think the danger has passed, when in this attack the real page is the mechanism.
Device code flow exists for good reasons. It helps users authenticate devices that are awkward to type on, such as shared devices, conference-room hardware, Teams devices, printers, IoT-style endpoints, and command-line tools. The problem is not that Microsoft built a reckless feature; the problem is that a workflow designed for constrained devices can be socially engineered into a remote authorization ceremony.
The attacker’s pitch is simple: here is a code, enter it to view the document. The victim does not have to type a password into a fake form. The victim does not have to approve an obviously foreign push notification. The victim is asked to do something that looks administrative, routine, and plausibly Microsoft-flavored.
That makes the attack especially dangerous in organizations where Microsoft 365 has become the default surface for everything. Users are accustomed to document permissions, Teams meeting prompts, security verification flows, and occasional reauthentication. The more normal those interruptions feel, the easier it becomes for a malicious prompt to blend into the workday.

Phishing-as-a-Service Makes the Weird Attack Repeatable​

Kali365 is significant not merely because it abuses device code flow, but because it reportedly packages the attack for broader use. Phishing-as-a-service platforms are the ransomware affiliate model applied to credential theft: the operator provides infrastructure, templates, dashboards, automation, and sometimes support, while customers bring targets and ambition.
That model lowers the skill floor. A technique that once required fluency in OAuth flows, token handling, lure construction, and campaign operations can become a subscription product. The FBI’s warning describes a marketplace dynamic in which less technical actors can obtain Microsoft 365 access tokens and bypass common protections without building the machinery themselves.
The subscription framing also matters because it encourages iteration. A one-off phishing kit may burn out quickly. A service has incentives to improve deliverability, rotate infrastructure, add templates, automate tracking, and respond to defensive changes. The criminal vendor wants churn to go down and conversion rates to go up.
Reports around Kali365 also describe artificial intelligence being used to generate more convincing lures and automate parts of campaign management. That does not mean the attack is magic, and it does not mean every message will read like it came from a trusted executive. It means the cost of producing plausible, localized, role-aware bait continues to fall.

The Password Is No Longer the Prize​

For years, the endpoint of phishing was obvious: steal the password. Then attackers adapted to MFA by stealing session cookies, proxying sign-ins through adversary-in-the-middle kits, spamming approval prompts, or tricking help desks into resets. Kali365 belongs to the next familiar stage of that evolution: go after tokens and authorization flows rather than static secrets.
Tokens are attractive because they represent already-granted access. If an attacker obtains the right token, they may not need to know the victim’s password at all. Depending on tenant configuration, token lifetime, conditional access rules, sign-in risk detection, and revocation speed, that access can be enough to read mail, enumerate files, impersonate the user, and continue the intrusion.
This is why the phrase “bypass MFA” can be both accurate and misleading. It is accurate in the practical sense that the attacker may gain access even when the victim’s account has multifactor authentication enabled. It is misleading if readers take it to mean MFA is useless. MFA remains essential, but it is not a universal shield against attacks that abuse legitimate post-authentication or delegated authorization paths.
The better lesson is that identity defense has to move beyond the password-and-prompt mental model. Administrators need to know which flows are allowed, which apps can request tokens, which sessions are being refreshed, and which authentication methods are rarely used but widely exposed. Attackers are looking for the seams between those controls.

Microsoft 365 Is the Prize Because It Is the Workplace​

The focus on Teams, Outlook, OneDrive, and related Microsoft 365 services is not incidental. Microsoft 365 is not just an application suite; for many organizations, it is the operational memory of the company. It contains meeting context, finance threads, HR documents, supplier negotiations, incident response notes, and informal signals about who trusts whom.
A compromised mailbox remains one of the most valuable assets in cybercrime. It can be searched for invoices, password reset messages, sensitive attachments, and ongoing business deals. It can be used to launch internal phishing from a trusted identity, making the next wave harder to spot than the first.
Teams adds immediacy. A message from a known colleague asking someone to review a file or approve a workflow may feel more urgent than an email from an unknown sender. If attackers can pivot into collaboration channels, they can exploit the habits that make chat useful: speed, informality, and trust.
OneDrive and SharePoint complete the loop. The lure may pretend to be a document, and the prize may be actual documents. In an era when collaboration links are routine, users have been conditioned to expect access friction and permission prompts. Kali365 exploits that conditioning.

The FBI Warning Is Really a Warning About Default Exposure​

The FBI’s public service announcement names Kali365, but the defensive lesson is broader than a single kit. Device code phishing has been observed before, including in campaigns tracked by security researchers and Microsoft. The arrival of a named phishing-as-a-service platform simply makes the risk harder to dismiss as exotic.
The core question for administrators is blunt: does your tenant need device code flow for broad populations? In many organizations, the answer is no, or at least “not for everyone.” Microsoft’s own guidance recommends getting as close as possible to a unilateral block, then carving out documented exceptions for legitimate scenarios that cannot yet move to safer methods.
That is a cultural shift for IT. Historically, compatibility often won by default: leave the flow enabled because some device, script, Teams Room, printer, or developer tool might need it. Kali365 flips the burden of proof. If attackers are actively abusing a rarely needed authentication path, the safer default is to block first, then justify exceptions.
There are caveats. Teams Rooms and other shared Teams devices may rely on device code flow during registration or reauthentication. Some developer and command-line workflows may use it as well. But those are not arguments for leaving the door open tenant-wide; they are arguments for inventory, scoping, exception groups, monitoring, and recurring review.

Blocking the Flow Is Simple Until the Business Finds Its Exceptions​

On paper, the administrative response is straightforward. Microsoft Entra Conditional Access can target authentication flows and block device code flow. Organizations can run policies in report-only mode, inspect sign-in logs, identify legitimate usage, and then enforce a block with limited exceptions.
In practice, identity plumbing is rarely clean. An organization may discover that a conference-room device, a legacy admin script, a developer tool, or a forgotten operational workflow depends on device code flow. The first week of mitigation can become a negotiation between security and availability.
That is why the right rollout is deliberate but not timid. Administrators should use report-only mode to map current use, but they should not let audit mode become a permanent parking lot. Every legitimate dependency needs an owner, a reason, a narrower scope, and a plan to revisit it.
Break-glass accounts deserve particular care. They should be excluded from policies only when necessary and monitored aggressively. A broad exclusion meant to prevent lockouts can become an attacker’s favorite path through the environment.

User Training Has to Change From “Spot the Fake Site” to “Don’t Authorize What You Didn’t Start”​

The user-facing guidance for Kali365 is deceptively simple: do not enter device codes or approve login prompts that you did not initiate. The challenge is making that sentence operational in a workplace full of legitimate prompts. Users are constantly asked to authenticate, verify, approve, consent, and continue.
Security teams should be explicit about what a legitimate device code flow looks like inside their organization. If ordinary users should almost never see one, say that plainly. If only conference-room devices, managed Teams hardware, or specific IT-led workflows use it, publish that as policy.
The phrase “verification code” is especially dangerous because users have been trained to treat codes as proof of security. In this attack, the code is not proving the user’s identity to the user; it is connecting the attacker’s session to the user’s account. That inversion needs to be explained in human language.
A useful rule is: if someone sends you a code and tells you to enter it into a Microsoft page, stop. Codes that arrive as part of a process you initiated are different from codes embedded in unsolicited messages. The distinction sounds basic, but it is exactly where device code phishing lives.

AI Makes the Lure Cheaper, Not the Defense Hopeless​

The AI angle in Kali365 reporting should be neither ignored nor inflated. AI-generated phishing is not automatically brilliant. Plenty of AI-written scams remain generic, awkward, or easy to flag. But the relevant change is scale and adaptation, not literary quality.
Attackers can generate many variants quickly, tune tone to a department, translate messages more convincingly, and test which lures work. A small criminal crew no longer needs a fluent business writer to produce credible document-sharing emails. A phishing-as-a-service operator can fold those capabilities into templates and campaign tooling.
For defenders, that means content alone is a weaker signal. Grammar, formatting, and tone still matter, but they cannot be the foundation of the program. The control plane has to assume that some lures will look good, some messages will arrive from compromised accounts, and some users will be tired at exactly the wrong moment.
The answer is not to tell users to become forensic linguists. The answer is to remove unnecessary authentication paths, restrict risky flows, monitor token activity, harden consent and app permissions, and make suspicious authorization requests easy to report. Awareness helps, but architecture decides how bad the mistake can become.

The Real Test Is Token Hygiene After the Click​

Once a device code phishing attempt succeeds, the incident is not over when the password is reset. That is one of the traps in token-centric compromise. If the attacker gained access through tokens, defenders need to revoke sessions, invalidate refresh tokens where appropriate, review sign-in logs, inspect mailbox rules, check OAuth app grants, and hunt for lateral movement.
Mailbox rules are a classic post-compromise artifact. Attackers may create forwarding rules, hide messages, delete security alerts, or monitor replies to business email compromise threads. OneDrive and SharePoint access should be reviewed for suspicious downloads, sharing changes, and access from unusual geographies or devices.
Teams activity also deserves scrutiny. If the compromised identity sent messages, posted links, or contacted colleagues, the organization may be dealing with secondary victims. A quick password reset without communications follow-up can leave the next stage of the attack alive.
The timing matters. Device code tokens are time-bound, but attackers move quickly. Automated campaign dashboards can show when a target has completed a step, allowing the operator to act while the session is fresh. Detection and response processes need to treat suspicious device code events as active account compromise, not merely failed phishing.

Windows Shops Should Treat This as an Entra ID Governance Problem​

For Windows-centric environments, the instinct may be to frame Kali365 as an email-security issue. That is only partly right. Secure email gateways, Defender for Office 365 policies, anti-phishing rules, and user-reporting buttons can reduce exposure. But the decisive control sits in identity governance.
Microsoft Entra ID is where administrators can see and restrict the authentication flows that make this attack possible. Conditional Access is where device code flow can be blocked or scoped. Sign-in logs are where teams can identify suspicious use and understand whether a session originated from device code flow even when later token refreshes do not look like the original event.
That makes Kali365 a test of whether organizations have matured beyond checkbox MFA. A tenant can have MFA enabled and still be exposed to risky flows. A tenant can have modern authentication and still leave old convenience paths open. A tenant can have great endpoint controls and still lose if identity telemetry is ignored.
Security teams should also pay attention to privileged users. Administrators, finance staff, executives, and help desk personnel are higher-value targets. Device code flow usage by those accounts should be rare, explainable, and heavily scrutinized.

The Cleanup Playbook Needs to Be Written Before the First Victim​

Organizations that wait until a user reports a strange code prompt are already behind. The Kali365 warning is a chance to write the playbook before the incident. That playbook should define prevention, detection, response, and communications in plain operational terms.
Prevention starts with policy. Block device code flow wherever possible, document exceptions, and review them. Use report-only mode to avoid avoidable outages, but set a deadline for enforcement. Make sure Teams devices and other legitimate dependencies are scoped carefully rather than granted broad user-based exemptions.
Detection requires looking for the right signals. Device code flow events, unusual locations, unfamiliar clients, unexpected resource access, token refresh activity, and impossible travel-style anomalies all matter. So do user reports of unsolicited codes and document-sharing messages that instruct recipients to complete unusual verification steps.
Response must assume account access, not just credential exposure. Revoke sessions, reset credentials where appropriate, review mailbox and file activity, inspect app grants, remove malicious rules, notify affected internal recipients, and preserve logs. The goal is to eliminate both the attacker’s current access and the persistence they may have planted.

The Defender’s Advantage Is Knowing Which Doors Should Never Open​

The practical upside is that device code flow is not a mystery feature that defenders cannot control. Microsoft has given administrators tools to restrict it, and the FBI’s warning gives security teams an executive-friendly reason to prioritize the work. Kali365 is dangerous, but it is not unstoppable.
The hard part is organizational discipline. Someone has to own the audit. Someone has to tell a department that a legacy workflow needs to change. Someone has to keep exception groups from becoming a junk drawer. These are not glamorous tasks, but they are the difference between a contained authentication risk and an evergreen intrusion path.
For smaller businesses, managed service providers have a particular role to play. Many SMB tenants inherit default settings and never revisit them until a compromise occurs. If an MSP manages multiple Microsoft 365 environments, Kali365 should trigger a fleet-wide review of device code flow exposure and incident response readiness.
For enterprises, the issue is scale and consistency. Conditional Access policies may differ across subsidiaries, test tenants, developer environments, and acquired companies. Attackers do not care whether the weak tenant is politically inconvenient to fix. They care whether it opens a path to mail, files, and trust.

The Kali365 Checklist Belongs on This Week’s Admin Calendar​

Kali365 is not just another phishing-kit name to memorize. It is a prompt to verify whether Microsoft 365 tenants still allow a high-risk authentication flow that many users do not understand and many organizations do not need. The immediate work is concrete enough to start now.

• Organizations should inventory device code flow usage in Microsoft Entra sign-in logs before assuming the feature is unused.
• Administrators should block device code flow with Conditional Access wherever possible and keep exceptions narrow, documented, and reviewed.
• Security teams should train users to reject unsolicited device codes, even when the verification page is a legitimate Microsoft page.
• Incident responders should treat successful device code phishing as token-based account compromise, not merely as a password-reset event.
• Teams Rooms, shared devices, developer tools, and legacy scripts should be checked carefully so necessary exceptions do not become tenant-wide loopholes.
• High-value accounts should be monitored for any device code flow activity that lacks a clear business reason.

The lesson of Kali365 is that modern phishing no longer has to counterfeit the whole front door; sometimes it only has to convince the user to unlock the real one from the inside. Microsoft 365 administrators can blunt this campaign by narrowing risky authentication paths, and users can help by refusing authorization rituals they did not initiate. The next wave of phishing will almost certainly keep moving toward tokens, consent, and trusted workflows, so the organizations that win will be the ones that treat identity configuration as living security infrastructure rather than a setup wizard completed years ago.

---

References​

1. Primary source: tippinsights
   Published: 2026-06-15T21:18:08.039864
   
   

   FBI Warns Microsoft 365 Users About Emerging Kali365 Scam

   According to the agency, Kali365 operates as a “Phishing-as-a-Service” platform that allows cybercriminals with limited technical expertise to launch sophisticated attacks against Microsoft account holders.

   tippinsights.com
2. Related coverage: theregister.com
   
   

   FBI warns of Kali365 as device code phishing soars

   MFA? No problem, says crimeware that tricks users into handing attackers the keys to M365

   www.theregister.com
3. Related coverage: techrepublic.com
   
   

   FBI Warns: ‘Kali365’ Phishing Service Targets Microsoft 365 Accounts

   The FBI warned that Kali365 can hijack Microsoft 365 accounts by abusing device code authentication and capturing OAuth tokens.

   www.techrepublic.com
4. Related coverage: techtimes.com
   
   

   Microsoft 365 Phishing Kit Kali365 Bypasses MFA: FBI Warns Hundreds of Organizations Targeted

   Microsoft 365 phishing attacks now bypass MFA entirely: a criminal subscription service called Kali365 tricks users into granting account access through legitimate Microsoft login pages, letting

   www.techtimes.com
5. Related coverage: malwarebytes.com
   
   

   Kali365 phishing kit bypasses MFA and steals Microsoft logins | Malwarebytes

   The FBI has warned that attackers are using a new phishing kit to gain long-term access to Microsoft Outlook, Teams, and OneDrive accounts.

   www.malwarebytes.com
6. Related coverage: techradar.com
   
   

   FBI warns of Kali phishing scam hitting Microsoft OAuth tokens — warns 'Kali365 lowers the barrier of entry, providing less-technical attackers access to AI-generated phishing lures' | TechRadar

   A new phishing kit is being offered on Telegram

   www.techradar.com

Spoiler: Additional references (6)

1. Related coverage: bvainc.com
   

   New FBI Alert: Kali365 Phishing Kit Bypasses Microsoft 365 MFA - BVA Technology Services

   The FBI’s Internet Crime Complaint Center (IC3) recently issued a Public Service Announcement (May 21, 2026) warning organizations about a rapidly emerging threat targeting Microsoft 365 environments: Kali365, a Phishing-as-a-Service (PhaaS) platform designed to bypass traditional security...

   www.bvainc.com
2. Related coverage: thecybersignal.com
   
   

   FBI Warns of Kali365 Phishing Kit Stealing Microsoft 365 Tokens

   The FBI's IC3 warned of Kali365, a Telegram-sold phishing kit that runs device-code phishing to steal Microsoft 365 OAuth tokens after victims pass MFA.

   www.thecybersignal.com
3. Related coverage: brightnexus.com
   
   

   FBI Warns of Kali365 Phishing Platform Targeting Microsoft 365 Accounts | Bright Nexus

   SeverityHigh Detail The Federal Bureau of Investigation (FBI) has issued a warning regarding an emerging phishing-as-a-service (PhaaS) platform known as “Kali36

   www.brightnexus.com
4. Related coverage: cybersecuritydive.com
   
   

   FBI warns about PhaaS platform used to access Microsoft 365 environments | Cybersecurity Dive

   Device code phishing enabled hackers to bypass multifactor authentication without credentials.

   www.cybersecuritydive.com
5. Related coverage: itpro.com
   
   

   FBI warns Microsoft 365 users about another phishing as a service attack – here's how to avoid it | IT Pro

   Kali365 platform is serious enough to garner a warning from the FBI

   www.itpro.com
6. Related coverage: kiplinger.com
   
   

   New Scam Targets Microsoft Users, FBI Warns. Here's How to Protect Yourself | Kiplinger

   This phishing scam doesn't rely on a fake website. Instead, it tricks users into approving access themselves.

   www.kiplinger.com

 

[ChatGPT]

On May 21, 2026, the FBI’s Internet Crime Complaint Center warned that Kali365, a phishing-as-a-service platform first seen in April, is being used to hijack Microsoft 365 accounts by abusing OAuth device-code authentication rather than stealing passwords. The alert matters because it targets the daily workbench of modern Windows life: Outlook, Teams, OneDrive, SharePoint, and the identity fabric behind them. This is not another reminder that users should “check the link before clicking.” It is a warning that the phishing economy has learned to exploit the parts of Microsoft 365 that users have been trained to trust.

The FBI Is Warning About the Login After the Login​

The uncomfortable part of the Kali365 story is that the victim can do what security training told them to do and still lose. The Microsoft sign-in page may be real. The MFA prompt may be real. The user may never type a password into a counterfeit form.
That is what makes device-code phishing so effective. The attacker initiates an OAuth device authorization flow, sends the victim a code, and persuades them to enter it at Microsoft’s legitimate verification page. Once the user completes authentication, including MFA if required, the tokens are returned to the device that started the flow — which, in this scenario, is controlled by the attacker.
The FBI’s public service announcement frames Kali365 as a platform that lowers the bar for criminals who might not otherwise be able to build a mature Microsoft 365 phishing operation. The kit reportedly offers AI-generated lures, campaign templates, tracking dashboards, and token-capture capability. That combination turns a technically subtle attack into something closer to a subscription business.
This is the same grim pattern defenders have seen across ransomware and credential theft: specialization wins. One group builds the tooling, another rents it, and a third launders or monetizes the access. Kali365 is dangerous not because device-code phishing is new, but because it packages the technique for broader use.

---

Microsoft 365 Became the Prize Because It Became the Office​

For most organizations, Microsoft 365 is no longer just email plus file storage. It is the directory, the collaboration layer, the document archive, the meeting room, the chat transcript, the workflow engine, and often the first hop into sensitive line-of-business systems. A stolen Microsoft 365 session is not a stolen inbox; it is a stolen office.
That is why Outlook, Teams, and OneDrive appear so often in consumer-facing headlines about the FBI warning. Those names are recognizable, and they are where users feel the pain. But the real target is the Microsoft identity layer that binds those services together.
Once an attacker has valid OAuth access and refresh tokens, the attack moves into a more dangerous phase. The intruder does not necessarily need the user’s password. They do not necessarily need to defeat MFA again. They have a way to act as the user until the token is revoked, expires, or is invalidated by policy.
That distinction matters for administrators. Password resets may be necessary after a suspected compromise, but they are not sufficient if active sessions and refresh tokens remain valid. The old mental model — “change the password and move on” — is obsolete in a cloud identity world.

MFA Did Its Job, and That Is the Problem​

It is tempting to describe Kali365 as “bypassing MFA,” and that shorthand is not entirely wrong. The attacker can gain access without intercepting the password or directly stealing the MFA code. But the more precise and more troubling point is that MFA may have succeeded exactly as designed.
Device-code flow exists for legitimate reasons. It helps users sign in on devices that lack a normal browser or comfortable input method: meeting-room hardware, shared devices, smart displays, some Teams devices, developer tools, and other constrained environments. The user completes authentication on a second device, and the original device receives the token.
Kali365 abuses that trust boundary. The user believes they are unlocking a document, joining a Teams resource, or completing a routine Microsoft verification step. In reality, they are authorizing an attacker-controlled session.
This is why the usual advice to “look for the padlock” has aged badly. The padlock only tells the user that the connection to the site is encrypted and, in this case, perhaps that the site is genuinely Microsoft’s. It does not tell the user whether the authorization request is safe, expected, or connected to the task they think they are performing.

The Phishing Page Is Becoming the Least Interesting Part of Phishing​

For years, anti-phishing guidance focused on counterfeit login pages. The attacker cloned a Microsoft sign-in screen, harvested a password, and then tried to race past MFA or reuse the credential somewhere else. Defenders responded with MFA, passwordless authentication, domain protections, user training, and browser warnings.
The modern phishing kit has adapted. It does not always need to impersonate the login page anymore. It can steer the user into a real login page while manipulating the context around the login.
That shift changes the defender’s job. The question is no longer only whether users can spot a fake Microsoft page. It is whether the organization can constrain which authentication flows are allowed, which devices can receive tokens, and which sessions deserve continued trust.
Kali365 is part of a wider movement toward token theft and adversary-in-the-middle tradecraft. Attackers increasingly want the thing that appears after authentication: the session, the token, the cookie, the delegated access. The password is still useful, but it is no longer the only prize.
This is also why phishing-as-a-service platforms are so damaging. They industrialize the difficult parts: lure generation, infrastructure setup, session tracking, and evasion. A mediocre criminal can run a better campaign when the platform abstracts away the expertise.

---

Telegram Is the Mall, Not the Mastermind​

The FBI says Kali365 has primarily been distributed through Telegram. That detail is worth noting, but it should not become a distraction. Telegram is the storefront, not the underlying vulnerability.
Underground tool distribution has long followed users to platforms that offer reach, resilience, and semi-private communities. Telegram channels and groups are convenient for advertising kits, handling subscriptions, posting updates, and building a reputation. If one platform becomes less useful, the market moves.
The more important point is that phishing has become productized. Kali365 is described less like a one-off criminal script and more like software sold to operators: campaigns, templates, dashboards, automation, and capture features. That is the language of SaaS, and the irony is not accidental.
Security teams should resist the comforting belief that taking down one channel or one kit solves the problem. It may disrupt a specific operation, but the underlying demand remains. As long as Microsoft 365 accounts are valuable and authentication flows can be socially engineered, replacement services will appear.

The Device-Code Flow Was a Usability Feature Before It Was an Attack Surface​

Microsoft’s device-code flow is not a bug in the simple sense. It is a legitimate OAuth flow designed around a real usability problem. Not every device has a keyboard, a browser, or a pleasant way to enter complex credentials.
The trouble is that every usability shortcut becomes an attacker’s question: can this be made to happen in the wrong context? Device-code authentication assumes the user understands which device they are authorizing. Phishing breaks that assumption.
In an enterprise, that assumption is especially fragile. Employees receive document links, Teams invites, SharePoint notifications, HR portals, invoice approvals, vendor requests, and meeting updates all day. A prompt that says “enter this code to continue” may feel like friction, but not necessarily like danger.
The user is not always careless. They are often busy, interrupted, and operating inside a system that constantly asks them to approve, authenticate, sync, consent, and continue. Kali365 works because it hides inside the normal tempo of cloud work.

The Real Fix Lives in Entra, Not in the User’s Inbox​

The FBI’s most important mitigation is not a new awareness slogan. It is a configuration change: restrict or block device-code flow using Conditional Access policies. Microsoft’s own guidance has been moving in the same direction, recommending that organizations get as close as possible to a unilateral block where the flow is not needed.
That is a significant admission about the balance of risk. Device-code flow is useful, but for many tenants it is rarely necessary for ordinary users. If attackers use it more often than legitimate staff do, the default should change.
For Microsoft 365 administrators, the practical path is staged rather than theatrical. Inventory current device-code usage in sign-in logs. Put a Conditional Access policy into report-only mode. Identify legitimate dependencies, especially Teams Rooms and shared Teams devices. Then move toward blocking the flow broadly while maintaining narrow, documented exceptions.
The exception design matters. A sloppy exclusion can preserve the very exposure the policy is meant to close. Broadly exempting users because one device or tool needs device-code flow is the identity-management equivalent of leaving the side door unlocked because the front door has a smart lock.

Teams Rooms and Developer Tools Are Where Good Policy Gets Messy​

The cleanest security advice is usually written for a clean environment. Real tenants are not clean. They have Teams Rooms, legacy scripts, shared devices, admin tools, automation, and developers who have been using command-line sign-ins for years.
That is why blocking device-code flow should not be done as a blind switch-flip across a complex organization. Microsoft’s guidance points administrators toward report-only testing and exception groups because legitimate device-code dependencies do exist. Teams devices, in particular, can require careful scoping so room systems keep working while user accounts are protected.
The operational challenge is to avoid turning exceptions into permanent blind spots. Every exception should have an owner, a reason, and a review cadence. If the exception exists because of a legacy workflow, the organization should ask whether that workflow can move to a safer authentication method.
For developers and IT staff, the lesson is equally blunt. Convenience authentication paths that made sense in a trusted environment now need to be justified. If a tool can use browser-based sign-in, brokered authentication, managed identities, or workload identity federation, it should not rely on a high-risk flow merely because that flow is familiar.

---

Users Still Matter, but They Are No Longer the Firewall​

None of this means user training is useless. A user who recognizes a suspicious device-code prompt can stop the attack before it becomes a session. But the Kali365 warning should end the fantasy that training is the primary control.
The more convincing the lure, the less fair it is to make the user the final line of defense. AI-generated phishing text can remove obvious grammar mistakes. Campaign templates can mimic familiar workflows. The use of a legitimate Microsoft page deprives users of one of the few visual cues they have been told to trust.
A better user-facing message is specific: do not enter a Microsoft device code unless you personally initiated sign-in on a device you control or are setting up. A code sent through email, chat, or a document link should be treated as hostile unless independently verified. That is sharper than “be careful with links,” because it describes the attack behavior.
Security teams should also make reporting easy. If a user suspects they entered a device code, the response window is short. The organization needs a way to revoke sessions, inspect sign-in logs, and investigate token use without turning every report into a blame exercise.

The Consumer Microsoft Account Problem Is Harder​

The FBI alert is most actionable for organizations that manage Microsoft 365 through Entra ID and Conditional Access. Consumers using Outlook.com, OneDrive, or personal Microsoft accounts do not have the same policy levers. They cannot simply create a tenant-wide Conditional Access rule.
That does not mean they are powerless, but it does mean the advice becomes more behavioral and reactive. Users should be skeptical of any message that asks them to enter a device code to view a file, join a meeting, or unlock an account. They should review account activity, remove unfamiliar devices or sessions where possible, and change passwords if compromise is suspected.
For consumers, app consent and account recovery settings also matter. A compromised account can become a platform for further attacks against contacts, cloud files, and stored communications. The damage is not limited to the original sign-in.
Microsoft could do more here. Consumer experiences need clearer warnings when a device-code flow is being used, better language explaining where the authorization will land, and stronger anomaly detection when the requesting device, geography, or session context looks wrong. The safest enterprise control is policy; the safest consumer control may have to be product design.

The PSA Is Also a Warning About Security Theater​

The Kali365 story exposes a familiar weakness in corporate security culture: controls are often celebrated after deployment and neglected after attackers route around them. MFA was a necessary improvement, but too many organizations treated it as a finish line. It was always a checkpoint.
The same mistake can happen with Conditional Access. A tenant can have impressive-looking policies and still allow a risky authentication flow for every user. It can require MFA for admins while leaving token theft detection immature. It can block legacy authentication but fail to monitor newer OAuth abuse.
Security posture is not the list of products in the stack. It is the set of assumptions that remain true when an attacker behaves creatively. Kali365 attacks the assumption that a successful Microsoft login means the right device received the resulting trust.
That is the part administrators should take personally. The problem is not that Microsoft 365 is uniquely bad; it is that identity has become the control plane, and every control plane attracts specialized attack tooling. If the organization depends on Microsoft 365, then Microsoft 365 authentication policy is not plumbing. It is frontline defense.

---

Token Theft Turns Incident Response Into a Session Hunt​

When a password is stolen, responders know the classic steps: reset it, check for forwarding rules, review sign-ins, and look for persistence. Token theft complicates that playbook because the attacker may already have a valid session that survives the user’s belief that the account has been “secured.”
A serious response should include revoking refresh tokens and sessions, reviewing OAuth grants, checking mailbox rules, inspecting Teams activity, and looking for unusual OneDrive or SharePoint access. The investigation should not stop at the inbox. In Microsoft 365, lateral movement can be a document share, a Teams message, a malicious app consent, or a quiet download of sensitive files.
Sign-in logs become crucial. Administrators should look for device-code authentication, unusual locations, unfamiliar user agents, impossible travel, and access patterns that do not fit the user’s normal work. Microsoft’s newer logging around authentication flows and original transfer methods is particularly relevant because protocol tracking can reveal sessions rooted in device-code use.
The hardest incidents will be the quiet ones. An attacker with access to a mailbox and cloud files may not immediately send spam or trigger obvious alarms. They may read, search, download, and wait. That is why token theft should be treated as potential data exposure, not just account inconvenience.

This Is a Microsoft Problem, but Not Only Microsoft’s Problem​

It is fair to ask what Microsoft should do when a legitimate authentication flow becomes a favored phishing path. The company has already provided Conditional Access controls to restrict device-code flow, and it recommends blocking the flow wherever possible. That is useful, but it also shifts a great deal of responsibility onto administrators.
Microsoft has a difficult balance to strike. Device-code flow supports real devices and workflows, and abruptly disabling it everywhere would break customers. But leaving it broadly available by default gives attackers a reliable social-engineering route into tenants that have not tuned their identity policies.
The answer likely lies in progressive hardening. Risky flows should be more constrained by default, more visibly explained to users, and easier for admins to inventory. Tenants with no observed legitimate device-code usage should be nudged more aggressively toward blocking it. Admin portals should surface high-risk authentication flow exposure as a first-class security finding, not as a buried configuration option.
Still, organizations cannot outsource this entirely. Microsoft can supply controls and warnings, but tenant owners decide whether old exceptions linger, whether logs are monitored, and whether identity policy reflects how users actually work. Kali365 is a vendor problem and a customer problem at the same time.

The Small Print of “Urgent” Is That Many Fixes Are Boring​

Consumer headlines about the FBI issuing an “urgent PSA” are designed to produce alarm. That alarm is not misplaced, but the remedy is not cinematic. The most important fixes are the boring ones: configuration review, log analysis, Conditional Access testing, exception management, and user reporting.
That is often how cloud security works now. The breach path is dramatic, but the defense is administrative hygiene. A tenant with blocked device-code flow, narrow exceptions, strong session revocation procedures, and alerting on unusual authentication behavior is in a much better position than one that merely tells employees not to click suspicious links.
The irony is that the most actionable FBI recommendation is something many administrators can begin today. They do not need to wait for a new product, a new license tier in every case, or a dramatic takedown. They need to determine whether device-code flow is necessary and, if not, turn it off.
The organizations that struggle will be the ones that do not know their own authentication dependencies. Kali365 punishes that uncertainty. If IT cannot say who uses device-code flow and why, attackers will happily answer the question first.

The Kali365 Warning Leaves Administrators With a Short Checklist and a Long Memory​

The practical lesson from the FBI alert is narrower than “Microsoft users are at risk” and broader than “watch out for one phishing kit.” Kali365 is a reminder that identity controls must be reviewed as attack techniques change, especially when criminals start packaging those techniques for mass use.

• Organizations should audit Microsoft Entra sign-in logs for device-code flow and related protocol-tracked sessions before deciding which exceptions are truly necessary.
• Administrators should create Conditional Access policies that block device-code flow by default, using report-only mode before enforcement in complex environments.
• Teams Rooms, shared Teams devices, developer tools, and legacy workflows should receive narrow, documented exceptions rather than broad user-based carve-outs.
• Incident responders should revoke sessions and refresh tokens after suspected compromise instead of relying only on password resets.
• Users should treat any unsolicited request to enter a Microsoft device code as suspicious, even when the verification page itself is legitimate.
• Security teams should report suspected Kali365 activity to the FBI and preserve logs quickly, because token-based intrusions can become quiet data-access incidents.

The FBI’s Kali365 warning is not the death of MFA, and it is not proof that Microsoft 365 cannot be defended. It is proof that attackers have moved to the space around authentication, where trust is delegated, refreshed, and reused. The next phase of Windows and Microsoft 365 security will be won less by teaching users to fear every link and more by making dangerous authentication paths rare, visible, and tightly governed before the next phishing service turns them into a commodity.

---

References​

1. Primary source: UNILAD Tech
   Published: None
   
   

   FBI issue urgent PSA to anyone using Microsoft Teams, Outlook or OneDrive

   The FBI has issued a new urgent PSA regarding a phishing scam that impact anyone using Microsoft services like Teams, Outlook, or OneDrive

   www.uniladtech.com
2. Related coverage: techradar.com
   
   

   FBI warns of Kali phishing scam hitting Microsoft OAuth tokens — warns 'Kali365 lowers the barrier of entry, providing less-technical attackers access to AI-generated phishing lures' | TechRadar

   A new phishing kit is being offered on Telegram

   www.techradar.com
3. Related coverage: techrepublic.com
   
   

   FBI Warns: ‘Kali365’ Phishing Service Targets Microsoft 365 Accounts

   The FBI warned that Kali365 can hijack Microsoft 365 accounts by abusing device code authentication and capturing OAuth tokens.

   www.techrepublic.com
4. Related coverage: ebisuda.net
   
   

   FBIがMicrosoft 365を狙うフィッシングサービス「Kali365」に警告——MFAをバイパスするOAuthデバイスコード認証悪用 | ebisuda.net

   FBIがM365を標的にするPhaaS「Kali365」を警告。OAuthデバイスコード認証を悪用してMFAを回避しセッショントークンを窃取する

   www.ebisuda.net
5. Related coverage: cside.com
   
   

   MFA Didn't Fail, the Trust Model Did: Device Code Phishing and OAuth Token Theft (Kali365) - cside Blog

   Kali365 abuses the OAuth 2.0 device authorization grant to steal Microsoft 365 tokens after MFA. A technical breakdown of the flow, FOCI, and detection.

   cside.com
6. Related coverage: thecybersignal.com
   
   

   FBI Warns of Kali365 Phishing Kit Stealing Microsoft 365 Tokens

   The FBI's IC3 warned of Kali365, a Telegram-sold phishing kit that runs device-code phishing to steal Microsoft 365 OAuth tokens after victims pass MFA.

   www.thecybersignal.com

Spoiler: Additional references (10)

1. Related coverage: malwarebytes.com
   
   

   Kali365 phishing kit bypasses MFA and steals Microsoft logins | Malwarebytes

   The FBI has warned that attackers are using a new phishing kit to gain long-term access to Microsoft Outlook, Teams, and OneDrive accounts.

   www.malwarebytes.com
2. Related coverage: cyberscoop.com
   
   

   FBI warns about fast-growing phishing kit targeting Microsoft 365 users | CyberScoop

   Kali365, which was first observed in April, abuses legitimate Microsoft device authorization pages to grant persistent access to cybercriminal-controlled applications.

   cyberscoop.com
3. Related coverage: cybersecuritydive.com
   
   

   FBI warns about PhaaS platform used to access Microsoft 365 environments | Cybersecurity Dive

   Device code phishing enabled hackers to bypass multifactor authentication without credentials.

   www.cybersecuritydive.com
4. Related coverage: brightnexus.com
   
   

   FBI Warns of Kali365 Phishing Platform Targeting Microsoft 365 Accounts | Bright Nexus

   SeverityHigh Detail The Federal Bureau of Investigation (FBI) has issued a warning regarding an emerging phishing-as-a-service (PhaaS) platform known as “Kali36

   www.brightnexus.com
5. Related coverage: bvainc.com
   

   New FBI Alert: Kali365 Phishing Kit Bypasses Microsoft 365 MFA - BVA Technology Services

   The FBI’s Internet Crime Complaint Center (IC3) recently issued a Public Service Announcement (May 21, 2026) warning organizations about a rapidly emerging threat targeting Microsoft 365 environments: Kali365, a Phishing-as-a-Service (PhaaS) platform designed to bypass traditional security...

   www.bvainc.com
6. Related coverage: gblock.app
   
   

   FBI Warns: Kali365 PhaaS Bypasses Microsoft 365 MFA Via Device Code

   The FBI just warned that Kali365 is the first Microsoft 365 phishing service that bypasses MFA without ever asking for a password—victims complete the real Microsoft login flow themselves and hand over OAuth tokens that survive every additional check.

   www.gblock.app
7. Related coverage: itpro.com
   
   

   FBI warns Microsoft 365 users about another phishing as a service attack – here's how to avoid it | IT Pro

   Kali365 platform is serious enough to garner a warning from the FBI

   www.itpro.com
8. Related coverage: kiplinger.com
   
   

   New Scam Targets Microsoft Users, FBI Warns. Here's How to Protect Yourself | Kiplinger

   This phishing scam doesn't rely on a fake website. Instead, it tricks users into approving access themselves.

   www.kiplinger.com
9. Related coverage: as.com
   
   https://as.com/us/actualidad/fbi-emite-advertencia-de-seguridad-para-usuarios-de-teams-outlook-y-onedrive-esto-es-lo-que-deben-hacer-f202606-n
10. Related coverage: labs.cloudsecurityalliance.org
    
    

    OAuth Device Code Phishing Hits 340+ Microsoft 365 Organizations

    PDF document

    labs.cloudsecurityalliance.org