Kali365 Phishing Service Targets Microsoft 365 Accounts

The FBI Has a New Warning About Your Microsoft 365 Accounts
The FBI has issued a public service announcement about Kali365, a phishing-as-a-service (PhaaS) platform purpose-built to hijack Microsoft 365 accounts. What makes Kali365 dangerous is not that it steals passwords or intercepts multi-factor authentication codes. It does neither. Instead, it abuses a legitimate Microsoft authentication feature to walk away with valid session tokens that grant full account access, without ever solving an MFA challenge.
According to the FBI, Kali365 first emerged in April 2026 and is sold through Telegram channels to cybercriminals looking for an easier way into corporate Microsoft environments. The platform packages advanced attack capabilities into a point-and-click service, putting techniques that once required real skill into the hands of low-effort attackers. For defenders, that combination of accessibility and MFA bypass is exactly what makes this threat worth taking seriously.
How Device Code Phishing Works
Kali365 is built around a technique called device code phishing, which abuses Microsoft's legitimate OAuth 2.0 Device Authorization grant flow. This authentication method exists for a good reason: it lets devices with limited input capabilities — smart TVs, conference room systems, streaming boxes, printers, and other IoT hardware — authenticate by having a user enter a short code on a separate device at Microsoft's official portal, microsoft.com/devicelogin.
Attackers turn that convenience against the user. Here is the typical flow:
- The attacker generates a code — Rather than waiting for a victim, the threat actor initiates the device authorization process themselves to produce a legitimate device code.
- The lure arrives — Through phishing emails and social engineering, the victim is directed to Microsoft's real device login page and prompted to enter the code, often under the guise of a meeting invite, a security check, or a required sign-in.
- The victim completes MFA — Because the victim is on Microsoft's genuine portal, everything looks correct. They enter the code and complete their normal multi-factor authentication.
- Microsoft issues a token to the attacker — Once the victim authorizes the request, Microsoft hands the threat actor a valid OAuth access token that grants full access to the account — no further MFA required.
The genius, and the danger, of this approach is that the victim authenticates on the real Microsoft domain. There is no spoofed login page to spot, no fake URL to scrutinize. The deception happens entirely in the framing of why the user is being asked to enter a code.
One Token, Total Access
The moment that access token is issued, the attacker inherits everything the victim's account can reach. In a single-sign-on environment, that rarely stops at email. It can extend to Microsoft 365, Salesforce, and any other cloud SaaS platform tied to the same identity.
Security researchers at Arctic Wolf, who reported on Kali365 activity in April 2026 after observing a worldwide campaign, documented exactly how attackers exploit that access once inside:
- Mailbox compromise — Attackers gained access to victim mailboxes and used them as a foothold for further attacks.
- Malicious inbox rules — They created hidden inbox rules designed to conceal their activity and quietly intercept or redirect messages.
- Rogue device registration — In some cases, attackers registered new devices in the victim's Microsoft environment, extending their persistence and reach into the breached network.
This pattern is not unique to Kali365. In February 2026, extortion crews including the ShinyHunters group were reported targeting Microsoft Entra accounts using device-code and voice phishing — a sign that this technique has moved firmly into the mainstream of real-world attacks.
Cybercrime With a Business Model
What elevates Kali365 from a clever trick to a systemic threat is its structure. Arctic Wolf found that it operates like a business, with admins managing product development, resellers promoting the service to other criminals, and affiliates running the actual phishing campaigns. It is cybercrime organized along the same lines as a legitimate software company.
The FBI warns that the platform gives even low-skilled attackers access to advanced capabilities, including:
- AI-generated phishing lures that produce convincing, varied messaging at scale
- Automated campaign templates that remove the manual effort from launching attacks
- Real-time victim-tracking dashboards that let operators watch campaigns unfold live
- Token-capture functionality that harvests access the instant a victim authorizes a request
Kali365 also offers two distinct attack modes. The first is the device code phishing described above. The second, named "Cookie Link," is an adversary-in-the-middle (AitM) mode that proxies victims through attacker-controlled infrastructure. Cookie Link captures authenticated browser sessions, session cookies, and tokens after the target logs in and completes their MFA challenge — a second path to the same prize of a valid, MFA-bypassing session.
Why This Slips Past Your Existing Defenses
Most organizations have invested heavily in MFA precisely to stop account takeover. Device code phishing is engineered to render that investment moot:
- MFA is completed, not bypassed at the protocol level — The victim genuinely authenticates, so there is no failed login or anomalous MFA prompt to flag.
- The login happens on Microsoft's real domain — URL reputation tools and safe-browsing filters have nothing malicious to block.
- Tokens look legitimate — The resulting session is a valid OAuth token issued by Microsoft itself.
- No malware, no payload — There is nothing for endpoint protection to detonate or sandbox.
The decisive control point is the same as it is for nearly every social engineering attack: the human being asked to enter the code. If that person recognizes that they were not the one who initiated a device sign-in, the entire chain collapses. If they do not, no downstream technology is well positioned to intervene.
What the FBI Recommends
The FBI's PSA includes concrete technical guidance for organizations. Security teams should prioritize the following controls:
- Restrict or block device code authentication flows using Conditional Access policies wherever the business does not genuinely need them.
- Audit existing device code usage to understand where and why the flow is being used in your environment today.
- Block authentication transfer policies that allow authentication sessions to move between devices.
- Report incidents to the Internet Crime Complaint Center (IC3), and preserve phishing emails, suspicious login records, and any unauthorized device registrations as evidence.
These technical controls are essential. But Conditional Access policies cannot cover every scenario, and device code authentication remains a legitimate feature that many organizations rely on. Wherever the flow stays enabled, the human who receives the lure becomes the last line of defense.
Training Employees to Recognize Device Code Phishing
Defending against this technique requires teaching employees a small number of specific, recognizable behaviors — rules that hold up no matter how legitimate the surrounding email or portal appears.
Rule 1: You Initiate Sign-Ins, Not the Other Way Around
Legitimate device sign-ins happen because you are setting up a device. If an email, message, or caller asks you to enter a code at microsoft.com/devicelogin for a sign-in you did not start, that is a red flag — even though the page itself is genuinely Microsoft's.
Rule 2: A Real Microsoft Page Does Not Make a Request Legitimate
Employees are trained to check for fake login pages. Device code phishing defeats that instinct by using the real one. The lesson must evolve: the safety of a request depends on who asked and why, not solely on whether the domain is authentic.
Rule 3: Treat Unexpected "Enter This Code" Requests as Suspicious
Any unsolicited prompt to type a code to "verify," "approve," or "complete" a sign-in should be paused and verified through a known channel — your IT team or the service's official app — before acting.
Rule 4: Report It, Don't Just Ignore It
An employee who recognizes and reports a device code lure gives security teams early warning of an active campaign targeting the organization. Reporting should be as easy as the "report phish" button most teams already use for suspicious emails.
How empowsec Helps Build Resilience to Token Theft
The attacks employees face have moved beyond fake login pages and malicious attachments, and security awareness training has to keep pace. empowsec is designed to prepare workforces for exactly the kind of identity-layer social engineering that platforms like Kali365 industrialize.
- Realistic phishing simulations that mirror current lure patterns, including OAuth and device-code-style requests, so employees practice spotting them before a real campaign arrives.
- Targeted training modules on MFA bypass techniques, token theft, adversary-in-the-middle attacks, and the specific tactics being used in live campaigns right now.
- Immediate, contextual debriefs when an employee falls for a simulation, explaining exactly what they missed and how the real-world equivalent would have played out.
- Behavioral analytics that show security leaders which teams, roles, and regions are most exposed, so training investment follows real risk.
- Continuous reinforcement through short, regular exercises that build the instinctive caution a single annual training session cannot produce.
For small businesses, the same platform delivers enterprise-grade training without the enterprise complexity — turning security awareness into a practical operational control rather than a compliance checkbox.
Key Takeaways
Kali365 is a clear signal of where account takeover is heading. When MFA bypass, AI-generated lures, and real-time token capture are bundled into a Telegram-distributed service, the barrier to compromising Microsoft 365 accounts collapses. Here is what matters for defenders:
- MFA is necessary but not sufficient — Device code phishing produces valid, MFA-completed sessions, so additional layers of defense are required.
- The login page being real is the whole trick — Train employees to evaluate requests by origin and intent, not just by whether the domain looks correct.
- Lock down the device code flow — Use Conditional Access to restrict or block device code authentication wherever the business does not need it.
- The human is the last line of defense — Where the flow stays enabled, an employee who recognizes an unexpected code request stops the attack cold.
- Simulation is how the reflex sticks — Reading about device code phishing builds awareness; practicing against a realistic simulation builds the instinct that actually prevents the breach.
Attackers have turned MFA bypass into a productized service. The most effective response is an equally systematic approach to preparing the people they are trying to manipulate. With empowsec, enterprises and small businesses can give their workforce the realistic practice and immediate feedback needed to keep pace with threats that evolve as quickly as Kali365 does.


