FBI Microsoft 365 Phishing Alert: The Kali365 Threat That Bypasses MFA Without Stealing Your Password

If you use Microsoft 365 for work or personal email, the FBI has issued an urgent warning you cannot afford to ignore. A newly discovered phishing platform called Kali365 is actively targeting Microsoft 365 users — and what makes it especially alarming is that it does not need your password. It bypasses multi-factor authentication entirely by stealing something more valuable: your access tokens.

What Is the FBI Microsoft 365 Phishing Alert About?

On May 21, 2026, the FBI’s Internet Crime Complaint Center (IC3) issued Public Service Announcement number I-052126, formally warning the public about an emerging Phishing-as-a-Service (PhaaS) platform called Kali365. First detected in April 2026, the platform has been primarily distributed through the messaging app Telegram, enabling cybercriminals to obtain Microsoft 365 access tokens and bypass multi-factor authentication (MFA) protocols — all without ever intercepting a user’s login credentials.

The FBI’s alert covers users of Microsoft’s most popular workplace tools: Outlook, Teams, OneDrive, and SharePoint. If you or your organization relies on any of these services, your account could be a target.

What Is Kali365 and How Does It Work?

Kali365 is a subscription-based phishing toolkit sold to cybercriminals, reportedly available for as little as $250 per month or $2,000 per year. It operates much like a legitimate software-as-a-service (SaaS) product — except its sole purpose is breaking into Microsoft 365 accounts at scale.

What makes Kali365 uniquely dangerous is its use of a technique called device code phishing, also known as OAuth token theft. Rather than sending victims to a fake Microsoft login page that would set off alarm bells, attackers leverage Microsoft’s own legitimate authentication infrastructure. Here is how the attack unfolds step by step:

Step 1 — The Lure: The victim receives a phishing email impersonating a trusted cloud productivity or document-sharing service. The email contains a short device authentication code and instructions to visit a legitimate Microsoft verification page.

Step 2 — The Authorization: The victim navigates to the genuine Microsoft page at microsoft.com — a real domain with a valid SSL certificate — and enters the code. Nothing appears suspicious because nothing about the page is fake.

Step 3 — Token Theft: By entering that code, the victim unknowingly authorizes the attacker’s device to access their Microsoft 365 account. The attacker then captures OAuth access and refresh tokens.

Step 4 — Persistent Access: With those tokens, the attacker gains full access to the victim’s Outlook email, Teams messages, OneDrive files, and SharePoint data — without ever needing a password or being challenged by MFA again.

Security researchers documented hundreds of Kali365-enabled attacks in April 2026 alone, targeting organizations across North America, Europe, the Middle East, and Africa. A more recent variant of this activity was also observed as recently as June 2, 2026, confirming the threat remains active.

Why MFA Is No Longer Enough Against This Attack

For years, security professionals have preached that enabling multi-factor authentication is the single most important step users can take to protect their accounts. Kali365 fundamentally breaks that assumption.

Because the attack exploits Microsoft’s legitimate device code authentication flow — not a fake login page — MFA does not stop it. The victim completes a real authentication process on a real Microsoft domain. The MFA prompt, if triggered, is genuine. But the session being authorized still belongs to the attacker.

The FBI notes that Kali365 provides less-technical attackers with access to AI-generated phishing lures, automated campaign templates, real-time tracking dashboards for individual targets, and OAuth token capture capabilities. This dramatically lowers the barrier to entry, meaning even inexperienced cybercriminals can now launch sophisticated, MFA-bypassing attacks against enterprises and individuals alike.

Traditional security awareness training also falls short here. Employees are typically trained to check that a URL is legitimate before entering credentials — but in a Kali365 attack, the URL is legitimate. It is a genuine Microsoft domain. The suspicious moment is the instruction to enter a code provided by an unsolicited email or document link, not the website itself.

Who Is Being Targeted?

The FBI’s warning applies broadly, but security researchers tracking active Kali365 campaigns have identified specific industries being hit hardest. According to research by Arctic Wolf, campaigns originating primarily from a single North American IP address have targeted organizations in manufacturing, education, insurance, financial services, healthcare, and government sectors.

A parallel device code phishing campaign tracked by cybersecurity firm Huntress, active since February 2026, targeted Microsoft 365 identities across more than 340 organizations in the United States, Canada, Australia, New Zealand, and Germany.

Malwarebytes has also stressed that this is not purely a business problem. Any individual with an Outlook, OneDrive, or Microsoft 365 Personal subscription is equally at risk if tricked into entering a device code provided by an attacker.

Red Flags to Watch For

While Kali365 attacks are designed to appear completely legitimate, there are warning signs users and IT teams should watch for:

  • An unsolicited email asking you to visit a Microsoft device sign-in page and enter a short code
  • Unexpected instructions to authenticate or verify your account through a device code flow — especially when you did not initiate the process yourself
  • Emails impersonating cloud services like SharePoint, OneDrive, or document-sharing platforms that contain unusual authentication steps
  • Unfamiliar devices appearing in your Microsoft 365 account’s active sessions
  • Unusual sign-in locations or unexpected access to Outlook, Teams, or OneDrive that you did not initiate

How to Protect Yourself: FBI-Recommended Steps

The FBI and cybersecurity experts have outlined several specific measures individuals and organizations can take to defend against Kali365-style attacks:

Block or Restrict Device Code Flow: The FBI’s top recommendation is to create a Conditional Access policy in Microsoft Entra ID (formerly Azure Active Directory) that blocks device code flow globally. Organizations should audit existing device code flow usage first to identify any legitimate business dependencies before applying the policy.

Exclude Emergency Access Accounts: When blocking device code flow, emergency access accounts should be excluded to prevent accidental organizational lockouts.

Block Authentication Transfer Policies: Prevent users from transferring an authenticated session from a computer to a mobile device.
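The three measures above map onto a single Conditional Access policy. The following added example (not from the FBI alert or Microsoft) builds that policy body in the shape the Microsoft Graph `conditionalAccessPolicy` schema expects and lints it for the guardrails the guidance describes: all users in scope, emergency access accounts excluded, device code flow and authentication transfer both blocked, and report-only mode first so the audit of existing usage happens before enforcement. The emergency account object IDs are placeholders.

```python
"""Build and lint a Conditional Access policy that blocks device code flow
and authentication transfer. Field names follow the Microsoft Graph
conditionalAccessPolicy schema; the object IDs below are placeholders."""
import json

# Placeholder object IDs for the tenant's break-glass accounts (constructed).
EMERGENCY_ACCESS_ACCOUNTS = [
    "00000000-0000-0000-0000-0000000000a1",
    "00000000-0000-0000-0000-0000000000a2",
]


def build_block_policy(emergency_accounts, enforce=False):
    """Return the JSON body for POST /identity/conditionalAccess/policies."""
    return {
        "displayName": "Block device code flow and authentication transfer",
        # Report-only first: sign-in logs then show what would have been
        # blocked, so legitimate device code dependencies surface before
        # anyone is locked out. Switch to enforce=True after that audit.
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"],
                      "excludeUsers": list(emergency_accounts)},
            "applications": {"includeApplications": ["All"]},
            # Flags value: both transfer methods blocked by one policy.
            "authenticationFlows": {
                "transferMethods": "deviceCodeFlow,authenticationTransfer"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def lint_policy(policy):
    """Return a list of problems; an empty list means the guardrails hold."""
    problems = []
    cond = policy["conditions"]
    if cond["users"].get("includeUsers") != ["All"]:
        problems.append("policy must cover all users to stop token theft")
    if not cond["users"].get("excludeUsers"):
        problems.append("no emergency access accounts excluded: lockout risk")
    if "deviceCodeFlow" not in cond["authenticationFlows"]["transferMethods"]:
        problems.append("deviceCodeFlow is not in transferMethods")
    if policy["grantControls"].get("builtInControls") != ["block"]:
        problems.append("grant control must be block")
    return problems


if __name__ == "__main__":
    policy = build_block_policy(EMERGENCY_ACCESS_ACCOUNTS)
    print(json.dumps(policy, indent=2), lint_policy(policy))
```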

Deploy Phishing-Resistant MFA: Move beyond standard app-based MFA to hardware security keys (such as FIDO2 keys), which tie authentication to a physical device and cannot be hijacked through OAuth token capture.

Monitor for Suspicious Session Activity: Security teams should actively watch for unfamiliar devices, unusual sign-in locations, unexpected active sessions, and abnormal access patterns across Outlook, Teams, OneDrive, and SharePoint.
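Both the pre-block audit of device code usage and the ongoing watch for unfamiliar devices and locations come down to the same question asked of the Entra ID sign-in logs: who completed a device code sign-in, from where, into which app. This added example (not from the alert or any vendor) runs that triage over constructed sample records whose field names follow the Graph `signIn` resource (`authenticationProtocol`, `ipAddress`, `appDisplayName`, `status.errorCode`); the allowlists are assumptions a tenant would fill in from its own environment.

```python
"""Triage Entra ID sign-in records for device code flow usage. Field names
follow the Graph signIn resource; records and allowlists are constructed."""
from collections import Counter

# Constructed sample: three successful sign-ins, two via device code flow.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-04-14T09:02:11Z", "userPrincipalName": "ana@example.com",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "oAuth2",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-04-14T09:05:40Z", "userPrincipalName": "ana@example.com",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.42", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-04-14T11:30:05Z", "userPrincipalName": "lobby-display@example.com",
     "appDisplayName": "Microsoft Teams", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},
]

# Constructed allowlists: corporate egress addresses, and accounts that
# legitimately sign in with device codes (e.g. shared meeting-room displays).
KNOWN_EGRESS = {"198.51.100.7"}
KNOWN_DEVICE_CODE_USERS = {"lobby-display@example.com"}


def device_code_signins(records):
    """Successful sign-ins that completed the device code flow."""
    return [r for r in records
            if r.get("authenticationProtocol") == "deviceCode"
            and r.get("status", {}).get("errorCode", 1) == 0]


def audit_baseline(records):
    """Per-user count of device code sign-ins: what a block policy would break.
    Run this before enforcing the Conditional Access policy."""
    return Counter(r["userPrincipalName"] for r in device_code_signins(records))


def suspicious_device_code(records):
    """Device code sign-ins by a user not expected to use the flow, from an
    address outside known egress: the attacker's device redeeming the code."""
    alerts = []
    for r in device_code_signins(records):
        if r["userPrincipalName"] in KNOWN_DEVICE_CODE_USERS:
            continue
        if r["ipAddress"] in KNOWN_EGRESS:
            continue
        alerts.append((r["userPrincipalName"], r["ipAddress"], r["appDisplayName"]))
    return alerts


if __name__ == "__main__":
    print(audit_baseline(SAMPLE_SIGNINS), suspicious_device_code(SAMPLE_SIGNINS))
```

A hit from `suspicious_device_code` is the cue to revoke that user's refresh tokens and review the devices and active sessions on the account, since the token already issued stays valid until revoked or expired.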

Train Users on the New Threat: Update security awareness training to specifically address device code phishing. Employees must understand that a legitimate Microsoft URL does not guarantee a safe authentication request.

Report Incidents to IC3: If you believe you or your organization has been targeted by Kali365 or a similar device code phishing campaign, the FBI encourages victims to file a complaint at www.ic3.gov. Include any phishing emails, suspicious login details such as IP addresses and timestamps, and information about any unauthorized devices or active sessions added to the account.

The Bigger Picture: A Shift in How Phishing Works

The FBI’s Kali365 alert reflects a broader evolution in the cybercriminal landscape. Attackers are no longer primarily trying to steal your password — they are targeting the authenticated session itself. By capturing OAuth tokens, they bypass the need for credentials entirely and gain access that can persist until the token expires or is manually revoked.

Kali365 is not alone in this space. The FBI alert coincides with emerging research on other PhaaS platforms using similar methods. EvilTokens, another Phishing-as-a-Service platform also distributed through Telegram, has been identified by security researchers as operating along similar lines. The convergence of AI-generated lures, automated templates, and token-theft techniques suggests this category of attack will only grow more sophisticated in the months ahead.

The bottom line: organizations that rely solely on passwords and standard MFA are no longer adequately protected against the current generation of phishing threats. The FBI’s Microsoft 365 phishing alert is a direct call to action — upgrade your identity controls, restrict device code flow, and assume that the authentication page your users see could be part of a carefully constructed attack even when every element of it looks real.
