FBI Warns Kali365 Hijacks Microsoft 365 Tokens, Bypassing MFA via Device Codes
Updated · Infosecurity Magazine · May 25
Kali365, first detected in April 2026, lets attackers steal Microsoft 365 OAuth access and refresh tokens and keep persistent access without capturing passwords.
The FBI said the phishing kit sends emails posing as trusted cloud services, then tricks victims into entering an attacker-supplied device code on a legitimate Microsoft verification page.
That step authorizes the attacker’s device, allowing access to Outlook, Teams and OneDrive without further MFA challenges; the platform is being distributed mainly through Telegram.
The bureau urged organizations to restrict or block device code flow, apply conditional access policies, block authentication transfer from computers to mobile devices, and exempt emergency access accounts from lockouts.
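To check a tenant against the mitigations listed above, the following added example (not from the FBI alert or the article) audits exported Conditional Access policies for enforced blocks on device code flow and authentication transfer, and flags emergency access accounts a block would lock out. It assumes policies in the shape of Microsoft Graph `conditionalAccessPolicy` objects; the sample policies, GUID and function name are constructed placeholders.

```python
import json

# Constructed sample in the shape of Microsoft Graph conditionalAccessPolicy
# objects; display names and GUIDs are placeholders, not real tenant data.
BREAK_GLASS = {"11111111-1111-1111-1111-111111111111"}
SAMPLE = json.loads("""
[
  {"displayName": "Block device code flow", "state": "enabled",
   "conditions": {
     "users": {"includeUsers": ["All"],
               "excludeUsers": ["11111111-1111-1111-1111-111111111111"]},
     "authenticationFlows": {"transferMethods": "deviceCodeFlow"}},
   "grantControls": {"builtInControls": ["block"]}},
  {"displayName": "Block authentication transfer (pilot)",
   "state": "enabledForReportingButNotEnforced",
   "conditions": {
     "users": {"includeUsers": ["All"], "excludeUsers": []},
     "authenticationFlows": {"transferMethods": "authenticationTransfer"}},
   "grantControls": {"builtInControls": ["block"]}}
]
""")
FLOWS = ("deviceCodeFlow", "authenticationTransfer")

def audit(policies, break_glass):
    """For each flow, report whether an enforced tenant-wide block exists and
    which emergency access accounts that block would lock out.
    Assumption: exclusions are listed in excludeUsers (groups are not resolved)."""
    report = {f: {"enforced": False, "report_only": False, "locked_out": set()}
              for f in FLOWS}
    for p in policies:
        cond = p.get("conditions") or {}
        users = cond.get("users") or {}
        methods = (cond.get("authenticationFlows") or {}).get("transferMethods") or ""
        targeted = {m.strip() for m in methods.split(",")} & set(FLOWS)
        grants = (p.get("grantControls") or {}).get("builtInControls") or []
        if "block" not in grants or "All" not in users.get("includeUsers", []):
            continue  # not a tenant-wide block policy
        for flow in targeted:
            if p.get("state") == "enabled":
                report[flow]["enforced"] = True
                report[flow]["locked_out"] |= break_glass - set(users.get("excludeUsers", []))
            elif p.get("state") == "enabledForReportingButNotEnforced":
                report[flow]["report_only"] = True  # logged only, flow still works
    return report

if __name__ == "__main__":
    for flow, result in audit(SAMPLE, BREAK_GLASS).items():
        print(flow, result)
```

A flow that shows `report_only` without `enforced` is still usable by an attacker-supplied device code, and a non-empty `locked_out` set means the block would also cut off the emergency access accounts.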
The Rise of Kali365: FBI Alert on Industrialized Phishing-as-a-Service Targeting Microsoft 365 and MFA
Overview
In May 2026, the FBI issued a public warning about Kali365, a rapidly emerging Phishing-as-a-Service (PhaaS) platform that poses a major threat to organizations using Microsoft 365. Kali365 provides cybercriminals with easy-to-use tools, including pre-designed email templates and landing pages, allowing even those with minimal technical skills to launch effective phishing campaigns. The platform is specifically designed to breach Microsoft 365 accounts by bypassing multi-factor authentication (MFA) through the theft of OAuth tokens. This makes it possible for attackers to capture login credentials and gain unauthorized access, highlighting a new level of risk for businesses.