Hacker-City
News|May 25, 2026|5 min read

FBI warns of Kali365 phishing service targeting Microsoft 365 accounts

The FBI is warning about the Kali365 phishing-as-a-service platform that hijacks Microsoft 365 accounts by abusing OAuth device code authentication to steal session tokens and bypass multi-factor authentication, giving low-skilled attackers access to advanced phishing capabilities.

Tags: phishing-as-a-service, device-code-phishing, microsoft-365, oauth, mfa-bypass, fbi-warning, cybersecurity, phishing-attack, token-theft, microsoft-entra

BleepingComputer

Contributor


The FBI has issued a warning regarding the Kali365 phishing-as-a-service platform (PhaaS), which is leveraged to hijack Microsoft 365 accounts by exploiting OAuth device code authentication. This method facilitates the theft of session tokens and allows attackers to bypass multi-factor authentication (MFA).

According to the FBI's Public Service Announcement (PSA), Kali365 surfaced in April 2026 and is distributed via Telegram channels aimed at cybercriminals seeking streamlined methods to compromise Microsoft 365 accounts without the need to steal passwords or intercept MFA codes.

The platform employs a device code phishing strategy, which has gained traction as an effective technique. This approach exploits Microsoft's legitimate OAuth 2.0 Device Authorization grant flow to gain access to Microsoft Entra and Microsoft 365 accounts.

This authentication method was designed to enable devices with limited input capabilities, such as smart TVs, conference room systems, streaming devices, printers, and IoT devices, to authenticate through another device using a short code at Microsoft’s device code login portal.

How the Attack Works

In these cyberattacks, threat actors initiate the device authorization process to generate a code, subsequently deceiving victims into entering it on Microsoft’s login page through phishing and social engineering tactics.

Once the victim enters the code and completes MFA, Microsoft issues an OAuth access token, granting the attacker full access to the victim's account without the attacker ever having to pass an MFA challenge.

As a result, threat actors gain complete access to all applications that the user typically accesses via their single sign-on account, including Microsoft 365, Salesforce, and other cloud-based SaaS platforms, enabling them to exfiltrate data.

Kali365 Capabilities

The FBI warns that Kali365 equips even less experienced attackers with powerful phishing capabilities, including AI-generated phishing lures, automated campaign templates, real-time victim-tracking dashboards, and token-capture functionalities.

Security researchers from Arctic Wolf reported on Kali365's activities in April after observing a widespread campaign targeting organizations globally.

These researchers indicated that the campaigns primarily targeted Microsoft 365 environments through phishing emails that directed victims to Microsoft’s device code login portal, where they inadvertently granted attackers access to their accounts.

The resulting breaches provided hackers with access to victims' mailboxes, enabling them to create malicious inbox rules designed to conceal their activities.

In several instances, attackers registered new devices within victims’ Microsoft environments, further extending their foothold in the compromised networks.

Business Model

Arctic Wolf’s research uncovered that Kali365 operates as a structured business, featuring administrators overseeing product development, resellers promoting the service to other cybercriminals, and affiliates executing phishing attacks.

The platform offers two distinct modes of attack: the first involves device code phishing, while the second is an adversary-in-the-middle (AitM) mode titled "Cookie Link."

The Cookie Link mode proxies victims through infrastructure controlled by attackers, capturing authenticated browser sessions, session cookies, and tokens after victims log in and complete MFA challenges.

FBI Recommendations

The FBI advises organizations to restrict or completely block device code authentication flows utilizing Conditional Access policies wherever feasible. It also recommends auditing existing device code usage and prohibiting authentication transfer policies that allow sessions to be transferred between devices.
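As an added example (not part of the article or the FBI PSA), the following script implements the "audit existing device code usage" recommendation over constructed sign-in and audit records: it lists every sign-in that completed through the OAuth device authorization grant and flags users whose device-code sign-in was followed shortly by a new device registration, the follow-on step Arctic Wolf observed. The field names are modelled on Microsoft Entra sign-in and audit logs but are an assumption here, not a guaranteed schema.

```python
"""Audit device-code sign-ins and correlate them with new device registrations.

Added example, not from the article or the FBI PSA. The records below are
constructed and modelled on Entra sign-in / audit log fields; the field
names are an assumption, not a guaranteed schema.
"""
import json
from datetime import datetime, timedelta

# Constructed sample: three sign-ins and one device-registration audit event.
SAMPLE_LOGS = """
{"type":"signin","time":"2026-05-20T09:01:00Z","user":"alice@example.com","authenticationProtocol":"authorizationCodeFlow","appDisplayName":"Office 365 Exchange Online","ipAddress":"203.0.113.10"}
{"type":"signin","time":"2026-05-20T09:14:00Z","user":"bob@example.com","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Office","ipAddress":"198.51.100.7"}
{"type":"audit","time":"2026-05-20T09:31:00Z","user":"bob@example.com","activityDisplayName":"Add registered device"}
{"type":"signin","time":"2026-05-20T10:00:00Z","user":"carol@example.com","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Office","ipAddress":"198.51.100.9"}
"""

def parse(lines: str) -> list[dict]:
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(l) for l in lines.strip().splitlines() if l.strip()]

def _ts(rec: dict) -> datetime:
    return datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))

def device_code_signins(records: list[dict]) -> list[dict]:
    """Every sign-in that completed via the OAuth device authorization grant."""
    return [r for r in records
            if r.get("type") == "signin" and r.get("authenticationProtocol") == "deviceCode"]

def device_code_then_registration(records: list[dict], window=timedelta(hours=2)) -> list[str]:
    """Users with a device-code sign-in followed by a device registration within `window`."""
    regs = [r for r in records
            if r.get("type") == "audit" and r.get("activityDisplayName") == "Add registered device"]
    flagged = set()
    for s in device_code_signins(records):
        for reg in regs:
            if reg["user"] == s["user"] and timedelta(0) <= _ts(reg) - _ts(s) <= window:
                flagged.add(s["user"])
    return sorted(flagged)

if __name__ == "__main__":
    recs = parse(SAMPLE_LOGS)
    for r in device_code_signins(recs):
        print(f"device code sign-in: {r['user']} -> {r['appDisplayName']} from {r['ipAddress']}")
    print("device code sign-in followed by device registration:",
          device_code_then_registration(recs))
```

In an environment where device code flow is legitimately unused, every hit from the first function is worth review; the second function narrows the list to the sign-ins that already show the persistence step.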

Additionally, the agency urges organizations affected by these incidents to report them to the Internet Crime Complaint Center and preserve phishing emails, suspicious login credentials, and any unauthorized device registrations.

Broader Threat Landscape

Device code phishing has become increasingly prevalent in 2026, with various threat actors and platforms adopting it as part of their phishing campaigns and attacks.

This trend includes the EvilTokens PhaaS and Tycoon2FA, which also utilize device code phishing techniques to compromise Microsoft 365 and Entra accounts.
