
FBI warns of Kali365 phishing kit that accesses Microsoft 365 accounts – no password required

So, you’ve enabled multi-factor authentication. You’ve taught your employees never to type their passwords into suspicious-looking login pages. Are your Microsoft 365 accounts safe now?

Well, think again.

The FBI has issued an advisory about a newly emerging phishing platform that can hijack Microsoft 365 accounts without stealing a password. And it has no trouble getting past MFA while it’s at it.

Kali365 is a criminal phishing-as-a-service subscription that was first spotted in April 2026 and is heavily promoted through Telegram.

It’s a turnkey toolkit that allows even non-technical fraudsters to run phishing campaigns, reportedly costing as little as US $250 per month or $2,000 per year.

Kali365 subscribers have access to AI-generated phishing profiles, automated campaign templates, real-time dashboards for target tracking, and the ability to capture OAuth tokens. In other words, it’s everything even a complete novice would need to launch a phishing attack.

And the threat is not theoretical. Security researchers documented hundreds of Kali365 attacks in April alone, targeting organizations across North America and Europe.

A common feature of the attacks? The victim had MFA enabled.

What makes Kali365 so successful, I suspect, is that it doesn’t need to trick victims with a fake login page. Instead, it abuses an official Microsoft feature.

If you’ve ever signed up to a streaming service like Amazon Prime or Netflix on a smart TV, you’ve probably been prompted to type a short code into a website on your phone.

If you did that, you used the “device code flow.” That’s the OAuth mechanism that lets a device with no convenient keyboard or browser obtain a signed-in session by having you approve it from another device.

The Kali365 attack works the same way. You receive a phishing email disguised as a message from a trusted cloud service, asking you to visit Microsoft’s verification page and enter a code.

You go to the genuine Microsoft page and type in the code. You may think you have done everything completely safely.

After all, it was a real Microsoft domain, your password manager recognized it correctly, the site’s SSL certificate is valid, and there are no typos in the URL.

However, what you have actually done is approve the attacker’s device for access to your account.

Microsoft hands the attacker an OAuth token – proof that you’re logged in – giving them full access to your Microsoft Outlook, Groups, and OneDrive with no password and no additional prompt for an MFA code.

In short, there is no fake website to see, and no misspelled domain name. A single stolen token can open other cloud applications, potentially turning one careless click into a wider security incident.

The thing to remember here is that MFA prevents attackers from logging in as you. It does nothing to stop you from granting access to an attacker through a workflow that Microsoft considers perfectly legitimate.

Criminals are never asked to respond to an MFA challenge, because as far as Microsoft is concerned the victim has already passed one.

And that’s why the FBI’s top recommendation is to block the device code flow with a Conditional Access policy in Microsoft Entra ID where appropriate. You’ll probably want to exclude your emergency access accounts from that policy so you don’t accidentally lock yourself out.
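Blocking the flow going forward does not tell you whether it has already been abused. As an added example (not from the FBI advisory or this article), the snippet below hunts through Entra ID sign-in records for device code sign-ins and flags those coming from an IP address the user has never otherwise signed in from. It assumes the Microsoft Graph `signIn` field names (`authenticationProtocol`, `userPrincipalName`, `ipAddress`, `appDisplayName`) and runs over constructed sample records, not real tenant data.

```python
# Constructed sample records shaped like Microsoft Graph signIn objects.
# Values are made up for illustration; only the field names follow Graph.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-04-10T09:01:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "198.51.100.10", "appDisplayName": "Office 365 Exchange Online",
     "authenticationProtocol": "none"},
    {"createdDateTime": "2026-04-10T09:07:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.45", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode"},
    {"createdDateTime": "2026-04-10T09:09:00Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "198.51.100.10", "appDisplayName": "Microsoft Teams",
     "authenticationProtocol": "none"},
    {"createdDateTime": "2026-04-10T09:12:00Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "198.51.100.10", "appDisplayName": "Microsoft Teams",
     "authenticationProtocol": "deviceCode"},
    {"createdDateTime": "2026-04-10T10:00:00Z", "userPrincipalName": "carol@example.com",
     "ipAddress": "198.51.100.11", "appDisplayName": "OneDrive",
     "authenticationProtocol": "authorizationCode"},
]


def device_code_signins(signins):
    """Every sign-in that completed via the OAuth device code flow."""
    return [s for s in signins if s.get("authenticationProtocol") == "deviceCode"]


def flag_suspicious(signins):
    """Device code sign-ins from an IP the user has never used for any other flow.

    Heuristic, not proof: a legitimate smart-TV style login can also come from a
    new address, so each hit is a lead for an analyst to confirm with the user.
    """
    known_ips = {}
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            known_ips.setdefault(s["userPrincipalName"], set()).add(s["ipAddress"])
    return [s for s in device_code_signins(signins)
            if s["ipAddress"] not in known_ips.get(s["userPrincipalName"], set())]


def report(signins):
    """One human-readable line per flagged sign-in, ready for a ticket or alert."""
    return [f"{s['createdDateTime']} {s['userPrincipalName']} device code sign-in "
            f"from unfamiliar IP {s['ipAddress']} to {s['appDisplayName']}"
            for s in flag_suspicious(signins)]


if __name__ == "__main__":
    for line in report(SAMPLE_SIGNINS):
        print(line)
```

Revoking the user's refresh tokens and resetting the session is the usual first response to a confirmed hit, since the stolen token, not the password, is what the attacker holds.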

And it’s always a good idea to roll out phishing-resistant MFA, such as hardware security keys, which bind the login to the device in your hand and are much harder to circumvent.

The FBI’s Internet Crime Complaint Center encourages victims to report incidents to it through the website at ic3.gov.
