The FBI has issued a stark warning to Microsoft users regarding a sophisticated new phishing scheme, dubbed Kali365, that bypasses traditional password theft and can even circumvent multi-factor authentication (MFA). This emerging threat targets Microsoft 365 accounts, encompassing services like Outlook, Teams, and OneDrive, by exploiting a legitimate sign-in process to gain unauthorized access.
Understanding the Kali365 Phishing-as-a-Service Platform
Kali365 operates as a “phishing-as-a-service” platform, meaning cybercriminals can subscribe to its tools and ready-made attack kits. Since its emergence in April 2026, primarily spreading through Telegram, the platform has equipped attackers with AI-generated phishing messages, automated campaign templates, and sophisticated tracking dashboards. Crucially, it includes tools designed to capture OAuth tokens.
OAuth tokens function as digital access keys, enabling applications to maintain connections to a user’s account without requiring repeated password entry. While beneficial for legitimate applications, these tokens become a significant security risk when stolen by malicious actors. The FBI notes that this method is particularly concerning because it doesn’t rely on stealing a user’s password.
How Kali365 Circumvents Multi-Factor Authentication
Unlike conventional phishing attacks that aim to steal login credentials, Kali365 employs a more insidious strategy by abusing Microsoft’s device code login process. This is the same mechanism users might encounter when signing into a streaming service on a smart TV, where a code is displayed on one device and entered on another to authenticate the session.
The scam is initiated when an attacker starts a sign-in process from their own device and then tricks the victim into approving it. This often begins with a phishing email, impersonating a trusted cloud service or document-sharing tool. The email contains a code and directs the recipient to a genuine Microsoft verification page. The legitimacy of the web address and the familiar appearance of the Microsoft page can lull users into a false sense of security, potentially bypassing password managers and user suspicion.
Once the victim enters the provided code on the legitimate Microsoft page, they inadvertently authorize the attacker’s device. This action allows the attacker to capture OAuth access and refresh tokens. With these tokens, the attacker can gain access to Microsoft 365 services like Outlook, Teams, and OneDrive without ever needing the victim’s password or triggering a subsequent MFA prompt.
The Threat to Small Businesses
While any Microsoft 365 user is a potential target, small businesses are particularly vulnerable. A compromised work account can contain a wealth of sensitive information, including email correspondence, financial documents, employee details, customer contacts, and internal chat logs. An attacker gaining access through a single compromised account can leverage this information to impersonate trusted individuals.
For instance, an attacker who gains access to an Outlook account can study the victim’s writing style, send emails from their legitimate address, and instruct colleagues to pay fraudulent invoices, share sensitive files, or reset passwords. This makes the scam highly convincing, as communications may appear to originate from a known and trusted source.
The Attack Sequence and Red Flags
The FBI outlines the attack as follows:
- Phishing Email: The victim receives an email masquerading as a communication from a trusted productivity or file-sharing service.
- Device Code Prompt: The email provides a device code and instructs the victim to enter it on a legitimate Microsoft verification page.
- Unwitting Authorization: The victim enters the code, thereby approving the attacker’s device without realizing it.
- Token Capture: The attacker obtains OAuth access and refresh tokens.
- Account Compromise: The attacker accesses Microsoft 365 services without needing the victim’s password.
Key warning signs to watch for include:
- Unexpected Device Code Requests: Be highly suspicious of any email prompting you to enter a Microsoft device code for a file, voicemail, invoice, or shared document you did not request.
- Sense of Urgency: Scammers often create a false sense of urgency, claiming documents will expire or accounts require immediate verification.
- Lack of Context: If you were not actively initiating a sign-in process, do not enter a device code. This simple habit can thwart the attack.
Microsoft’s Response and User Protection Measures
Microsoft has acknowledged the FBI’s warning and advises customers to adhere to both the FBI’s recommendations and Microsoft’s own security best practices. The company stated its commitment to disrupting cybercriminal operations, citing recent actions against phishing ecosystems like Fake ONNX, RaccoonO365, and Tycoon 2FA as part of its broader efforts.
To safeguard Microsoft 365 accounts against Kali365 and similar threats, users and organizations are advised to implement the following measures:
For Individual Users:
- Verify Device Code Requests: Never enter a Microsoft device code unless you personally initiated the sign-in process. Treat codes received via email, Teams, or unexpected links with extreme caution.
- Direct Navigation: Avoid clicking links in unsolicited messages. Instead, open your browser and navigate directly to the Microsoft 365 portal or your organization’s login page.
- Monitor Account Activity: Regularly review recent sign-ins, connected devices, and active sessions. Investigate and take immediate action on any unrecognized entries.
- Revoke Suspicious Sessions: If you suspect you may have mistakenly entered a code, sign out of all sessions, revoke access for any suspicious applications, change your password, and notify your IT department.
- Maintain MFA: Do not disable multi-factor authentication. While this scam highlights the need for vigilance with approval prompts and device codes, MFA remains a critical layer of defense against many other account attacks.
- Use Robust Security Software: Employ strong antivirus and anti-malware software to help detect and block malicious links and phishing pages.
- Consider Data Removal Services: Reducing your online footprint by using data removal services can limit the personal information available to scammers for crafting convincing phishing messages.
For Organizations:
- Employee Training: Educate employees about the specific risks of device-code scams. While many are aware of password security, device code threats are less understood.
- Restrict Device Code Flow: If not essential for business operations, consider implementing conditional access policies to block the device code sign-in flow for most users.
- Audit Usage Before Blocking: Before restricting device code flow, audit its current usage to identify legitimate business needs and avoid disrupting critical processes.
- Block Authentication Transfer Policies: Implement policies to prevent the transfer of authentication from computers to mobile devices.
- Protect Emergency Access: Ensure that emergency access accounts are excluded from restrictions if necessary to prevent account lockouts, with careful management by IT or security teams.
- Report Incidents: If targeted or compromised, report the attack to the FBI’s Internet Crime Complaint Center (IC3.gov), providing as much detail as possible, including phishing emails, headers, and login information.
Immediate Steps if a Code Was Entered
If you realize you have entered a device code by mistake, act swiftly. Immediately sign out of all sessions, revoke any suspicious application access, change your password, and alert your IT or security team. Prompt action can significantly limit the damage an attacker can inflict.
The Kali365 scam underscores the evolving nature of cyber threats, where attackers leverage legitimate processes and advanced techniques to compromise accounts. Vigilance, particularly around unexpected authentication requests, remains paramount in protecting sensitive digital assets.
