
FBI warns about fast-growing phishing kit targeting Microsoft 365 users

· 4 min read · SecurityXP Editorial Team

FBI Warns of Kali365 Phishing Kit Targeting Microsoft 365 Users

Summary

The FBI has issued a public service announcement warning about Kali365, a phishing-as-a-service platform that emerged in April 2026 and targets Microsoft 365 users by abusing OAuth device code authentication to steal session tokens and bypass multi-factor authentication (MFA) [1]. This platform, distributed via Telegram channels, provides cyber threat actors with AI-generated phishing lures and automated campaign templates, allowing them to capture OAuth tokens without intercepting user credentials. As reported by BleepingComputer, Infosecurity Magazine, Cyberscoop, and Malwarebytes Labs, Kali365 grants cybercriminals persistent access to targeted individuals’ Microsoft 365 environments.

What Happened

In April 2026, the Kali365 phishing-as-a-service platform first emerged, and by February, it was being distributed via Telegram channels, as reported by Infosecurity Magazine. The FBI began warning about Kali365 in early May 2026 and published an advisory on the attack chain on May 21, 2026. The platform uses device code phishing, which exploits Microsoft’s legitimate OAuth 2.0 Device Authorization grant flow, to gain access to Microsoft 365 accounts. This flow is designed to allow users to authenticate with devices that do not have a browser, such as smart TVs, conference room systems, streaming devices, printers, and IoT devices.

Technical Details

Kali365 abuses OAuth device code authentication to steal session tokens and bypass MFA. The OAuth 2.0 Device Authorization grant flow is a standardized protocol that lets devices with limited input capability, such as those without a browser, authenticate with online services: the device requests a device code and a short user code, the user enters that user code on a separate device with a browser and completes sign-in there, and the original device then receives tokens without ever handling the user's credentials. Device code phishing persuades the victim to complete that browser step for a code the attacker requested, so the resulting tokens are issued to the attacker's client rather than to the victim's device. The AI-generated phishing lures and automated campaign templates provided by Kali365 make it easy for individuals with little technical skill to capture OAuth tokens without intercepting user credentials. No CVSS score applies, since the technique abuses a legitimate authentication flow rather than exploiting a software vulnerability.

Impact

Microsoft 365 users, including organizations and individuals, are affected by the Kali365 phishing-as-a-service platform. Specifically, users of Microsoft Entra and Microsoft 365 accounts are at risk, as the platform uses device code phishing to gain access to these accounts. The scope of the attack is significant, as Kali365 grants cybercriminals persistent access to targeted individuals’ Microsoft 365 environments, allowing them to steal sensitive data and disrupt business operations.

What To Do Now

  1. Implement multi-factor authentication (MFA) with phishing-resistant methods: Use FIDO2 or Smart Cards to add an extra layer of security to your Microsoft 365 accounts. For example, you can use a FIDO2 security key like YubiKey or a Smart Card like a PIV card to authenticate users.
  2. Monitor Microsoft 365 account activity: Regularly review device code authentications for suspicious activity, such as multiple login attempts from different locations or devices. Use tools like Microsoft Cloud App Security or Azure Active Directory (Azure AD) to monitor and analyze login activity.
  3. Use Microsoft’s Conditional Access policies: Restrict access to Microsoft 365 accounts based on user and device attributes, such as location, device type, or user group membership. For example, you can create a policy that requires MFA for users accessing Microsoft 365 from outside the corporate network.
  4. Educate users about device code phishing: Teach users how to identify legitimate Microsoft device code login portals and how to report suspicious activity. Provide examples of legitimate device code login portals, such as the Microsoft Azure AD device code page, and explain how to verify the authenticity of these portals.
  5. Use a Security Information and Event Management (SIEM) system: Monitor and respond to security incidents in real-time using a SIEM system like Microsoft Sentinel or Splunk. Configure the SIEM system to detect and alert on suspicious device code authentication activity.
  6. Implement a Zero Trust security model: Limit access to Microsoft 365 accounts and data based on user and device attributes, such as location, device type, or user group membership. Use tools like Microsoft Azure AD or Cisco Duo to implement a Zero Trust security model.
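One way to implement the monitoring in steps 2 and 5 over exported sign-in records, as an added example that is not from the FBI advisory or any of the cited reports: it builds each user's baseline from ordinary browser sign-ins and flags successful device code sign-ins from a new country or IP, or for users with no baseline at all. The record layout is modelled on Microsoft Entra sign-in log fields (authenticationProtocol, ipAddress, location, status); the records themselves are constructed.

```python
from collections import defaultdict

def rec(ts, user, proto, ip, country, err=0):
    """One sign-in record shaped like a Microsoft Entra sign-in log entry."""
    return {"createdDateTime": ts, "userPrincipalName": user,
            "authenticationProtocol": proto, "ipAddress": ip,
            "location": {"countryOrRegion": country}, "status": {"errorCode": err}}

# Constructed sample records (not real log data). "deviceCode" marks the
# Device Authorization grant; "oAuth2" is an ordinary browser sign-in.
SAMPLE_SIGNINS = [
    rec("2026-05-18T08:02:11Z", "alice@example.com", "oAuth2", "203.0.113.10", "US"),
    rec("2026-05-19T09:14:40Z", "alice@example.com", "oAuth2", "203.0.113.10", "US"),
    rec("2026-05-19T10:00:05Z", "bob@example.com", "oAuth2", "203.0.113.22", "US"),
    rec("2026-05-19T10:05:31Z", "bob@example.com", "deviceCode", "203.0.113.22", "US"),
    rec("2026-05-20T14:37:02Z", "alice@example.com", "deviceCode", "198.51.100.7", "NL"),
    rec("2026-05-20T15:01:48Z", "carol@example.com", "deviceCode", "198.51.100.7", "NL"),
    rec("2026-05-20T15:09:13Z", "alice@example.com", "deviceCode", "198.51.100.9", "NL", err=50126),
]

def build_baseline(records):
    """Countries and IPs per user, from successful non-device-code sign-ins only."""
    baseline = defaultdict(lambda: {"countries": set(), "ips": set()})
    for r in records:
        if r["status"]["errorCode"] != 0 or r["authenticationProtocol"] == "deviceCode":
            continue
        baseline[r["userPrincipalName"]]["countries"].add(r["location"]["countryOrRegion"])
        baseline[r["userPrincipalName"]]["ips"].add(r["ipAddress"])
    return baseline

def find_suspicious_device_code_signins(records):
    """Successful device code sign-ins that break the user's baseline (or have none)."""
    baseline = build_baseline(records)
    alerts = []
    for r in records:
        if r["authenticationProtocol"] != "deviceCode" or r["status"]["errorCode"] != 0:
            continue
        user, reasons = r["userPrincipalName"], []
        if user not in baseline:
            reasons.append("no interactive sign-in baseline for user")
        else:
            if r["location"]["countryOrRegion"] not in baseline[user]["countries"]:
                reasons.append("country not in user baseline")
            if r["ipAddress"] not in baseline[user]["ips"]:
                reasons.append("IP not in user baseline")
        if reasons:
            alerts.append({"user": user, "time": r["createdDateTime"],
                           "ip": r["ipAddress"], "reasons": reasons})
    return alerts
```

Bob's device code sign-in from his usual office address is left alone, which is the point: device code use by conference-room or kiosk devices is normal, and only the baseline deviation is worth an alert.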

Timeline

Date            Event
April 2026      Kali365 phishing-as-a-service platform emerges
February 2026   Kali365 distribution via Telegram channels reported by Infosecurity Magazine
Early May 2026  FBI begins warning about Kali365
May 21, 2026    FBI publishes advisory on Kali365 attack chain

Sources

  1. https://www.bleepingcomputer.com/news/security/fbi-warns-of-kali365-phishing-service-targeting-microsoft-365-accounts/
  2. https://www.infosecurity-magazine.com/news/fbi-kali365-phishing-kit-m365/
  3. https://cyberscoop.com/fbi-phishing-kali365-microsoft365-access-tokens/
  4. https://www.malwarebytes.com/blog/scams/2026/05/kali365-phishing-kit-bypasses-mfa-and-steals-microsoft-logins
  5. https://www.bitdefender.com/en-us/blog/hotforsecurity/fbi-kali365-phishing-kit-breaks-microsoft-365-accounts-no-password-required
SecurityXP Editorial Team Vulnerability Research & News Board

A global syndicate of certified ethical hackers, threat analysts, and network security researchers collaborating to deliver real-time zero-day disclosures and CVE breakdowns.
