SecurityXP

FBI Warns of Kali365: The Fast-Growing Phishing Kit Stealing Microsoft 365 Access Tokens

· 5 min read · SecurityXP Editorial Team


Executive Summary

The FBI has warned about Kali365, a phishing-as-a-service platform that lets even low-skilled attackers hijack Microsoft 365 accounts. Rather than harvesting passwords and MFA codes, Kali365 abuses Microsoft’s legitimate OAuth 2.0 device code flow: the victim signs in, and completes MFA, on the genuine microsoft.com/devicelogin page, and Microsoft then issues the resulting access and refresh tokens to the attacker’s client. The attacker never needs the password or an MFA code, and the refresh token gives persistent access to email, files, and SSO-connected cloud services.

What Happened

On May 21, 2026, the Federal Bureau of Investigation published a public service announcement alerting organizations to the rapid spread of Kali365. First detected in April 2026 by researchers at Arctic Wolf Labs, the platform has quickly become one of the most prominent device-code phishing tools in the wild. It is distributed primarily through Telegram channels and marketed to cybercriminals as a turnkey service for compromising Microsoft 365 and Entra identities.

Kali365 is a step change from traditional phishing kits, which aim to harvest usernames, passwords, and MFA codes. Kali365 skips that step entirely: it tricks the victim into authorizing an attacker-controlled client through Microsoft’s legitimate device login page, after which Microsoft issues OAuth access and refresh tokens straight to the attacker, granting full, persistent access to the account. Because every URL and page the victim sees is genuinely Microsoft’s, URL reputation, link rewriting, and “check the address bar” training do not catch it; the reliable signal is the sign-in itself, which appears in Entra sign-in logs as a device code authentication.

Technical Details

Kali365 is sold by subscription: affiliates pay $250 for 30 days or $2,000 per year, according to Arctic Wolf research. The platform runs like a criminal business, with administrators, resellers, and affiliates conducting campaigns. It offers two attack modes:

  • Device Code Phishing: the attacker’s client starts the OAuth 2.0 Device Authorization grant flow, which returns a short user code (and a longer device code that only the attacker’s client holds). The attacker emails the victim the user code with instructions to enter it at microsoft.com/devicelogin, typically impersonating a document-sharing or collaboration service. The victim enters the code, signs in, and completes any MFA prompt on their own device; that approval is bound to the attacker’s pending request, so Microsoft issues the OAuth access and refresh tokens to the attacker’s client. Those tokens grant access to Outlook, Teams, OneDrive, and any SSO-connected SaaS application. The user code is only valid for a limited window (Microsoft’s device codes expire after 15 minutes), so the victim has to act promptly for the attack to succeed.
  • Cookie Link (Adversary-in-the-Middle): the victim is proxied through attacker-controlled infrastructure that relays the real login page and captures the authenticated browser session, session cookies, and tokens once sign-in completes.

In both modes the platform stores captured tokens and makes them available to other affiliates, so a stolen session can be reused or resold. Once inside a compromised mailbox, operators create inbox rules to hide their activity and register new devices to extend persistence. Proofpoint researchers observed seven nearly identical device-code phishing tools during a 10-day period in April, a sign of how quickly the technique has spread.
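The device code exchange described above, as an added example that is not part of the original article and not Microsoft’s or Kali365’s code. It is a toy model of the three endpoints involved (device code request, the /devicelogin approval page, and token polling), with an injectable clock so the 15-minute expiry can be exercised; the client ID, scopes and token formats are placeholders. The point it demonstrates is that the victim satisfies password and MFA on their own device, while the tokens are delivered to whoever holds the device code.

```python
import secrets
import string
import time
from dataclasses import dataclass
from typing import Optional

# Microsoft's device codes expire after 15 minutes; the client polls the token endpoint
# every `interval` seconds until the user approves or the code expires (RFC 8628 section 3.5).
USER_CODE_TTL = 900
POLL_INTERVAL = 5
VERIFICATION_URI = "https://microsoft.com/devicelogin"  # the genuine page the lure points to


@dataclass
class PendingGrant:
    device_code: str            # long secret held only by the requesting client (the attacker)
    user_code: str              # short code the victim is told to type in
    client_id: str
    scope: str
    issued_at: float
    authorized_user: Optional[str] = None


class ToyIdentityProvider:
    """Toy model of the device-code endpoints. Not Microsoft's implementation."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._grants = {}       # device_code -> PendingGrant
        self._user_codes = {}   # user_code -> device_code

    def request_device_code(self, client_id: str, scope: str) -> dict:
        """Step 1, attacker's client: POST /devicecode. No user credentials are involved."""
        device_code = secrets.token_urlsafe(32)
        alphabet = string.ascii_uppercase + string.digits
        user_code = "".join(secrets.choice(alphabet) for _ in range(9))
        self._grants[device_code] = PendingGrant(device_code, user_code, client_id, scope, self._clock())
        self._user_codes[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": VERIFICATION_URI, "expires_in": USER_CODE_TTL, "interval": POLL_INTERVAL}

    def devicelogin(self, user_code: str, username: str, password_ok: bool, mfa_ok: bool) -> str:
        """Step 2, victim's browser: enter the code on the real /devicelogin page and sign in.
        Password and MFA are satisfied by the victim, on the victim's own device."""
        grant = self._grants.get(self._user_codes.get(user_code.strip().upper(), ""))
        if grant is None or self._clock() - grant.issued_at > USER_CODE_TTL:
            return "invalid or expired code"
        if not (password_ok and mfa_ok):
            return "sign-in failed"
        grant.authorized_user = username   # approval is bound to the attacker's pending request
        return f"approved sign-in for client {grant.client_id}"

    def poll_token(self, device_code: str) -> dict:
        """Step 3, attacker's client: POST /token with
        grant_type=urn:ietf:params:oauth:grant-type:device_code, repeated until approved."""
        grant = self._grants.get(device_code)
        if grant is None:
            return {"error": "invalid_grant"}
        if self._clock() - grant.issued_at > USER_CODE_TTL:
            return {"error": "expired_token"}
        if grant.authorized_user is None:
            return {"error": "authorization_pending"}
        # Tokens go to whoever holds device_code: the attacker's client, never the victim's browser.
        return {"token_type": "Bearer", "scope": grant.scope, "expires_in": 3600,
                "access_token": f"at.{grant.authorized_user}.{secrets.token_hex(8)}",
                "refresh_token": f"rt.{grant.authorized_user}.{secrets.token_hex(8)}"}


def run_attack(idp: ToyIdentityProvider, victim: str) -> dict:
    """End to end: attacker mints a code, the lure delivers it, the victim approves, tokens arrive."""
    # Placeholder client ID and scopes; offline_access is what yields a refresh token.
    dc = idp.request_device_code("attacker-registered-client", "Mail.ReadWrite Files.Read offline_access")
    first = idp.poll_token(dc["device_code"])
    assert first == {"error": "authorization_pending"}
    # The phishing email carries dc["user_code"] and the genuine dc["verification_uri"].
    idp.devicelogin(dc["user_code"], victim, password_ok=True, mfa_ok=True)
    return idp.poll_token(dc["device_code"])


if __name__ == "__main__":
    tokens = run_attack(ToyIdentityProvider(), "victim@example.com")
    print(tokens["refresh_token"])
```

Note that nothing the attacker sends or receives contains the victim’s password or MFA response; the only thing that crosses from victim to attacker is the approval itself, and the only thing that stops it is the victim declining to type the code (or a Conditional Access policy that refuses the flow).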

Impact

The impact is severe. Because the attack yields OAuth tokens rather than credentials, it works against any individual or organization using Microsoft 365, Microsoft Entra, or SSO-connected cloud services, including personal accounts tied to Outlook and OneDrive. For organizations the downstream risks are serious: an attacker holding valid tokens can read mail and files as the employee, steal data for extortion, commit financial fraud, send phishing from trusted internal addresses, and potentially stage malware or ransomware. The FBI noted that Kali365 lowers the barrier to entry for cybercrime, giving unsophisticated actors AI-generated lures, automated templates, real-time dashboards, and token-capture tooling. Device-code phishing expanded dramatically in 2026: Proofpoint reported a surge of activity beginning in February, and platforms such as EvilTokens and Tycoon2FA have also adopted the technique. Kali365 appears to be the most prominent of these.

What To Do Now

Organizations need to take immediate action to reduce their exposure to device-code phishing. Here are the steps to take:

  1. Restrict device code authentication: use Microsoft Entra Conditional Access to block the device code flow. The FBI recommends a policy that blocks device code authentication for all users, with tightly controlled exceptions only for business-critical processes (the flow exists for input-constrained devices that cannot sign in interactively, and little else should need it).
  2. Block authentication transfer: add the authentication transfer flow to the same policy so that a signed-in session cannot be moved from one device to another, a capability attackers can abuse to carry a compromised session onto a device they control.
  3. Audit existing usage: before enforcing the block, review Entra sign-in logs for device code authentication (deploying the policy in report-only mode first shows exactly who would be affected) to find legitimate dependencies as well as unauthorized or suspicious patterns.
  4. Exclude emergency access accounts: ensure that emergency or break-glass accounts are excluded from blocking policies to avoid accidental lockouts.
  5. Monitor for persistence indicators: hunt for unexpected device registrations and new or modified inbox rules (especially rules that delete or hide messages) in the hours after any device code sign-in. If you find a compromise, revoke the account’s sessions and refresh tokens (the Graph revokeSignInSessions action) rather than only resetting the password.
  6. User awareness training: educate employees that they should never enter a device code on a Microsoft login page unless they personally initiated the sign-in on their own device. Be especially wary of unexpected document shares, Teams invites, or verification requests that carry a code.
  7. Individual account hygiene: all Microsoft account holders should periodically review their signed-in devices at https://account.microsoft.com/devices/. Remove any unfamiliar devices immediately, change passwords, and review security settings.
  8. Incident reporting: organizations that suspect Kali365 activity should report incidents to the FBI Internet Crime Complaint Center.
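Steps 1 to 5 as one worked example, added here and not taken from the FBI announcement, Microsoft, or any vendor’s code: a builder for the Conditional Access policy body (in the Microsoft Graph conditionalAccessPolicy shape you would POST to /identity/conditionalAccess/policies), a hunt over sign-in records for device code authentications, and a correlation of those sign-ins with follow-on device registrations and inbox rules. The break-glass object ID is a placeholder, and the sign-in and audit records are constructed to resemble Entra sign-in log and audit log entries, not real tenant data.

```python
import json
from datetime import datetime, timedelta

# Object ID of the emergency-access account to exclude. Placeholder value, not a real tenant's.
BREAK_GLASS_IDS = ["11111111-2222-3333-4444-555555555555"]


def build_block_device_code_policy(exclude_user_ids, state="enabledForReportingButNotEnforced"):
    """Conditional Access policy body in the Microsoft Graph conditionalAccessPolicy shape:
    block the device code flow and authentication transfer for all users and apps, except
    the listed break-glass accounts. Start in report-only mode so the sign-in logs show who
    would have been blocked before you enforce it (step 3)."""
    if not exclude_user_ids:
        raise ValueError("refusing to build a policy without break-glass exclusions")
    return {
        "displayName": "Block device code flow and authentication transfer",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(exclude_user_ids)},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


# Constructed sample records shaped like Entra sign-in log entries (not real data).
SIGN_INS = [
    {"createdDateTime": "2026-05-20T09:12:03Z", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "oAuth2", "appDisplayName": "Outlook Web", "ipAddress": "203.0.113.10",
     "status": {"errorCode": 0}},
    {"createdDateTime": "2026-05-20T09:40:51Z", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office", "ipAddress": "198.51.100.77",
     "status": {"errorCode": 0}},
    {"createdDateTime": "2026-05-20T11:02:17Z", "userPrincipalName": "bob@example.com",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office", "ipAddress": "198.51.100.77",
     "status": {"errorCode": 50126}},   # failed sign-in (wrong password), so no tokens were issued
]

# Constructed sample records shaped like Entra / Exchange audit entries (not real data).
AUDIT_EVENTS = [
    {"activityDateTime": "2026-05-20T09:45:00Z", "activityDisplayName": "Register device",
     "initiatedBy": "alice@example.com", "parameters": {}},
    {"activityDateTime": "2026-05-20T09:47:12Z", "activityDisplayName": "New-InboxRule",
     "initiatedBy": "alice@example.com",
     "parameters": {"Name": ".", "SubjectContainsWords": "password;invoice;security", "DeleteMessage": True}},
    {"activityDateTime": "2026-05-20T14:05:00Z", "activityDisplayName": "New-InboxRule",
     "initiatedBy": "carol@example.com", "parameters": {"Name": "Newsletters", "MoveToFolder": "Archive"}},
]


def find_device_code_sign_ins(sign_ins, allowed_ips=()):
    """Step 3: successful sign-ins that used the device code flow, ignoring source IPs you have
    explicitly approved (for example a headless build agent that legitimately uses the flow)."""
    return [
        (r["userPrincipalName"], r["ipAddress"], r["createdDateTime"])
        for r in sign_ins
        if r.get("authenticationProtocol") == "deviceCode"
        and r.get("status", {}).get("errorCode", 0) == 0
        and r["ipAddress"] not in allowed_ips
    ]


PERSISTENCE_ACTIONS = {"Register device", "New-InboxRule", "Set-InboxRule"}


def correlate_persistence(sign_ins, audit_events, window_hours=24):
    """Step 5: flag persistence actions (device registration, inbox rule creation or change)
    performed by an account within `window_hours` after a successful device-code sign-in."""
    alerts = []
    for user, ip, when in find_device_code_sign_ins(sign_ins):
        start = _ts(when)
        for ev in audit_events:
            if ev["initiatedBy"] != user or ev["activityDisplayName"] not in PERSISTENCE_ACTIONS:
                continue
            if start <= _ts(ev["activityDateTime"]) <= start + timedelta(hours=window_hours):
                alerts.append({"user": user, "source_ip": ip, "action": ev["activityDisplayName"],
                               "at": ev["activityDateTime"], "details": ev.get("parameters", {})})
    return alerts


if __name__ == "__main__":
    print(json.dumps(build_block_device_code_policy(BREAK_GLASS_IDS), indent=2))
    for alert in correlate_persistence(SIGN_INS, AUDIT_EVENTS):
        print(alert)
```

Run against the constructed data, the policy excludes only the placeholder break-glass ID, the hunt returns Alice’s device code sign-in (Bob’s failed and never produced tokens), and the correlation flags the device registration and the delete-everything inbox rule created a few minutes later from the same account; Carol’s ordinary rule is not flagged because no device code sign-in preceded it. Switch `state` to `"enabled"` only after the report-only results show no legitimate dependency outside the exclusion list.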

Timeline

  • February 2026 – Proofpoint observes an explosion in device-code phishing activity. BleepingComputer reports extortion gangs, including ShinyHunters, targeting Microsoft Entra via device-code and voice phishing.
  • April 2026 – Kali365 emerges in the wild. Arctic Wolf Labs reports widespread campaigns targeting global organizations. Proofpoint observes seven nearly identical device-code phishing tools in a 10-day span.
  • May 21, 2026 – FBI issues a public service announcement warning about Kali365’s capabilities and distribution model.
  • May 2026 – Security outlets publish detailed technical analyses and the security community is put on alert.

Sources

  1. BleepingComputer – “FBI warns of Kali365 phishing service targeting Microsoft 365 accounts” https://www.bleepingcomputer.com/news/security/fbi-warns-of-kali365-phishing-service-targeting-microsoft-365-accounts/
  2. Infosecurity Magazine – “FBI: Kali365 phishing kit targets M365” https://www.infosecurity-magazine.com/news/fbi-kali365-phishing-kit-m365/
  3. CyberScoop – “FBI warns about phishing kit Kali365 stealing Microsoft 365 access tokens” https://cyberscoop.com/fbi-phishing-kali365-microsoft365-access-tokens/
  4. Malwarebytes Labs – “Kali365 phishing kit bypasses MFA and …”
SecurityXP Editorial Team Vulnerability Research & News Board

A global syndicate of certified ethical hackers, threat analysts, and network security researchers collaborating to deliver real-time zero-day disclosures and CVE breakdowns.
