The FBI has issued a warning about Kali365, a new phishing-as-a-service (PhaaS) platform that can hijack Microsoft 365 accounts even when multi-factor authentication (MFA) is turned on. This isn't another generic phishing scam — Kali365 uses a technique called device code phishing to steal session tokens that bypass MFA entirely.

---

What Is Kali365?

Kali365 first appeared in April 2026 and is distributed through Telegram channels to cybercriminals. According to the FBI's Internet Crime Complaint Center (IC3) PSA, the platform gives even low-skilled attackers access to advanced phishing capabilities. Security researchers at Arctic Wolf observed widespread campaigns targeting organisations worldwide.

The platform operates like a legitimate business — with administrators who manage product development, resellers who promote the service to other threat actors, and affiliates who conduct the actual phishing attacks. This is a worrying shift in the cybercrime economy: phishing-as-a-service makes sophisticated attacks available to anyone willing to pay.

How Device Code Phishing Works

Device code authentication is a legitimate Microsoft OAuth 2.0 feature designed for devices with limited keyboards — think smart TVs, conference room systems, streaming devices, and IoT gadgets. Instead of typing a password, users visit microsoft.com/devicelogin and enter a short code to authenticate.

Here's how attackers abuse this flow:

1. The attacker starts the device authentication process on their end, generating a valid code from Microsoft's servers
2. They send a phishing email that looks urgent — often pretending to be IT support, a security alert, or a shared document notification
3. The email directs the victim to Microsoft's legitimate device login portal with a code
4. The victim enters the code and completes MFA (thinking they're securing their account)
5. Microsoft issues an OAuth access token — which is sent directly to the attacker's session
6. The attacker now has full access to the victim's email, files, calendar, and all connected apps — without needing a password or MFA code

The result is devastating: the attacker gains access to everything in the victim's Microsoft 365 account, including Salesforce, SharePoint, Teams chats, and any other SaaS platforms connected through single sign-on.

Why MFA Didn't Stop Them

This is the most unsettling part of the Kali365 story. MFA worked exactly as designed — the victim completed their authentication challenge. But the attacker set up the whole flow, so the resulting token went to them instead.

Two-factor authentication is still one of the best things you can do to protect your accounts. But device code phishing targets a gap in the authentication flow that MFA alone cannot close. The token, not the password, is what the attacker is after.

Most people believe that having MFA enabled means they're safe. Kali365 proves that's not enough anymore.

Two Attack Modes

Kali365 offers two separate attack modes, making it even more dangerous:

1. Device Code Phishing: The method described above — abuses Microsoft's legitimate OAuth 2.0 Device Authorization grant flow. The attacker never needs to crack a password or intercept an MFA code.

2. Cookie Link (AitM): An adversary-in-the-middle mode that proxies victims through attacker-controlled infrastructure. This captures authenticated browser sessions, session cookies, and tokens after the target logs in and completes MFA.

Arctic Wolf researchers found that campaigns primarily targeted Microsoft 365 environments using phishing emails that looked legitimate. Once inside, attackers:

• Accessed victims' mailboxes and read sensitive correspondence
• Created malicious inbox rules designed to hide their activity from the victim
• Registered new devices in victims' Microsoft environments to extend their access
• Used the compromised accounts as launching points for further attacks

Who's Behind This?

Kali365 isn't operating in isolation. Related phishing platforms using the same device code technique include:

• EvilTokens PhaaS — Another device code phishing platform targeting Microsoft Entra accounts
• Tycoon2FA — Uses device code phishing to compromise M365 and Entra accounts
• ShinyHunters — The cybercrime group was observed using device code and voice phishing (vishing) to target Microsoft Entra accounts

The growing ecosystem of PhaaS platforms means device code phishing is becoming the default tool for account takeover attacks in 2026.

How to Protect Yourself

The FBI has issued specific recommendations. Here's what to do right now:

For Individuals

• Be sceptical of any email asking you to enter a code on any Microsoft login page
• Check the sender address carefully — Kali365 campaigns use AI-generated phishing lures
• If an email creates urgency ("your account will be disabled"), pause and verify through a different channel
• Use a password manager to generate unique, strong passwords for every account
• Know what to do if you think you've been hacked — acting fast limits the damage

For Organisations

• Restrict or block device code authentication flows using Microsoft Entra Conditional Access policies
• Audit existing device code usage across your tenant
• Block authentication transfer policies that allow sessions to move between devices
• Educate employees about device code phishing specifically
• Monitor for unusual device registrations and inbox rule creations
• Report incidents to the IC3 at ic3.gov

Recommended Security Stack

A layered approach protects against both password attacks and token theft:

1. Use a reliable antivirus like Kaspersky that detects phishing URLs before you click
2. Use a privacy VPN like TurboVPN when connecting to work email on public Wi-Fi
3. Consider encrypted email through Trekmail for sensitive business correspondence

What to Do If You've Been Targeted

If you entered a device code after following a link from an unexpected email:

1. Revoke all session tokens from Microsoft 365 security settings immediately
2. Change your password and force MFA re-registration
3. Check inbox rules for anything suspicious
4. Review recent device registrations in Microsoft Entra
5. Notify your IT department or security team

FAQs

Can MFA stop device code phishing?

No. Device code phishing uses MFA as part of the attack. The victim completes MFA successfully, but the resulting token goes to the attacker. This is why the NCSC and CISA recommend phishing-resistant authentication (FIDO2 security keys) for privileged accounts.

Does Kali365 affect personal accounts or only business ones?

Both. Microsoft 365 business accounts are the primary target (they give access to more valuable data), but personal Microsoft accounts using device code authentication are also vulnerable.

How common is device code phishing in 2026?

Very common. Multiple PhaaS platforms now use it. The IBM Cost of a Data Breach 2026 report highlighted token theft as one of the fastest-growing attack vectors, increasing 67% year over year.

Should I turn off MFA?

Absolutely not. MFA blocks the vast majority of automated attacks. Kali365 is sophisticated and targeted. Keep MFA on, but add phishing awareness to your security habits.

What is the single most important thing I can do?

Be extremely suspicious of any email asking you to visit a login page and enter a code. For organisations: restrict device code authentication using Conditional Access policies.

Summary

Kali365 is a wake-up call. The FBI's warning confirms that phishing-as-a-service has reached a new level of sophistication — AI-generated lures, automated campaigns, MFA bypass, and a business model that makes all of this available to low-skilled attackers.

The key takeaway: MFA is essential, but it isn't a silver bullet. Stay sceptical of unexpected authentication prompts, use strong unique passwords, keep software updated, and report suspicious activity to the FBI's IC3.

---

This article contains affiliate links. If you purchase through these links, we may earn a commission at no extra cost to you.