FBI Warning · May 21, 2026

Your Microsoft 365 Password Won’t Save You From This

A phishing kit called Kali365 bypasses multi-factor authentication without ever touching your password — and it’s sold on Telegram for $250 a month.

On May 21, 2026, the FBI’s Internet Crime Complaint Center (IC3) issued a public warning about Kali365, a Phishing-as-a-Service (PhaaS) platform first observed in April 2026. The platform exploits a legitimate Microsoft authentication feature — the OAuth device code flow — to seize control of Microsoft 365 accounts across Outlook, Teams, and OneDrive without needing a user’s password or triggering a standard MFA prompt.

Security firms Arctic Wolf and Proofpoint documented hundreds of Kali365 attacks in April 2026 alone, targeting organisations in manufacturing, education, government, financial services, and healthcare across North America and Europe. Every single targeted organisation was already using multi-factor authentication. The attack rendered that protection irrelevant.

This kind of threat connects directly to the broader pattern of criminal actors exploiting trusted infrastructure — not breaking through security, but walking in through legitimate doors.


The Scale of Kali365

  • $250: entry price per 30 days, paid anonymously in cryptocurrency (confirmed by Arctic Wolf research).
  • $2,000: annual subscription rate, making persistent account compromise accessible to low-skill actors.
  • 100s: attacks documented in April 2026 alone, across North America and Europe (Arctic Wolf & Proofpoint).
  • 0: passwords stolen; Kali365 never needs your credentials to take over your account.

The Kali365 Attack, Step by Step

The four steps of the attack, and why standard MFA does not stop it:

  • Step 01, 📧 The Lure: a phishing email arrives.
  • Step 02, 🔑 The Code: the device code is delivered.
  • Step 03, 🌐 Real Microsoft Page: the victim types the code.
  • Step 04, 🪝 Token Captured: the attacker owns the account.

📧 The Lure

An attacker sends a phishing email disguised as a message from a trusted cloud productivity or document-sharing service. The email looks legitimate — there is no fake login page and no suspicious domain to spot. It contains a short device code and asks you to verify access on a Microsoft page.

Why Your MFA Does Not Help Here

Standard multi-factor authentication is designed to block attackers from logging in as you. Kali365 does not do that. Instead, it tricks you into logging in normally — on a genuine Microsoft page — and in doing so, you unknowingly hand the attacker a valid OAuth token. Microsoft’s systems register a fully authenticated session. The attacker never had to answer an MFA challenge because, from Microsoft’s perspective, you already did.

The OAuth device code flow was built for legitimate purposes: smart TVs, printers, conference room systems, and other devices that cannot easily display a full login form. Kali365 abuses that same workflow. As the FBI’s official PSA states, the stolen token grants persistent access to Outlook, Teams, and OneDrive — and a password reset alone does not revoke an active OAuth session token.

This is part of a wider wave of session and credential-based threats that are pushing organisations toward stronger, hardware-bound authentication. The FBI’s primary recommendation — blocking device code flow via a Conditional Access policy in Microsoft Entra ID — removes the attack surface entirely where that workflow is not genuinely needed.


Sectors Targeted in April 2026

Arctic Wolf and Proofpoint documented attacks across these industries — all confirmed victims had MFA enabled.

  • 🏭 Manufacturing: North America & Europe
  • 🎓 Education: universities & institutions
  • 🏛️ Government: public sector agencies
  • 🛡️ Insurance: policy and claims data
  • 🏦 Financial Services: banking & investment
  • 🏥 Healthcare: patient data & records

Every confirmed victim was using MFA. Kali365 operates after authentication succeeds, making traditional MFA controls ineffective against this specific attack pattern.

What To Do Right Now

The FBI’s official PSA outlines specific steps for organisations and individuals.

  • Block device code flow via Conditional Access: create a Conditional Access policy in Microsoft Entra ID to block device code authentication for all users, with limited exceptions for genuinely required business processes.
  • Audit existing device code flow usage first: before applying the block, identify which workflows legitimately rely on device code flow, so that operations such as conference room systems or shared display devices are not disrupted.
  • Block authentication transfer policies: prevent users from transferring authenticated sessions from computers to mobile devices, limiting post-compromise lateral movement within your environment.
  • Exclude emergency access accounts from the block: break-glass accounts should be excluded from blanket device code restrictions to prevent accidental administrator lockout.
  • Revoke active tokens on any suspected compromise: a password reset alone does not end an active OAuth session. Revoke refresh tokens directly in Entra ID and shorten token lifetimes where possible.
  • Never enter a device code from an unsolicited email: legitimate Microsoft services will not email you unprompted with a device code to enter. If you receive such an email, treat it as a phishing attempt.
  • Verify the request through a separate channel: if an email from a known contact asks you to verify a code, call or message them through a different channel before proceeding. Do not use contact details provided in the suspicious email.
  • Keep your OS and Microsoft 365 apps updated: Microsoft continuously patches known vulnerabilities. Keeping software current reduces exposure to related attack vectors. Enable automatic updates where possible.
  • Consider phishing-resistant MFA (hardware security keys): FIDO2 hardware security keys tie authentication to a physical device and cannot be redirected by device code phishing. The FBI specifically recommends deploying phishing-resistant MFA.
  • File a report at IC3.gov immediately: submit a complaint to the FBI Internet Crime Complaint Center. Include phishing email headers and body, suspicious login timestamps, IP addresses, and locations.
  • Document unauthorised devices or active sessions: in Microsoft Entra ID, review for unrecognised devices added to the account and any active sessions not initiated by your team.
  • Revoke all active tokens — a password reset is not enough: a password change does not end an active OAuth session. Revoke all refresh tokens in Entra ID to close the attacker’s access window.
  • Review CISA’s phishing guidance: the Cybersecurity and Infrastructure Security Agency has published Phishing Guidance: Stopping the Attack Cycle at Phase One, covering broader defences against OAuth and device-code attack patterns.
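The first four checklist items (audit who actually uses the device code flow, then block it and authentication transfer with break-glass exclusions) can be worked through in code. The block below is an added example, not code from the FBI PSA, Microsoft, or the researchers cited above. It assumes an export of Entra ID sign-in records shaped like the Microsoft Graph signIn resource (the authenticationProtocol field records whether a sign-in used the device code flow) and builds a policy body shaped like the Graph conditionalAccessPolicy resource (conditions.authenticationFlows.transferMethods). The sign-in records, the allowlist of expected device-code apps and the object IDs are constructed placeholders for illustration.

```python
import json
from collections import defaultdict

# Constructed sample of sign-in records, shaped like the Microsoft Graph
# /auditLogs/signIns resource. Not real tenant data.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-04-02T08:01:00Z", "userPrincipalName": "room-a@contoso.example",
     "appDisplayName": "Microsoft Teams Rooms", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.10"},
    {"createdDateTime": "2026-04-09T08:03:00Z", "userPrincipalName": "room-a@contoso.example",
     "appDisplayName": "Microsoft Teams Rooms", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.10"},
    {"createdDateTime": "2026-04-14T09:15:00Z", "userPrincipalName": "alice@contoso.example",
     "appDisplayName": "Microsoft Outlook", "authenticationProtocol": "none",
     "ipAddress": "203.0.113.22"},
    {"createdDateTime": "2026-04-14T09:41:00Z", "userPrincipalName": "alice@contoso.example",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7"},
    {"createdDateTime": "2026-04-15T11:02:00Z", "userPrincipalName": "bob@contoso.example",
     "appDisplayName": "Microsoft Teams", "authenticationProtocol": "authenticationTransfer",
     "ipAddress": "203.0.113.31"},
]

# Apps this hypothetical tenant expects to use the device code flow
# (meeting-room systems and the like). Anything else is flagged for review.
EXPECTED_DEVICE_CODE_APPS = {"Microsoft Teams Rooms"}


def device_code_usage(records):
    """Group device code flow sign-ins by user: the 'audit first' step."""
    by_user = defaultdict(list)
    for rec in records:
        if rec.get("authenticationProtocol") == "deviceCode":
            by_user[rec["userPrincipalName"]].append(rec)
    return dict(by_user)


def flag_suspicious(records, expected_apps=EXPECTED_DEVICE_CODE_APPS):
    """Device code sign-ins from apps with no business reason to use the flow,
    plus any authentication transfer sign-in, which the FBI also advises blocking."""
    flagged = []
    for rec in records:
        proto = rec.get("authenticationProtocol")
        if proto == "deviceCode" and rec.get("appDisplayName") not in expected_apps:
            flagged.append((rec["userPrincipalName"], "deviceCode", rec["ipAddress"]))
        elif proto == "authenticationTransfer":
            flagged.append((rec["userPrincipalName"], "authenticationTransfer", rec["ipAddress"]))
    return flagged


def build_block_policy(break_glass_user_ids, exempt_group_ids=()):
    """Conditional Access policy body that blocks device code flow and
    authentication transfer for everyone except the listed break-glass
    accounts and exempt groups. Starts in report-only mode so the audit
    results can be checked before enforcement."""
    return {
        "displayName": "Block device code flow and authentication transfer",
        "state": "enabledForReportingButNotEnforced",  # switch to "enabled" after review
        "conditions": {
            "users": {
                "includeUsers": ["All"],
                "excludeUsers": list(break_glass_user_ids),
                "excludeGroups": list(exempt_group_ids),
            },
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            "authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def lint_policy(policy):
    """Check a policy body against the checklist; an empty list means it passes."""
    problems = []
    cond = policy.get("conditions", {})
    methods = cond.get("authenticationFlows", {}).get("transferMethods", "")
    if "deviceCodeFlow" not in methods:
        problems.append("policy does not target deviceCodeFlow")
    if "authenticationTransfer" not in methods:
        problems.append("policy does not target authenticationTransfer")
    if "block" not in policy.get("grantControls", {}).get("builtInControls", []):
        problems.append("grant control is not block")
    if not cond.get("users", {}).get("excludeUsers"):
        problems.append("no break-glass account excluded; lockout risk")
    return problems


if __name__ == "__main__":
    print(json.dumps(device_code_usage(SAMPLE_SIGNINS), indent=2))
    print(flag_suspicious(SAMPLE_SIGNINS))
    policy = build_block_policy(["<break-glass-object-id>"], ["<room-systems-group-id>"])
    print(lint_policy(policy) or "policy passes checklist")
```

In the sample data the room account's recurring Teams Rooms sign-ins are treated as the legitimate exception, while alice's one-off device code sign-in from an interactive Office app and bob's authentication transfer are the records a responder would look at first. The policy is emitted in report-only state on purpose: the lint catches the lockout case the FBI calls out (no excluded emergency account) before anyone flips it to enabled.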

Microsoft’s Response

A Microsoft spokesperson confirmed to press that the company “agrees with the FBI guidance” and is “actively working to disrupt the cybercriminal ecosystems behind phishing-as-a-service and account takeover activity to protect our customers.” Microsoft separately recommended that users keep operating systems and applications updated with the latest security patches — a practice relevant across all platforms, including Apple’s recent iOS security update cycle.

Kali365 is not an isolated case. The FBI noted that similar PhaaS platforms — including EvilTokens and Tycoon2FA — are also leveraging device code flows in 2026, pointing to an industry-wide shift toward token theft as the preferred method of credential-free account compromise. AI-generated phishing lures built into these platforms further complicate detection, as the initial phishing email no longer requires advanced technical skill to produce. This mirrors infrastructure-exploitation patterns previously documented in state-sponsored operations, including APT28’s router-based DNS hijacking campaign.

For teams evaluating broader digital security posture — including hardware and endpoint decisions — the Kali365 advisory intersects with the wider AI and technology supply chain security landscape that organisations face in 2026.


What Was Covered

The FBI’s May 21, 2026 Public Service Announcement from the Internet Crime Complaint Center was covered in this piece, along with the Kali365 Phishing-as-a-Service platform, its distribution via Telegram, the OAuth device code flow mechanism it exploits, and the sectors documented as targets in April 2026. The FBI-recommended mitigations — including Conditional Access policies in Microsoft Entra ID — were covered alongside Microsoft’s public response.

Kali365’s subscription pricing (confirmed by Arctic Wolf’s access to the live platform panel at $250 per 30 days and $2,000 annually), the documented attack scope (hundreds of incidents in April 2026 across North America and Europe), and the confirmation that all documented victims had MFA enabled were included as verified facts.

Readers managing Microsoft 365 environments are encouraged to review the FBI’s official PSA at IC3.gov and submit any compromise reports through the same platform. Related infrastructure threat coverage is available in Giganectar’s earlier report on APT28’s router exploitation campaign, the AI infrastructure security landscape in 2026, and Sony’s latest connected device lineup covered in recent Giganectar reporting.
