The Federal Bureau of Investigation (FBI) has issued a critical warning to users of Microsoft 365 regarding a sophisticated and emerging cyber threat known as Kali365, a phishing-as-a-service (PaaS) platform that can compromise accounts without requiring victims to surrender their passwords. This new alert highlights a significant evolution in cyberattack methods, focusing on exploiting legitimate authentication processes rather than direct credential theft.
Kali365 targets a wide array of Microsoft 365 services, including Outlook, Teams, and OneDrive, by manipulating Microsoft’s device code authentication process. Unlike traditional phishing schemes that attempt to trick users into divulging their login credentials, Kali365 aims to obtain OAuth access and refresh tokens. These tokens allow users to remain signed into Microsoft services without repeatedly entering their passwords, and once stolen, they provide attackers with persistent, unauthorized access to compromised accounts.
Federal officials stated that Kali365 first appeared in April 2026 and has primarily been distributed through Telegram, a messaging platform where cybercriminals can readily purchase access to prebuilt phishing tools, campaign templates, and tracking dashboards. This accessibility lowers the barrier to entry for malicious actors, enabling a broader range of individuals to launch sophisticated attacks.
The modus operandi of Kali365 begins when an attacker initiates Microsoft’s legitimate device code login process from their own device. Subsequently, the victim receives a carefully crafted phishing email containing a verification code and instructions to visit what appears to be an authentic Microsoft sign-in page. Because this verification page is genuinely operated by Microsoft, victims are often led to believe the request is legitimate and secure. After entering the provided device code on this page, victims unknowingly authorize the attacker’s device to gain access to their account.
Once this authorization is granted, attackers can capture the authentication tokens, which then allow them to access various Microsoft 365 applications like Outlook, Teams, and OneDrive. Critically, this method bypasses the need for the victim's password and often circumvents multi-factor authentication (MFA) prompts, which are typically considered a strong defense against account takeovers. This makes Kali365 particularly insidious, as even users with MFA enabled are vulnerable.
The FBI emphasized that this technique presents particular risks for businesses. Compromised corporate accounts may contain highly sensitive information, including proprietary emails, financial invoices, confidential customer data, and internal communications. Attackers can leverage this access to impersonate employees, launch further internal fraud schemes, or exfiltrate valuable intellectual property, as reported by Fox News. The potential for widespread corporate espionage and financial fraud makes this a high-priority threat for organizations of all sizes.
To mitigate the risk, federal officials strongly advise all Microsoft 365 users to treat any unsolicited request to enter a Microsoft device code as highly suspicious. This vigilance is especially crucial if such requests arrive via email, text message, or collaboration platforms like Teams. Users should never enter a device code unless they personally initiated the sign-in process.
Microsoft, in response to the FBI’s alert, urged its customers to adhere to the FBI’s recommendations while continuing to implement the company’s existing security best practices designed to defend against phishing-as-a-service operations and account takeover attempts. The tech giant affirmed its ongoing efforts to disrupt cybercriminal networks responsible for such campaigns, referencing past enforcement actions against operations including Fake ONNX, RaccoonO365, and Tycoon 2FA.
The FBI's comprehensive recommendations for individual users include regularly reviewing account activity, immediately revoking any suspicious sessions, and maintaining multi-factor authentication protections despite the new threat vector. For organizations, officials further recommend restricting device code authentication wherever operationally feasible, diligently auditing legitimate uses of the feature, and providing thorough training to employees to help them recognize and report device code phishing attempts.
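One way an organization can act on the auditing recommendation above is to pull device code sign-ins out of its sign-in logs and flag those that fall outside its known legitimate uses. The script below is an added example, not part of the FBI alert or any Microsoft tooling; it assumes Entra ID sign-in records in JSON-lines form with the fields `authenticationProtocol` (value `deviceCode`), `userPrincipalName`, `ipAddress`, `location.countryOrRegion` and `appDisplayName`, and the sample records and allow list are constructed.

```python
"""Audit constructed sign-in records for device code flow sign-ins.

Added example, not from the FBI alert or Microsoft. Assumes Entra ID
sign-in log field names (authenticationProtocol, userPrincipalName,
ipAddress, location, appDisplayName) and the protocol value "deviceCode".
"""
import json

# Constructed sample sign-in records (JSON lines), not real log data.
SAMPLE_LOG = """
{"userPrincipalName": "build-svc@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"}, "appDisplayName": "Azure CLI"}
{"userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.11", "location": {"countryOrRegion": "US"}, "appDisplayName": "Outlook"}
{"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "NL"}, "appDisplayName": "Microsoft Office"}
"""

# Accounts that legitimately use device code sign-in (e.g. CI build agents).
# Constructed allow list; an organisation fills it from its own audit.
KNOWN_DEVICE_CODE_USERS = {"build-svc@example.com"}
HOME_COUNTRIES = {"US"}


def parse_sign_ins(text):
    """Parse JSON-lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def flag_device_code_sign_ins(records, known_users=KNOWN_DEVICE_CODE_USERS,
                              home_countries=HOME_COUNTRIES):
    """Return (user, ip, reasons) for device code sign-ins needing review.

    Any device code sign-in by an account outside the allow list is flagged.
    A sign-in from outside the usual countries is an added reason: in this
    phishing pattern the attacker's device, not the victim's, completes the
    flow, so the source location often does not match the user.
    """
    findings = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        user = rec.get("userPrincipalName", "")
        reasons = []
        if user not in known_users:
            reasons.append("device code sign-in by account not on allow list")
        country = rec.get("location", {}).get("countryOrRegion")
        if country not in home_countries:
            reasons.append(f"sign-in from unexpected country {country}")
        if reasons:
            findings.append((user, rec.get("ipAddress"), reasons))
    return findings


if __name__ == "__main__":
    for user, ip, reasons in flag_device_code_sign_ins(parse_sign_ins(SAMPLE_LOG)):
        print(f"REVIEW {user} from {ip}: {'; '.join(reasons)}")
```

A hit on a user who never initiated a device code sign-in is the cue to revoke that account's sessions and refresh tokens and check its mailbox rules, as the alert advises.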
Individuals who suspect they may have approved a fraudulent device code are advised to take immediate action: sign out of Microsoft 365 on all devices, change their password, review account recovery information, inspect Outlook forwarding rules for any unauthorized changes, and notify their employer’s IT department if the compromised account is work-related. The FBI also encourages all victims or targeted users to report incidents to the Internet Crime Complaint Center (IC3.gov), providing any relevant evidence such as phishing emails and login information to aid investigators in tracking and combating this growing phishing campaign.