
A criminal subscription service called Kali365 is hijacking Microsoft 365 accounts at organizations across multiple sectors without ever touching a user's password — and it defeats multi-factor authentication in the process, the FBI warned in a public service announcement published May 21, 2026. Security firms including Arctic Wolf and Proofpoint documented hundreds of attacks in April alone, hitting companies and agencies in manufacturing, education, government, insurance, financial services, and healthcare across North America and Europe. Every one of those victims was using MFA.
Kali365 is classified by the FBI as a Phishing-as-a-Service (PhaaS) platform — a criminal subscription product, first observed in April 2026, sold through Telegram for as little as $250 for 30 days. Its significance is structural: by exploiting a legitimate Microsoft authentication feature called the OAuth device code flow, Kali365 renders password managers, credential monitoring services, and MFA enforcement irrelevant at once. The attacker does not need any of those credentials because the victim's own successful authentication hands access directly to the attacker.
The FBI's advisory, designated alert I-052126-PSA, identifies Kali365 as an emerging threat that "lowers the barrier of entry, providing less-technical attackers access to AI-generated phishing lures, automated campaign templates, real-time targeted individual/entity tracking dashboards, and OAuth token capture capabilities." Translation: competent, large-scale account hijacking is now accessible to criminals with no technical background.
How Kali365 Turns Your Own Login Against You
The attack begins with an email. The email impersonates a familiar enterprise service — DocuSign requesting a signature, SharePoint sharing a file, OneDrive alerting to a new document, Adobe Acrobat Sign requesting action. The email contains a short numeric code and a link to a page operated by Microsoft: microsoft.com/devicelogin.
That legitimacy is the trap. The device code flow was engineered to let users sign into Microsoft 365 on devices that lack keyboards — smart TVs, conference room displays, industrial terminals — by generating a short code on a separate device and entering it on a companion screen. Kali365 hijacks this flow: the attacker's device generates the code, the victim enters it at the genuine Microsoft page, and the attacker's device receives the resulting OAuth access and refresh tokens.
Those tokens are the real prize. They prove to Microsoft's servers that a user has authenticated successfully — without containing a password and without triggering an MFA challenge. Kali365 captures them, stores them on its platform, and makes them available to the attacker's dashboard. The attacker now has persistent access to Outlook, Teams, and OneDrive for as long as the tokens remain valid, with no further interaction from the victim required.
In incidents responded to by Arctic Wolf in April, attackers went further after obtaining token access: they created inbox rules that automatically moved emails containing words like "spam," "phish," "click," or "link" into hidden folders and marked them as read. Security notifications from Microsoft — the alerts that might otherwise warn a victim their account had been accessed — were silently buried. In some cases, attackers also registered a second device against the victim's account, extending access beyond the initial token's expiration.
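The sequence described above (a device code sign-in followed by inbox rules that bury warning mail) is something a defender can hunt for in existing telemetry. The script below is an added example, not code from the article, the FBI, or any vendor named in it; it correlates constructed records shaped like Microsoft Entra sign-in entries (the `authenticationProtocol` field, which reports `deviceCode` for this flow) with constructed Exchange Online `New-InboxRule` entries of the kind found in the unified audit log. Account names, IP addresses, timestamps and the allowlist of expected device-code accounts are all constructed for the example.

```python
"""Hunt for device code sign-ins followed by inbox-rule tampering.

Added example, not code from the article or any vendor it names. Reads two
constructed record sets (Entra sign-in entries and Exchange New-InboxRule
audit entries) and correlates them per user inside a time window.
"""
from datetime import datetime, timedelta, timezone

# Accounts with a documented need for device code flow (constructed; in a real
# tenant this list comes from the usage audit done before blocking the flow).
EXPECTED_DEVICE_CODE_ACCOUNTS = {"roomdisplay-3b@example.com"}

# Words attackers filter on to hide security notices and warnings from the victim.
SUSPICIOUS_RULE_WORDS = {"spam", "phish", "click", "link", "hack", "password"}

# Constructed sign-in records in the shape of Entra signIn objects.
SIGNINS = [
    {"createdDateTime": "2026-04-14T09:12:41Z", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.7",
     "appDisplayName": "Microsoft Office"},
    {"createdDateTime": "2026-04-14T08:00:00Z", "userPrincipalName": "roomdisplay-3b@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.20",
     "appDisplayName": "Microsoft Teams Rooms"},
    {"createdDateTime": "2026-04-14T09:30:00Z", "userPrincipalName": "bob@example.com",
     "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.21",
     "appDisplayName": "Outlook"},
]

# Constructed audit records in the shape of unified audit log Exchange entries.
AUDIT = [
    {"CreationTime": "2026-04-14T09:20:03", "Operation": "New-InboxRule",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.7",
     "Parameters": [
         {"Name": "SubjectOrBodyContainsWords", "Value": "spam;phish;click;link"},
         {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
         {"Name": "MarkAsRead", "Value": "True"}]},
    {"CreationTime": "2026-04-14T10:05:00", "Operation": "New-InboxRule",
     "UserId": "bob@example.com", "ClientIP": "198.51.100.21",
     "Parameters": [
         {"Name": "SubjectContainsWords", "Value": "weekly report"},
         {"Name": "MoveToFolder", "Value": "Reports"}]},
]


def _ts(value):
    """Parse both timestamp styles above into timezone-aware UTC datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).replace(tzinfo=timezone.utc)


def unexpected_device_code_signins(signins):
    """Device-code sign-ins by accounts that have no documented need for the flow."""
    return [s for s in signins
            if s.get("authenticationProtocol") == "deviceCode"
            and s["userPrincipalName"].lower() not in EXPECTED_DEVICE_CODE_ACCOUNTS]


def _params(record):
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def is_suspicious_inbox_rule(record):
    """True for a rule that keys on warning words and then hides or discards the mail."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return False
    p = _params(record)
    words = set()
    for key in ("SubjectOrBodyContainsWords", "SubjectContainsWords", "BodyContainsWords"):
        words |= {w.strip().lower() for w in p.get(key, "").split(";") if w.strip()}
    hides = bool(p.get("MoveToFolder")) or p.get("DeleteMessage") == "True" or p.get("MarkAsRead") == "True"
    return hides and bool(words & SUSPICIOUS_RULE_WORDS)


def correlate(signins, audit, window_hours=24):
    """Pair each unexpected device-code sign-in with rule tampering that followed it."""
    findings = []
    for s in unexpected_device_code_signins(signins):
        start = _ts(s["createdDateTime"])
        for a in audit:
            if a["UserId"].lower() != s["userPrincipalName"].lower() or not is_suspicious_inbox_rule(a):
                continue
            delta = _ts(a["CreationTime"]) - start
            if timedelta(0) <= delta <= timedelta(hours=window_hours):
                findings.append({
                    "user": s["userPrincipalName"],
                    "signin_ip": s["ipAddress"],
                    "rule_ip": a["ClientIP"],
                    "minutes_after_signin": int(delta.total_seconds() // 60),
                    # Same source IP for the sign-in and the rule change is the stronger signal.
                    "severity": "high" if s["ipAddress"] == a["ClientIP"] else "medium",
                })
    return findings


if __name__ == "__main__":
    for finding in correlate(SIGNINS, AUDIT):
        print(finding)
```

Run against real exports, the allowlist should be populated from the device code usage audit rather than guessed, and the window should be widened to cover the lifetime of a refresh token, since the rule creation may come well after the initial sign-in.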
Why MFA Does Not Stop This Attack
Multi-factor authentication is designed to block an attacker who has stolen a password from using it. Kali365 does not steal passwords. It turns the victim into an unwitting accomplice in an authentication the attacker initiates.
"The user's not doing anything wrong," Roger Grimes, a security advisor at KnowBe4, told CSO Online when a related campaign was analyzed in February. "If they look at the URL they're logging into, it's microsoft.com. But the attacker has pre-registered their device to get the code for [the victim] to verify."
Cory Michal, chief security officer at AppOmni, explained the structural weakness in broader terms: "OAuth tokens often operate as bearer credentials. If an attacker obtains them, they can be used as a single-factor access method to act as the integration without triggering an interactive login or MFA challenge, and the activity can blend into normal API and integration patterns. In other words, strong MFA enforcement can coexist with a persistent exposure if non-human identities and OAuth token hygiene aren't governed and monitored with the same rigor."
Arctic Wolf, which accessed a live Kali365 panel as part of its research and published a full technical breakdown in April, described what that persistent access enables: "immediate mailbox access, contact harvesting, lateral phishing, keyword monitoring for business email compromise, and administrative actions if the captured token corresponds to a Microsoft 365 account with sufficient privileges." If the victim's account has admin rights, the attacker gains admin rights.
Kali365 Is a Subscription Business With Three Pricing Tiers
Kali365 is not a loose collection of hacking scripts. Arctic Wolf's technical analysis found a three-tier commercial structure: an admin tier for the kit's authors, an agent tier for resellers, and a client tier for paying criminal affiliates. Each affiliate can brand the panel with custom colors and names. Subscription pricing, confirmed by Arctic Wolf's access to the live panel, runs from $250 for 30 days to $2,000 for 365 days, payable through a cryptocurrency processor that does not require identity verification.
The lure generation system supports 14 languages — including English, Spanish, French, German, Japanese, Chinese, Arabic, and Russian — along with three layout templates and 34 design themes. Affiliates can generate AI-assisted email templates and convert phishing pages to PDF attachments for delivery. An optional Electron-based desktop application, available for Windows and macOS, provides live visibility into captured tokens and an interface for managing compromised accounts.
Tokens captured by one Kali365 affiliate can be shared with others on the platform. A criminal who never sent a phishing email can purchase access to already-captured credentials.
What Organizations Must Do Before Attackers Do It for Them
The FBI and Arctic Wolf both prescribe the same primary mitigation: block device code flow where it is not a genuine operational requirement.
In Microsoft Entra ID (formerly Azure Active Directory), organizations should create a conditional access policy targeting all users and all cloud applications, blocking device code flow authentication with narrow exceptions only for verified processes that actually require it — such as meeting room devices or shared kiosk terminals. Before deploying that policy, the FBI recommends auditing existing device code flow usage to avoid inadvertently locking out legitimate systems.
Additional steps from the FBI's advisory: block authentication transfer policies that allow sessions to migrate between devices, and exclude emergency access accounts from blanket restrictions to prevent lockout. Microsoft Entra ID Protection can surface anomalous device code authentication events; Microsoft Defender XDR generates specific alerts named "Suspicious Azure authentication through possible device code phishing" and "User account compromise via OAuth device code phishing."
Organizations that cannot fully disable device code flow should heighten monitoring for unusual token activity and anomalous sign-in locations.
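The policy the three paragraphs above describe (block device code flow and authentication transfer for all users and all cloud apps, exclude emergency access accounts and verified device accounts, audit usage first) can be expressed and checked as data before anything is deployed. The following is an added example, not code from the article or from Microsoft. The dictionary shape follows the Microsoft Graph `conditionalAccessPolicy` resource as the author understands it, with `conditions.authenticationFlows.transferMethods` as the switch for the flow types; the emergency account names, the kiosk group id, the group membership map and the sign-in sample are all constructed.

```python
"""Build and lint an Entra conditional access policy that blocks device code flow.

Added example, not from the article or Microsoft. Policy dictionaries follow the
Microsoft Graph conditionalAccessPolicy shape as the author understands it.
All identifiers below are constructed placeholders.
"""

EMERGENCY_ACCOUNTS = ["breakglass-1@example.com", "breakglass-2@example.com"]  # constructed
KIOSK_DEVICES_GROUP = "00000000-0000-0000-0000-00000000cafe"  # constructed group id

# Constructed: members of groups that keep a genuine need for the flow.
GROUP_MEMBERS = {KIOSK_DEVICES_GROUP: {"roomdisplay-3b@example.com"}}

# Constructed: device-code sign-ins seen during the pre-deployment audit window.
RECENT_SIGNINS = [
    {"userPrincipalName": "roomdisplay-3b@example.com", "authenticationProtocol": "deviceCode"},
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode"},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "oAuth2"},
]


def build_device_code_block_policy(emergency_accounts, exempt_group_ids, block_auth_transfer=True):
    """Hardened policy: all users, all cloud apps, block, with narrow exclusions only."""
    transfer = ["deviceCodeFlow"] + (["authenticationTransfer"] if block_auth_transfer else [])
    return {
        "displayName": "Block device code flow (all users, all apps)",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"],
                      "excludeUsers": list(emergency_accounts),
                      "excludeGroups": list(exempt_group_ids)},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": ",".join(transfer)},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


# A weak policy of the kind a review should catch: report-only, scoped to a
# single app, and with no emergency-account exclusion (constructed).
WEAK_POLICY = {
    "displayName": "Device code - pilot",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []},
        "applications": {"includeApplications": ["Office365"]},
        "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}


def lint_policy(policy, emergency_accounts):
    """Return the list of gaps that keep the policy from doing what the advisory asks."""
    c = policy.get("conditions", {})
    findings = []
    methods = {m.strip() for m in c.get("authenticationFlows", {}).get("transferMethods", "").split(",")}
    if "deviceCodeFlow" not in methods:
        findings.append("authenticationFlows does not include deviceCodeFlow")
    if policy.get("state") != "enabled":
        findings.append(f"state is {policy.get('state')!r}, so nothing is blocked")
    if c.get("users", {}).get("includeUsers") != ["All"]:
        findings.append("policy is not scoped to all users")
    if c.get("applications", {}).get("includeApplications") != ["All"]:
        findings.append("policy is not scoped to all cloud applications")
    if "block" not in policy.get("grantControls", {}).get("builtInControls", []):
        findings.append("grant control is not block")
    excluded = {u.lower() for u in c.get("users", {}).get("excludeUsers", [])}
    missing = sorted(a for a in emergency_accounts if a.lower() not in excluded)
    if missing:
        findings.append("emergency access accounts not excluded: " + ", ".join(missing))
    return findings


def accounts_that_would_break(policy, signins, group_members):
    """Pre-deployment audit: device-code users that no exclusion covers."""
    users = policy["conditions"]["users"]
    excluded = {u.lower() for u in users.get("excludeUsers", [])}
    for gid in users.get("excludeGroups", []):
        excluded |= {m.lower() for m in group_members.get(gid, set())}
    return sorted({s["userPrincipalName"] for s in signins
                   if s.get("authenticationProtocol") == "deviceCode"
                   and s["userPrincipalName"].lower() not in excluded})


if __name__ == "__main__":
    policy = build_device_code_block_policy(EMERGENCY_ACCOUNTS, [KIOSK_DEVICES_GROUP])
    print("hardened policy gaps:", lint_policy(policy, EMERGENCY_ACCOUNTS))
    print("weak policy gaps:", lint_policy(WEAK_POLICY, EMERGENCY_ACCOUNTS))
    print("accounts to review before enabling:", accounts_that_would_break(policy, RECENT_SIGNINS, GROUP_MEMBERS))
```

Any account returned by `accounts_that_would_break` is either a legitimate device-code user that needs to be moved into an exempt group before the policy is enabled, or a user whose device-code sign-in deserves the same scrutiny the detection logic earlier applies.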
How Device Code Phishing Reached This Scale
Kali365 did not emerge in a vacuum. Proofpoint documented a sharp volumetric increase in device code phishing beginning in September 2025, when state-aligned threat actors — including groups linked to Russia — were first observed adopting the technique at scale. By October 2025, financially motivated criminal actors had followed. By February 2026, phishing-as-a-service tools like EvilTokens had fully commoditized the technique, and Huntress tracked more than 340 compromised organizations in five countries from a related campaign alone. Kali365 arrived in April 2026 as a more polished, feature-complete product in the same category.
David Shipley, chief executive officer of Canadian security awareness firm Beauceron Security, described device code phishing as "the natural evolutionary response to improvements in account security, particularly MFA." As password-based attacks become easier to block, attackers have shifted to attacks in which users grant the access themselves, believing they are authorizing it for a legitimate purpose.
Proofpoint's researchers noted that in a single 10-day window in April 2026, they observed approximately seven distinct device-code phishing variants, many of them appearing to have been developed using AI-assisted techniques that lower the programming skill required to build such tools.
What to Do If You Have Been Targeted
The FBI urges anyone who suspects a Kali365 compromise to file a complaint at ic3.gov, including phishing email headers, suspicious login timestamps and IP addresses, and any unauthorized devices or active sessions added to the account. The Cybersecurity and Infrastructure Security Agency has published separate guidance — "Phishing Guidance: Stopping the Attack Cycle at Phase One" — covering broader defensive practices.
The core risk that Kali365 represents is that it makes account hijacking routine, cheap, and available to people who could not previously attempt it. A $250 subscription, a Telegram account, and a list of corporate email addresses is now sufficient to launch a campaign that defeats password protection and MFA simultaneously against organizations across multiple countries. For IT and security teams, the immediate action is not to add another layer of protection but to remove the attack surface: audit device code flow usage in Microsoft Entra ID and block it everywhere it is not genuinely required.
Frequently Asked Questions
Does multi-factor authentication stop Kali365 phishing attacks?
No. Kali365 exploits a legitimate Microsoft authentication feature called the OAuth device code flow, which means the victim completes MFA themselves — unknowingly authenticating for the attacker rather than for their own session. The attacker captures the resulting session tokens without ever needing the victim's password or MFA code.
How does device code phishing work?
The attacker generates a short numeric code through Microsoft's device authorization system, then sends the victim a phishing email containing that code with instructions to enter it at Microsoft's legitimate login page. When the victim complies, their authentication hands persistent access tokens to the attacker's device. No credential theft occurs — the victim's own successful login creates the attacker's access.
How do I stop OAuth token theft on Microsoft 365?
The primary defense is to disable device code flow authentication in Microsoft Entra ID using a conditional access policy that blocks it for all users except those with a documented business requirement. Organizations should audit existing device code flow usage before deploying the policy and should monitor for anomalous token activity using Microsoft Entra ID Protection and Microsoft Defender XDR.
What is phishing-as-a-service?
Phishing-as-a-service is a criminal business model in which developers sell ready-made attack infrastructure — including phishing templates, token capture tools, and tracking dashboards — to other criminals on a subscription basis. Kali365 offers three pricing tiers ranging from $250 for 30 days to $2,000 for a full year, with support for 14 languages and dozens of branding templates impersonating services like DocuSign, SharePoint, and Adobe.
ⓒ 2026 TECHTIMES.com All rights reserved. Do not reproduce without permission.