FBI flags Kali365, phishing kit targeting Microsoft 365

The FBI is warning organizations about Kali365, a phishing-as-a-service platform that steals Microsoft 365 access tokens and bypasses multi-factor authentication to give cybercriminals access to victim accounts.

Learn more: What is phishing-as-a-service (PhaaS)?
What happened

First observed in April 2026, Kali365 abuses OAuth device code authorization to connect cybercriminal-controlled applications to Microsoft 365 accounts. Rather than stealing a user's credentials and MFA codes, the platform generates a code that victims must copy and paste to unknowingly grant access. The FBI issued a public service announcement on May 21, 2026, warning defenders about the toolkit's growth. Kali365 is primarily distributed on Telegram and offers AI-generated phishing lures, automated campaign templates, real-time tracking dashboards, and OAuth token capture. Once access tokens are captured, they are stored on the platform and made available to affiliates and can be shared with other cybercriminals not involved in the original attack. Those tokens provide persistent access across multiple Microsoft services without requiring a password or additional MFA.
The backstory

In February 2025, Microsoft tracked a large-scale campaign tied to a threat group called Storm-2372 that abused the same OAuth device code flow. The current wave of activity, including Kali365, represents a direct escalation from that campaign, according to the Microsoft Defender Security Research Team.

Older, static versions of this attack had a built-in weakness: attackers pre-generated codes and embedded them in phishing emails, so victims had to complete the entire authentication flow before the 15-minute expiration window closed. An email opened 20 minutes too late meant an automatically failed attack.
In the know

OAuth device code authorization is a legitimate Microsoft feature designed for devices that cannot easily display a browser, like smart TVs or printers, to authenticate a user. The process asks the user to visit a URL and enter a code to link the device to their account. Kali365 hijacks this flow by sending victims phishing lures that impersonate common enterprise services, directing them to real Microsoft authorization pages. Because the page is legitimate, traditional security tools may not flag it. Once the victim enters the generated code, the attacker's application gains an access token, a digital key that grants ongoing access without requiring the victim's password or triggering MFA again.
Why it matters

Microsoft 365 is used for document sharing and communication by healthcare organizations, many of which handle protected health information. What makes Kali365 dangerous is that it uses Microsoft's own legitimate infrastructure. Security tools trained to detect spoofed login pages or credential-harvesting forms may not catch a real Microsoft authorization page being abused. For healthcare, a compromised Microsoft 365 account can mean unauthorized access to patient records, internal communications, and billing systems.
The bottom line

Organizations should audit which third-party applications have OAuth access to their Microsoft 365 environments, implement conditional access policies that restrict token reuse, and train staff to recognize device-code phishing lures. MFA alone is no longer sufficient protection against this type of attack.
FAQs

Does revoking a compromised account's password stop the attack?

No, because device-code phishing steals access tokens rather than passwords.
How would a user know if they had already been compromised?

Unusual inbox rules, unexpected device registrations, or unfamiliar sign-in activity in Microsoft 365 audit logs are indicators of a device-code phishing compromise.
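As an added example (not code from the FBI announcement or from Paubox), the script below supports both the OAuth application audit recommended in "The bottom line" and the sign-in indicators above: it parses a constructed Microsoft Entra sign-in log export and flags successful device-code sign-ins from applications outside an assumed allowlist. Field names follow the Microsoft Graph signIn schema (authenticationProtocol, appId, status.errorCode); the records, the application IDs and the allowlist are invented for illustration.

```python
import json

# Constructed JSON Lines export of Entra sign-in events (not real data).
# Field names follow the Microsoft Graph signIn schema; values are invented.
SAMPLE_LOG = """\
{"createdDateTime":"2026-05-20T09:01:12Z","userPrincipalName":"alice@example.org","appId":"00000000-0000-0000-0000-000000000001","appDisplayName":"Outlook","ipAddress":"203.0.113.10","authenticationProtocol":"none","status":{"errorCode":0}}
{"createdDateTime":"2026-05-20T09:14:47Z","userPrincipalName":"alice@example.org","appId":"11111111-1111-1111-1111-111111111111","appDisplayName":"Document Portal","ipAddress":"198.51.100.7","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
{"createdDateTime":"2026-05-20T10:02:03Z","userPrincipalName":"bob@example.org","appId":"22222222-2222-2222-2222-222222222222","appDisplayName":"Conference Room TV","ipAddress":"203.0.113.11","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
{"createdDateTime":"2026-05-20T10:30:55Z","userPrincipalName":"carol@example.org","appId":"11111111-1111-1111-1111-111111111111","appDisplayName":"Document Portal","ipAddress":"198.51.100.7","authenticationProtocol":"deviceCode","status":{"errorCode":50126}}
"""

# Assumed allowlist: apps the organization knowingly uses with the device-code
# flow (browserless devices such as meeting-room displays). Invented ID.
APPROVED_DEVICE_CODE_APPS = {"22222222-2222-2222-2222-222222222222"}


def parse_signins(text):
    """Parse a JSON Lines sign-in export into a list of dicts, skipping blanks."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def flag_device_code_signins(records, approved_apps=APPROVED_DEVICE_CODE_APPS):
    """Return (hits, attempts) for device-code sign-ins by non-approved apps.

    A successful device-code sign-in (errorCode 0) means an access token was
    issued to that application, which is the outcome the article describes.
    Failed ones are counted as attempts: they show a lure reached a user.
    """
    hits, attempts = [], 0
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue  # interactive or other flows are out of scope here
        if r.get("appId") in approved_apps:
            continue  # known browserless device, expected behaviour
        if r.get("status", {}).get("errorCode", 0) != 0:
            attempts += 1
            continue
        hits.append({"user": r["userPrincipalName"], "appId": r["appId"],
                     "app": r.get("appDisplayName"), "ip": r.get("ipAddress"),
                     "time": r["createdDateTime"]})
    return hits, attempts


if __name__ == "__main__":
    found, tried = flag_device_code_signins(parse_signins(SAMPLE_LOG))
    print(f"{len(found)} suspicious device-code sign-in(s), {tried} failed attempt(s)")
    for h in found:
        print(h)
```

Each flagged appId is a candidate for review and revocation in the tenant's enterprise applications list; the same appId issuing tokens to several users, as in the sample, points to a campaign rather than a one-off consent.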
Is this type of attack illegal to sell as a service?

Yes, operating or selling phishing-as-a-service platforms is a criminal offense in most jurisdictions.