Phishing campaigns abuse OAuth device codes to access Microsoft accounts
Threat actors are using a legitimate Microsoft login feature to bypass traditional email security controls.
One month after launching, the platform hands low-skilled attackers AI-generated lures, automated campaign tools, and a way to turn a victim's own MFA-approved login into attacker-held tokens, all sold through Telegram.
The FBI has issued a public service announcement warning about Kali365, a phishing-as-a-service platform that appeared in April 2026 and targets Microsoft 365 accounts using device code phishing to capture session tokens without ever needing a victim's password or multi-factor authentication (MFA) code. According to BleepingComputer, Kali365 is distributed via Telegram channels and offers buyers AI-generated phishing lures, automated campaign templates, real-time victim-tracking dashboards, and token-capture functionality. The FBI warned that the platform gives even low-skilled attackers access to capabilities that previously required significant technical expertise. Researchers observed a widespread campaign in April 2026 in which Kali365 operators directed victims to Microsoft's legitimate device code login portal at microsoft.com/devicelogin, where they unknowingly authorized attacker access to their Microsoft 365 accounts. Once inside, attackers created malicious inbox rules to hide their activity and, in some cases, registered new devices in victims' Microsoft environments to extend their access.
Device code authentication was designed for devices with limited input capabilities, such as smart TVs, printers, conference room systems, and similar hardware that cannot support a standard interactive login. The device requests a short code from Microsoft and instructs the user to enter it on a separate device at Microsoft's login portal; the device then polls Microsoft until the code is approved and receives the resulting tokens. Kali365 operators abuse that flow by starting the device authorization request themselves, obtaining the code, and using social engineering to get the target to enter it. When the victim enters the code and completes MFA on the real Microsoft page, Microsoft issues the OAuth access token, and the accompanying refresh token, to the client that requested the code, which the attacker controls. MFA is not defeated; the victim satisfies it, and the tokens go to the wrong party. Because Microsoft's device codes expire after roughly 15 minutes, the lure has to get the target to act promptly. Kali365 offers two attack modes. The first is device code phishing. The second, called Cookie Link, is an adversary-in-the-middle mode that proxies victims through attacker-controlled infrastructure to capture authenticated browser sessions, session cookies, and tokens after targets log in. Compromised accounts grant attackers access to every application connected via Microsoft single sign-on, including SharePoint, OneDrive, Salesforce, and any other cloud platform the victim uses with their Microsoft credentials.
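The exchange described above, as an added example that is not part of the original article and is not Kali365's code: a self-contained Python model of the OAuth 2.0 device authorization grant (RFC 8628) with both sides present, the client that requests the code and polls for tokens, and the identity provider that issues the code, accepts the user's approval, and hands the tokens to whichever client holds the matching device_code. The endpoint URLs and the 15-minute code lifetime are Microsoft's public ones; the AuthorizationServer class, its method names, the client identifiers and the user names are assumptions made for the illustration, and nothing here touches the network.

```python
"""Simulated OAuth 2.0 device authorization grant (RFC 8628).

Added illustration, not code from the article or from Kali365. The in-memory
AuthorizationServer stands in for Microsoft's token service; the real endpoints
it imitates are
  https://login.microsoftonline.com/common/oauth2/v2.0/devicecode
  https://login.microsoftonline.com/common/oauth2/v2.0/token
and the verification page is https://microsoft.com/devicelogin.
No network traffic is generated.
"""
import secrets
import time

GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code"  # RFC 8628 grant type


class AuthorizationServer:
    """Minimal stand-in for the identity provider's device-code endpoints."""

    def __init__(self, lifetime_s=900):
        self.lifetime_s = lifetime_s          # Microsoft codes expire after ~15 minutes
        self.requests = {}                    # device_code -> pending request
        self.user_codes = {}                  # user_code   -> device_code

    def devicecode(self, client_id, scope):
        """Step 1: the CLIENT (not the user) starts the flow and receives both codes."""
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice("BCDFGHJKLMNPQRSTVWXZ") for _ in range(9))
        self.requests[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "expires_at": time.time() + self.lifetime_s, "approved_by": None,
        }
        self.user_codes[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://microsoft.com/devicelogin",
                "expires_in": self.lifetime_s, "interval": 5}

    def devicelogin(self, user_code, username, mfa_passed):
        """Step 2: a USER types the code on the real login page and passes MFA.
        The server cannot tell whether this user is the party that requested
        the code; it only checks that the code is valid and MFA succeeded."""
        device_code = self.user_codes.get(user_code)
        req = self.requests.get(device_code)
        if req is None or time.time() > req["expires_at"]:
            return {"error": "invalid_or_expired_code"}
        if not mfa_passed:
            return {"error": "mfa_required"}
        req["approved_by"] = username
        return {"status": "approved"}

    def token(self, client_id, device_code):
        """Step 3: the CLIENT polls; tokens go to whoever holds device_code."""
        req = self.requests.get(device_code)
        if req is None or req["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if time.time() > req["expires_at"]:
            return {"error": "expired_token"}
        if req["approved_by"] is None:
            return {"error": "authorization_pending"}   # keep polling
        return {"token_type": "Bearer", "scope": req["scope"],
                "access_token": "at." + secrets.token_urlsafe(16),
                "refresh_token": "rt." + secrets.token_urlsafe(16),
                "issued_for_user": req["approved_by"]}


def run_flow(server, client_id, victim, mfa_passed=True):
    """Drive the three steps; return (start response, poll before approval, final poll)."""
    start = server.devicecode(client_id, "openid profile offline_access Mail.Read")
    pending = server.token(client_id, start["device_code"])      # nothing issued yet
    server.devicelogin(start["user_code"], victim, mfa_passed)    # victim acts on the lure
    final = server.token(client_id, start["device_code"])
    return start, pending, final


if __name__ == "__main__":
    srv = AuthorizationServer()
    start, pending, final = run_flow(srv, "requesting-client", "alice@example.com")
    print("user_code sent in the lure:", start["user_code"])
    print("before the victim acts:", pending)
    print("after the victim passes MFA on the real page:", final)
```

The point the model makes concrete: nothing in step 2 binds the approving user to the requesting client, so the refresh token in the final response belongs to whoever ran step 1, and a second client that learns the device_code still gets invalid_grant because the grant is tied to the original client_id.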
The FBI stated in its public service announcement that Kali365 "gives even low-skilled attackers access to advanced phishing capabilities" and urged organizations to restrict or completely block device code authentication flows using Conditional Access policies where possible, audit existing device code usage, and block authentication transfer, the feature that lets a signed-in session be moved to another device. The FBI also recommended preserving phishing emails, suspicious login records, and unauthorized device registration logs for incident reporting to the Internet Crime Complaint Center.
Kali365 joins a growing list of PhaaS platforms built around device code phishing in 2026. According to BleepingComputer, device code phishing detections increased 37.5-fold in early 2026 as at least 11 competing kits entered the market, including EvilTokens and Tycoon2FA, both of which also target Microsoft 365 and Entra accounts. Microsoft's own Q1 2026 email threat data documented hundreds of organizations compromised daily through device code phishing campaigns running 10 to 15 distinct sub-campaigns every 24 hours. Kali365, emerging from Telegram just one month ago and already drawing an FBI warning, signals how quickly this category of platform has normalized as a commercial offering.
Microsoft 365 is used by approximately 79 percent of healthcare organizations, and accounted for 53 percent of breached healthcare organizations in 2025, up from 43 percent the year prior, according to Paubox's 2026 Healthcare Email Security Report. Device code phishing sidesteps MFA at the authentication layer, exposing healthcare organizations whose security posture relies on MFA as a primary control. A compromised Microsoft 365 account at a hospital or clinic gives an attacker access to patient scheduling, billing communications, referrals, lab results, and internal administrative email, all of the workflows where protected health information moves routinely. The FBI's recommendation to block device code authentication flows entirely through Conditional Access is the most direct technical response, but implementing it requires reviewing which legitimate devices in the environment actually need that flow before restricting it.
MFA verifies that the person logging in controls the registered device or authentication app. In device code phishing, the victim completes MFA on a legitimate Microsoft page and thereby proves their identity to Microsoft. The token is then issued to the client that started the device authorization request, which is the attacker's, not the victim's browser. MFA confirmed the right person; the token simply went to the wrong session.
Conditional Access is a Microsoft Entra feature that enforces rules on how and when users can authenticate. A policy that blocks the device code flow is evaluated when a user enters a code at the device login page, so the sign-in is denied and the attacker's pending request is never approved; the client that started the flow receives nothing, eliminating the mechanism Kali365 exploits. Microsoft provides guidance for configuring this through the Authentication Flows condition in Conditional Access, which also covers authentication transfer. Running the policy in report-only mode first shows which existing sign-ins, such as conference-room devices, printers, or command-line tools, would be blocked before it is enforced.
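The FBI's two recommendations above, audit existing device code usage and then block the flow with Conditional Access, as an added Python example that is not code from the article, the FBI PSA, or Microsoft. It builds the request body for a Conditional Access policy in the shape Microsoft Graph accepts at POST /identity/conditionalAccess/policies (the authenticationFlows condition with transferMethods set to deviceCodeFlow and authenticationTransfer, and a block grant control), and it triages sign-in records in the shape of Graph's signIn resource, where device code sign-ins carry authenticationProtocol equal to deviceCode. The property names are as I understand the current Graph schema and should be confirmed against the Graph documentation before use; the sign-in records, user names and app names are constructed for the illustration.

```python
"""Conditional Access policy body and a device-code usage audit.

Added example; not code from the article, the FBI PSA, or Microsoft.
Assumes the Microsoft Graph v1.0 schema for conditionalAccessPolicy
(conditions.authenticationFlows.transferMethods) and for signIn
(authenticationProtocol). Confirm property names against current Graph
docs. Sign-in records below are constructed, not real log data, and no
request is sent.
"""
import json
from collections import Counter

GRAPH = "https://graph.microsoft.com/v1.0"
POLICY_URL = f"{GRAPH}/identity/conditionalAccess/policies"
SIGNIN_URL = f"{GRAPH}/auditLogs/signIns"   # source of records for audit_device_code_signins


def device_code_policy(state="enabled", block_auth_transfer=True, exclude_groups=()):
    """Policy body denying sign-ins that use the device code flow (and, by
    default, authentication transfer) for all users and all applications.
    Pass state="enabledForReportingButNotEnforced" to pilot in report-only
    mode, and put break-glass and known device accounts in exclude_groups."""
    methods = ["deviceCodeFlow"]
    if block_auth_transfer:
        methods.append("authenticationTransfer")
    return {
        "displayName": "Block device code flow and authentication transfer",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": list(exclude_groups)},
            "applications": {"includeApplications": ["All"]},
            # transferMethods is a flags enum serialised as a comma-separated string
            "authenticationFlows": {"transferMethods": ",".join(methods)},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def audit_device_code_signins(signins, known_good=frozenset()):
    """Count device-code sign-ins per (user, app), skipping accounts already
    known to need the flow (conference-room devices, printers). What remains
    is either a user to ask about or an account to investigate, and it is the
    list to clear before the policy moves from report-only to enforced."""
    hits = Counter()
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            continue
        upn = s["userPrincipalName"]
        if upn in known_good:
            continue
        hits[(upn, s["appDisplayName"])] += 1
    return dict(hits)


# Constructed sign-in records in the shape of Graph signIn objects.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "room-101@example.com", "appDisplayName": "Microsoft Teams Rooms",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}},
]

if __name__ == "__main__":
    print("POST", POLICY_URL)
    print(json.dumps(device_code_policy(state="enabledForReportingButNotEnforced"), indent=2))
    print("device-code sign-ins not yet explained:",
          audit_device_code_signins(SAMPLE_SIGNINS, known_good={"room-101@example.com"}))
```

The order matters: run the audit against a few weeks of sign-in logs, move every legitimate device-code consumer into an excluded group or a replacement flow, pilot the policy in report-only mode, and only then switch state to enabled.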
The FBI issues warnings when a platform demonstrates sufficient adoption and victim impact to constitute a widespread threat. A PhaaS platform distributed via Telegram, reaching enough operators to generate an FBI PSA within 30 days of launch, shows both the platform's accessibility and the existing demand for device-code phishing tools among criminal operators.
Immediately revoke all active sessions for the affected account (in Entra this invalidates the refresh tokens; access tokens already issued remain valid until they expire), remove any newly registered devices, audit inbox rules for attacker-created forwarding, move, or deletion rules, and check whether the compromised account was used to access connected applications through single sign-on. Resetting the password alone is insufficient: the attacker holds tokens rather than the password, so revoke sessions explicitly rather than relying on the reset to cut off access.
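The response steps above, as an added Python example that is not code from the article or the FBI PSA. It builds the Graph revokeSignInSessions request, flags inbox rules that hide or exfiltrate mail, and lists devices registered after the suspected compromise time. It assumes the Microsoft Graph v1.0 shapes for messageRule (GET /users/{id}/mailFolders/inbox/messageRules), device (registrationDateTime) and the POST /users/{id}/revokeSignInSessions action; the rule and device records, names and addresses are constructed samples, and the functions only build requests and evaluate records, they do not call Graph.

```python
"""Post-compromise triage helpers for a Microsoft 365 account.

Added example; not code from the article or the FBI PSA. Assumes the
Microsoft Graph v1.0 shapes for messageRule, device, and the
revokeSignInSessions action. Records below are constructed samples; the
helpers build requests and evaluate records, nothing is sent.
"""
from datetime import datetime, timezone

GRAPH = "https://graph.microsoft.com/v1.0"

# Folders attackers use to park mail they do not want the owner to notice.
HIDDEN_FOLDERS = {"deleteditems", "junkemail", "rssfeeds", "archive", "conversationhistory"}


def revoke_sessions_request(user_id):
    """First action: invalidate the user's refresh tokens. Already-issued
    access tokens stay valid until expiry, so do this before anything else."""
    return {"method": "POST", "url": f"{GRAPH}/users/{user_id}/revokeSignInSessions"}


def suspicious_inbox_rules(rules, internal_domain):
    """Flag rules that delete mail, move it to a hidden folder, mark it read,
    or forward/redirect it outside the organisation. `moveToFolder` is taken
    as a well-known folder name or an already-resolved folder id."""
    findings = []
    for r in rules:
        a = r.get("actions", {})
        reasons = []
        if a.get("delete") or a.get("permanentDelete"):
            reasons.append("deletes mail")
        if str(a.get("moveToFolder", "")).lower() in HIDDEN_FOLDERS:
            reasons.append(f"moves to {a['moveToFolder']}")
        if a.get("markAsRead"):
            reasons.append("marks as read")
        for rcpt in a.get("forwardTo", []) + a.get("redirectTo", []):
            addr = rcpt.get("emailAddress", {}).get("address", "")
            if not addr.lower().endswith("@" + internal_domain.lower()):
                reasons.append(f"forwards to {addr}")
        if reasons:
            findings.append({"id": r["id"], "displayName": r["displayName"], "reasons": reasons})
    return findings


def parse_ts(s):
    """Parse a Graph ISO-8601 timestamp (trailing Z) into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def devices_registered_since(devices, since_ts):
    """Return (displayName, id) for devices registered at or after since_ts,
    the candidates for the 'newly registered device' persistence step."""
    since = parse_ts(since_ts)
    return [(d["displayName"], d["id"]) for d in devices
            if parse_ts(d["registrationDateTime"]) >= since]


# Constructed samples in the shape of Graph messageRule and device objects.
SAMPLE_RULES = [
    {"id": "r1", "displayName": "Receipts", "actions": {"moveToFolder": "Receipts"}},
    {"id": "r2", "displayName": ".", "actions": {"moveToFolder": "rssfeeds", "markAsRead": True}},
    {"id": "r3", "displayName": "fwd",
     "actions": {"forwardTo": [{"emailAddress": {"address": "x@mail.example.net"}}]}},
]
SAMPLE_DEVICES = [
    {"id": "d1", "displayName": "ALICE-LAPTOP", "registrationDateTime": "2026-01-12T09:00:00Z"},
    {"id": "d2", "displayName": "DESKTOP-K9Q2", "registrationDateTime": "2026-04-22T03:14:00Z"},
]

if __name__ == "__main__":
    print(revoke_sessions_request("alice@example.com"))
    for f in suspicious_inbox_rules(SAMPLE_RULES, "example.com"):
        print("rule", f["id"], repr(f["displayName"]), "->", "; ".join(f["reasons"]))
    print("devices registered since compromise:",
          devices_registered_since(SAMPLE_DEVICES, "2026-04-01T00:00:00Z"))
```

A rule named with a single punctuation character that moves mail to RSS Feeds and marks it read, as in the r2 sample, is the pattern the article describes attackers using to hide their activity; the forwarding check is what catches quiet exfiltration to an external mailbox.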
Sophisticated phishing campaigns previously required technical knowledge to build infrastructure, generate convincing lures, and manage captured credentials. Kali365 automates all of those steps. An operator with no technical background can run AI-generated lure campaigns, track victims in real time, and capture tokens through a dashboard interface. The barrier to running an advanced credential-theft campaign has been effectively removed.