FBI Warns Kali365 PhaaS Platform Bypasses Microsoft 365 MFA

The FBI warns Kali365, a PhaaS platform on Telegram, exploits Microsoft device code authentication to bypass MFA entirely and capture persistent OAuth tokens.

    The FBI issued Public Service Announcement I-052126-PSA on May 21, 2026, warning organizations that a phishing-as-a-service platform called Kali365 is enabling low-skilled attackers to run sophisticated Microsoft 365 credential-theft campaigns through a technique that sidesteps multi-factor authentication entirely — not by intercepting a one-time code, but by turning legitimate Microsoft infrastructure against the victim.

    How Kali365 Exploits Microsoft’s Device Code Authentication Flow

    The attack does not involve spoofed login pages. Instead, Kali365 abuses the device code authentication flow — a legitimate Microsoft feature designed for devices that cannot display a browser, such as printers or smart TVs, which require users to authenticate from a separate device. In a normal scenario, a user receives a short device code, navigates to a real Microsoft verification URL, and enters the code to authorize the device. The device then receives an OAuth token granting it access.

    In the Kali365 attack, victims receive phishing emails instructing them to enter a device code on Microsoft’s authentic verification page. The code was generated by the attacker, whose client is waiting on the other side of the authorization flow for it to be approved. When the victim types the code into the real Microsoft page and clicks approve, it is that attacker client — not anything on the victim’s own machine — that receives the OAuth access token. Because the victim completes the sign-in, including any MFA prompt, in their own browser session on Microsoft’s own infrastructure, the attacker is never challenged: the victim’s normal login plus MFA has already been satisfied before the device code is approved.

    Persistent OAuth Token Access Without MFA Alerts

    The OAuth tokens captured through this technique grant the attacker access to Outlook, Teams, and OneDrive without generating MFA alerts, because once the token has been issued, using it involves no further authentication challenge. This significantly extends dwell time compared to traditional credential phishing, where stolen passwords are rendered useless if MFA is enforced at each login.

    Once a token is in the attacker’s hands, they can access the victim’s mailbox, read and exfiltrate messages, move laterally through Teams conversations, and download files from OneDrive — all while appearing to the Microsoft 365 audit log as the legitimate account holder accessing services from an authorized device registration.

    Kali365’s Telegram Distribution Model and AI-Generated Templates

    The FBI notes that Kali365 has been distributed through Telegram channels since it was first observed in April 2026. The subscription model means that running a Microsoft 365 compromise campaign no longer requires deep technical knowledge — the platform handles campaign deployment automatically and provides real-time victim tracking dashboards showing which targets have completed the authorization step and which tokens are ready for use.

    The platform also includes AI-generated phishing templates that accelerate lure creation and increase per-campaign personalization. Rather than recycling the same generic IT support email, Kali365 operators can generate contextually believable pretexts quickly. The combination of automated deployment, live victim dashboards, and AI-assisted lure generation compresses the time and skill required to run a Microsoft 365 compromise campaign to a subscription fee.

    Traditional email security controls are limited in their ability to catch this class of attack. Because the phishing email only needs to direct the victim to a real Microsoft URL — rather than a spoofed one — link-reputation engines and domain blocklists offer minimal protection.

    FBI Recommended Mitigations Against Kali365 Device Code Attacks

    The FBI’s advisory identifies three primary defensive measures organizations should implement against Kali365-style device code abuse.

    The first is restricting device code flow authentication through conditional access policies in Microsoft Entra ID. Device code flow can be blocked entirely for user accounts that do not require it, or it can be limited to specific trusted IP ranges or device compliance states. Most enterprise users have no legitimate need to authenticate via device code, making this a low-disruption policy to enforce.
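As an added example (not code from the FBI advisory or from Microsoft), the following Python builds the Microsoft Graph request body for a Conditional Access policy that blocks the device code flow, and checks whether an exported policy already enforces such a block. The Graph endpoint, the `authenticationFlows.transferMethods` condition and the `Policy.ReadWrite.ConditionalAccess` permission are real; the break-glass group id, named-location ids and the `GRAPH_TOKEN` environment variable are assumed placeholders.

```python
import json
import os
import urllib.request

# Real Graph v1.0 endpoint for Conditional Access policies.
GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"


def build_device_code_block_policy(break_glass_group_id, trusted_location_ids=(), report_only=True):
    """Return the Graph request body for a policy that blocks device code flow.

    - applies to all users and all cloud apps
    - excludes the emergency-access (break-glass) group so admins cannot lock themselves out
    - optionally exempts named locations (e.g. a lab subnet that genuinely needs device code)
    - starts in report-only mode so sign-in logs show who would have been blocked
    """
    conditions = {
        "users": {"includeUsers": ["All"], "excludeGroups": [break_glass_group_id]},
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["all"],
        # Flagged enum; "deviceCodeFlow" is the transfer method this policy targets.
        "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
    }
    if trusted_location_ids:
        conditions["locations"] = {
            "includeLocations": ["All"],
            "excludeLocations": list(trusted_location_ids),  # assumed named-location ids
        }
    return {
        "displayName": "Block device code flow (device code phishing mitigation)",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": conditions,
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def policy_blocks_device_code(policy):
    """True if a policy, as returned by Graph, enforces a block on device code flow for all users."""
    cond = policy.get("conditions") or {}
    # transferMethods is serialised as a comma-separated flag string, e.g. "deviceCodeFlow,authenticationTransfer".
    methods = {m.strip() for m in ((cond.get("authenticationFlows") or {}).get("transferMethods") or "").split(",")}
    grant = policy.get("grantControls") or {}
    users = (cond.get("users") or {}).get("includeUsers") or []
    return (policy.get("state") == "enabled"
            and "deviceCodeFlow" in methods
            and "block" in (grant.get("builtInControls") or [])
            and "All" in users)


def tenant_has_device_code_block(policies):
    """Scan an exported list of policies for at least one enforced device code block."""
    return any(policy_blocks_device_code(p) for p in policies)


def create_policy(body, token):
    """POST the policy to Graph; the token needs Policy.ReadWrite.ConditionalAccess."""
    req = urllib.request.Request(
        GRAPH_CA_POLICIES,
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    body = build_device_code_block_policy("00000000-0000-0000-0000-000000000000")  # placeholder group id
    print(json.dumps(body, indent=2))
    token = os.environ.get("GRAPH_TOKEN")  # assumed env var; only posts when present
    if token:
        print(create_policy(body, token)["id"])
```

Roll this out in report-only mode first, review the sign-in log for accounts that would have been blocked (those are the genuine device code users to exempt via a named location or group), then flip `report_only` to `False`.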

    The second measure is auditing OAuth tokens for suspicious sign-in patterns. Tokens issued through device code flow to unrecognized device registrations, or tokens with unusually broad delegated permissions that were never explicitly granted through an interactive session, should be investigated and revoked.

    The third measure is monitoring for unusual access patterns to Microsoft 365 services. Bulk email access, sudden downloads from OneDrive, or Teams data exports by accounts that do not normally perform those operations may indicate an active OAuth token compromise even after the initial Kali365 phishing event goes undetected.
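The second and third measures above (audit device code sign-ins, then watch for bulk access by the same account) can be scripted together. The Python below is an added example, not part of the advisory: it flags device code sign-ins from outside trusted networks and then counts the account's subsequent mailbox and file operations. The sign-in records use real Graph `signIn` field names (`authenticationProtocol` is `deviceCode` for this flow) and the audit records use unified audit log operation names (`MailItemsAccessed`, `FileDownloaded`), but all data, the trusted network range and the thresholds are constructed assumptions.

```python
import ipaddress
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample sign-ins (subset of Graph signIn fields); not real tenant data.
SIGN_INS = [
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2026-05-22T08:02:11Z",
     "ipAddress": "203.0.113.45", "appDisplayName": "Microsoft Authentication Broker",
     "authenticationProtocol": "deviceCode", "conditionalAccessStatus": "notApplied"},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2026-05-22T08:10:00Z",
     "ipAddress": "198.51.100.7", "appDisplayName": "Office 365 Exchange Online",
     "authenticationProtocol": "oAuth2", "conditionalAccessStatus": "success"},
    {"userPrincipalName": "carol@example.com", "createdDateTime": "2026-05-22T09:00:00Z",
     "ipAddress": "10.20.30.40", "appDisplayName": "Microsoft Authentication Broker",
     "authenticationProtocol": "deviceCode", "conditionalAccessStatus": "success"},
]


def _mk_audit(user, op, start, n, step_min=1):
    """Generate n constructed unified-audit-log records, one per minute from start."""
    t0 = datetime.fromisoformat(start)
    return [{"CreationTime": (t0 + timedelta(minutes=i * step_min)).strftime("%Y-%m-%dT%H:%M:%S"),
             "UserId": user, "Operation": op} for i in range(n)]


# Constructed audit records: alice reads 40 mail items and downloads 3 files after her sign-in.
AUDIT = (_mk_audit("alice@example.com", "MailItemsAccessed", "2026-05-22T08:20:00", 40)
         + _mk_audit("alice@example.com", "FileDownloaded", "2026-05-22T08:30:00", 3)
         + _mk_audit("bob@example.com", "MailItemsAccessed", "2026-05-22T08:15:00", 5))

# Assumed corporate egress range where device code use is tolerated.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_ts(s):
    """Parse Graph ('...Z') and unified audit log (no zone, UTC) timestamps alike."""
    dt = datetime.fromisoformat(s.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def device_code_sign_ins(sign_ins):
    """Sign-ins that used the device code protocol from outside trusted networks."""
    return [s for s in sign_ins
            if s.get("authenticationProtocol") == "deviceCode" and not is_trusted(s["ipAddress"])]


def bulk_access_after(sign_in, audit, window_hours=24, threshold=20):
    """Operations by the signed-in user within the window that meet the bulk threshold."""
    start = parse_ts(sign_in["createdDateTime"])
    end = start + timedelta(hours=window_hours)
    counts = Counter(r["Operation"] for r in audit
                     if r["UserId"] == sign_in["userPrincipalName"]
                     and start <= parse_ts(r["CreationTime"]) <= end)
    return {op: n for op, n in counts.items() if n >= threshold}


def correlate(sign_ins, audit, **kw):
    """One alert per suspicious device code sign-in; severity rises if bulk access followed."""
    alerts = []
    for s in device_code_sign_ins(sign_ins):
        bulk = bulk_access_after(s, audit, **kw)
        alerts.append({"user": s["userPrincipalName"], "ip": s["ipAddress"],
                       "signInTime": s["createdDateTime"], "bulkOperations": bulk,
                       "severity": "high" if bulk else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SIGN_INS, AUDIT):
        print(alert)
```

A medium alert alone (a device code sign-in from an untrusted address) is already worth revoking the account's refresh tokens and sessions; the high alert marks the case where the token has probably been used for collection and the mailbox and OneDrive activity should be reviewed.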

    Why Device Code Phishing Has Become Dominant Against M365 Environments

    Device code phishing has become a preferred technique against Microsoft 365 because it exploits the fundamental trust relationship between a user and their own identity provider. No credential is intercepted. No spoofed page is involved. The victim performs the authentication themselves, on real Microsoft infrastructure, and the outcome is an attacker holding a fully authorized OAuth token.

    Kali365’s Telegram distribution removes the operational expertise barrier. The FBI has not disclosed a specific victim count since the platform was first observed in April 2026, but the platform’s design — real-time dashboards, AI-generated templates, automated deployment — suggests it is architected for volume. Organizations relying on MFA alone as a complete defense against account compromise should treat device code flow access controls as a mandatory additional layer for any Microsoft 365 environment.
