The Federal Bureau of Investigation issued a stark warning this month. Cybercriminals now wield a subscription service called Kali365 to hijack Microsoft 365 accounts. They don’t need passwords. They don’t battle multi-factor authentication prompts. They simply trick users into a few clicks on legitimate Microsoft pages.
First spotted in April 2026, the platform sells access to AI-generated lures, ready-made campaign templates, live tracking dashboards and direct capture of OAuth tokens. Distributed mainly through Telegram channels, it has already fueled widespread campaigns against organizations of all sizes. FBI Internet Crime Complaint Center laid out the mechanics in plain language on May 21.
Attackers send emails that look routine. They pose as invitations to schedule interviews, requests to review shared documents or alerts from trusted cloud services. The message contains a short device code and directs the recipient to visit a genuine Microsoft verification page. There the user enters the code. Microsoft issues an access token. The attacker grabs it.
Once in possession of that token, the intruder walks straight into the victim’s Outlook inbox, Teams chats, OneDrive files and other Microsoft 365 resources. Persistent access follows. No further prompts. No stolen credentials. The victim may never realize anything happened until sensitive data leaves the building or inbox rules start forwarding mail to external addresses.
Phishing-as-a-Service platforms have matured into polished businesses.
Kali365 operates in at least two modes. The primary one exploits the OAuth 2.0 device authorization grant, originally built to let smart TVs and other limited-input devices authenticate. The second, known internally as Cookie Link, acts as an adversary-in-the-middle proxy that captures full authenticated browser sessions along with cookies and tokens. Both approaches bypass traditional MFA because the legitimate Microsoft service completes the authentication on the user’s behalf.
Security researchers first documented active campaigns in April. Arctic Wolf observed attackers creating malicious inbox rules, registering rogue devices and exfiltrating data at scale. Similar techniques appear in other services such as EvilTokens and Tycoon2FA, yet Kali365 stands out for its ease of use and real-time victim monitoring features. Bleeping Computer detailed those operational advantages just days after the FBI alert.
The speed of adoption surprised even seasoned defenders. Low-skilled operators who once struggled with credential phishing kits can now launch convincing attacks within minutes. AI handles the heavy lifting on email copy that slips past many spam filters. Dashboards show exactly who clicked, who entered codes and which tenants show signs of compromise. One successful token can open doors to business email compromise, intellectual property theft or ransomware staging.
Enterprise environments face particular risk. Many still permit the device code flow by default. Conditional access policies that could block it sit unused. Authentication transfer features, including QR code options, remain enabled in tenants that haven’t revisited configurations in years. The result is a path that feels frictionless to the attacker and invisible to the victim.
TechRadar spoke with security leaders who called out the trend toward commercialized phishing kits. Deborah Galea noted that platforms like Kali365 grow more common because they remove technical barriers. “Kali365 is especially dangerous since it bypasses Multi-Factor Authentication without stealing credentials,” she said. Her advice centered on three concrete actions organizations should take immediately. TechRadar published those steps alongside analysis of how the emails mimic legitimate traffic.
First, maintain constant vigilance. Train staff to question unexpected authentication requests, even when they point to real Microsoft domains. Monitor threat intelligence for fresh lures. Treat any unsolicited code-entry prompt as suspicious. Short, direct training beats generic annual modules.
Second, configure conditional access policies to block the device code authentication flow for all users. Microsoft provides straightforward settings to restrict this grant type. Organizations that audit and disable it see the attack vector disappear. The policy change requires little ongoing maintenance yet delivers outsized protection.
Third, block authentication transfer policies that allow QR codes or similar handoffs. These features simplify certain legitimate scenarios but hand attackers an easy pivot. Disabling them hardens the tenant without disrupting most workflows.
Additional steps from the FBI include auditing existing device code usage in logs, reporting confirmed incidents to the Internet Crime Complaint Center and preserving suspicious emails and headers for investigation. Cybersecurity Dive reported that defenders who act on these recommendations within days of the alert avoided the initial wave of incidents.
But policy alone won’t solve everything. Attackers evolve. New variants of Kali365 or copycat services will test fresh bypasses. Microsoft has updated guidance on device code flows and continues to refine detection in Defender for Office 365. Enterprises that combine the recommended blocks with phishing-resistant authentication methods, such as hardware keys or certificate-based logins, gain stronger posture.
The broader pattern merits attention. Business email compromise tied to Microsoft 365 environments has cost organizations billions. When attackers gain token-level access, they can read mail for months, impersonate executives and quietly map internal networks. The FBI’s alert arrives at a moment when many security teams feel stretched by alert volume and resource constraints.
Yet the fixes remain practical. Review tenant settings this week. Test conditional access rules in report-only mode first. Run a tabletop exercise around a device-code phishing scenario. Measure how quickly staff report suspicious prompts. Those small efforts compound.
And the threat won’t wait. Kali365 campaigns continue. Recent coverage from The Hill and local outlets shows the story reaching mainstream audiences, which may increase user awareness but also signals that attackers sense opportunity. The Hill emphasized that even careful users can fall for lures that route through official Microsoft verification pages.
Security leaders who treat this as a configuration problem rather than a training problem will fare better. Blocking the vulnerable flows removes the attacker’s preferred path. Training then serves as a second line of defense for the inevitable new techniques. Together they raise the cost of entry for operators who once found Microsoft 365 an easy target.
The FBI has made its position clear. Organizations that ignore the guidance expose not only their own data but also the partners and customers who trust their systems. In an environment where one compromised account can cascade across supply chains, the margin for delay has vanished.


WebProNews is an iEntry Publication