FBI warns of Kali365 phishing service targeting Microsoft 365 accounts
Key Points:
- The FBI has issued a warning about Kali365, a phishing-as-a-service platform that hijacks Microsoft 365 accounts by exploiting OAuth device code authentication to steal session tokens and bypass multi-factor authentication (MFA).
- Kali365, emerging in April 2026 and distributed via Telegram, uses device code phishing to trick victims into authorizing attacker access through Microsoft's device code login portal without exposing passwords or MFA codes.
- The platform offers advanced phishing tools such as AI-generated lures, automated templates, real-time victim tracking, and token capture, enabling even low-skilled attackers to compromise Microsoft 365 and other cloud SaaS accounts.
- Security researchers at Arctic Wolf observed widespread Kali365 campaigns targeting Microsoft 365 users worldwide, where attackers gained mailbox access, created malicious inbox rules, and registered new devices to extend network access.
- The FBI advises organizations to restrict or block device code authentication via Conditional Access policies, audit device code usage, block authentication transfer policies, and report incidents to the Internet Crime Complaint Center.
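
A sketch of the "audit device code usage" step, added here as an illustration and not taken from the FBI advisory or Arctic Wolf's reporting: it lists device-code sign-ins and raises the severity when the same account creates an inbox rule or registers a device shortly afterwards, the follow-on activity described above. The record layout, the two-hour window, the `approved` allow-list and all sample records are assumptions constructed for this example; map the field and operation names to your own sign-in and audit log exports.

```python
"""Audit sketch: flag device-code sign-ins followed by persistence actions."""
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry). Field names are a
# simplified, assumed export schema, not a vendor's exact log format.
SIGNINS = [
    {"user": "alice@example.com", "time": "2026-05-02T09:14:00", "protocol": "deviceCode", "ip": "203.0.113.7"},
    {"user": "bob@example.com", "time": "2026-05-02T09:20:00", "protocol": "oAuth2", "ip": "198.51.100.4"},
    {"user": "carol@example.com", "time": "2026-05-02T10:01:00", "protocol": "deviceCode", "ip": "192.0.2.55"},
]
AUDIT = [
    {"user": "alice@example.com", "time": "2026-05-02T09:31:00", "operation": "New-InboxRule"},
    {"user": "alice@example.com", "time": "2026-05-02T09:40:00", "operation": "Register device"},
    {"user": "bob@example.com", "time": "2026-05-02T09:25:00", "operation": "New-InboxRule"},
    {"user": "carol@example.com", "time": "2026-05-03T15:00:00", "operation": "New-InboxRule"},
]
# Operations treated as post-compromise follow-up (assumed names; match your logs).
FOLLOW_UP_OPS = {"New-InboxRule", "Set-InboxRule", "Register device"}
SEVERITY_ORDER = {"high": 0, "review": 1, "info": 2}


def audit_device_code(signins, audit, approved=frozenset(), window=timedelta(hours=2)):
    """Return one finding per device-code sign-in, highest severity first.

    approved: accounts with a documented need for device code flow
    (for example shared-display or kiosk accounts).
    """
    findings = []
    for s in signins:
        if s["protocol"] != "deviceCode":
            continue  # only the device code flow is in scope for this audit
        start = datetime.fromisoformat(s["time"])
        follow_ups = sorted(
            a["operation"] for a in audit
            if a["user"] == s["user"]
            and a["operation"] in FOLLOW_UP_OPS
            and start <= datetime.fromisoformat(a["time"]) <= start + window
        )
        if follow_ups:
            severity = "high"      # device code sign-in plus rule/device change
        elif s["user"] not in approved:
            severity = "review"    # unexpected use of the flow on its own
        else:
            severity = "info"      # expected use by an approved account
        findings.append({"user": s["user"], "ip": s["ip"], "time": s["time"],
                         "severity": severity, "follow_ups": follow_ups})
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f["severity"]], f["time"]))


if __name__ == "__main__":
    for finding in audit_device_code(SIGNINS, AUDIT):
        print(finding)
```

Accounts that never appear in the output are candidates for the Conditional Access block the FBI recommends; accounts that do appear need either a documented exception or an investigation.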