FBI Warns Kali365 Hijacks Microsoft 365 via Device Code

For victims, the trick won’t feel like hacking at all. It will look like a normal Microsoft login flow—right up until the moment the attacker is already inside.

The FBI is warning about a phishing-as-a-service platform called Kali365 that is being used to hijack Microsoft 365 accounts by abusing OAuth device code authentication to steal session tokens and bypass multi-factor authentication (MFA). The agency’s advisory describes how Kali365 helps criminals get access without needing to steal passwords or intercept MFA codes.

Kali365 first emerged in April 2026 and is distributed via Telegram channels aimed at cybercriminals looking for an easier path into Microsoft 365 accounts. Instead of credential theft, the platform relies on device code phishing—an approach that takes advantage of Microsoft’s legitimate OAuth 2.0 Device Authorization grant flow to gain access to Microsoft Entra and Microsoft 365 accounts.

The device code authentication method exists for a reason: it allows devices with limited input capabilities—smart TVs, conference room systems, streaming devices, printers, and IoT devices—to authenticate via another device using a short code at Microsoft’s device code login portal.

But in Kali365’s hands, that same mechanism becomes a setup for fraud. Device code phishing works by letting threat actors generate a code themselves during the device authorization process and then tricking victims into entering it on Microsoft’s login page through phishing and social engineering.

Once a victim enters the code and completes MFA, Microsoft issues an OAuth access token that grants the threat actor full access to the compromised account without the attacker needing to solve further MFA challenges.

That access is not limited to emails or a single app. With the attacker holding the OAuth access token, they can reach everything connected to the victim’s single sign-on account—including Microsoft 365 and other cloud SaaS platforms such as Salesforce—and use that access to steal data.

The FBI says Kali365 is especially dangerous because it lowers the skill needed to run high-impact phishing campaigns. The platform is described as giving even low-skilled attackers advanced phishing capabilities, including AI-generated phishing lures, automated campaign templates, real-time victim-tracking dashboards, and token-capture functionality.

Arctic Wolf reported on Kali365 activity in April after observing a widespread campaign targeting organizations worldwide. In those campaigns, Arctic Wolf said, the attacks primarily targeted Microsoft 365 environments using phishing emails that directed victims to Microsoft’s device code login portal—where the victims unknowingly authorized attackers to access their accounts.

Once inside mailboxes, the attackers created malicious inbox rules designed to hide their activity. In some attacks, they also registered new devices in victims’ Microsoft environments, extending their reach deeper into the breached network.

Arctic Wolf also described Kali365 as a business with distinct roles: admins who manage product development, resellers who promote the service to other threat actors, and affiliates who carry out phishing attacks.

Crucially, the platform operates in two separate attack modes. The first is device code phishing. The second is an adversary-in-the-middle (AitM) mode named “Cookie Link,” which proxies victims through attacker-controlled infrastructure that captures authenticated browser sessions, session cookies, and tokens after targets log in and solve MFA challenges.

The FBI’s recommendations focus on reducing the opportunity for these authentication flows to be abused. The agency urged companies to restrict or completely block device code authentication flows using Conditional Access policies where possible, audit existing device code usage, and block authentication transfer policies that allow authentication sessions to move between devices.
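As an added illustration of those two recommendations (this is example code, not anything from the FBI advisory or Arctic Wolf’s report), the Python below audits a handful of constructed Entra sign-in records for device code authentication, flagging ones from an IP address the user has never signed in from otherwise, and builds the body of a Conditional Access policy that blocks both device code flow and authentication transfer. The sign-in field names are assumed to follow the Microsoft Graph signIn resource, the policy body is assumed to follow Graph’s conditionalAccessPolicy schema, and the example.com users and IP addresses are made up; nothing here calls Graph.

```python
import json

# Constructed sample sign-in records (assumption: keys match the Graph signIn
# resource). Alice's device code sign-in comes from an IP she never used for a
# normal sign-in; Bob's comes from his usual address.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.10", "appDisplayName": "Outlook"},
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "appDisplayName": "Microsoft Office"},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.22", "appDisplayName": "Microsoft Teams"},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.22", "appDisplayName": "Outlook"},
]


def audit_device_code_signins(records):
    """Return every device code sign-in, marking those from an IP the user
    never used for any non-device-code sign-in in the same data set."""
    known_ips = {}
    for r in records:
        if r["authenticationProtocol"] != "deviceCode":
            known_ips.setdefault(r["userPrincipalName"], set()).add(r["ipAddress"])
    findings = []
    for r in records:
        if r["authenticationProtocol"] == "deviceCode":
            unfamiliar = r["ipAddress"] not in known_ips.get(r["userPrincipalName"], set())
            findings.append({"user": r["userPrincipalName"], "ip": r["ipAddress"],
                             "app": r["appDisplayName"], "unfamiliar_ip": unfamiliar})
    return findings


def build_block_policy(report_only=True):
    """Conditional Access policy body (assumed Graph schema) that blocks the
    device code flow and authentication transfer; report-only by default so
    the audit above can confirm nothing legitimate breaks before enforcing."""
    return {
        "displayName": "Block device code flow and authentication transfer",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    for finding in audit_device_code_signins(SAMPLE_SIGNINS):
        print(finding)
    print(json.dumps(build_block_policy(), indent=2))
```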

The FBI also told organizations that if they are impacted, they should report incidents to the Internet Crime Complaint Center and preserve phishing emails, suspicious login information, and unauthorized device registrations.

Device code phishing has been spreading through 2026. The FBI warned that other threat actors and platforms are using it as part of phishing campaigns and attacks, including EvilTokens PhaaS and Tycoon2FA, both of which are described as using the same approach to compromise Microsoft 365 and Entra accounts.

The tension in all of this is plain: Microsoft designed device code authentication to help low-input devices log in. Kali365 and similar services are turning that convenience into a doorway—one that opens after the victim completes MFA, long before an organization realizes what happened.
