Microsoft 365 Phishing Scam Alert: FBI Warns of Kali365 Threat


The Federal Bureau of Investigation (FBI) has issued a public service announcement (PSA) regarding a phishing-as-a-service (PhaaS) platform known as Kali365.

The Kali365 platform is specifically designed to target Microsoft 365 accounts. It utilizes device code authentication to bypass multi-factor authentication (MFA) and gain unauthorized access to user accounts.

According to the FBI:

Kali365 first emerged in April 2026 and has been distributed via Telegram channels catering to cybercriminals seeking a more efficient means of compromising Microsoft 365 accounts without resorting to traditional password cracking or MFA code interception methods.

“Kali365 exploits Microsoft’s OAuth 2.0 Device Authorization grant flow, which was intended to facilitate seamless interactions between devices with limited input capabilities, such as smart TVs.”

Device Code Phishing: A New Tactic

Device code phishing, the technique Kali365 employs, involves the attacker initiating the device authorization process to generate a code and then tricking the victim into entering that code through phishing and social engineering.

Once the victim enters the code and completes MFA, Microsoft issues an OAuth access token that grants the threat actor unrestricted access to the compromised account, including all connected applications that rely on single sign-on, such as Microsoft 365, Salesforce, and other cloud-based Software as a Service (SaaS) platforms.

Safety Measures

To mitigate potential risks, the FBI advises companies to restrict or completely block device code authentication flows using Conditional Access policies, audit existing device code usage, and block authentication transfer, which allows an authentication session to move from one device to another.
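The two defensive steps above, auditing existing device code sign-ins and blocking the flow with Conditional Access, can both be driven from Microsoft Graph. The following is an added example, not FBI guidance or Microsoft tooling: it filters constructed sign-in records shaped like Graph `signIn` objects (the `authenticationProtocol` field and its `deviceCode` value are real Graph properties) and builds a `conditionalAccessPolicy` body whose `authenticationFlows.transferMethods` condition covers both the device code flow and authentication transfer. The sample user names, IP addresses and the break-glass exclusion are placeholders; the comma-separated flag format for `transferMethods` should be confirmed against the current Graph reference before use.

```python
"""Audit sign-in records for device code authentications and build a Conditional
Access policy body that blocks device code flow and authentication transfer.
Added example, not the FBI's or Microsoft's code. The records below are
constructed and trimmed to the fields the audit needs; in production they would
come from GET /auditLogs/signIns."""
import json
from collections import Counter

# Constructed sample sign-in records (hypothetical users and RFC 5737 test IPs).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Authentication Broker",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Authentication Broker",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7",
     "status": {"errorCode": 50199}},  # interrupted attempt; no token was issued
    {"userPrincipalName": "carol@example.com", "appDisplayName": "Azure CLI",
     "authenticationProtocol": "deviceCode", "ipAddress": "192.0.2.44",
     "status": {"errorCode": 0}},
]


def device_code_signins(records, successful_only=True):
    """Return the sign-in records that used the device code grant.

    With successful_only, attempts whose errorCode is non-zero are dropped,
    since only a completed flow yields the access token the article describes."""
    hits = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        if successful_only and rec.get("status", {}).get("errorCode", 0) != 0:
            continue
        hits.append(rec)
    return hits


def summarize_by_user(records):
    """Count successful device code sign-ins per user.

    This is the list a responder reviews against expected usage (CLI tools,
    kiosks, input-constrained devices) before deciding what to block."""
    return Counter(r["userPrincipalName"] for r in device_code_signins(records))


def build_block_policy(display_name="Block device code flow and authentication transfer",
                       excluded_users=()):
    """Build a policy body for POST /identity/conditionalAccess/policies.

    Property names follow Microsoft Graph conditionalAccessPolicy. The policy
    starts in report-only mode so the audit above can be compared with what it
    would block; excluded_users is a placeholder for break-glass account IDs."""
    return {
        "displayName": display_name,
        "state": "enabledForReportingButNotEnforced",  # switch to "enabled" after review
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(excluded_users)},
            "applications": {"includeApplications": ["All"]},
            # Flag enum: both transfer methods named in the FBI advice.
            "authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    print("Successful device code sign-ins per user:", dict(summarize_by_user(SAMPLE_SIGNINS)))
    print(json.dumps(build_block_policy(excluded_users=["<break-glass-object-id>"]), indent=2))
```

Running the audit first and deploying the policy in report-only mode lets a tenant see which legitimate device code users (for example, administrators using Azure CLI) need an alternative sign-in path before the block is enforced.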

Impacted organizations are also encouraged to report incidents to the Internet Crime Complaint Center and preserve relevant evidence, including phishing emails, suspicious login information, and unauthorized device registrations.
