FBI Warns Kali365 PhaaS Steals Microsoft 365 Tokens at Scale
New phishing-as-a-service platform sidesteps MFA by abusing the OAuth device code flow. FBI PSA details how Kali365's AI-generated lures and $250/month pricing are enabling widespread credential theft.
The FBI issued a public warning about Kali365, a phishing-as-a-service platform that has rapidly gained traction among cybercriminals since emerging in April 2026. The platform harvests OAuth tokens from Microsoft 365 accounts without ever touching the password or the second factor: the victim completes MFA on Microsoft's own sign-in page, and the attacker inherits the resulting session. This is yet another challenge to the social engineering defenses that organizations have built around credential protection.
FBI PSA I-052126-PSA describes Kali365 as lowering the barrier for less-technical attackers to execute sophisticated credential-harvesting campaigns. At $250 per month or $2,000 annually, it's priced for volume operators.
How Kali365 Bypasses MFA
Kali365 abuses the OAuth 2.0 device code flow, a legitimate Microsoft authentication mechanism designed for devices and tools without a usable browser, such as smart TVs, IoT hardware and command-line clients. The attack works in four stages:
- Phishing email arrives impersonating a Microsoft service (SharePoint, Teams, OneDrive)
- User code is provided with instructions to enter it at Microsoft's real verification page; the attacker has already requested this code from Microsoft's device authorization endpoint and holds the matching device code, which never reaches the victim
- Victim authenticates normally, entering the code and completing MFA challenges
- Token captured: the attacker's client, which has been polling the token endpoint with the device code, receives the victim's access and refresh tokens
The key insight: victims visit the real Microsoft login page and complete real MFA. Nothing looks suspicious because nothing is forged; the victim has simply approved a sign-in that someone else started. The only cues are that the code arrived by email rather than appearing on a screen in front of them, and that the verification page names an application they never launched.
Once captured, these tokens provide persistent access to Outlook, Teams, OneDrive and other M365 services without further passwords or prompts; the refresh token keeps minting new access tokens until it is revoked or Conditional Access re-evaluation rejects it. Attackers can read email, exfiltrate files and pivot to further compromise while the victim remains unaware. For responders, that means revoking the user's sign-in sessions and refresh tokens, not only resetting the password, and treating any already-issued access token as live until it expires. Token theft of this kind has been deployed at scale before, including in the Microsoft Exchange zero-day campaign that targeted Outlook Web Access sessions.
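To make the four stages concrete, here is an added example that simulates the device authorization grant (RFC 8628) offline with the roles split the way a device code phish splits them. It is not code from the FBI PSA, from Kali365 or from this page's author: the mock server, the placeholder client ID, the lure text and the victim address are all constructed for illustration, and no network calls are made. The 900-second expiry and 5-second poll interval are the values Microsoft's real device code endpoint returns.

```python
"""Offline simulation of the OAuth 2.0 device authorization grant (RFC 8628),
with the attacker playing the 'device' that requested the code and the victim
signing in on the real verification page. MockAuthorizationServer stands in for
Entra's /oauth2/v2.0/devicecode and /oauth2/v2.0/token endpoints (constructed)."""
import secrets
import string

USER_CODE_ALPHABET = string.ascii_uppercase + string.digits


class MockAuthorizationServer:
    """Minimal stand-in for the identity provider. Times are plain seconds passed
    in by the caller so the expiry window can be shown deterministically."""

    def __init__(self, expires_in=900, interval=5):
        self.expires_in = expires_in
        self.interval = interval
        self._pending = {}  # device_code -> pending authorization record

    def device_authorization(self, client_id, scope, now):
        """POST /devicecode: the caller gets a secret device_code to poll with and a
        short user_code meant to be typed into the verification page."""
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(9))
        self._pending[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "expires_at": now + self.expires_in, "subject": None,
        }
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://microsoft.com/devicelogin",
                "expires_in": self.expires_in, "interval": self.interval}

    def user_completes(self, user_code, subject, mfa_passed, now):
        """The person at the verification page enters the code, signs in and passes
        MFA there. The password and second factor never leave this step."""
        for rec in self._pending.values():
            if rec["user_code"] == user_code:
                if now > rec["expires_at"] or not mfa_passed:
                    return False
                rec["subject"] = subject
                return True
        return False

    def token(self, client_id, device_code, now):
        """POST /token with grant_type=urn:ietf:params:oauth:grant-type:device_code.
        Whoever holds the device_code gets the tokens once the user has approved."""
        rec = self._pending.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if now > rec["expires_at"]:
            del self._pending[device_code]
            return {"error": "expired_token"}
        if rec["subject"] is None:
            return {"error": "authorization_pending"}
        del self._pending[device_code]
        # Real tokens are JWTs or opaque blobs; these stand-ins embed the subject so
        # the reader can see whose account the tokens were issued for.
        return {"token_type": "Bearer", "scope": rec["scope"], "expires_in": 3600,
                "access_token": f"at|{rec['subject']}|{secrets.token_hex(8)}",
                "refresh_token": f"rt|{rec['subject']}|{secrets.token_hex(8)}"}


def token_subject(token):
    """Extract the account a stand-in token was issued for."""
    return token.split("|")[1]


def simulate(server, victim_delay, mfa_passed=True, victim="victim@contoso.example"):
    """Run one lure end to end. victim_delay is how many seconds after the code was
    requested the victim follows the lure. Returns the lure text, the final
    token-endpoint response and the elapsed simulated seconds."""
    client_id = "client-id-permitted-to-use-device-code-flow"  # hypothetical placeholder
    grant = server.device_authorization(client_id, "openid offline_access Mail.Read", now=0)
    # This is all the phishing email needs to carry: the real URL and the user code.
    lure = (f"A SharePoint document was shared with you. Open {grant['verification_uri']} "
            f"and enter code {grant['user_code']} to view it.")
    victim_done = False
    response = {"error": "authorization_pending"}
    for t in range(0, server.expires_in + 2 * server.interval, server.interval):
        if not victim_done and t >= victim_delay:
            victim_done = server.user_completes(grant["user_code"], victim, mfa_passed, now=t)
        response = server.token(client_id, grant["device_code"], now=t)  # attacker polls
        if response.get("error") != "authorization_pending":
            break
    return {"lure": lure, "response": response, "elapsed": t}


if __name__ == "__main__":
    hit = simulate(MockAuthorizationServer(), victim_delay=120)
    print(hit["lure"])
    print(hit["response"])   # access_token and refresh_token for the victim
    late = simulate(MockAuthorizationServer(), victim_delay=1200)
    print(late["response"])  # {'error': 'expired_token'}
```

Two properties of the protocol fall out of the simulation. The attacker's side only ever handles the user code and the device code, never a password or an MFA response, which is why the flow sidesteps MFA rather than breaking it. And the codes expire after expires_in seconds, so a lure only works if the victim acts inside that window; a stale code in a reported email cannot be redeemed by an analyst, and the device_code the attacker polls with is never visible to the victim at all.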
Why This Platform Stands Out
Kali365 packages several capabilities that collectively enable sophisticated campaigns without technical expertise:
- AI-generated phishing templates — convincing lures that adapt to target context
- Automated campaign deployment — schedule and launch attacks with minimal manual work
- Real-time tracking dashboards — monitor which victims have opened emails and completed authentication
- OAuth token capture — the actual credential harvest, delivered directly to operators
Arctic Wolf Labs researchers who analyzed the platform noted that it has been primarily distributed via Telegram, following the model of other successful phishing-as-a-service operations.
Connection to Device Code Phishing Surge
Kali365's emergence coincides with a broader increase in device code phishing attacks. We've tracked accelerating device code phishing activity throughout 2026, with successful compromises now counted in the hundreds per day.
The technique isn't new—security researchers have warned about OAuth device code abuse for years—but the commoditization through platforms like Kali365 has democratized access to the attack vector. What once required custom tooling and technical skill now requires a credit card and a Telegram account.
Defensive Recommendations
The FBI's advisory includes specific mitigations that organizations should implement immediately:
- Create Conditional Access policies that block (or, where blocking is impossible, restrict) device code flow authentication; the flow is a selectable condition under "authentication flows" in Conditional Access
- Audit existing device code usage first (the Entra sign-in logs record the authentication protocol of each sign-in) to identify legitimate use cases such as headless devices and CLI tooling before blocking, and run the policy in report-only mode until the audit is clean
- Block authentication transfer, the other flow under the same Conditional Access condition, where it is not operationally required
- Exclude emergency access (break-glass) accounts from any restrictions to prevent lockout
- Train users to recognize device code phishing attempts: a sign-in code delivered by email, or a prompt to approve an application they did not launch
Microsoft provides documentation on restricting device code flow through Conditional Access policies. Organizations that don't need this authentication method for legitimate purposes should block it entirely, for all users and all resources, with only the break-glass accounts excluded.
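The audit-then-block sequence above, as an added example that is not the FBI's or Microsoft's code: it assumes the record shape Microsoft Graph returns from GET /auditLogs/signIns (the authenticationProtocol field marks device code sign-ins) and the policy body accepted by POST /identity/conditionalAccess/policies, which needs the Policy.ReadWrite.ConditionalAccess permission. The sign-in records are constructed, the GUIDs are placeholders, and nothing here talks to Graph; the functions produce and check the data a practitioner would feed into it.

```python
"""Audit device-code sign-ins, then build and sanity-check the Conditional Access
policy body that blocks the flow. Record shapes follow Microsoft Graph; the
records themselves are constructed and the GUIDs are placeholders."""
import json
from collections import Counter

# Constructed sign-in events in the shape of GET /auditLogs/signIns (Graph).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "kiosk-svc@contoso.example", "appDisplayName": "Contoso Kiosk",
     "appId": "11111111-1111-1111-1111-111111111111", "authenticationProtocol": "deviceCode",
     "status": {"errorCode": 0}, "createdDateTime": "2026-05-18T08:01:12Z"},
    {"userPrincipalName": "kiosk-svc@contoso.example", "appDisplayName": "Contoso Kiosk",
     "appId": "11111111-1111-1111-1111-111111111111", "authenticationProtocol": "deviceCode",
     "status": {"errorCode": 0}, "createdDateTime": "2026-05-19T08:00:40Z"},
    {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Outlook",
     "appId": "22222222-2222-2222-2222-222222222222", "authenticationProtocol": "none",
     "status": {"errorCode": 0}, "createdDateTime": "2026-05-19T09:12:00Z"},
    {"userPrincipalName": "bob@contoso.example", "appDisplayName": "Microsoft Office",
     "appId": "33333333-3333-3333-3333-333333333333", "authenticationProtocol": "deviceCode",
     "status": {"errorCode": 0}, "createdDateTime": "2026-05-19T11:47:03Z"},
    {"userPrincipalName": "carol@contoso.example", "appDisplayName": "Microsoft Office",
     "appId": "33333333-3333-3333-3333-333333333333", "authenticationProtocol": "deviceCode",
     "status": {"errorCode": 50126}, "createdDateTime": "2026-05-19T11:49:30Z"},
]


def audit_device_code(signins, successful_only=True):
    """Count device-code sign-ins per (user, app). A service account that shows up
    every day is a legitimate use to exempt or migrate before blocking; an
    interactive user suddenly using the flow is what a phish looks like in the logs."""
    counts = Counter()
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            continue
        if successful_only and s.get("status", {}).get("errorCode", 0) != 0:
            continue
        counts[(s["userPrincipalName"], s["appDisplayName"])] += 1
    return counts


def build_block_policy(break_glass_user_ids, display_name="Block device code flow", enforce=False):
    """Policy body for POST /identity/conditionalAccess/policies. Starts in
    report-only mode; pass enforce=True once the audit is clean. transferMethods
    is a comma-separated flags value in Graph."""
    return {
        "displayName": display_name,
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass_user_ids)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            "authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def policy_findings(policy):
    """Pre-flight checks to run before the policy is created or switched to enforced."""
    findings = []
    c = policy["conditions"]
    if not c["users"].get("excludeUsers"):
        findings.append("no emergency-access accounts excluded; an enforced policy can lock admins out")
    if "deviceCodeFlow" not in c.get("authenticationFlows", {}).get("transferMethods", ""):
        findings.append("policy does not target deviceCodeFlow")
    if "block" not in policy["grantControls"]["builtInControls"]:
        findings.append("grant control is not block")
    if policy["state"] == "enabled" and c["applications"]["includeApplications"] != ["All"]:
        findings.append("enforced policy does not cover all resources; the flow stays open elsewhere")
    return findings


if __name__ == "__main__":
    for (user, app), n in audit_device_code(SAMPLE_SIGNINS).most_common():
        print(f"{n:3d}  {user:28s} {app}")
    policy = build_block_policy(["00000000-0000-0000-0000-0000000000b6"])  # placeholder break-glass ID
    print(policy_findings(policy) or "no findings")
    print(json.dumps(policy, indent=2))
```

The audit deliberately counts successful sign-ins only by default: failed device code attempts are still worth reviewing for targeting, but they are not the usage you need to preserve. Once the report-only policy has run long enough to confirm that the exempted accounts cover every legitimate entry in the audit, rebuild the body with enforce=True and PATCH the existing policy rather than creating a second one.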
Reporting
The FBI requests that victims and targets report incidents to www.ic3.gov with details including:
- Suspicious emails with device codes
- Unauthorized logins or account activity
- Phishing URLs and sender information
Early reporting helps law enforcement track campaigns and potentially disrupt infrastructure. Given the scale Kali365 enables, collective visibility across targets matters more than usual.
Why This Matters
MFA was supposed to be the solution to credential theft. Device code phishing represents a fundamental challenge to that assumption—it doesn't break MFA, it works around it entirely by tricking users into authenticating legitimate sessions on behalf of attackers.
The commoditization through Kali365 means this technique is now accessible to anyone willing to pay $250 a month. Expect volume to increase as more operators discover they can sidestep MFA without writing a line of code. For defenders, blocking device code flow where possible is no longer optional; it's table stakes.
Related Articles
ConsentFix v3 Automates OAuth Phishing Against Azure Tenants
New ConsentFix v3 attack automates Microsoft Azure OAuth credential theft using Pipedream webhooks and Cloudflare phishing pages. Pre-trusted apps bypass MFA entirely.
May 3, 2026

Device Code Phishing Hits 340+ Microsoft 365 Orgs in 5 Countries
EvilTokens phishing platform targets Microsoft 365 identities across US, Canada, Australia, New Zealand, and Germany. OAuth abuse bypasses MFA to steal access tokens.
Mar 26, 2026

Device Code Phishing Surges 40% — Hundreds Compromised Daily
AI-enabled device code phishing campaigns hit hundreds of Microsoft 365 accounts daily since mid-March. Criminal toolkits proliferate as attacks bypass MFA at scale.
May 17, 2026

FBI Seizes W3LL Phishing Kit, Developer Arrested in Indonesia
Joint FBI-Indonesian operation dismantles W3LL phishing platform behind $20M in fraud attempts. Developer arrested after 25,000+ stolen accounts sold since 2019.
Apr 13, 2026