FBI warns of Kali365 phishing service targeting Microsoft 365 accounts

The FBI is warning about the Kali365 phishing-as-a-service (PhaaS) platform being used to hack Microsoft 365 accounts by abusing OAuth device code authentication to steal session tokens and bypass multi-factor authentication (MFA).
According to the FBI PSA, Kali365 first appeared in April 2026 and is being distributed through Telegram channels by hackers looking for an easy way to compromise Microsoft 365 accounts without stealing passwords or capturing MFA codes.
The platform uses device code phishing, an increasingly popular technique that abuses Microsoft’s OAuth 2.0 device authorization flow to gain access to Microsoft Entra and Microsoft 365 accounts.
This authentication method was created to allow devices with limited input capabilities, such as smart TVs, conference room systems, streaming devices, printers, and IoT devices, to authenticate with the help of another device by entering a short code at Microsoft’s device code login portal.

[Image: Microsoft device code login portal. Source: BleepingComputer]
In February, BleepingComputer reported that gangs, including the ShinyHunters cybercrime group, were targeting Microsoft Entra accounts in device code phishing attacks.
In this attack, threat actors initiate the device authentication process themselves to generate a device code, then use phishing and social engineering to trick the target into entering that code on the legitimate Microsoft login page.
Once the victim enters the code and completes MFA, Microsoft issues an OAuth access token that gives the threat actor full access to the victim’s account, without the attacker ever having to answer an MFA challenge.
The threat actors then have full access to every application the user normally reaches through single sign-on, including Microsoft 365, Salesforce, and any other cloud SaaS platforms, which they use to steal data.
The FBI warns that Kali365 gives even low-skilled attackers access to advanced phishing capabilities, including AI-generated phishing traps, automated campaign templates, real-time victim tracking dashboards, and token capture functionality.
Security researchers at Arctic Wolf reported on Kali365’s activity in April after witnessing a widespread campaign targeting organizations around the world.
Researchers say the campaigns focused on Microsoft 365 environments using phishing emails that directed victims to a Microsoft device login portal, where they unknowingly authorized attackers to access their accounts.
Researchers say the resulting access gave the attackers control of victims’ mailboxes, where they created inbox rules designed to hide their activity.
In other attacks, the attackers also registered new devices in the victim’s Microsoft environment, and extended their access to the compromised network.
Arctic Wolf discovered that Kali365 operates like a business, with executives in charge of product development, resellers who promote the service to other threat actors, and affiliates who carry out phishing attacks.
Researchers say the platform offers two different attack modes: the first is device code phishing, and the second is an adversary-in-the-middle (AitM) mode called “Cookie Link.”
Cookie Link proxies victims through attacker-controlled infrastructure that captures the authenticated browser session, session cookies, and tokens after the target logs in and completes any MFA challenges.
The FBI recommends that organizations limit or completely block the device code authentication flow using Conditional Access policies where possible, audit existing use of device code authentication, and block authentication transfer, which allows an authenticated session to be moved between devices.
The agency also urged concerned organizations to report incidents to the Internet Crime Complaint Center and preserve phishing emails, suspicious login information, and unauthorized device registrations.
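The recommendations above (audit existing device code use) and the inbox-rule behaviour described earlier can be checked programmatically. The following is an added example written for this page, not code from the FBI, Arctic Wolf or BleepingComputer. It runs three checks over constructed sample records: it flags Entra sign-ins that used the device code protocol, flags newly created inbox rules whose parameters look like an attempt to hide mail, and verifies that a Conditional Access policy actually blocks the device code flow. The field names assume the Microsoft Entra sign-in log schema (`authenticationProtocol`), Exchange Online unified audit records for `New-InboxRule`, and the Microsoft Graph `conditionalAccessPolicy` shape (`conditions.authenticationFlows.transferMethods`); all record values are made up.

```python
"""Defender-side checks for device code phishing follow-up (added example)."""

# Constructed sample: Entra sign-in log records (subset of fields, made-up values).
SIGNIN_LOGS = [
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.10", "appDisplayName": "Microsoft Office"},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.77", "appDisplayName": "Microsoft Authentication Broker"},
    {"userPrincipalName": "carol@example.com", "authenticationProtocol": "ropc",
     "ipAddress": "203.0.113.11", "appDisplayName": "Microsoft Office"},
]

# Constructed sample: Exchange Online unified audit records for New-InboxRule.
INBOX_RULE_AUDIT = [
    {"UserId": "bob@example.com", "Operation": "New-InboxRule", "ClientIP": "198.51.100.77",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "password;invoice;security"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"UserId": "alice@example.com", "Operation": "New-InboxRule", "ClientIP": "203.0.113.10",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "From", "Value": "news@example.net"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
]

# Constructed sample: a Conditional Access policy in the Graph API shape (assumed).
BLOCK_DEVICE_CODE_POLICY = {
    "displayName": "Block device code flow",
    "state": "enabled",
    "conditions": {"users": {"includeUsers": ["All"]},
                   "applications": {"includeApplications": ["All"]},
                   "authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"}},
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}
REPORT_ONLY_POLICY = dict(BLOCK_DEVICE_CODE_POLICY, state="enabledForReportingButNotEnforced")

# Rule actions that make mail disappear from the inbox, and subject words attackers
# commonly filter on to hide security notices; both sets are the author's choice here.
HIDING_ACTIONS = {"MoveToFolder", "DeleteMessage", "SoftDeleteMessage", "MarkAsRead"}
HIDING_KEYWORDS = {"password", "invoice", "security", "phish", "hack", "suspicious", "mfa"}


def find_device_code_signins(records):
    """Return sign-ins that used the OAuth device code flow; each is worth reviewing."""
    return [r for r in records if r.get("authenticationProtocol") == "deviceCode"]


def find_hiding_inbox_rules(records):
    """Flag New-InboxRule events whose rule hides mail AND has a telltale name/filter."""
    flagged = []
    for r in records:
        if r.get("Operation") != "New-InboxRule":
            continue
        params = {p["Name"]: p["Value"] for p in r.get("Parameters", [])}
        actions = HIDING_ACTIONS & params.keys()
        words = {w.strip().lower() for w in params.get("SubjectContainsWords", "").split(";") if w.strip()}
        keyword_hits = words & HIDING_KEYWORDS
        # A rule named with only punctuation/whitespace is a classic sign of a rule meant to go unnoticed.
        blank_name = not params.get("Name", "").strip(" .,-_")
        if actions and (keyword_hits or blank_name):
            flagged.append({"user": r["UserId"], "ip": r.get("ClientIP"),
                            "actions": sorted(actions), "keywords": sorted(keyword_hits),
                            "blank_name": blank_name})
    return flagged


def policy_blocks_device_code(policy):
    """True only if the policy is enforced, scopes the device code flow, and blocks it."""
    flows = policy.get("conditions", {}).get("authenticationFlows") or {}
    raw = flows.get("transferMethods", "")
    methods = set(raw) if isinstance(raw, list) else {m.strip() for m in raw.split(",") if m.strip()}
    controls = set(policy.get("grantControls", {}).get("builtInControls", []))
    return policy.get("state") == "enabled" and "deviceCodeFlow" in methods and "block" in controls


if __name__ == "__main__":
    for s in find_device_code_signins(SIGNIN_LOGS):
        print(f"device code sign-in: {s['userPrincipalName']} from {s['ipAddress']} via {s['appDisplayName']}")
    for h in find_hiding_inbox_rules(INBOX_RULE_AUDIT):
        print(f"suspicious inbox rule: {h}")
    print("block policy enforced:", policy_blocks_device_code(BLOCK_DEVICE_CODE_POLICY))
    print("report-only policy enforced:", policy_blocks_device_code(REPORT_ONLY_POLICY))
```

The inbox-rule check requires both a hiding action and a second indicator (keyword filter or blank name) so that ordinary "file newsletters" rules are not flagged; the policy check deliberately returns false for a report-only policy, since a policy that is not enforced does nothing to stop the flow.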
Device code phishing has seen widespread adoption in 2026, with some threat actors and platforms now using it as part of their phishing and attack campaigns.
These include the EvilTokens PhaaS platform and Tycoon2FA, which are also used to compromise Microsoft 365 and Entra accounts.