LmCast :: Stay tuned in

FBI warns of Kali365 phishing service targeting Microsoft 365 accounts

Recorded: May 25, 2026, 1 p.m.

By Lawrence Abrams

May 25, 2026
08:45 AM

The FBI is warning about the Kali365 phishing-as-a-service (PhaaS) platform, which is used to hijack Microsoft 365 accounts by abusing OAuth device code authentication to steal session tokens and bypass multi-factor authentication (MFA).
According to the FBI PSA, Kali365 first emerged in April 2026 and is distributed via Telegram channels for cybercriminals seeking an easier way to compromise Microsoft 365 accounts without stealing passwords or intercepting MFA codes. 
The platform uses device code phishing, an increasingly popular method that abuses Microsoft's legitimate OAuth 2.0 Device Authorization grant flow to gain access to Microsoft Entra and Microsoft 365 accounts.
This authentication method was created to allow devices with limited input capabilities, such as smart TVs, conference room systems, streaming devices, printers, and IoT devices, to authenticate via another device using a short code at Microsoft's device code login portal, http://microsoft.com/devicelogin.

[Image: Device code authentication form. Source: BleepingComputer]
In February, BleepingComputer reported that extortion gangs, including the ShinyHunters cybercrime group, were targeting Microsoft Entra accounts via device-code and voice phishing.
In these attacks, threat actors initiate the device authorization process themselves to generate a code, then trick targets into entering it on Microsoft's login page via phishing and social engineering.
Once the victim enters the code and completes MFA, Microsoft issues an OAuth access token that grants the threat actor full access to the victim's account, without the attacker ever having to solve an MFA challenge themselves.
The threat actors then have access to every application the user can reach through their single sign-on account, including Microsoft 365, Salesforce, and any other cloud SaaS platform, which they use to steal data.
The FBI warns that Kali365 gives even low-skilled attackers access to advanced phishing capabilities, including AI-generated phishing lures, automated campaign templates, real-time victim-tracking dashboards, and token-capture functionality. 
Security researchers at Arctic Wolf reported on Kali365 activity in April after observing a widespread campaign targeting organizations worldwide.
The researchers said that the campaigns primarily targeted Microsoft 365 environments using phishing emails that directed victims to Microsoft's device code login portal, where they unknowingly authorized attackers to access their accounts.
The researchers said the resulting attacks gave the hackers access to their mailboxes, where they created malicious inbox rules designed to hide their activity.
In some of the attacks, attackers also registered new devices in victims' Microsoft environments, further extending their access to the breached network.
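The post-compromise behaviour described above (malicious inbox rules created to hide the intruder's activity) leaves records in the Exchange Online unified audit log. The following is an added triage example, not code from BleepingComputer, Arctic Wolf or the FBI advisory: it scores `New-InboxRule` / `Set-InboxRule` records for the hiding patterns typically seen after a mailbox takeover (near-empty rule names, delete or mark-as-read actions, parking mail in folders like "RSS Subscriptions", conditions keyed on security or finance keywords). The audit records are constructed for the example, and the field layout (`Operation`, `UserId`, `ClientIP`, a `Parameters` list of name/value pairs) is an assumption about the export format; adjust the keys to match your own exports.

```python
import json

# Constructed sample: three Exchange Online "New-InboxRule" records in the assumed
# shape of unified audit log entries (a JSON array). Real exports carry many more fields.
SAMPLE_AUDIT_LOG = """[
 {"CreationTime": "2026-05-20T09:12:44", "Operation": "New-InboxRule", "UserId": "alice@example.com",
  "ClientIP": "203.0.113.7",
  "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "DeleteMessage", "Value": "True"},
                 {"Name": "SubjectContainsWords", "Value": "invoice;password;security alert"}]},
 {"CreationTime": "2026-05-20T09:13:10", "Operation": "New-InboxRule", "UserId": "alice@example.com",
  "ClientIP": "203.0.113.7",
  "Parameters": [{"Name": "Name", "Value": "RSS"}, {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
                 {"Name": "MarkAsRead", "Value": "True"}, {"Name": "FromAddressContainsWords", "Value": "helpdesk"}]},
 {"CreationTime": "2026-05-20T11:02:00", "Operation": "New-InboxRule", "UserId": "bob@example.com",
  "ClientIP": "198.51.100.4",
  "Parameters": [{"Name": "Name", "Value": "Newsletters"}, {"Name": "MoveToFolder", "Value": "Newsletters"},
                 {"Name": "SubjectContainsWords", "Value": "newsletter"}]}
]"""

# Folders in which hidden mail is commonly parked (heuristic list, lower-cased).
PARKING_FOLDERS = {"rss subscriptions", "rss feeds", "archive", "conversation history",
                   "junk email", "deleted items"}
# Keywords in rule conditions that suggest the rule targets security or finance mail.
WATCH_WORDS = {"password", "security", "invoice", "payment", "helpdesk", "mfa", "hacked", "suspicious"}


def parse_records(text):
    """Parse a JSON array of audit log records."""
    return json.loads(text)


def params_of(record):
    """Flatten the Parameters name/value list into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def rule_score(record):
    """Return (score, reasons) for an inbox-rule record; 0 means nothing suspicious found."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return 0, []
    p = params_of(record)
    score, reasons = 0, []
    name = p.get("Name", "")
    if len(name.strip(" .,_-")) <= 1:          # rules named "." or "," are a classic tell
        score += 2
        reasons.append(f"near-empty rule name {name!r}")
    if p.get("DeleteMessage") == "True":
        score += 3
        reasons.append("deletes matching mail")
    if p.get("MoveToFolder", "").lower() in PARKING_FOLDERS:
        score += 2
        reasons.append(f"moves mail to {p['MoveToFolder']!r}")
    if p.get("MarkAsRead") == "True":
        score += 1
        reasons.append("marks mail as read")
    # Any *ContainsWords condition (Subject, Body, FromAddress, ...) is checked for watch words.
    conditions = " ".join(v.lower() for k, v in p.items() if k.endswith("ContainsWords"))
    hits = sorted(w for w in WATCH_WORDS if w in conditions)
    if hits:
        score += 2
        reasons.append(f"conditions mention {hits}")
    return score, reasons


def suspicious_inbox_rules(records, threshold=4):
    """Return findings for records whose score reaches the threshold."""
    findings = []
    for r in records:
        score, reasons = rule_score(r)
        if score >= threshold:
            findings.append({"user": r["UserId"], "time": r["CreationTime"],
                             "ip": r.get("ClientIP"), "score": score, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in suspicious_inbox_rules(parse_records(SAMPLE_AUDIT_LOG)):
        print(finding)
```

Both of alice's rules are flagged (a delete rule named "." keyed on security keywords, and a move-to-RSS rule that also marks mail read), while bob's ordinary newsletter rule scores zero. The client IP on a flagged rule is worth correlating with the sign-in log, since the rule is usually created from the same session that obtained the stolen token.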
Arctic Wolf found that Kali365 operates as a business, with admins who manage product development, resellers who promote the service to other threat actors, and affiliates who conduct phishing attacks.
The researchers say the platform offers two separate attack modes, with the first being device code phishing and the second being an adversary-in-the-middle (AitM) mode named "Cookie Link."
Cookie Link proxies victims through attacker-controlled infrastructure that captures authenticated browser sessions, session cookies, and tokens after targets log in and solve MFA challenges.
The FBI recommends companies restrict or completely block device code authentication flows using Conditional Access policies where possible, audit existing device code usage, and block authentication transfer, which allows an authentication session to move between devices.
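The two defensive steps above, blocking the flow with Conditional Access and auditing who still uses it, can be scripted against Microsoft Graph. The following is an added example and not code from the FBI advisory or BleepingComputer: `device_code_block_policy` builds the request body for a Conditional Access policy (`POST /identity/conditionalAccess/policies`) whose `authenticationFlows` condition targets both `deviceCodeFlow` and `authenticationTransfer`, and `audit_device_code_signins` summarises sign-in records (the shape of Graph `signIn` objects from `GET /auditLogs/signIns`, using the `authenticationProtocol` property) by user and by source IP. The property and enum names are the Graph names as the author of this example knows them; the sign-in records, the example accounts and the break-glass group id are constructed placeholders.

```python
import json
from collections import defaultdict


def device_code_block_policy(display_name="Block device code flow and authentication transfer",
                             excluded_group_id="<break-glass-group-id>",  # placeholder
                             report_only=True):
    """Build a Conditional Access policy body for POST /identity/conditionalAccess/policies."""
    return {
        "displayName": display_name,
        # Start in report-only mode to see who still relies on the flow; switch to
        # "enabled" once the audit below shows only expected accounts.
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": [excluded_group_id]},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


# Constructed sample sign-in records in the shape of Graph signIn resources;
# only the properties used here are included.
SAMPLE_SIGNINS = """[
 {"createdDateTime": "2026-05-21T07:40:12Z", "userPrincipalName": "alice@example.com",
  "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.7",
  "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
 {"createdDateTime": "2026-05-21T07:41:55Z", "userPrincipalName": "bob@example.com",
  "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.7",
  "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
 {"createdDateTime": "2026-05-21T08:02:31Z", "userPrincipalName": "printer-svc@example.com",
  "appDisplayName": "Universal Print", "ipAddress": "198.51.100.20",
  "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
 {"createdDateTime": "2026-05-21T08:05:00Z", "userPrincipalName": "carol@example.com",
  "appDisplayName": "Microsoft Teams", "ipAddress": "198.51.100.30",
  "authenticationProtocol": "none", "status": {"errorCode": 0}}
]"""

AUDITED_FLOWS = ("deviceCode", "authenticationTransfer")


def load_signins(text):
    """Parse a JSON array of sign-in records."""
    return json.loads(text)


def audit_device_code_signins(records, allowlist=()):
    """Summarise successful device-code / authentication-transfer sign-ins.

    Returns {"by_user": {upn: count}, "by_ip": {ip: [upns]}, "shared_ips": [ip, ...]}.
    Several distinct users completing the device code flow from one IP is the
    pattern produced when a single piece of attacker infrastructure redeems the
    codes on the victims' behalf, so shared IPs are listed separately.
    """
    by_user = defaultdict(int)
    by_ip = defaultdict(set)
    for r in records:
        if r.get("authenticationProtocol") not in AUDITED_FLOWS:
            continue
        if r.get("status", {}).get("errorCode", 0) != 0:
            continue  # failed attempts deserve their own alert, not this summary
        upn = r["userPrincipalName"]
        if upn in allowlist:
            continue  # known limited-input devices, e.g. a print service account
        by_user[upn] += 1
        by_ip[r["ipAddress"]].add(upn)
    shared = sorted(ip for ip, users in by_ip.items() if len(users) > 1)
    return {"by_user": dict(by_user),
            "by_ip": {ip: sorted(users) for ip, users in by_ip.items()},
            "shared_ips": shared}


if __name__ == "__main__":
    print(json.dumps(device_code_block_policy(), indent=2))
    summary = audit_device_code_signins(load_signins(SAMPLE_SIGNINS),
                                        allowlist=("printer-svc@example.com",))
    print(json.dumps(summary, indent=2))
```

The audit excludes the print service account (an expected device code user) and reports alice and bob, who both completed the flow from the same address; that shared IP is the lead to chase. Once the report-only policy shows no legitimate hits beyond the allowlisted devices, re-run `device_code_block_policy(report_only=False)` to enforce the block.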
The agency also urged impacted organizations to report incidents to the Internet Crime Complaint Center and preserve phishing emails, suspicious login information, and unauthorized device registrations. 
Device code phishing has seen widespread adoption in 2026, with other threat actors and platforms now using it as part of their phishing campaigns and attacks.
This adoption includes the EvilTokens PhaaS and Tycoon2FA, which are also using it to compromise Microsoft 365 and Entra accounts.


Cybersecurity
Device Code
FBI
MFA
Phishing
Phishing-as-a-Service

Lawrence Abrams
Lawrence Abrams is the owner and Editor in Chief of BleepingComputer.com. Lawrence's area of expertise includes Windows, malware removal, and computer forensics. Lawrence Abrams is a co-author of the Winternals Defragmentation, Recovery, and Administration Field Guide and the technical editor for Rootkits for Dummies.
