A subscription-based phishing kit called Kali365 can bypass two-factor authentication entirely. Here's how it works and how to protect yourself.

The FBI has issued an urgent public warning about a rapidly spreading cyberattack tool that can break into Microsoft 365 accounts, including Outlook, Teams and OneDrive, without ever needing the account holder's password or triggering a two-factor authentication alert.
The FBI's Internet Crime Complaint Center (IC3) issued Public Service Announcement I-052126-PSA on May 21, warning about a Phishing-as-a-Service platform called Kali365, first seen in April 2026. The tool is sold through Telegram as a criminal subscription product for as little as $250 for 30 days.
The targets span a broad range of sectors. The campaign has hit manufacturing, education, insurance, financial, healthcare and government organisations.
What makes Kali365 different
Most phishing attacks work by tricking people into handing over their usernames and passwords on a fake login page. Kali365 does not work that way, and that is what makes it dangerous.
Kali365 enables cyber threat actors to obtain Microsoft 365 access tokens and bypass multi-factor authentication protocols without intercepting the user's credentials.
Instead, it abuses a legitimate Microsoft authentication feature, the OAuth device code flow: the attacker starts a sign-in on their own device, tricks the user into completing it on Microsoft's real sign-in page, and then steals the resulting access and refresh tokens.
The platform lowers the barrier of entry, providing less-technical attackers access to AI-generated phishing lures, automated campaign templates, real-time targeted individual/entity tracking dashboards, and OAuth token capture capabilities.
How the attack works: step-by-step
The FBI has laid out exactly how Kali365 operates, in four stages:
Step 1: An attacker sends a phishing email impersonating trusted cloud productivity and document-sharing services. The email contains a device code with instructions to visit a legitimate Microsoft verification page and enter the code.
Step 2: The targeted individual navigates to the real Microsoft page and pastes in the device code, unknowingly authorizing the attacker's device to access their account.
Step 3: The attacker captures OAuth access and refresh tokens, granting them access to the targeted individual's Microsoft 365 account.
Step 4: The attacker can now access Microsoft 365 services such as Outlook, Teams and OneDrive without needing a password or completing any additional MFA challenges.
In short: the victim logs in normally on a real Microsoft page and unknowingly hands the keys to an attacker.
What to watch out for
- Unexpected emails appearing to come from Microsoft or cloud document-sharing services asking you to visit a verification page and enter a code
- Emails that press for urgent action on account verification or document access
- Login alerts or active sessions you do not recognise in your Microsoft account
- Unfamiliar devices appearing in your account's registered device list
- Inbox rules you did not create, particularly those forwarding or deleting messages automatically
How to protect yourself: FBI's official tips
The FBI's IC3 advisory recommends the following steps, sourced directly from PSA I-052126-PSA:
- Block device code flow: Create a conditional access policy to block device authentication codes for all users, with limited exceptions only for essential business processes.
- Audit first: Before applying a blanket block, audit existing device code flow usage to identify any legitimate dependencies to avoid disrupting business operations.
- Block authentication transfer: Apply policies to prevent users from transferring authentication sessions from computers to mobile devices.
- Protect emergency accounts: If device code flow cannot be fully restricted, exclude emergency access accounts from the policy to prevent lockouts.
The FBI also directs users to the Cybersecurity and Infrastructure Security Agency's (CISA) Phishing Guidance document for additional best practices.
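To support the "audit first" recommendation above, here is an added Python example (not from the FBI advisory or from Microsoft) that walks a constructed sample of Microsoft Entra sign-in records in the Microsoft Graph signIn shape, separates device code flow sign-ins (authenticationProtocol of deviceCode) from the rest, summarises which accounts depend on the flow, and flags successful device-code sign-ins that are not on a hypothetical allow-list. The accounts, apps, timestamps and the allow-list are all assumptions made for the example.

```python
from collections import defaultdict


def _rec(upn, proto, app, when, err=0):
    """Build one constructed record in the Microsoft Graph signIn shape (trimmed)."""
    return {"userPrincipalName": upn, "authenticationProtocol": proto,
            "appDisplayName": app, "createdDateTime": when, "status": {"errorCode": err}}


# Constructed sample sign-in log; every account, app and timestamp is made up.
SAMPLE_SIGNINS = [
    _rec("alice@example.com", "deviceCode", "Microsoft Office", "2026-05-20T09:12:00Z"),
    _rec("alice@example.com", "oAuth2", "Microsoft Teams", "2026-05-20T09:20:00Z"),
    _rec("bob@example.com", "deviceCode", "Microsoft Office", "2026-05-20T11:00:00Z", err=1),
    _rec("bob@example.com", "deviceCode", "Microsoft Office", "2026-05-20T11:03:00Z"),
    _rec("kiosk@example.com", "deviceCode", "Lobby Display", "2026-05-19T08:00:00Z"),
]

# Hypothetical allow-list produced by the audit: (account, app) pairs that are
# known, legitimate device-code dependencies and would be exempted from a block.
KNOWN_DEVICE_CODE_DEPENDENCIES = {("kiosk@example.com", "Lobby Display")}


def device_code_signins(signins, successful_only=True):
    """Sign-ins whose authenticationProtocol is 'deviceCode'; by default only the
    successful ones (errorCode 0), since a failed attempt yields no tokens."""
    return [s for s in signins
            if s.get("authenticationProtocol") == "deviceCode"
            and (not successful_only or s.get("status", {}).get("errorCode") == 0)]


def audit_device_code_usage(signins):
    """Audit step: which accounts reached which apps via device code, so legitimate
    dependencies can be listed before a blanket Conditional Access block."""
    usage = defaultdict(set)
    for s in device_code_signins(signins):
        usage[s["userPrincipalName"]].add(s["appDisplayName"])
    return {user: sorted(apps) for user, apps in usage.items()}


def unexpected_device_code_signins(signins):
    """Detection step: successful device-code sign-ins for (account, app) pairs
    not on the allow-list; each is a candidate token theft to investigate."""
    return [(s["userPrincipalName"], s["appDisplayName"], s["createdDateTime"])
            for s in device_code_signins(signins)
            if (s["userPrincipalName"], s["appDisplayName"])
            not in KNOWN_DEVICE_CODE_DEPENDENCIES]
```

Feeding real exported sign-in logs through the same functions gives the dependency list the advisory asks for before the block is applied, and the flagged entries are the sessions, devices and inbox rules to check next.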
If you have been affected
If the Kali365 phishing kit has impacted you or someone you know, file a complaint with the Internet Crime Complaint Center at ic3.gov. Include any available information such as phishing emails (header and body), suspicious logins (time, IP address, location), and any unauthorised devices or active sessions added to the account.