
The FBI is warning Microsoft 365 users to be careful when signing in. A new scam based on the Kali365 phishing-as-a-service (PhaaS) platform bypasses multifactor authentication (MFA) by tricking Microsoft users into approving legitimate Microsoft logins.
Hackers are exploiting a system put in place by Microsoft to enable MFA for hardware with limited input, such as streaming media players and smart TVs. The hackers begin the authentication process themselves and use phishing or social engineering to get users to enter a short device code on a real Microsoft website. After the user enters the code, the Microsoft system issues an access token and allows the perpetrators to hijack accounts without completing the MFA steps.
Additionally, hackers can use browser cookies to steer the user through infrastructure they control and forward the request to a real Microsoft login page. There are no obvious signs of hijacking.
This move gives hackers access to apps and information linked to Microsoft 365 accounts, including Outlook emails, OneDrive files, and third-party tools. Additionally, they can register new devices at will. Some attackers have used Outlook to mask the behavior by using custom mailbox rules.
Arctic Wolf security researchers detailed the attacks in April 2026 and noted that some of the danger of Kali365 comes from its ease of use. It is a simple task to create AI-generated phishing templates, lures, and victim tracking systems. According to the FBI warning, even “less-technical” hackers can inflict serious damage.
The majority of the people abusing Kali365 share it through secure Telegram chats, according to the FBI and Arctic Wolf.
Protect Microsoft 365 Accounts
Keep an eye out for certain email subject lines.
- SharePoint – Document Shared: {sender_name} shared a file with you
- OneDrive – File Shared: {sender_name} shared “Document” with you
- Teams – New Message: {sender_name} sent a message in [[company]]
- Microsoft 365 – Voicemail: Voicemail from {sender_name} – [[date]]
- DocuSign – Signature Required: {sender_name} requested your signature
- Invoice Notification: Invoice #INV-[[date]] for [[company]]
- Adobe Acrobat Sign – Agreement: Action required: [[company]] agreement from {sender_name}
- Account Security Notification: Account notification for [[email]]
The lures typically involve Excel, PowerPoint, PDF, and Word files. There are also numerous layouts and design themes that look plausible.
According to the FBI, IT managers can block unnecessary device codes. Security experts recommend excluding emergency accounts from device codes to avoid lockouts.
Device code-based hijackings are increasingly common and are not limited to Kali365. EvilTokens and Tycoon2FA and other phishing services are used to attack Microsoft 365, according to Bleeping Computer. One cannot make the assumption scams will be obvious.
“Kali365 lowers the barrier of entry, providing less-technical attackers access to AI-generated phishing lures, automated campaign templates, real-time targeted individual/entity tracking dashboards, and OAuth token capture capabilities,” the FBI says.
To mitigate the threat of Kali365, the FBI recommends users do the following:
- Restrict device code flow thus limiting device authentication codes;
- Create conditional access to block device code flow for all users with limited exceptions for required business processes;
- Block authentication transfer policies to prevent the transfer of authentication from a computer to a mobile device;
- Exclude emergency access accounts to prevent lockouts.
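The first, second and fourth items above translate into a single Conditional Access policy. The following is an added example (not from the article, the FBI or Microsoft) that builds such a policy body in the shape of the Microsoft Graph conditionalAccessPolicy resource and checks it for the lockout risk the list warns about before anything is deployed; the object IDs are constructed placeholders, and the Graph property names are stated as assumptions.

```python
"""Build and sanity-check an Entra Conditional Access policy that blocks the
device code flow and authentication transfer for all users while excluding
emergency (break-glass) accounts. Added example; assumes the Graph v1.0
conditionalAccessPolicy schema (conditions.authenticationFlows.transferMethods)."""

# Constructed placeholder object IDs; replace with your tenant's real values.
BREAK_GLASS_ACCOUNTS = ["11111111-1111-1111-1111-111111111111"]
BUSINESS_EXCEPTION_GROUPS = ["22222222-2222-2222-2222-222222222222"]
REQUIRED_METHODS = ("deviceCodeFlow", "authenticationTransfer")


def build_policy(break_glass_ids, exception_group_ids=(), enforce=False):
    """Return a policy body. Default is report-only so impact can be reviewed first."""
    if not break_glass_ids:
        raise ValueError("refusing to build a policy with no emergency-access exclusions")
    return {
        "displayName": "Block device code flow and authentication transfer",
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {
                "includeUsers": ["All"],
                "excludeUsers": list(break_glass_ids),
                "excludeGroups": list(exception_group_ids),
            },
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": ",".join(REQUIRED_METHODS)},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def policy_problems(policy, break_glass_ids):
    """List anything that would lock out emergency accounts or leave the flows open."""
    problems = []
    users = policy["conditions"]["users"]
    for uid in break_glass_ids:
        if uid not in users.get("excludeUsers", []):
            problems.append(f"emergency account {uid} is not excluded")
    flows = policy["conditions"].get("authenticationFlows", {})
    blocked = flows.get("transferMethods", "").split(",")
    for method in REQUIRED_METHODS:
        if method not in blocked:
            problems.append(f"{method} is not covered by the policy")
    if policy["grantControls"].get("builtInControls") != ["block"]:
        problems.append("grant control is not 'block'")
    return problems
```

Review the report-only sign-in results before calling build_policy with enforce=True.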
How It Works
A phishing email impersonates trusted cloud or document-sharing services and contains a device code with instructions to visit a legitimate Microsoft verification page.
Once the user enters the code, the attacker’s device is authorized. Then, the attacker gains OAuth access and refresh tokens, giving them continuous access to Microsoft 365 services, such as Teams, Outlook, and OneDrive, without needing a password or additional MFA prompts.
The FBI included in its announcement several tips for users and organizations to protect themselves from device code phishing.
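The moment the attacker’s device is authorized shows up in the tenant’s sign-in logs as a device code (or authentication transfer) sign-in for the victim. The following added example (not from the article, the FBI or Arctic Wolf) triages sign-in records in the shape of Microsoft Graph signIn objects and raises the severity when the source country is new for that user; the records are constructed, and the field names authenticationProtocol, location and ipAddress are assumed from the Graph schema.

```python
"""Flag device code / authentication transfer sign-ins from Entra sign-in logs.
Added example with constructed records; assumes Graph signIn field names."""
from collections import defaultdict

RISKY_PROTOCOLS = {"deviceCode", "authenticationTransfer"}

# Constructed sample records in the shape of Graph /auditLogs/signIns output.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"},
     "createdDateTime": "2026-04-01T08:00:00Z", "appDisplayName": "Microsoft Teams"},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.22", "location": {"countryOrRegion": "US"},
     "createdDateTime": "2026-04-01T09:00:00Z", "appDisplayName": "Outlook"},
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "NL"},
     "createdDateTime": "2026-04-02T09:15:00Z", "appDisplayName": "Microsoft Office"},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.22", "location": {"countryOrRegion": "US"},
     "createdDateTime": "2026-04-02T10:00:00Z", "appDisplayName": "Microsoft Office"},
]


def flag_device_code_signins(records):
    """Return one alert per risky sign-in, in time order.
    Severity is 'high' when the country was not seen for that user before."""
    seen_countries = defaultdict(set)
    alerts = []
    for rec in sorted(records, key=lambda r: r["createdDateTime"]):
        user = rec["userPrincipalName"]
        country = rec.get("location", {}).get("countryOrRegion", "unknown")
        protocol = rec.get("authenticationProtocol")
        if protocol in RISKY_PROTOCOLS:
            alerts.append({
                "user": user, "protocol": protocol, "ip": rec.get("ipAddress"),
                "country": country, "app": rec.get("appDisplayName"),
                "time": rec["createdDateTime"],
                "severity": "high" if country not in seen_countries[user] else "medium",
            })
        seen_countries[user].add(country)
    return alerts


if __name__ == "__main__":
    for alert in flag_device_code_signins(SAMPLE_SIGNINS):
        print(alert)
```

A high-severity hit is the cue to revoke the user's refresh tokens and review newly registered devices and mailbox rules, which the article lists as follow-on activity.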
Telegram-Based Phishing Services
Recently, researchers identified EvilTokens, which is another PhaaS platform sold through Telegram.
This service gives less experienced hackers ready-made tools for phishing campaigns, including fake login pages, AI-generated emails, and Microsoft API automation.
It also has templates built around common business notifications like SharePoint access requests, password expiration messages, and shared document alerts.
Barracuda Networks reports the most common phishing themes in 2025 encouraged users to click on links, scan QR codes, open attachments, or hand over personal information.
Sources:
How to Geek: Hackers are using real Microsoft login pages to steal accounts, the FBI warns
Infosecurity Magazine: FBI Warns ‘Kali365’ Phishing Kit Hijacks Microsoft 365 OAuth Tokens
Help Net Security: Microsoft 365 users targeted by new phishing threat that bypasses MFA
Featured Image Courtesy of HS You’s Flickr Page – Creative Commons License

