
No Password Required: FBI Alerts Microsoft 365 Users to Sophisticated ‘Kali365’ MFA-Bypassing Scam

Source: CNBC TV18

The Federal Bureau of Investigation (FBI) has issued an urgent warning to organizations and individual Microsoft 365 users regarding a rapidly growing cyber threat known as Kali365.

Unlike conventional phishing campaigns that trick victims into typing out their passwords on lookalike websites, this new attack completely bypasses traditional password entry. Instead, it exploits legitimate cloud authorization features to walk right past Multi-Factor Authentication (MFA), giving hackers persistent, long-term access to corporate emails, files, and chat logs.

What is Kali365?

First observed in April 2026, Kali365 is a highly sophisticated Phishing-as-a-Service (PhaaS) platform. It is sold as a turnkey subscription model on Telegram channels, with packages ranging from $250 for a monthly pass to $2,000 for an annual lease.

Security researchers note that the toolkit lowers the barrier to entry for cybercrime. It equips lower-skilled hackers with an automated dashboard, real-time victim tracking, and polished, AI-generated email lures available in dozens of languages. It is heavily customized to mimic trusted corporate brands like Adobe, DocuSign, and Microsoft SharePoint.

How the Scam Works

The core mechanism of Kali365 relies on a technique called device code phishing. This exploits a legitimate OAuth authentication protocol designed for devices with limited input capabilities (like entering a code on your phone to log into Netflix on a smart TV).

Because the victim interacts entirely with genuine Microsoft infrastructure, standard security tools often fail to flag the threat. The attack unfolds in a highly coordinated sequence:

The Lure: The victim receives an AI-crafted email or Microsoft Teams message impersonating a legitimate service (e.g., an urgent document requiring a signature or a shared folder notification).

The Code: The message explicitly instructs the user to open a web browser, navigate to Microsoft’s official device pairing page ([login.microsoftonline.com/device](https://login.microsoftonline.com/device)), and enter a specific short code provided in the email.

The Trap: Because the URL is genuinely owned by Microsoft, the user’s guard drops. They log in with their normal credentials and complete their standard MFA prompt.

The Hijack: By entering the code, the user unknowingly authorizes the attacker’s external app to attach itself to their active session. Kali365 instantly intercepts and harvests the resulting OAuth “access tokens” and “refresh tokens.”

Why MFA Fails to Stop It: Multi-factor authentication is designed to prove who is logging in. Because the legitimate user successfully completes the MFA prompt on their own trusted device, Microsoft approves the request and issues the tokens. The attacker simply catches the tokens on the other end.

The Aftermath of an Attack

Once Kali365 captures these refresh tokens, the criminals gain steady, password-free access to the victim’s entire Microsoft 365 suite, including Outlook, OneDrive, and Teams. Cybercriminals have been observed using this access to:

Monitor and read enterprise emails in real-time.

Set up silent inbox rules to hide their presence and divert specific incoming messages.

Register new malicious devices inside the corporate network.

Send hyper-convincing phishing messages to coworkers, clients, and partners directly from the victim’s legitimate email address.

Furthermore, because these authentication tokens are linked to single sign-on (SSO) systems, the access can occasionally spill over into linked third-party corporate platforms like Salesforce or AWS.

How to Protect Your System

To mitigate the risks associated with device code phishing, security agencies and IT experts recommend taking immediate technical precautions:

Restrict Device Code Flows: Organizations should use Conditional Access policies within Microsoft Entra ID to severely limit or entirely block device code authentication across the enterprise, exempting only dedicated emergency access accounts.

Inspect Active Devices: Individual users should routinely audit their connected hardware by visiting [account.microsoft.com/devices](https://account.microsoft.com/devices) to verify and forcefully log out any unrecognized or suspicious active devices.

Educate Personnel: Security teams must emphasize to employees that they should never enter a device code they were sent on a Microsoft page unless they explicitly initiated the login sequence themselves from a physical device in front of them.
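The flow described above leaves a trace that defenders can hunt for: the sign-in record shows the device code protocol even though the user, from their own machine, satisfied MFA normally. The following is an added example (not from the article or from Microsoft) that scans a constructed Entra sign-in export for device code sign-ins and exempts only the dedicated emergency access accounts, mirroring the policy exemption recommended above. The field names follow the Microsoft Graph signIn resource and are assumed; check them against your own export.

```python
# Added example (not from the article or Microsoft): flag device-code
# sign-ins in an Entra sign-in export. Field names follow the Microsoft
# Graph signIn resource (assumed; verify against your own export).
import json

# Constructed sample export, one JSON object per line.
SAMPLE_LOG = """
{"createdDateTime": "2026-04-02T09:12:03Z", "userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10", "appDisplayName": "Microsoft Office", "authenticationProtocol": "oAuth2"}
{"createdDateTime": "2026-04-02T09:14:41Z", "userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10", "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode"}
{"createdDateTime": "2026-04-02T10:02:15Z", "userPrincipalName": "breakglass@example.com", "ipAddress": "198.51.100.7", "appDisplayName": "Azure CLI", "authenticationProtocol": "deviceCode"}
{"createdDateTime": "2026-04-02T10:30:00Z", "userPrincipalName": "bob@example.com", "ipAddress": "192.0.2.44", "appDisplayName": "Microsoft Teams", "authenticationProtocol": "oAuth2"}
"""

# The only accounts allowed to use the device code flow: the dedicated
# emergency access accounts the article says should be exempted.
EXEMPT_USERS = {"breakglass@example.com"}


def parse_records(text):
    """Parse a JSON-lines export, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_device_code_signins(records, exempt=EXEMPT_USERS):
    """Return non-exempt sign-ins that used the device code protocol.

    In a device code phishing case the victim authenticates normally
    and MFA shows as satisfied, so the protocol field is what stands
    out; every non-exempt hit deserves a token-revocation review.
    """
    hits = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        if r.get("userPrincipalName", "").lower() in exempt:
            continue
        hits.append({
            "time": r.get("createdDateTime"),
            "user": r.get("userPrincipalName"),
            "ip": r.get("ipAddress"),
            "app": r.get("appDisplayName"),
        })
    return hits


if __name__ == "__main__":
    for h in find_device_code_signins(parse_records(SAMPLE_LOG)):
        print(f"{h['time']} {h['user']} from {h['ip']} via {h['app']}")
```

On the sample data only alice's device code sign-in is flagged; the emergency access account is skipped because it is in the exemption set.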
