FBI Warns Microsoft 365 Users About ‘Kali365’ Phishing Scam That Can Bypass MFA
Samira Vishwas June 17, 2026 03:24 AM

The US Federal Bureau of Investigation (FBI) has issued an alert warning Microsoft 365 users about a rapidly emerging phishing campaign known as “Kali365”, a malicious platform that allows cybercriminals to gain access to accounts without stealing passwords and, in some cases, bypass multi-factor authentication (MFA).

The FBI described Kali365 as a “Phishing-as-a-Service” (PhaaS) platform that first surfaced in April 2026 and has primarily been distributed through Telegram channels. The platform is designed to help attackers capture Microsoft 365 access tokens, enabling them to access services such as Outlook, Teams and OneDrive without requiring victims’ passwords.

Security experts say the tool significantly lowers the barrier for cybercrime by providing AI-generated phishing messages, automated campaign templates and real-time dashboards that allow even relatively inexperienced attackers to conduct sophisticated phishing operations.

How the Kali365 Scam Works

Unlike conventional phishing attacks that direct users to fake websites, Kali365 exploits Microsoft’s legitimate device code authentication process.

According to the FBI, attackers send emails impersonating trusted cloud productivity or document-sharing services. The messages contain a device code and instructions directing recipients to Microsoft’s genuine device verification page. When users enter the code, they unknowingly authorise the attacker’s device to access their Microsoft 365 account.

Once the victim completes the authentication process, the attacker captures OAuth access and refresh tokens that provide ongoing access to Microsoft services. Because the victim has already completed MFA on Microsoft’s legitimate website, the attacker can bypass additional authentication challenges.

Cybersecurity researchers have warned that the technique is particularly dangerous because it relies on genuine Microsoft infrastructure, making it harder for users to identify fraudulent activity.

FBI Advises Stronger Security Controls

The FBI has urged organisations to restrict or disable device code authentication wherever possible and implement conditional access policies to block unauthorised device code flows. The agency also recommended auditing existing device code usage, monitoring login activity and reviewing authentication settings across Microsoft 365 environments.
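The audit step can be approximated with a short script over exported sign-in logs. The following is an added example, not code from the FBI alert or from Microsoft: it lists successful device code sign-ins by accounts that are not on an approved list. The field names are assumed to follow the Microsoft Graph `signIn` resource, and the allowlist and sample records are constructed for illustration.

```python
import json

# Hypothetical allowlist: accounts with a documented need for device code
# sign-in (shared displays, headless devices).
APPROVED_USERS = {"kiosk01@example.com"}

# Constructed sample records. Field names are assumed to match the
# Microsoft Graph signIn resource as exported from Entra ID sign-in logs.
SAMPLE_SIGNINS = json.loads("""[
 {"createdDateTime": "2026-06-10T08:01:00Z", "userPrincipalName": "kiosk01@example.com", "appDisplayName": "Room Display", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.10", "status": {"errorCode": 0}},
 {"createdDateTime": "2026-06-10T09:14:00Z", "userPrincipalName": "Alice@example.com", "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.77", "status": {"errorCode": 0}},
 {"createdDateTime": "2026-06-10T09:20:00Z", "userPrincipalName": "bob@example.com", "appDisplayName": "Outlook", "authenticationProtocol": "oAuth2", "ipAddress": "192.0.2.5", "status": {"errorCode": 0}},
 {"createdDateTime": "2026-06-10T09:31:00Z", "userPrincipalName": "carol@example.com", "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.77", "status": {"errorCode": 1}}
]""")


def audit_device_code(signins, approved_users=APPROVED_USERS):
    """Return successful device code sign-ins by accounts not on the allowlist."""
    approved = {u.lower() for u in approved_users}
    findings = []
    for rec in signins:
        # Only the device code flow is in scope; other protocols are skipped.
        if str(rec.get("authenticationProtocol") or "").lower() != "devicecode":
            continue
        # errorCode 0 marks a successful sign-in; failures are not reported here.
        if (rec.get("status") or {}).get("errorCode") != 0:
            continue
        upn = str(rec.get("userPrincipalName") or "").lower()
        if upn not in approved:
            findings.append({
                "time": rec.get("createdDateTime"),
                "user": upn,
                "app": rec.get("appDisplayName"),
                "ip": rec.get("ipAddress"),
            })
    return findings


if __name__ == "__main__":
    for f in audit_device_code(SAMPLE_SIGNINS):
        print(f"REVIEW {f['time']} {f['user']} app={f['app']} ip={f['ip']}")
```

Each flagged entry is a candidate for the account activity review and session revocation the alert recommends.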

Users have been advised not to enter device verification codes unless they initiated the login request themselves and to be cautious of unsolicited emails asking them to authenticate accounts or devices.

The FBI said individuals and organisations that suspect they have been targeted should immediately review account activity, revoke suspicious sessions and report incidents to the Internet Crime Complaint Center (IC3).

Cybersecurity experts warn that Kali365 represents a broader shift in phishing tactics, where attackers increasingly target authentication tokens rather than passwords, allowing them to evade traditional security protections and gain persistent access to cloud-based accounts.

© Copyright @2026 LIDEA. All Rights Reserved.