The Kali365 phishing attack has become one of the most concerning cybersecurity threats of 2026, prompting the FBI to issue an urgent public warning. According to the latest alert, this phishing-as-a-service (PhaaS) platform is being actively used by cybercriminals to hijack Microsoft 365 accounts. Even more troubling, the attackers don’t need to steal passwords or intercept multi-factor authentication (MFA) codes — they simply exploit Microsoft’s own legitimate authentication features to take over accounts.
This emerging threat reveals just how sophisticated modern phishing campaigns have become, with attackers turning trusted system functions into powerful weapons against unsuspecting users and businesses.
A Dangerous New Threat Emerges in 2026
According to the FBI’s Public Service Announcement, Kali365 first surfaced in April 2026 and quickly spread through Telegram channels frequented by cybercriminals. Designed as a turn-key platform, it offers attackers a streamlined method to compromise Microsoft 365 accounts without the usual technical complexity of phishing campaigns.
The most alarming feature of Kali365 is its ability to bypass MFA — a security measure that millions of organizations rely on to protect sensitive accounts. By exploiting Microsoft’s legitimate OAuth 2.0 Device Authorization flow, attackers gain access to Microsoft Entra and Microsoft 365 environments with relative ease.
How Device Code Phishing Works
To understand the danger of Kali365, it helps to first understand what device code phishing is and why it is so effective.
Microsoft’s OAuth 2.0 Device Authorization grant was originally designed for devices that have limited input capabilities. This includes:
- Smart TVs
- Conference room systems
- Streaming devices
- Printers
- Internet of Things (IoT) devices
These devices can authenticate by displaying a short code, which users then enter on Microsoft’s login portal at microsoft.com/devicelogin from another, more user-friendly device.
While this system was created to simplify life for users, attackers have figured out how to exploit it. By generating a legitimate device code themselves, attackers can trick victims into entering that code into Microsoft’s real login portal — effectively granting the attacker full access to the victim’s account.
Once the victim authenticates and completes MFA, Microsoft issues a real OAuth access token. This token gives the attacker full control of the account, with no further MFA challenges required.
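To make the property the article relies on concrete, here is a toy simulation of the Device Authorization grant (RFC 8628). It is an added example, not Microsoft's implementation and not code from the FBI or Arctic Wolf material cited here; the endpoint URL, code formats, lifetimes and the `DeviceAuthServer`, `run_exchange` names are all constructed stand-ins. It shows the one fact that matters for defenders: the user only ever types the short user code into the legitimate login page, while the access token is handed to whichever client holds the matching device code, regardless of who approved it or whether MFA was passed.

```python
"""Toy simulation of the OAuth 2.0 Device Authorization grant (RFC 8628).

Added example, not Microsoft's implementation: endpoint names, code formats
and timings are simplified stand-ins. It exists to show the property that
device code phishing relies on: the access token is issued to whichever
client polls with device_code, not to the browser session in which the
user typed user_code and completed MFA.
"""
import secrets
import time

USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"  # consonants only, as in RFC 8628 examples


class DeviceAuthServer:
    """Minimal authorization-server state for the device grant."""

    def __init__(self, lifetime_seconds=900, interval_seconds=5):
        self.lifetime = lifetime_seconds
        self.interval = interval_seconds
        self._pending = {}  # device_code -> record

    def device_authorization(self, client_id, now=None):
        """Step 1: the *client* (not the user) asks for a code pair."""
        now = time.time() if now is None else now
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))
        self._pending[device_code] = {
            "client_id": client_id,
            "user_code": user_code,
            "expires_at": now + self.lifetime,
            "approved_by": None,
        }
        return {
            "device_code": device_code,
            "user_code": user_code,
            "verification_uri": "https://login.example.invalid/devicelogin",  # constructed
            "expires_in": self.lifetime,
            "interval": self.interval,
        }

    def approve(self, user_code, user, mfa_passed, now=None):
        """Step 2: the user types user_code on the real login page and authenticates."""
        now = time.time() if now is None else now
        for record in self._pending.values():
            if record["user_code"] == user_code and record["expires_at"] > now:
                if not mfa_passed:
                    return "mfa_required"
                record["approved_by"] = user
                return "approved"
        return "invalid_code"  # wrong, expired or already consumed

    def token(self, device_code, now=None):
        """Step 3: the client polls; it receives the token once the user approved."""
        now = time.time() if now is None else now
        record = self._pending.get(device_code)
        if record is None:
            return {"error": "invalid_grant"}
        if record["expires_at"] <= now:
            del self._pending[device_code]
            return {"error": "expired_token"}
        if record["approved_by"] is None:
            return {"error": "authorization_pending"}
        del self._pending[device_code]  # single use
        return {
            "access_token": f"tok-{secrets.token_hex(8)}",  # constructed
            "token_type": "Bearer",
            "issued_to_client": record["client_id"],
            "on_behalf_of": record["approved_by"],
        }


def run_exchange(approver="alice@example.invalid", mfa_passed=True):
    """Walk the three steps with a fixed clock and report who ends up holding the token."""
    server = DeviceAuthServer()
    t0 = 1_000_000.0
    # The client that initiates the flow is the only party that ever sees device_code.
    init = server.device_authorization(client_id="client-that-requested-the-code", now=t0)
    # Before approval the poller is told to keep waiting.
    first_poll = server.token(init["device_code"], now=t0 + 5)
    # The user enters only the short user_code on the legitimate login page.
    outcome = server.approve(init["user_code"], approver, mfa_passed, now=t0 + 60)
    final = server.token(init["device_code"], now=t0 + 65)
    return {"first_poll": first_poll, "approval": outcome, "token": final}


if __name__ == "__main__":
    for key, value in run_exchange().items():
        print(key, value)
```

Note that the approving browser session and the polling client are never linked by the server: the approval page and the user's scrutiny of it are the only point at which a human can stop the exchange, which is why the defensive guidance later in the article centres on blocking the flow with Conditional Access and monitoring for its use rather than on MFA.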
Why This Attack Is So Effective
The success of this technique lies in its simplicity. Because the phishing process leverages Microsoft’s own systems, traditional security tools often fail to recognize the activity as malicious. The victim believes they are logging into a legitimate Microsoft service — and they technically are — but they are unknowingly granting an attacker access at the same time.
Once inside the account, attackers can pivot quickly. Single sign-on (SSO) capabilities mean they often gain access to other connected platforms, such as:
- Microsoft 365 services
- Salesforce
- SharePoint
- OneDrive
- Other cloud-based SaaS tools
This wide reach makes device code phishing particularly devastating for organizations that rely on integrated cloud environments.
Kali365: Phishing as a Business
The FBI’s warning highlights something deeply troubling about Kali365. It isn’t just another tool — it is a fully developed, business-style operation. Security researchers at Arctic Wolf, who began tracking the platform in April 2026, describe Kali365 as a structured criminal enterprise with multiple roles, including:
- Administrators who manage and develop the platform
- Resellers who promote it to other cybercriminals
- Affiliates who carry out the actual phishing campaigns
This professionalization of cybercrime means that even attackers with very limited technical skills can launch sophisticated phishing operations. Kali365 reportedly offers a wide range of advanced features, including:
- AI-generated phishing lures
- Automated campaign templates
- Real-time dashboards to track victims
- Token-capture functionality
- Pre-built phishing kits ready to deploy
These features lower the barrier to entry significantly, opening the door for a much larger pool of potential attackers.
How the Attacks Unfold in the Real World
Arctic Wolf’s research outlined the typical attack pattern used by Kali365 affiliates. In most cases, victims receive a phishing email that appears to come from a trusted source. The email leads them to Microsoft’s device code login portal, where they are tricked into entering a code provided by the attacker.
Once authenticated, attackers gain:
- Full access to the victim’s mailbox
- The ability to create malicious inbox rules
- The chance to register new devices on the victim’s Microsoft environment
The malicious inbox rules are typically designed to hide attacker activity. For example, incoming emails related to security alerts or password changes may be automatically deleted or marked as read.
In some cases, attackers register new devices within the compromised Microsoft account. This step further extends their reach into the breached network and helps them maintain long-term access.
Two Attack Modes Inside Kali365
Kali365 reportedly offers users two distinct attack methods:
1. Device Code Phishing
This is the primary method described above. It abuses OAuth 2.0 device authorization to steal access tokens without needing to capture user credentials directly.
2. Cookie Link (Adversary-in-the-Middle)
The second method, called Cookie Link, is an adversary-in-the-middle (AitM) approach. In this mode, victims are routed through attacker-controlled infrastructure, which captures:
- Authenticated browser sessions
- Session cookies
- OAuth tokens issued after MFA challenges
This means that even if a victim completes MFA successfully, the attacker still walks away with usable access to the account. AitM attacks have become a growing concern in 2026 due to their ability to defeat traditional MFA protections.
Why MFA Alone Is No Longer Enough
For years, MFA has been considered one of the most effective tools for protecting online accounts. However, the rise of token-stealing phishing platforms like Kali365 has revealed serious limitations.
When attackers steal authentication tokens, they do not need to bypass MFA at all. The system has already validated the user, so the stolen token is treated as legitimate. This is why organizations must now look beyond MFA and adopt more advanced defense strategies.
How Companies Can Defend Themselves
The FBI and security researchers have provided several recommendations to help organizations defend against the rising threat of device code phishing.
Strengthen Authentication Policies
- Restrict or completely block device code authentication flows when not needed
- Use Conditional Access policies to apply granular control
- Disable authentication transfer between devices where possible
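The first two recommendations above can be expressed as a single Conditional Access policy. The following is an added example, not a script from the FBI or Arctic Wolf: it builds the policy body using the Microsoft Graph conditionalAccessPolicy schema as I know it (the `conditions.authenticationFlows.transferMethods` condition with a `block` grant control), validates it before it is applied, and can submit it with a token you supply. The `BREAK_GLASS_GROUP_ID` value and the bearer token are placeholders; the policy starts in report-only mode so that the sign-in logs show who would have been blocked before enforcement is switched on.

```python
"""Build (and optionally submit) a Conditional Access policy that blocks the
device code flow and authentication transfer.

Added example, not from the FBI advisory or Arctic Wolf. The request body
follows the Microsoft Graph conditionalAccessPolicy schema as I know it
(conditions.authenticationFlows.transferMethods, grantControls block); the
group IDs and the bearer token are placeholders the operator supplies.
"""
import json
import urllib.request

GRAPH_POLICIES_URL = "https://graph.microsoft.com/v1.0/identities/conditionalAccess/policies"

# Placeholder: replace with the object ID of your break-glass / legacy-device group.
BREAK_GLASS_GROUP_ID = "00000000-0000-0000-0000-000000000000"


def build_block_auth_flows_policy(excluded_group_ids, enforce=False,
                                  block_authentication_transfer=True):
    """Return a policy body; it is report-only unless enforce=True."""
    methods = ["deviceCodeFlow"]
    if block_authentication_transfer:
        methods.append("authenticationTransfer")
    return {
        "displayName": "Block device code flow and authentication transfer",
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {
                "includeUsers": ["All"],
                "excludeGroups": list(excluded_group_ids),
            },
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            # Flags enum; several methods are joined with commas.
            "authenticationFlows": {"transferMethods": ",".join(methods)},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def validate_policy(policy):
    """Pre-flight checks: full scope, a break-glass exclusion so admins are not
    locked out, and a grant control that actually blocks the device code flow."""
    problems = []
    c = policy["conditions"]
    if c["users"].get("includeUsers") != ["All"]:
        problems.append("policy does not cover all users")
    if not c["users"].get("excludeGroups") and not c["users"].get("excludeUsers"):
        problems.append("no break-glass exclusion")
    if c["applications"].get("includeApplications") != ["All"]:
        problems.append("policy does not cover all applications")
    if "deviceCodeFlow" not in c["authenticationFlows"]["transferMethods"].split(","):
        problems.append("deviceCodeFlow is not targeted")
    if "block" not in policy["grantControls"]["builtInControls"]:
        problems.append("grant control is not block")
    return problems


def submit_policy(policy, bearer_token):
    """POST the policy to Microsoft Graph (caller needs Policy.ReadWrite.ConditionalAccess)."""
    req = urllib.request.Request(
        GRAPH_POLICIES_URL,
        data=json.dumps(policy).encode(),
        headers={"Authorization": f"Bearer {bearer_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    body = build_block_auth_flows_policy([BREAK_GLASS_GROUP_ID])
    print(json.dumps(body, indent=2))
    print("validation problems:", validate_policy(body) or "none")
```

Leave the policy in report-only mode long enough to find the conference-room systems and service accounts that legitimately depend on the device code flow, move them into the excluded group, then call `build_block_auth_flows_policy(..., enforce=True)`.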
Audit and Monitor Account Activity
- Regularly audit existing device code usage
- Monitor for unusual login patterns or unexpected device registrations
- Watch for suspicious inbox rules that may indicate account compromise
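The three monitoring items above map onto three records an analyst can pull from exported logs. The following is an added detection example, not a script from the FBI or Arctic Wolf and not Microsoft tooling: it runs three checks over constructed sample records whose field names follow the Entra sign-in log (`authenticationProtocol`, `countryOrRegion`) and the unified audit log (`Operation`, `Parameters`) as they are commonly exported, then correlates hits per user. The allowed-country set, keyword list, severities and the `analyze` function are my own assumptions.

```python
"""Flag the post-compromise traces the article describes in exported Entra
sign-in logs and Microsoft 365 unified audit log records.

Added example, not from the FBI advisory or Arctic Wolf. The sample records
are constructed; field names follow common exports of the Entra sign-in log
and the unified audit log, and the thresholds and keyword list are my own.
"""
import json

ALLOWED_COUNTRIES = {"US"}  # assumption: where this organisation's staff normally sign in
SECURITY_KEYWORDS = ("password", "security alert", "mfa", "sign-in", "suspicious", "unusual")
HIDING_ACTIONS = ("DeleteMessage", "MarkAsRead", "MoveToFolder")

SAMPLE_RECORDS = [  # constructed
    {"kind": "signin", "user": "alice@example.invalid", "authenticationProtocol": "deviceCode",
     "countryOrRegion": "RO", "ipAddress": "203.0.113.77"},
    {"kind": "signin", "user": "bob@example.invalid", "authenticationProtocol": "none",
     "countryOrRegion": "US", "ipAddress": "198.51.100.4"},
    {"kind": "audit", "Operation": "New-InboxRule", "UserId": "alice@example.invalid",
     "Parameters": {"Name": "cleanup", "SubjectContainsWords": "security alert;password",
                    "DeleteMessage": "True", "MarkAsRead": "True"}},
    {"kind": "audit", "Operation": "New-InboxRule", "UserId": "bob@example.invalid",
     "Parameters": {"Name": "newsletters", "From": "news@example.invalid",
                    "MoveToFolder": "Newsletters"}},
    {"kind": "audit", "Operation": "Register device", "UserId": "alice@example.invalid",
     "Parameters": {"deviceDisplayName": "DESKTOP-7Q2X", "deviceOSType": "Windows"}},
]


def check_signin(rec):
    """Any device code sign-in is worth a look; from an unexpected country it is high."""
    if rec.get("authenticationProtocol") != "deviceCode":
        return None
    country = rec.get("countryOrRegion")
    return {"rule": "device-code-signin", "user": rec["user"],
            "severity": "high" if country not in ALLOWED_COUNTRIES else "medium",
            "detail": f"device code sign-in from {rec.get('ipAddress')} ({country})"}


def check_inbox_rule(rec):
    """A new or changed rule that hides mail AND keys on security wording."""
    if rec.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return None
    params = rec.get("Parameters", {})
    actions = [a for a in HIDING_ACTIONS if params.get(a)]
    text = " ".join(str(v) for k, v in params.items() if k != "Name").lower()
    keywords = [kw for kw in SECURITY_KEYWORDS if kw in text]
    if actions and keywords:
        return {"rule": "inbox-rule-hides-alerts", "user": rec["UserId"], "severity": "high",
                "detail": f"rule '{params.get('Name')}' {actions} on {keywords}"}
    return None


def check_device_registration(rec):
    """Device registration is routine on its own; it matters in combination."""
    op = rec.get("Operation", "").lower()
    if "register" in op and "device" in op:
        return {"rule": "device-registration", "user": rec["UserId"], "severity": "medium",
                "detail": f"registered {rec.get('Parameters', {}).get('deviceDisplayName')}"}
    return None


CHECKS = (check_signin, check_inbox_rule, check_device_registration)


def analyze(records):
    """Return all findings and the users hit by at least two distinct rules."""
    findings = [hit for rec in records for hit in (c(rec) for c in CHECKS) if hit]
    rules_by_user = {}
    for f in findings:
        rules_by_user.setdefault(f["user"], set()).add(f["rule"])
    compromised = sorted(u for u, rules in rules_by_user.items() if len(rules) >= 2)
    return findings, compromised


if __name__ == "__main__":
    findings, compromised = analyze(SAMPLE_RECORDS)
    print(json.dumps(findings, indent=2))
    print("likely account takeover:", compromised)
```

The correlation step is the useful part: a device code sign-in alone may be a conference-room system, and a device registration alone is routine, but the same account producing both plus a rule that deletes security alerts is the pattern the article attributes to Kali365 affiliates.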
Educate Employees and Users
- Train staff to recognize phishing emails and suspicious requests
- Make users aware that legitimate services rarely ask them to enter codes during unsolicited interactions
- Reinforce a culture of cautious clicking and verification
Report Incidents Promptly
The FBI urges affected organizations to:
- Report incidents to the Internet Crime Complaint Center (IC3)
- Preserve phishing emails, login data, and unauthorized device registration logs
- Coordinate closely with cybersecurity professionals during investigations
Device Code Phishing Is Spreading Fast
Kali365 isn’t the only platform leveraging device code phishing. In 2026, several other phishing-as-a-service platforms have adopted similar techniques, including:
- EvilTokens PhaaS
- Tycoon2FA
These platforms also target Microsoft 365 and Entra accounts, making device code phishing one of the most widely adopted attack methods of the year.
A Broader Shift in the Cyber Threat Landscape
The rise of Kali365 reflects a major shift in how cybercriminals operate. Rather than focusing on brute-force attacks or stealing passwords, attackers are increasingly exploiting:
- Legitimate authentication systems
- Trusted platforms and brands
- Human psychology and social engineering
- Token theft instead of credential theft
This evolution makes cyberattacks harder to detect and faster to execute. It also reinforces the urgent need for organizations to adopt zero-trust security frameworks, advanced threat detection, and continuous user education.
What End Users Should Watch For
While organizations bear the responsibility for system-level defenses, individual users also play a crucial role. Some warning signs to watch for include:
- Unexpected emails asking you to verify or sign in to your Microsoft account
- Unfamiliar prompts asking you to enter a code at microsoft.com/devicelogin
- Notifications about new devices added to your Microsoft account
- Strange inbox rules that automatically forward or delete emails
- Sudden logout events or unexplained MFA prompts
If anything seems unusual, users should report it immediately to their IT or security team.
Final Thoughts
The FBI’s warning about the Kali365 phishing attack is a clear signal that the cybersecurity landscape is evolving rapidly. By exploiting Microsoft’s own authentication systems, attackers have found a way to bypass MFA and gain deep access to sensitive cloud environments — all while staying under the radar of traditional defenses.
For organizations, this means rethinking authentication strategies, auditing user behavior, and embracing a stronger zero-trust approach. For users, it means staying alert and questioning anything that feels off, even when it appears to come from familiar services like Microsoft.
As cybercriminal platforms continue to evolve into structured, business-like operations, the contest between attacker and defender will only intensify. Protecting your digital identity in 2026 isn’t just about strong passwords or MFA anymore — it’s about understanding how attackers think, and staying one step ahead.
Author
Lucienne Albrecht is Luxe Chronicle’s wealth and lifestyle editor, celebrated for her elegant perspective on finance, legacy, and global luxury culture. With a flair for blending sophistication with insight, she brings a distinctly feminine voice to the world of high society and wealth.