The FBI does not issue a public service announcement about a single phishing kit very often. When it does, it is worth stopping to pay attention. In May 2026, the Bureau did exactly that. It warned organisations and individuals about a new threat called Kali365, and the warning carries real weight.
Kali365 is dangerous for a simple reason. It does not crack your password. It does not steal the one-time code from your phone. Instead, it persuades the victim to complete a genuine sign-in, password and MFA included, on Microsoft's own page, and arranges for the tokens that sign-in produces to be issued to the attacker. MFA is satisfied. It is simply satisfied on the attacker's behalf, which is why the protection might as well not be there.
For years, businesses have been told that MFA is the single most important control they can switch on. That advice is still sound. But Kali365 is a sharp reminder that no control is a silver bullet. Attackers adapt. This blog explains how the attack works, why it is so hard to spot, and what your organisation should do about it.
Kali365 is a phishing-as-a-service platform. In plain terms, it is a criminal toolkit sold by subscription. The people behind it have done the hard work of building the attack. Less skilled criminals simply pay to use it.
This subscription model matters more than it might first appear. It lowers the barrier to entry. An attacker no longer needs deep technical skill to run a convincing campaign against Microsoft 365 users. They get AI-generated phishing lures, ready-made campaign templates, and a live dashboard that tracks their targets in real time. They also get the one feature that makes this kit so effective. It captures OAuth tokens.
The platform was first observed in April 2026. It has been distributed through Telegram, which has become a popular marketplace for this kind of criminal service. The result is a polished, scalable attack that almost anyone can rent.
The clever part of Kali365 is that it abuses a genuine Microsoft feature. It does not rely on a fake login page or a lookalike website. It uses the real thing. The feature in question is the "device code" sign-in flow, Microsoft's implementation of the standard OAuth 2.0 device authorization grant (RFC 8628). Microsoft built this for devices that are awkward to type on, such as smart TVs, printers, and shared kiosks. The device shows you a short code. You then go to a genuine Microsoft page on your phone or laptop and enter that code to approve the sign-in. It is a legitimate and useful process.
Here is how the attackers turn it against you.
First, the attacker starts a login on their own machine. Their tool asks Microsoft's device authorization endpoint for a sign-in, exactly as a smart TV would, and Microsoft responds by generating two linked codes: a long device code that the attacker's tool keeps and polls with, and a short user code meant to be typed by a person. The attacker now has a valid user code that needs approving, and a short window in which to get it approved, because the code expires after roughly fifteen minutes.
Second, the attacker sends a phishing email to your staff. The message is built to look like a document share, a Teams invitation, or some other trusted notification. It includes the device code and a polite instruction. It asks the user to "verify" or "view the document" by entering the code on Microsoft's verification page.
Third, the victim does as asked. They visit the genuine Microsoft page at microsoft.com/devicelogin, sign in with their usual password and MFA if they are not already signed in, and enter the code. Because the page is real and the address is correct, nothing feels wrong. There is no dodgy URL to spot. There is no spelling mistake to catch. The page is completely authentic, and so is the MFA prompt.
The moment that code is approved, the trap closes. The attacker's tool, which has been polling Microsoft's token endpoint all along, is handed a valid set of OAuth access and refresh tokens issued in the victim's name, with whatever permissions the attacker's chosen application asked for. These tokens are what Microsoft uses to remember that someone has already logged in. With them in hand, the attacker is now inside the account. They are past the password. They are past MFA. And they never had to supply either one; the victim did that for them.
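The three steps above, played out end to end, as an added example that is not part of the original post and has nothing to do with Kali365's own code. A toy in-memory authorization server stands in for Microsoft's device code endpoints; every endpoint path, client id, user and token value is made up. The point it makes is the one that matters for defenders: the tokens are delivered to whichever client started the flow, not to the person who approved it, and the approver's password and MFA never pass through the attacker's hands at all.

```python
import secrets
import time


class AuthorizationServer:
    """In-memory stand-in for the identity provider's device-code endpoints (illustrative only)."""

    def __init__(self, code_ttl=900):
        self.code_ttl = code_ttl        # real device codes expire after roughly 15 minutes
        self.pending = {}               # device_code -> pending request
        self.by_user_code = {}          # user_code   -> device_code
        self.sign_in_log = []           # what an administrator later sees in the sign-in log

    def device_authorization(self, client_id, scope):
        """Step 1: the client (the attacker's tool) asks for a linked code pair."""
        device_code = secrets.token_urlsafe(32)
        user_code = secrets.token_hex(2).upper() + "-" + secrets.token_hex(2).upper()
        self.pending[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "approved_by": None, "expires": time.time() + self.code_ttl,
        }
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://idp.example/devicelogin",
                "expires_in": self.code_ttl, "interval": 5}

    def approve_user_code(self, user_code, username, mfa_passed):
        """Step 2: a person, signed in with password and MFA on the genuine page, types the user code."""
        rec = self.pending.get(self.by_user_code.get(user_code))
        if rec is None or time.time() > rec["expires"] or not mfa_passed:
            return False
        rec["approved_by"] = username
        return True

    def token(self, client_id, device_code):
        """Step 3: the client polls; once approved, it receives tokens in the approver's name."""
        rec = self.pending.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if time.time() > rec["expires"]:
            return {"error": "expired_token"}
        if rec["approved_by"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]                       # a device code is single use
        del self.by_user_code[rec["user_code"]]
        self.sign_in_log.append({"user": rec["approved_by"], "client_id": client_id,
                                 "authenticationProtocol": "deviceCode"})
        return {"token_type": "Bearer", "scope": rec["scope"], "sub": rec["approved_by"],
                "access_token": "at_" + secrets.token_urlsafe(16),
                "refresh_token": "rt_" + secrets.token_urlsafe(16)}


ATTACKER_CLIENT_ID = "illustrative-client-id"   # made up; not a real application id


def run_attack(idp, victim="alice@example.com"):
    """Replays the three steps from the post and returns what each party ended up with."""
    da = idp.device_authorization(ATTACKER_CLIENT_ID, "Mail.Read Files.Read offline_access")
    # The lure carries only the user code and the GENUINE verification page: nothing to spot.
    lure = (f"A document has been shared with you. To view it, go to "
            f"{da['verification_uri']} and enter the code {da['user_code']}.")
    first_poll = idp.token(ATTACKER_CLIENT_ID, da["device_code"])   # still pending
    # The victim signs in (password + MFA) on the real page and approves the code.
    approved = idp.approve_user_code(da["user_code"], victim, mfa_passed=True)
    tokens = idp.token(ATTACKER_CLIENT_ID, da["device_code"])       # victim's tokens, attacker's hands
    return {"device_code": da["device_code"], "lure": lure,
            "first_poll": first_poll, "approved": approved, "tokens": tokens}


if __name__ == "__main__":
    out = run_attack(AuthorizationServer())
    print(out["lure"])
    print("attacker now holds:", out["tokens"])
```

Note what the attacker's side never sees: the victim's password, the MFA response, or the verification page. The only artefact the identity provider keeps is a sign-in record whose authentication protocol is the device code flow, which is exactly the field to filter on later.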
Most phishing relies on something looking wrong. A strange sender address. A suspicious link. A login page that is almost, but not quite, right. Trained staff learn to spot these tells.
Kali365 removes nearly all of them. The victim is sent to a real Microsoft page. The action they take, entering a code, is a completely legitimate one. From Microsoft's point of view, a valid user has completed a valid sign-in and approved a valid device code.
This is why none of the usual alarms fire. No link is flagged, no lookalike domain is blocked, and no password is typed anywhere it should not be. The system is not being tricked in a technical sense. It is doing precisely what it was built to do. The sign-in is recorded in the Entra sign-in logs, with the authentication protocol shown as device code, but nothing about that record says "phishing". That is also what makes the attack so quiet after the fact.
Once attackers hold the refresh token, they can keep their access alive for a long time. A refresh token can be exchanged for a fresh access token at any time, without a password or an MFA prompt, and it stays valid until it expires or is revoked; by default, that means for as long as it keeps being used. They do not need to log in again and again. They can sit inside the account and blend in with normal activity. In practice, this means they can read Outlook emails for weeks. They can open files in OneDrive and SharePoint. They can send fresh phishing emails to colleagues and customers from a trusted internal account. Worst of all, they can read password reset messages, which opens the door to even more accounts.
It would be a mistake to think of this as purely a corporate IT problem. Early reporting focused on attacks against organisations. The underlying technique, however, works just as well against an individual.
Anyone with an Outlook inbox, a OneDrive folder, or a Microsoft 365 subscription is a potential target. The kit does not care whether you are a global enterprise or a single user. If you can be persuaded to enter a code on a real Microsoft page, you can be compromised.
For businesses, the risk is amplified. A single compromised mailbox can become the launch pad for attacks against the wider organisation. Suppliers, customers, and partners can all be drawn in. One careless click can quickly become a much larger incident.
Awareness is the starting point, but it is not the whole answer. Kali365 succeeds because a legitimate process is being abused. Defending against it needs a mix of staff vigilance, technical controls, and tested response. Here is where we would focus.
Brief your staff on this specific scam, and do it now. The core message is short and memorable. If you did not start a login yourself, never enter or approve a code, no matter how genuine the page looks. Most defences fail because people were never told what to watch for. A short, clear briefing closes that gap. At Cyber Management Alliance, our cyber security awareness training is built to land exactly this kind of practical message with non-technical staff, so the lesson sticks long after the session ends.
Make it safe and simple for people to report a mistake. Staff need to feel they can put their hand up the moment they suspect they have slipped. Early reporting can turn a serious breach into a near miss. A culture where people stay silent out of fear is a culture that loses time it cannot afford. Speed of reporting is part of speed of response, and the two together decide how bad an incident becomes.
Restrict the device code flow if your business does not rely on it. This is the FBI's own headline recommendation, and it is a strong one. IT teams can use a Conditional Access policy in Microsoft Entra to block the device code flow for most users: in the policy's conditions, under authentication flows, select device code flow, target all users and all applications, and set the grant control to block. Genuine use cases, such as kiosks or shared devices, can be allowed as carefully managed exceptions by excluding a dedicated group. Before switching anything off, audit where the flow is currently used (the sign-in logs can be filtered by authentication protocol) so legitimate work is not disrupted, and run the policy in report-only mode first.
Review your sessions and sign-in logs regularly. In Entra, filter the sign-in logs on the device code authentication protocol and look for unfamiliar applications, unknown devices and unexpected locations. Because this attack grants long-lived access, spotting a rogue session early and revoking the user's sign-in sessions, which invalidates their refresh tokens, can shut an intruder out before real damage is done. This kind of monitoring should be part of routine security hygiene, not a one-off check after something has gone wrong.
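The audit, the review and the blocking policy from the two points above, as one added example that is not part of the original post, the FBI advisory or Microsoft's documentation. The sign-in records are constructed to look like rows returned by Microsoft Graph (GET /v1.0/auditLogs/signIns): the field names are Graph's, every value is made up. The policy body targets the authentication flows condition of Graph's Conditional Access policy resource and is written in report-only state; the kiosk group id and policy name are assumptions, and the field names should be checked against the current Graph reference before posting it.

```python
from collections import defaultdict

# Constructed sign-in records shaped like Graph's auditLogs/signIns rows (all values invented).
SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-05-02T08:01:00Z", "userPrincipalName": "kiosk01@example.com",
     "appDisplayName": "Microsoft Teams Rooms", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "GB"}},
    {"createdDateTime": "2026-05-03T13:22:00Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.77", "location": {"countryOrRegion": "NG"}},
    {"createdDateTime": "2026-05-03T13:25:00Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Outlook", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "GB"}},
    {"createdDateTime": "2026-05-04T09:10:00Z", "userPrincipalName": "bob@example.com",
     "appDisplayName": "Microsoft Azure CLI", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.11", "location": {"countryOrRegion": "GB"}},
]


def device_code_usage(signins):
    """The pre-block audit: who uses the flow, through which app, from where."""
    usage = defaultdict(set)
    for s in signins:
        if s.get("authenticationProtocol") == "deviceCode":
            key = (s["userPrincipalName"], s["appDisplayName"])
            usage[key].add((s["ipAddress"], s["location"]["countryOrRegion"]))
    return dict(usage)


def suspicious_device_code_signins(signins, expected_countries):
    """The routine review: device code sign-ins from outside the countries the business works in."""
    return [s for s in signins
            if s.get("authenticationProtocol") == "deviceCode"
            and s["location"]["countryOrRegion"] not in expected_countries]


def block_device_code_policy(kiosk_group_id, name="Block device code flow"):
    """Body for POST /v1.0/identity/conditionalAccessPolicies: all users and apps except the
    kiosk group, device code flow only, grant control 'block', report-only until the audit is clean."""
    return {
        "displayName": name,
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": [kiosk_group_id]},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def revoke_sessions_request(user_id):
    """Containment for a compromised mailbox: the Graph call that invalidates the user's refresh tokens."""
    return ("POST", f"https://graph.microsoft.com/v1.0/users/{user_id}/revokeSignInSessions")


if __name__ == "__main__":
    for (user, app), origins in device_code_usage(SAMPLE_SIGNINS).items():
        print(f"{user} via {app}: {sorted(origins)}")
    for s in suspicious_device_code_signins(SAMPLE_SIGNINS, {"GB"}):
        print("REVIEW:", s["userPrincipalName"], s["appDisplayName"], s["ipAddress"])
        print("  containment:", revoke_sessions_request(s["userPrincipalName"]))
    # Hypothetical group id; substitute the object id of your kiosk/shared-device group.
    print(block_device_code_policy("00000000-0000-0000-0000-000000000000"))
```

Two practical points the code leaves to the operator. Revoking sign-in sessions kills the refresh token, so the attacker's long-lived access ends, but an access token already issued keeps working for the rest of its lifetime, typically about an hour, so also look for mailbox rules and OAuth consents created in that window. And leave the policy in report-only state until the audit shows the only device code sign-ins left are the ones you expect.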
Test your response before you need it. This last point is the one most organisations skip, and it is the one that matters most. Knowing about a threat is not the same as being ready for it.
A scenario like Kali365 is exactly the kind of fast-moving incident that exposes gaps in a plan that has never been rehearsed. Our cyber tabletop exercises put your team through realistic scenarios in a safe setting, so the first time they face a token-theft incident is not during a live crisis. Where deeper preparation is needed, our NCSC-Assured Cyber Incident Planning and Response training and our incident response playbook creation and review workshops give your people a tested, repeatable way to act when it counts.
Kali365 is a clever attack, but the principle behind it is an old one. Attackers will always look for the gap between a control and the human being using it. MFA stops a stolen password. It does not stop a person who is persuaded to approve something they should not.
This is why technology alone has never been enough. The organisations that come through incidents like these in good shape are not the ones who were never targeted. They are the ones who prepared. They trained their people. They tightened their controls. And they tested their response before the day it mattered.
At Cyber Management Alliance, that is the work we do every day. We help organisations build, improve, and optimise their entire cyber incident response capability, so they can detect intruders accurately and respond to business-impacting attacks at speed. If Kali365 has prompted a difficult question inside your organisation about how ready you really are, that is a conversation worth having now rather than later.