
A plug-and-play phishing kit called Kali365 is quietly turning Microsoft 365 logins into a gold mine for criminals, according to a new FBI warning. The toolkit lets attackers hijack Outlook, Teams and OneDrive accounts even when multi-factor authentication (MFA) is turned on, by tricking victims into completing a legitimate Microsoft device login that actually authorizes the attacker instead.
Here is how the con works in plain terms: the attacker starts a device-code sign-in of their own, which yields a short code they pass to the victim. The victim is lured into entering that code at Microsoft’s real verification page and signing in, MFA included. Because that sign-in completes the attacker’s pending request rather than one the user started, the resulting session is linked to the attacker, not the user. With that, criminals can grab OAuth access and refresh tokens that stay valid long enough to read email, pull files and fire off extremely convincing internal phishing from inside the compromised tenant.
In a May 21 public service announcement, the FBI said Kali365, first spotted in April, is spreading largely through Telegram and bundles AI-generated lures, prebuilt campaign templates and token-capture dashboards that let even low-skilled crooks run industrial-scale phishing operations, according to IC3. Because the victim completes a real Microsoft device login, the resulting tokens can be reused without any password or extra MFA prompts until they are revoked. The FBI is urging organizations to audit where device codes are legitimately used, restrict or block device-code authentication flows, and preserve evidence if a compromise is suspected.
Security researchers at Arctic Wolf tracked a major April wave that relied on the Kali365 control panel and saw attackers creating stealthy inbox rules and registering new devices to stay hidden and maintain access, as Arctic Wolf Labs reports. The firm tied activity to shared infrastructure and said the kit supports both device-code attacks and classic adversary-in-the-middle session theft. Victims ran the gamut from manufacturing and education to healthcare, finance and government, a reminder that this is not just a big-corporate IT headache.
How IT Teams Can Lock Down Entra ID
Microsoft’s own admin guidance tells defenders to start by building a Conditional Access policy that blocks the device-code flow for everyone except narrowly defined exception groups, then test it in report-only mode before actually enforcing it, with explicit exclusions for emergency break-glass accounts so admins do not lock themselves out, according to Microsoft. Report-only mode matters because the flow has legitimate users, such as command-line tools and devices without a browser, which is why the FBI’s advice to audit where device codes are used comes first. Teams should also block authentication transfer, filter Entra sign-in logs on the authentication protocol field for deviceCode entries and immediately revoke any suspicious OAuth grants. Those steps shrink the attack surface while blue teams look for post-compromise clues such as odd inbox rules, unexpected forwarding and newly registered or unfamiliar devices.
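The policy shape and the log hunt from that guidance, as an added Python example rather than code from Microsoft, the FBI or Arctic Wolf: it builds the Graph request body for a report-only Conditional Access policy that blocks the device-code flow and authentication transfer with a break-glass exception group, then runs a triage pass over exported sign-in records to pull out successful deviceCode sign-ins and mark the ones coming from an address the user has never used elsewhere. Property names follow Microsoft Graph's conditionalAccessPolicy and signIn resources; the group id, user names, addresses and log records are constructed for the example.

```python
"""Added example (not code from the FBI, Microsoft or Arctic Wolf material above).

Two pieces of the lockdown described in the article:
  1. the request body for a Conditional Access policy that blocks the device-code
     flow and authentication transfer, created in report-only mode with a
     break-glass exception group;
  2. triage of exported Entra sign-in records for successful device-code sign-ins.
Property names follow Microsoft Graph's conditionalAccessPolicy and signIn
resources. The group id, user names, addresses and log records are constructed.
"""
import json
from collections import defaultdict

# Constructed object id for the exception group (break-glass accounts plus any
# legitimate device-code users found during the audit). Not a real tenant value.
BREAK_GLASS_GROUP_ID = "11111111-2222-3333-4444-555555555555"

# Constructed sign-in records in the shape of GET /auditLogs/signIns output.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2025-04-02T08:00:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.10", "appDisplayName": "Microsoft Teams",
     "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-04-02T09:14:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "198.51.100.7", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-04-02T10:30:00Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "198.51.100.7", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 50126}},  # failed sign-in
    {"createdDateTime": "2025-04-03T07:45:00Z", "userPrincipalName": "carol@example.com",
     "ipAddress": "192.0.2.5", "appDisplayName": "Outlook",
     "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-04-03T11:05:00Z", "userPrincipalName": "carol@example.com",
     "ipAddress": "192.0.2.5", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
]


def device_code_block_policy(exclude_group_ids, enforce=False):
    """Body for POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies.

    Defaults to report-only (enabledForReportingButNotEnforced) so the impact on
    legitimate device-code users shows up in the sign-in logs before anyone is blocked.
    """
    return {
        "displayName": "Block device code flow and authentication transfer",
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": list(exclude_group_ids)},
            "applications": {"includeApplications": ["All"]},
            # Comma-separated flags of the conditionalAccessTransferMethods enum.
            "authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def triage_device_code_signins(signins):
    """Return every successful deviceCode sign-in, oldest first, tagged new_ip=True
    when the source address never appears in that user's other successful sign-ins
    in the same export. A simple heuristic, not a detection rule to deploy as-is."""
    known_ips = defaultdict(set)
    for s in signins:
        if s["status"]["errorCode"] == 0 and s["authenticationProtocol"] != "deviceCode":
            known_ips[s["userPrincipalName"]].add(s["ipAddress"])
    findings = []
    for s in sorted(signins, key=lambda r: r["createdDateTime"]):
        if s["authenticationProtocol"] != "deviceCode" or s["status"]["errorCode"] != 0:
            continue
        user = s["userPrincipalName"]
        findings.append({
            "when": s["createdDateTime"],
            "user": user,
            "ip": s["ipAddress"],
            "app": s["appDisplayName"],
            "new_ip": s["ipAddress"] not in known_ips[user],
        })
    return findings


if __name__ == "__main__":
    print(json.dumps(device_code_block_policy([BREAK_GLASS_GROUP_ID]), indent=2))
    for f in triage_device_code_signins(SAMPLE_SIGNINS):
        flag = ("NEW IP, revoke sessions and check inbox rules" if f["new_ip"]
                else "known ip, verify with user")
        print(f"{f['when']} {f['user']} {f['app']} from {f['ip']}: {flag}")
```

Post the returned body to the Graph endpoint with an identity holding Policy.ReadWrite.ConditionalAccess, leave the policy in report-only until every deviceCode sign-in the triage surfaces is accounted for, then call it with enforce=True. A device-code sign-in from an address the user has never used elsewhere is the record to act on first: revoke the sessions, then look at inbox rules and newly registered devices for that account.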
Simple Steps For Users
On the user side, the biggest tell is an out-of-the-blue message asking you to head to microsoft.com/devicelogin and punch in a code. If you did not start that sign-in yourself, treat it like a fire alarm and do not enter the code, Malwarebytes advises. Users should routinely review logged-in devices, sign out any they do not recognize, check for new or strange inbox rules, and report anything suspicious to IT or their provider. Revoking active sessions and rotating credentials can cut off stolen tokens before attackers can reuse them. The usual hygiene still matters: keep systems updated, be wary of surprise attachments and actually take that security training your company keeps assigning.
Why This Is Different and Dangerous
Kali365 is especially nasty because it weaponizes a legitimate convenience feature and then sells the whole operation as a service, lowering the bar for would-be attackers. The FBI and independent researchers have highlighted the kit’s use of AI-generated lures, affiliate-style dashboards and token-sharing options that let multiple operators keep accounts on a short leash without ever learning the victim’s password, according to TechRadar. With that persistent access, threat actors can quietly scrape contacts, watch ongoing email threads for business email compromise opportunities and pivot deeper into connected systems.
If you suspect your Microsoft 365 account has been taken over, do not just change your password and move on. Preserve the original phishing emails, full headers and any unusual login information, and file a complaint with the Internet Crime Complaint Center; the FBI’s public notice spells out what evidence to collect and how to submit it, per IC3. For consumer-friendly walkthroughs on spotting scams and regaining control of accounts, Microsoft Support offers step-by-step guides on protecting identities and reporting fraud. For tenant admins, the priority is clear: lock down those Conditional Access policies and watch Entra sign-in logs for suspicious device-code activity so any breach can be caught and contained fast.