MICROSOFT 365
FBI’s Kali365 Warning Puts Microsoft Admins on the Hook
The FBI’s May 21 public service announcement told Microsoft account holders to do four things to shut down a phishing kit called Kali365. Read the fine print and a gap opens up: all four fixes live inside a corporate admin console, and the attack itself slips past the one defense most people trust, multi-factor authentication (MFA, the second-step login check like a code or app prompt).
Kali365 surfaced in April, sold over the messaging app Telegram, and it does not need your password to reach your inbox. It needs you to copy one short code into a genuine Microsoft sign-in page. That single action hands an attacker the keys.
What Kali365 Is and Why the FBI Flagged It
Kali365 is a phishing-as-a-service kit, meaning a ready-made attack platform rented out to criminals who could never build one themselves. The Federal Bureau of Investigation (FBI) described it in its advisory as a tool that captures Microsoft 365 access tokens and hijacks accounts across Outlook, Teams and OneDrive.
The selling point for buyers is convenience. The kit bundles AI-generated phishing emails, automated campaign templates, a live dashboard for tracking targeted people in real time, and the machinery to grab login tokens once a victim takes the bait. None of it requires coding skill.
The numbers underneath the warning explain why security teams paid attention this time.
- 15 minutes: the window a Microsoft device code stays valid once it is generated, per Microsoft’s own analysis.
- Up to 90 days: the default lifespan of the refresh token an attacker walks away with, long enough to keep returning quietly.
- More than 340: Microsoft 365 organizations hit by device code phishing tracked by the Cloud Security Alliance, an industry security nonprofit.

How Device Code Phishing Walks Past Your Password and MFA
Device code flow is a real Microsoft feature, built so you can sign a TV, a printer or a Teams meeting-room screen into your account by typing a short code on a phone or laptop instead of a full keyboard. Kali365 turns that convenience against you, and the steps are short enough to fit in a single email exchange.
- A phishing email arrives looking like a document share or meeting invite and tells you to enter a code on a Microsoft page.
- You visit the real microsoft.com verification page, which is exactly why nothing looks off.
- You type in the code, pass your normal login and MFA prompt, and think you are done.
- Behind the scenes that code belonged to the attacker’s session, so Microsoft issues the access and refresh tokens to them.
That is the part the headlines underplayed. The attacker gets in without your password and without triggering a fresh second-factor prompt, because you already cleared MFA on their behalf. A stolen token is a valid token, and it survives a password reset.
The Four FBI Steps Are Built for Tenant Admins
The advice itself is sound. The catch is who can carry it out. Every one of the FBI’s four steps lives inside the Microsoft 365 admin center, in a tool called Conditional Access that ordinary account holders never see and cannot touch.
Conditional Access sits in Microsoft Entra ID, the identity system that controls who signs in and how. Creating policies there needs an administrator role. If you are a single user with a personal Outlook account or a staff member without admin rights, none of these four actions is available to you.
| FBI recommendation | What it does | Who can do it |
|---|---|---|
| Block device code flow for all users | Stops the login method the attack relies on | Conditional Access admin |
| Audit existing device code usage | Finds legitimate uses before switching it off | Conditional Access admin |
| Block authentication transfer between devices | Stops a session being passed computer to phone | Conditional Access admin |
| Exclude emergency access accounts | Prevents locking yourself out of the tenant | Conditional Access admin |
Microsoft published step-by-step guidance on blocking authentication flows in Entra ID for exactly this reason. For most organizations that never use device code flow, the company already auto-applied a managed blocking policy under its Secure Future Initiative, so the protection may be switched on without anyone lifting a finger.
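The audit and block steps in the table above, and the device-code sign-ins they are meant to catch, as an added example that is not part of the article or Microsoft's own tooling. It assumes sign-in records shaped like the Microsoft Graph signIn resource (the `authenticationProtocol` field with value `deviceCode`) and a Conditional Access policy body using the Graph `authenticationFlows.transferMethods` condition; the sample records and the account id are constructed.

```python
"""Audit sign-in logs for device code flow, then build the Conditional
Access policy that blocks it while excluding emergency access accounts."""
from collections import Counter

# Constructed sample records in the shape of Graph signIn entries (assumed
# field names; values invented). One is a legitimate meeting-room device.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2",
     "appDisplayName": "Microsoft Teams", "ipAddress": "203.0.113.10"},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "ipAddress": "198.51.100.7"},
    {"userPrincipalName": "room-4a@example.com", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Teams Rooms", "ipAddress": "192.0.2.5"},
]


def device_code_signins(records):
    """Keep only sign-ins that completed through the device code flow."""
    return [r for r in records if r.get("authenticationProtocol") == "deviceCode"]


def usage_by_app(records):
    """Count device code sign-ins per application so legitimate uses
    (room systems, printers) can be identified before the flow is blocked."""
    return Counter(r["appDisplayName"] for r in device_code_signins(records))


def block_policy(emergency_account_ids, display_name="Block device code flow"):
    """Graph conditionalAccessPolicy body: block device code flow and
    authentication transfer for all users, except the break-glass accounts."""
    return {
        "displayName": display_name,
        # Start in report-only mode; switch to "enabled" after reviewing the audit.
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"],
                      "excludeUsers": list(emergency_account_ids)},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {
                "transferMethods": "deviceCodeFlow,authenticationTransfer"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def check_policy(policy):
    """Pre-flight check: never enforce an all-users block with no emergency
    access account excluded, or the tenant can lock its own admins out."""
    excluded = policy["conditions"]["users"].get("excludeUsers", [])
    if policy["state"] == "enabled" and not excluded:
        raise ValueError("refusing to enable: no emergency access account excluded")
    return True
```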
This Is the Third Act of a Pattern Running Since 2024
Device code phishing did not arrive with Kali365. The technique went mainstream in February 2025, when Microsoft detailed a device code phishing campaign run by Storm-2372, a threat group it assesses as aligned with Russian interests. That operation, active since August 2024, posed as Microsoft Teams meeting invites and went after governments, NGOs, defense, telecoms and energy targets across Europe, North America, Africa and the Middle East.
The next escalation came this April. In its breakdown of an AI-enabled device code phishing campaign, Microsoft tied a wave of attacks to a kit it tracked as EvilTokens and called it a clear step up in sophistication. The clever twist was timing: instead of mailing out a code that expires before anyone clicks, the kit generates the code at the moment the victim hits the link, keeping it live through that tight window.
Microsoft has not stayed quiet about who is profiting from this.
Microsoft is actively working to disrupt the cybercriminal ecosystems behind phishing-as-a-service and account takeover activity to protect our customers.
That statement, from a Microsoft spokesperson responding to the FBI bulletin, frames Kali365 as one product in a rental market rather than a lone tool. Kill one kit and the next is already listed for sale, which is why the company leans on built-in defaults instead of waiting for users to react.
What an Everyday Microsoft Account Holder Can Do
If you cannot reach Conditional Access, you are not defenseless. The single most useful habit is treating any code-entry request as suspect, because a legitimate service almost never emails you a code and asks you to paste it somewhere on its behalf.
- Never enter a device code you did not personally request, even on a real Microsoft page.
- Check the active sessions and registered devices in your Microsoft account security settings, and sign out anything you do not recognize.
- Switch on phishing-resistant sign-in such as a passkey or the Microsoft Authenticator app rather than relying on codes alone.
- Keep your operating system and apps patched, and avoid opening files from senders you do not know.
- If a workplace account is involved, report the email to your IT team so an admin can apply the policy fixes you cannot.
The FBI also asks anyone who suspects a compromise to file a report at its Internet Crime Complaint Center with the phishing email, suspicious login details and any unfamiliar device names attached.
Frequently Asked Questions
What Is Kali365?
Kali365 is a phishing-as-a-service kit, first seen in April 2026 and sold over Telegram, that steals Microsoft 365 login tokens to take over accounts. It packages AI-written phishing emails, campaign templates and a real-time target dashboard so buyers need no technical skill of their own.
Does Multi-Factor Authentication Stop a Kali365 Attack?
No, and that is the core problem. The attack waits until after you pass your own MFA prompt, then collects the access and refresh tokens Microsoft issues, so the attacker reuses a session you already approved rather than facing a second-factor challenge of their own.
Can a Regular Microsoft Account Holder Follow the FBI’s Four Steps?
Not directly. All four steps require Conditional Access, an administrator tool inside Microsoft Entra ID. Individual users and most staff members can ask an IT admin to apply them but cannot create the policies themselves.
How Do I Know if My Microsoft 365 Account Was Compromised?
Check your account’s recent sign-in activity, active sessions and registered devices for anything unfamiliar, and watch for inbox rules you did not create, since attackers often add rules to hide or forward mail after breaking in.
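The inbox-rule check from the answer above, as an added example that is not part of the article. It assumes rules in the shape of the Graph messageRule resource (an `actions` object with `forwardTo`, `redirectTo`, `delete` and `moveToFolder`) and a single trusted mail domain; the sample rules are constructed.

```python
"""Flag inbox rules with the traits attackers use to hide or exfiltrate mail:
forwarding or redirecting outside the tenant, or silently deleting/hiding messages."""

TENANT_DOMAIN = "example.com"  # assumed trusted domain for this tenant

# Constructed sample rules in the shape of Graph messageRule entries (assumed field names).
SAMPLE_RULES = [
    {"displayName": "Newsletters", "isEnabled": True,
     "actions": {"moveToFolder": "Newsletters"}},
    {"displayName": ".", "isEnabled": True,
     "actions": {"forwardTo": [{"emailAddress": {"address": "drop@attacker.invalid"}}],
                 "delete": True}},
    {"displayName": "Manager copy", "isEnabled": True,
     "actions": {"redirectTo": [{"emailAddress": {"address": "boss@example.com"}}]}},
]


def _external_addresses(recipients):
    """Addresses in a forwardTo/redirectTo list that fall outside the tenant domain."""
    addrs = [r["emailAddress"]["address"].lower() for r in recipients or []]
    return [a for a in addrs if not a.endswith("@" + TENANT_DOMAIN)]


def suspicious_rules(rules):
    """Return (rule name, reasons) for every enabled rule worth a manual review."""
    findings = []
    for rule in rules:
        if not rule.get("isEnabled", True):
            continue
        acts = rule.get("actions", {})
        reasons = []
        ext = _external_addresses(acts.get("forwardTo")) + \
              _external_addresses(acts.get("redirectTo"))
        if ext:
            reasons.append("sends mail outside the tenant: " + ", ".join(ext))
        if acts.get("delete"):
            reasons.append("deletes messages")
        if acts.get("moveToFolder") in ("RSS Feeds", "Archive", "Junk Email"):
            reasons.append("hides messages in a rarely checked folder")
        if len(rule.get("displayName", "").strip(" .")) == 0:
            reasons.append("near-empty rule name")
        if reasons:
            findings.append((rule.get("displayName", ""), reasons))
    return findings
```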
What Should I Do if I Entered a Device Code From a Suspicious Email?
Sign out of all active sessions immediately, reset your password, review your account’s connected devices and inbox rules, and report the incident to your IT team and the FBI’s Internet Crime Complaint Center at ic3.gov.
