FBI Warns: This Phishing Kit Breaks Into Microsoft 365 Accounts Without Stealing Your Password

The FBI has issued an alert about Kali365, a phishing-as-a-service platform that hijacks Microsoft 365 accounts by abusing a legitimate Microsoft login feature — bypassing MFA entirely. Here's how it works and what your business needs to do.

You've done everything right. You set up multi-factor authentication on your Microsoft 365 accounts. You've trained your staff not to click suspicious links or type passwords into strange-looking websites. You're following the playbook.

And a new phishing platform doesn't care about any of it.

The FBI has issued a formal advisory warning about Kali365, a phishing-as-a-service platform that can hijack Microsoft 365 accounts without ever stealing a password — and bypasses multi-factor authentication in the process. For Yuba City small businesses that rely on Microsoft 365 for email, file storage, and team communication, this one deserves your full attention.


What Is Kali365?

Kali365 is a subscription-based toolkit sold to cybercriminals — including non-technical ones — that makes running sophisticated phishing campaigns as easy as signing up for a software subscription. According to The Record from Recorded Future News, the platform was first spotted in April 2026 and has been promoted primarily through Telegram.

The price? As low as $250 for 30 days, or $2,000 for a full year. For that, subscribers get:

  • AI-generated phishing lures impersonating trusted services like Adobe, DocuSign, and SharePoint
  • Automated campaign templates available in dozens of languages, layouts, and design themes
  • Real-time dashboards for tracking targets
  • OAuth token capture — the key capability that makes this attack so dangerous

Security researchers documented hundreds of Kali365 attacks in April alone, hitting organizations across North America and Europe. The common thread in every single attack? The victims had MFA enabled.


How the Attack Actually Works

This is where things get genuinely unsettling, because the attack doesn't rely on a fake website or a typo-squatted domain. It abuses a legitimate Microsoft feature called device code flow.

If you've ever logged into Netflix or Amazon Prime on a smart TV by typing a short code into your phone, you've used device code flow. It's the technology that lets one device "borrow" an authenticated session from another. Microsoft uses it so users can sign in to Microsoft 365 on a device that doesn't have a full browser.

Here's how Kali365 weaponizes it:

  1. You receive a phishing email disguised as a message from a trusted cloud service — SharePoint, DocuSign, Adobe — asking you to verify something by visiting a Microsoft page and entering a short code.
  2. You visit a genuine Microsoft domain. The URL is real. The SSL certificate is valid. Your password manager recognizes it correctly. There are no red flags.
  3. You type in the code. You feel fine about it.
  4. You have just authorized the attacker's device to access your account. Microsoft, following its own legitimate process, hands the criminal an OAuth token — proof that you authenticated — granting them full access to your Outlook, Teams, and OneDrive.

As Graham Cluley noted on Bitdefender's Hot for Security: "The criminals are never asked to answer an MFA challenge, because as far as Microsoft is concerned the victim already has."

No fake website to spot. No misspelled domain. No password stolen. The single captured token can unlock multiple cloud apps and be shared with others and reused — meaning one employee's mistake can become a wide-ranging security incident.

Incident responders at Arctic Wolf also found that after capturing tokens, attackers in some cases created malicious inbox rules to suppress security notification emails — quietly extending the time they could operate inside the account undetected.


What Your Business Should Do Right Now

MFA is still worth having — it stops a huge range of attacks. But Kali365 is a reminder that MFA alone isn't a complete security strategy. Here's what actually helps against this specific threat:

1. Block Device Code Flow in Microsoft Entra ID

This is the FBI's top recommendation. If your organization doesn't have a legitimate need for device code flow (most small businesses don't), create a Conditional Access policy in Microsoft Entra ID to block it outright. If you're unsure how to do this, it's worth a conversation with your IT provider. Just make sure to exclude emergency access accounts so you don't accidentally lock yourself out.
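For an IT provider doing this through the Microsoft Graph API rather than the portal, here is an added example (not from the FBI advisory or the original post) that builds the Conditional Access request body and includes an audit check you can run over policies already in the tenant. It assumes the Graph conditionalAccessPolicy field names shown in the comments; the emergency account ID is a placeholder.

```python
import json

# Placeholder: object ID of your break-glass / emergency access account (constructed value).
EMERGENCY_ACCOUNT_ID = "00000000-0000-0000-0000-000000000000"

def build_block_device_code_policy(exclude_users):
    """Return a Graph conditionalAccessPolicy body (POST /identity/conditionalAccess/policies)
    that blocks the device code flow for all users and all apps, except the excluded accounts.
    Assumption: the tenant's Graph version exposes conditions.authenticationFlows."""
    return {
        "displayName": "Block device code flow",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(exclude_users)},
            "applications": {"includeApplications": ["All"]},
            # transferMethods is a comma-separated flag string, e.g. "deviceCodeFlow,authenticationTransfer"
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }

def policy_blocks_device_code(policy):
    """Audit check for a policy fetched from GET /identity/conditionalAccess/policies:
    True only if it is enforced (not report-only), scopes all users, targets the
    device code flow and its grant control is 'block'."""
    cond = policy.get("conditions", {}) or {}
    methods = (cond.get("authenticationFlows") or {}).get("transferMethods") or ""
    return (
        policy.get("state") == "enabled"
        and "All" in (cond.get("users") or {}).get("includeUsers", [])
        and "deviceCodeFlow" in [m.strip() for m in methods.split(",")]
        and "block" in (policy.get("grantControls") or {}).get("builtInControls", [])
    )

def has_lockout_safeguard(policy, emergency_ids):
    """True if every emergency access account is excluded, so the policy cannot lock admins out."""
    excluded = set(((policy.get("conditions") or {}).get("users") or {}).get("excludeUsers", []))
    return set(emergency_ids) <= excluded

if __name__ == "__main__":
    policy = build_block_device_code_policy([EMERGENCY_ACCOUNT_ID])
    print(json.dumps(policy, indent=2))
    print("blocks device code:", policy_blocks_device_code(policy))
    print("emergency accounts excluded:", has_lockout_safeguard(policy, [EMERGENCY_ACCOUNT_ID]))
```

Run the two check functions over every policy the tenant returns: a policy that is only in report-only mode, or that forgot the exclusion, fails one of them.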

2. Roll Out Phishing-Resistant MFA

Standard MFA (SMS codes, authenticator app push notifications) doesn't protect against this attack. Hardware security keys — physical devices that tie authentication to something you physically hold — are far harder to circumvent because they require the actual key to be present. The FBI advisory specifically recommends phishing-resistant MFA as a countermeasure.

3. Train Your Staff on This Specific Scenario

General phishing training ("don't click suspicious links") won't help here, because the link goes to a real Microsoft page. Your team needs to understand one clear rule: if an email asks you to enter a code on any website — even a legitimate one — verify the request through a completely separate channel before doing it. Call the person. Use Slack. Don't just trust the email.

This is especially important for employees who handle finances, HR data, or have admin access to your 365 environment.

4. Review OAuth Token Permissions Regularly

Inside your Microsoft 365 admin center, you can review third-party app permissions and connected OAuth tokens. Make it a habit to audit what has access to your environment. Revoke anything unfamiliar.

5. Enable Audit Logging and Monitor for Anomalies

Arctic Wolf noted that attackers set up inbox rules to hide their activity. Turn on unified audit logging in Microsoft 365 and watch for unusual inbox rules, unexpected forwarding configurations, or logins from unfamiliar geographic locations.
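As an added example that is not part of the original post, the check below ties the Arctic Wolf observation above (inbox rules that hide security notifications) to the monitoring in this step: it runs over a constructed sample of Entra ID sign-in records and Unified Audit Log inbox-rule records, flags device code flow sign-ins and alert-hiding rules, and raises a high-confidence finding when the same user shows both within an hour. Field names mirror those log formats; the alert keywords and sample data are constructed.

```python
from datetime import datetime, timedelta
# Terms a criminal would filter out to hide Microsoft's own warnings (constructed list).
ALERT_TERMS = ("security alert", "unusual sign-in", "new sign-in", "mfa", "password")
# Inbox rule parameters that make a matching message disappear from view.
HIDING_ACTIONS = {"DeleteMessage", "SoftDeleteMessage", "MoveToFolder", "MarkAsRead"}

# Constructed sample log: the sign-in entry mimics Entra ID sign-in logs, where
# authenticationProtocol == "deviceCode" marks a device code flow sign-in; the
# Exchange entries mimic Unified Audit Log New-InboxRule records.
SAMPLE_LOG = [
    {"type": "signIn", "userPrincipalName": "jdoe@example.com", "ipAddress": "203.0.113.7",
     "createdDateTime": "2026-04-14T09:02:11Z", "authenticationProtocol": "deviceCode"},
    {"type": "exchange", "UserId": "jdoe@example.com", "Operation": "New-InboxRule",
     "CreationTime": "2026-04-14T09:05:40Z",
     "Parameters": [{"Name": "SubjectContainsWords", "Value": "unusual sign-in"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"type": "exchange", "UserId": "mlee@example.com", "Operation": "New-InboxRule",
     "CreationTime": "2026-04-14T10:00:00Z",
     "Parameters": [{"Name": "SubjectContainsWords", "Value": "newsletter"},
                    {"Name": "MoveToFolder", "Value": "Reading"}]},
]

def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def is_suppression_rule(record):
    """True for a New/Set-InboxRule that hides mail matching a security-alert term."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return False
    p = {x["Name"]: str(x["Value"]) for x in record.get("Parameters", [])}
    text = " ".join(p.get(k, "") for k in
                    ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords")).lower()
    return any(t in text for t in ALERT_TERMS) and any(k in p for k in HIDING_ACTIONS)

def find_findings(records, window_minutes=60):
    """Return (user, reason) pairs: every device code sign-in, every suppression
    rule, and a HIGH finding when one user shows both within window_minutes."""
    findings, device_code_at = [], {}
    for r in records:
        if r.get("type") == "signIn" and r.get("authenticationProtocol") == "deviceCode":
            device_code_at[r["userPrincipalName"]] = _ts(r["createdDateTime"])
            findings.append((r["userPrincipalName"], "device code flow sign-in from " + r["ipAddress"]))
    for r in records:
        if r.get("type") == "exchange" and is_suppression_rule(r):
            user = r["UserId"]
            findings.append((user, "inbox rule hides security alerts"))
            seen = device_code_at.get(user)
            if seen and abs(_ts(r["CreationTime"]) - seen) <= timedelta(minutes=window_minutes):
                findings.append((user, "HIGH: alert-hiding rule created soon after device code sign-in"))
    return findings
```

Feed it exported sign-in and audit records instead of SAMPLE_LOG; once device code flow is blocked (step 1), any "deviceCode" sign-in that still appears is itself worth a look.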

6. Know Where to Report

If your organization is affected, the FBI's Internet Crime Complaint Center at ic3.gov is the right place to file a report.


The Bigger Picture

Kali365 is part of a broader trend: cybercrime is professionalizing. Platforms like this lower the barrier to entry so dramatically that even people with zero technical background can run enterprise-grade attacks against small businesses. Cybersecurity firms Proofpoint, IBM, and Huntress all noted in April that Kali365 isn't alone — there are multiple similar platforms offering the same capabilities.

For small businesses in particular, the risk is real. You don't need to be a high-profile target. You just need to be in someone's email list.

If you're not sure whether your Microsoft 365 environment is configured to block device code flow, or you want help auditing your OAuth permissions and reviewing your conditional access policies, our business IT services are available to walk through that with you — no pressure, just practical help.

The technology is doing its job. The gap is in knowing which legitimate features attackers are now turning against you.


If you believe your Microsoft 365 account has been compromised, report it to the FBI at ic3.gov and contact your IT provider immediately.
