FBI Warns: ‘Kali365’ Phishing Service Targets Microsoft 365 Accounts
ID: 59947067-cd47-5562-b34c-9fd74817909f
STIX ID: report--59947067-cd47-5562-b34c-9fd74817909f
Feed Name: TechRepublic Security
The FBI warns of Kali365, a phishing-as-a-service offering first seen in April 2026 that abuses Microsoft’s OAuth device code authentication flow to capture access and refresh tokens and bypass MFA, enabling persistent access to Microsoft 365 services (Outlook, Teams, OneDrive). Kali365 is distributed via Telegram and uses AI-generated lures, automated templates, and real-time victim tracking. It tricks users into entering device codes on legitimate Microsoft pages so that attackers can link the resulting sessions to attacker-controlled devices. Security firms observed mailbox access, malicious inbox rules, and registered devices. The FBI recommends auditing or restricting device code flow via Conditional Access, blocking authentication transfer policies, reviewing suspicious sessions and preserving phishing artifacts, and reporting incidents to law enforcement.
