Microsoft 365 users are under attack from a sophisticated phishing-as-a-service platform called Kali365 that weaponizes the company’s own legitimate device-code authentication flow, the FBI confirmed in a May 2026 advisory. First detected in April 2026, the campaign tricks employees into entering a one-time code on Microsoft’s authentic login page, handing attackers persistent account access without the victim ever seeing a fake login form.

The warning highlights a dangerous evolution in phishing: rather than spoofing a sign-in page, Kali365 manipulates the real thing. Because the entire interaction happens on legitimate Microsoft domains, traditional link-scanning filters and even security-savvy users can be duped.

How Device-Code Phishing Works

Device-code authentication is a standard OAuth 2.0 flow designed for input-constrained devices. When a smart TV, IoT gadget, or shared meeting-room panel can’t display a browser, it shows a short code and instructs the user to visit https://microsoft.com/devicelogin on a phone or computer. After entering that code, the user signs in with their Microsoft credentials—right on Microsoft’s own page—and grants the device access. This flow is used by thousands of organizations daily for legitimate purposes.

Kali365 exploits this flow by initiating a device-code request as an attacker. The phishing-as-a-service platform automates the process: it obtains a valid user code and verification URL from Microsoft, then prompts the victim to go to the real Microsoft site and input the code. Instead of a fake login, the victim sees Microsoft’s genuine interface—complete with the correct URL, branding, and certificate. Once they authenticate and consent, the attacker receives access and refresh tokens, effectively hijacking the account.

“Because the user never enters credentials on a fake page, multi-factor authentication offers no protection,” explains the FBI’s Internet Crime Complaint Center (IC3) in its May 2026 public service announcement. “The attacker simply inherits the session tokens, which can be used for email access, data exfiltration, or lateral movement within an organization.”

The Phishing Flow in Detail

  1. Attacker initiates a device-code flow using a script or the Kali365 dashboard, receiving a user_code and verification_uri from Microsoft’s login.microsoftonline.com.
  2. The attacker crafts an email or message that looks like an IT notification: “Your Microsoft 365 account requires device enrollment. Please go to Microsoft’s device login page and enter code ABC123.”
  3. The victim, trusting the legitimate Microsoft URL, navigates to microsoft.com/devicelogin and enters the code.
  4. The victim signs in with their username, password, and MFA—completing the authentication on a real Microsoft page.
  5. Microsoft issues access and refresh tokens to the attacker’s device (since the attacker controls the initial device-code request).
  6. The attacker now has full access to the victim’s Microsoft 365 account, including email, OneDrive, SharePoint, and Teams, with tokens that can remain valid for hours or even days.

Kali365: Phishing-as-a-Service with a Twist

Kali365 isn’t just a one-off tool; it’s a commercial kit sold on underground forums, enabling even low-skilled threat actors to launch campaigns. According to the FBI advisory, the platform includes phishing templates, real-time dashboard monitoring, and token capture capabilities. It automates the entire device-code flow—from generating codes to proxying the authentication session to the victim and exfiltrating the tokens.

What sets Kali365 apart is its emulation of a legitimate help-desk or IT onboarding scenario. Attackers often send emails claiming, “Your company requires you to enroll this new device” or “Click here to connect your Microsoft 365 account to our secure mail app.” The victim, expecting a quick verification, visits the genuine Microsoft /devicelogin page and enters the provided code—unaware they are linking an attacker’s device. Because the page is real, browsers show the green lock icon and Microsoft’s verified certificate, leaving no visual cue of a scam.

Timeline of the Threat

  • April 2026: Security researchers first observe Kali365 being advertised on dark-web marketplaces and being used in targeted attacks against North American and European enterprises. Initial campaigns focus on financial services and healthcare organizations.
  • Early May 2026: Multiple Microsoft 365 tenants report suspicious device-code grants. Investigation reveals the common tooling of Kali365, including unique user-agent strings and IP addresses linked to bulletproof hosting.
  • Mid-May 2026: The FBI’s IC3 releases a public service announcement warning of the phishing scheme, specifically naming Kali365 as a “high-confidence” indicator of compromise. The PSA includes mitigation guidance and urges immediate reporting of incidents.
  • Ongoing: Microsoft has updated its Entra ID sign-in logs to flag anomalous device-code authentications, but the flow remains enabled by default for all tenants. Researchers continue to track new Kali365 campaigns across multiple verticals.

Why This Is So Dangerous

Traditional phishing simulates a login screen. It can be detected by mismatched domains, typos, or missing SSL certificates. But Kali365 sidesteps all that: the user interacts exclusively with “login.microsoftonline.com”. Even a vigilant employee who hovers over links and checks the URL will see a legitimate Microsoft address.

Moreover, MFA—the cornerstone of modern identity protection—is rendered useless. In a device-code attack, the user completes MFA themselves as part of the genuine login. The resulting session token is then transparently captured by the attacker. From Microsoft’s perspective, the login appears completely legitimate: a user authenticated with strong credentials and MFA from a trusted IP and device (since the token issuance is indistinguishable from a real session).

“This is not a flaw in Microsoft’s implementation,” notes the FBI advisory. “Device-code authentication is by design a user-consented flow. Attackers are simply abusing the intended functionality.”

Enterprise Impact

Organizations using Microsoft 365 face several tangible risks once an account is compromised via Kali365:

  • Persistent access: The stolen tokens often have extended validity—up to 90 days for refresh tokens in some configurations—allowing attackers to maintain access for weeks without re-authentication.
  • Email snooping and Business Email Compromise (BEC): Compromised accounts can be used to read sensitive correspondence, send internal phishing emails, or launch payment redirection schemes. Attackers can set up forwarding rules to siphon future messages.
  • OneDrive and SharePoint data theft: Access tokens grant entry to cloud storage, enabling download of entire document libraries, intellectual property, and customer data.
  • Lateral movement via Teams: Attackers can message colleagues, distribute malware, or request password resets from IT support, exploiting trust relationships.
  • Regulatory and compliance fallout: A data breach resulting from device-code phishing may violate HIPAA, GDPR, or PCI-DSS, leading to fines and reputation damage.

Cybersecurity firm Red Canary, in a separate analysis, noted that device-code attacks are particularly challenging to detect because they lack the typical fingerprints of a malicious login: no impossible travel, no suspicious IP, no unusual device. Only after deep analysis of non-interactive sign-in logs can security teams spot the initial device-code request originating from an unmanaged or unknown IP—often buried in noise.

How to Protect Your Organization

While no single defense is bulletproof, a combination of policy, monitoring, and education can dramatically reduce the risk from Kali365 and similar attacks.

1. Implement Conditional Access to Block or Restrict Device-Code Flow

Entra ID Conditional Access allows administrators to deny or restrict device-code authentication. A key policy is to block all device-code logins from unmanaged devices or outside trusted networks. However, this must be done carefully: many legitimate scenarios—such as shared meeting-room devices, IoT sensors, or industrial control systems—rely on this flow. Enterprises should first audit their usage via sign-in logs and then enforce:

  • Require device compliance or hybrid-join for all interactive sign-ins.
  • Block or limit the “device” authentication protocol in Conditional Access policies.
  • Use authentication strengths to mandate phishing-resistant MFA (e.g., FIDO2 or Windows Hello for Business) for high-risk logins.

Navigate to Microsoft Entra admin center → Protection → Conditional Access → New policy, target “All cloud apps,” and under “Conditions” select “Authentication flows.” Uncheck “Device code flow” to block all such attempts. For a more granular approach, apply the policy only to users or groups that do not require device-code authentication.

2. Educate Users on the Device-Code Tactic

Security awareness training must now include the device-code scenario. Employees should be taught that no legitimate IT department will ever send a code and ask them to enter it at microsoft.com/devicelogin unless they have specifically requested device enrollment. When in doubt, they should contact IT directly—not follow email instructions. Phishing simulations that include device-code lures can reinforce this training.

3. Monitor Sign-In Logs for Anomalous Device Grants

Microsoft Entra ID sign-in logs record device-code authentications under the “authentication protocol” field. Look for:

  • High number of device-code sign-ins from a single account or IP address.
  • Users who have never used device-code flow suddenly doing so.
  • Device-code requests originating from unfamiliar locations, ASNs, or anonymous proxies.
  • Successful sign-ins with unknown or newly created device IDs.

Use Kusto Query Language (KQL) in Microsoft Sentinel to create alerts:

SigninLogs
| where AuthenticationProtocol == "deviceCode"   // device-code grants only
| summarize Count = count() by UserPrincipalName, IPAddress
| where Count > 1

Integrate these findings with SOAR playbooks to automatically revoke sessions and notify admins.
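As an added example (not code from the FBI advisory, Microsoft or Red Canary), the following Python applies the four checks listed above to constructed records shaped like the Sentinel SigninLogs table, and also gives the per-user usage audit that step 1 calls for before any block is enforced; the baseline sets, ASN numbers, device IDs and addresses are assumed values.

```python
"""Detect anomalous device-code sign-ins in records shaped like Entra ID SigninLogs.

Added example, not code from the FBI advisory, Microsoft or Red Canary. Field
names follow the Sentinel SigninLogs table; all records, baseline sets, ASNs
and device IDs below are constructed/assumed values, not real telemetry.
"""
from collections import Counter

# Assumed baseline: accounts that legitimately use device-code flow, ASNs the
# organisation recognises, and device IDs already registered.
KNOWN_DEVICE_CODE_USERS = {"meetingroom@example.com"}
KNOWN_ASNS = {8075}
KNOWN_DEVICE_IDS = {"dev-room-01"}

def rec(upn, ip, proto, asn, dev, result="0"):
    """Build one constructed sign-in record (ResultType "0" = success)."""
    return {"UserPrincipalName": upn, "IPAddress": ip, "AuthenticationProtocol": proto,
            "AutonomousSystemNumber": asn, "DeviceDetail": {"deviceId": dev},
            "ResultType": result}

RECORDS = [
    rec("meetingroom@example.com", "203.0.113.10", "deviceCode", 8075, "dev-room-01"),
    rec("alice@example.com", "198.51.100.7", "deviceCode", 64496, "dev-unknown-9"),
    rec("bob@example.com", "198.51.100.7", "deviceCode", 64496, ""),
    rec("carol@example.com", "192.0.2.55", "none", 8075, "dev-laptop-3"),
]

def device_code_users(records):
    """Audit for step 1: which accounts actually use device-code flow, and how often."""
    return Counter(r["UserPrincipalName"] for r in records
                   if r["AuthenticationProtocol"] == "deviceCode")

def device_code_findings(records, ip_threshold=2):
    """Apply the four step-3 checks; return (reason, upn, ip) tuples."""
    dc = [r for r in records if r["AuthenticationProtocol"] == "deviceCode"]
    per_ip = Counter(r["IPAddress"] for r in dc)  # same grouping as the KQL summarize
    findings = []
    for r in dc:
        upn, ip = r["UserPrincipalName"], r["IPAddress"]
        if upn not in KNOWN_DEVICE_CODE_USERS:
            findings.append(("first device-code use for this user", upn, ip))
        if r["AutonomousSystemNumber"] not in KNOWN_ASNS:
            findings.append(("device-code sign-in from unfamiliar ASN", upn, ip))
        if r["ResultType"] == "0" and r["DeviceDetail"]["deviceId"] not in KNOWN_DEVICE_IDS:
            findings.append(("successful sign-in with unknown device id", upn, ip))
        if per_ip[ip] >= ip_threshold:
            findings.append(("multiple device-code sign-ins from one IP", upn, ip))
    return findings
```

On the constructed records the known meeting-room account produces no findings, while the two accounts sharing an unfamiliar IP and ASN trip every check.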

4. Disable Legacy Authentication and Tighten Controls

While device-code flow is not “legacy” per se, many organizations already block legacy authentication via Conditional Access. Extend that block to include the device-code flow where not needed. In the same Conditional Access policy blade, use the “Client apps” condition to block “Mobile apps and desktop clients” that use old protocols, and pair it with the authentication flows condition.

5. Deploy Phishing-Resistant MFA

Although MFA won’t prevent device-code phishing itself, moving to FIDO2 security keys or certificate-based authentication raises the bar for token theft. If attackers can’t replay a passwordless credential, they may fail to complete the device-code consent if your tenant requires a stronger authentication method for device registration. Combine this with Authentication Contexts that require a higher assurance level for sensitive operations.

Microsoft’s Response

Microsoft has acknowledged the abuse of device-code flow in regular security updates. In a support article updated in early 2026, the company notes: “While device code flow is designed for legitimate scenarios, it can be misused in consent phishing attacks. We recommend reviewing your Conditional Access policies and using Authentication Contexts to protect sensitive actions.” However, Microsoft has not deprecated the feature because many commercial and industrial devices depend on it.

The FBI’s PSA directly addresses Microsoft 365 administrators: “If your organization does not use device-code authentication for legitimate business purposes, consider disabling it through Azure AD Conditional Access policies. If it is required, apply strict network and device compliance policies.”

The Bigger Picture: Phishing-as-a-Service Evolution

Kali365 is just one entry in a booming underground ecosystem. Phishing-as-a-service (PhaaS) platforms have drastically lowered the barrier to entry for cybercrime. For a few hundred dollars a month, criminals get turnkey kits that include phishing pages, proxy services to bypass MFA, and real-time token capture interfaces. Kali365’s innovation is its focus on device codes, a vector that has received less attention than adversary-in-the-middle (AitM) tools like Evilginx.

Security experts expect this trend to continue, with attackers chaining multiple OAuth flows to overcome new defenses. As Microsoft and other identity providers improve credential phishing detection, token theft—especially through legitimate flows—will become the dominant threat. Recent research shows a 300% increase in token replay attacks over the past year, and device-code abuse is a growing subset of that trend.

What’s Next

The FBI advises any organization that identifies suspicious device-code logins to review all accounts that successfully authenticated via that flow, reset their passwords, revoke associated session tokens, and conduct a full compromise assessment. Enterprises should also report incidents to the Internet Crime Complaint Center (IC3).

Meanwhile, the cybersecurity community is calling on Microsoft to provide more granular controls over device-code authentication—such as requiring an admin approval for each code, or allowing tenants to default-disable the flow entirely. For now, the burden rests on administrators to proactively lock down this increasingly exploited vector.

As phishing schemes grow more sophisticated, the lesson is clear: when attackers can leverage the very mechanisms designed to keep accounts safe, vigilance and proactive policy become the last line of defense. The Kali365 campaign serves as a stark reminder that the most dangerous threats often wear a trusted face—in this case, Microsoft’s own login screen. Organizations that wait for a vendor fix may find themselves nursing a breach that no MFA could have stopped.