The FBI issued an urgent warning to Microsoft 365 administrators on May 21, 2026, detailing a sophisticated phishing-as-a-service operation known as Kali365 that exploits Microsoft’s device-code authentication flow to silently hijack corporate accounts. This campaign marks a sharp escalation in OAuth token theft, allowing attackers to bypass multifactor authentication entirely and maintain persistent access to sensitive data across Outlook, Teams, SharePoint, and OneDrive.

Kali365 is not a lone exploit but a commercialized phishing kit sold on underground forums, complete with web panels that simulate legitimate Microsoft login pages and automated backends that capture tokens in real time. The FBI’s alert, distributed through its Cyber Division and the Internet Crime Complaint Center (IC3), underscores the growing threat facing organizations that have not locked down the device-code flow—a lesser-known but increasingly abused entry point in the identity attack chain.

Anatomy of a Device‑Code Phishing Attack

Device‑code authentication is intended for input‑constrained devices—smart TVs, IoT gadgets, or CLI tools—that lack a full browser. The flow works by displaying a short alphanumeric code and a URL (e.g., https://microsoft.com/devicelogin). The user navigates to that URL on a secondary device, enters the code, and authenticates. The original device polls Microsoft’s servers and eventually receives an OAuth token tied to the authenticated user.

Kali365 hijacks this legitimate process with deceptive precision. An attacker first programmatically initiates a device‑code request to the Microsoft identity platform, obtaining a user_code and a verification_uri. The attacker then crafts an email, SMS, or instant message—often disguised as an IT department notice or a SharePoint collaboration invite—instructing the target to visit the Microsoft device login page and enter the provided code.

What the victim sees is a genuine Microsoft login interface; the URL is authentic, the TLS certificate is valid, and the entire sequence happens on Microsoft’s own infrastructure. Because no malicious domain or credential‑harvesting page is involved, traditional phishing filters and secure email gateways rarely flag the message. Once the victim completes sign‑in—often using a second factor—the attacker’s polling device receives a full OAuth 2.0 access token and refresh token. From that moment, the attacker can access every Microsoft 365 resource that the user is entitled to, without ever seeing or stealing a password.

“Device‑code phishing is particularly dangerous because it completely circumvents MFA,” explained a Microsoft security researcher in a recent advisory. “The token is issued after the user successfully authenticates—MFA included—so the attacker enjoys the same trust level as the legitimate owner.”

Inside the Kali365 Phishing‑as‑a‑Service Ecosystem

Kali365 commoditizes this technique into a turnkey service. The kit comprises three core components:

  • A command‑and‑control (C2) dashboard that orchestrates campaigns, tracks active sessions, and manages obtained tokens.
  • A token capture engine that continuously polls the Microsoft OAuth endpoint and logs successful authentications.
  • A phishing template generator that creates convincing lure emails mimicking SharePoint alerts, Teams meeting invites, or voicemail notifications.

Prices on dark web forums range from $500 for a one‑month rental to $2,500 for a perpetual license with support and updates. The FBI noted that Kali365 operators also offer a “managed service” tier, where they conduct the attack end‑to‑end for a cut of the proceeds—typically 20% of any extortion or data‑theft profit.

The low barrier to entry has fueled a surge in incidents. According to the FBI alert, the Internet Crime Complaint Center received over 300 reports tied to device‑code phishing in the first quarter of 2026 alone, with losses exceeding $18 million. Those numbers likely undercount the true scope, as many organizations detect the breach only when data exfiltration or lateral movement is already underway.

Real‑World Impact: From Token Theft to Total Compromise

Once an attacker holds a valid OAuth token, the damage cascades quickly. The token grants access to the victim’s email, calendar, contacts, and files. Attackers often start by searching mailboxes for financial data, credentials in chat logs, or password‑reset emails. With the “Full Access” token scope that Kali365 requests by default, they can read, write, and forward messages, create inbox rules to conceal their activity, and download entire SharePoint document libraries.

In one case detailed by the FBI, a mid‑sized manufacturing firm fell victim after a finance manager received a WhatsApp message purporting to be from the company’s MSP. The message contained a device code and a link to microsoft.com/devicelogin, presented as a mandatory security update. Within minutes of the manager authenticating, the Kali365 operator gained persistent access to the finance team’s shared mailbox and a SharePoint site containing wire‑transfer instructions. The attacker injected a fraudulent invoice redirecting $240,000 to a mule account before the security team noticed the anomaly.

Because the authentication event was legitimate—the user logged in from their own IP address, passed MFA, and the token was issued by Microsoft—standard identity protection alerts in Azure Active Directory (now Microsoft Entra ID) remained silent. The breach was discovered only when the CFO queried the unexpected outbound transfer two days later.

Microsoft’s Authentication Architecture Under the Microscope

Microsoft has long provided guidance on securing device‑code flow, but many organizations remain unaware that the feature is enabled by default for any Azure AD tenant that does not explicitly block it. The device_code grant type is part of the OAuth 2.0 Device Authorization Grant (RFC 8628) and is supported by the Microsoft identity platform for personal Microsoft accounts and work/school accounts.

Critically, there is no tenant‑wide admin toggle to disable device‑code flow through the Azure portal—it must be blocked using Conditional Access policies or by configuring authentication methods in the Microsoft Graph API. This creates a disconnect: administrators who follow basic security hygiene often assume that standard “block legacy authentication” controls cover the risk, but device‑code flow is not considered legacy authentication. It uses modern OAuth 2.0 and therefore sails right through.

Microsoft’s own documentation warns that “the device authorization grant is intended for devices that can’t use a browser or have limited input capabilities,” and recommends that organizations “block the device code flow using Conditional Access policies when not needed.” Yet the FBI noted that fewer than 12% of Microsoft 365 tenants have implemented such policies, even among Fortune 500 companies.

FBI Recommendations and Immediate Mitigations

The FBI’s alert included a list of actionable steps for network defenders:

  1. Audit device‑code flow usage. Use Azure AD sign‑in logs to search for the device_code grant type. Filter by Application ID 04b07795-8ddb-461a-bbee-02f9e1bf7b46 (the first‑party Microsoft Azure CLI application, often used in phishing) and look for suspicious geographic patterns.
  2. Block device‑code flow where not required. Implement a Conditional Access policy targeting the grant type device_code and set the control to “Block access.” Exclude devices or service accounts that legitimately use the flow only after rigorous review.
  3. Restrict the default “Microsoft Azure CLI” application. This widely available app is frequently abused because it requests broad permissions. Create an app‑specific Conditional Access policy that blocks the Azure CLI application ID (04b07795-8ddb-461a-bbee-02f9e1bf7b46) for all users who do not need it.
  4. Enhance token security. Enable Continuous Access Evaluation (CAE) to shorten token lifetime, and use Entra ID’s token protection policies to bind tokens to a specific device.
  5. Educate users. Train staff to recognize the device‑code login prompt and to report any unexpected request to enter a code at microsoft.com/devicelogin.
  6. Monitor for anomalous token usage. Inspect Unified Audit Logs for unfamiliar application IDs accessing mailboxes or SharePoint sites, and set up alerts when a known phishing app identifier (such as the Kali365 C2 panel’s client ID) appears.
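The first three steps above (audit device-code sign-ins, block the flow with Conditional Access, and single out the Azure CLI application) can be worked through offline on exported sign-in data. The script below is an added example written for this article; it is not code from the FBI alert or from Microsoft. It assumes sign-in records shaped like Microsoft Graph `signIn` objects (`appId`, `userPrincipalName`, `authenticationProtocol`, `ipAddress`, `location.countryOrRegion`, `createdDateTime`) and builds a Conditional Access policy body for the Graph `conditionalAccessPolicy` `authenticationFlows` condition with the `deviceCodeFlow` transfer method. The Azure CLI application ID is the one quoted in the alert; every other record, ID and address is constructed.

```python
"""Triage Entra ID sign-in records for device-code flow abuse and build the
Conditional Access policy body that blocks the flow.

Added example for this article; not code from the FBI alert or Microsoft.
Sign-in records are assumed to follow the Microsoft Graph `signIn` shape, and
the policy body targets the `authenticationFlows` Conditional Access condition.
All sample records below are constructed.
"""
from collections import Counter, defaultdict

# First-party Azure CLI application ID named in the FBI alert.
AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"
# Constructed placeholder standing in for an ordinary first-party app (not a real ID).
OFFICE_APP_ID = "00000000-0000-0000-0000-00000000aaaa"


def signin(sid, upn, app, proto, ip, country, when):
    """Build one constructed sign-in record in Graph `signIn` shape."""
    return {"id": sid, "userPrincipalName": upn, "appId": app,
            "authenticationProtocol": proto, "ipAddress": ip,
            "location": {"countryOrRegion": country}, "createdDateTime": when}


# Constructed sample data: routine browser sign-ins plus three device-code events.
SAMPLE_SIGNINS = [
    signin("s1", "alice@example.com", OFFICE_APP_ID, "none", "203.0.113.10", "US", "2026-05-20T09:01:00Z"),
    signin("s2", "alice@example.com", OFFICE_APP_ID, "none", "203.0.113.10", "US", "2026-05-20T13:15:00Z"),
    signin("s3", "alice@example.com", AZURE_CLI_APP_ID, "deviceCode", "198.51.100.7", "US", "2026-05-21T08:42:00Z"),
    signin("s4", "bob@example.com", OFFICE_APP_ID, "none", "192.0.2.44", "GB", "2026-05-20T10:00:00Z"),
    signin("s5", "bob@example.com", OFFICE_APP_ID, "deviceCode", "198.51.100.9", "NL", "2026-05-21T08:50:00Z"),
    signin("s6", "carol@example.com", OFFICE_APP_ID, "none", "192.0.2.80", "DE", "2026-05-20T11:00:00Z"),
    signin("s7", "carol@example.com", AZURE_CLI_APP_ID, "deviceCode", "198.51.100.9", "NL", "2026-05-21T08:55:00Z"),
]


def user_baseline_countries(signins):
    """Countries each user normally signs in from, built from non-device-code sign-ins only."""
    baseline = defaultdict(Counter)
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            baseline[s["userPrincipalName"]][s["location"]["countryOrRegion"]] += 1
    return baseline


def triage_device_code_signins(signins):
    """Return every device-code sign-in, scored by the indicators the alert lists.

    Indicators: the Azure CLI first-party app was the client, and the sign-in
    country does not appear in that user's baseline. Higher score = review first.
    """
    baseline = user_baseline_countries(signins)
    findings = []
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            continue
        user = s["userPrincipalName"]
        country = s["location"]["countryOrRegion"]
        reasons = []
        if s.get("appId") == AZURE_CLI_APP_ID:
            reasons.append("azure-cli-app")
        if baseline.get(user) and country not in baseline[user]:
            reasons.append(f"new-country:{country}")
        findings.append({"id": s["id"], "user": user, "ip": s["ipAddress"],
                         "when": s["createdDateTime"], "score": 1 + len(reasons),
                         "reasons": reasons})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


def build_block_device_code_policy(excluded_group_ids=()):
    """Conditional Access policy body (Graph `conditionalAccessPolicy`) that blocks device-code flow.

    Starts in report-only mode so the sign-in logs reveal who would be blocked
    before the policy is switched to "enabled". Pass reviewed exception groups
    (e.g. a service-account group) as excluded_group_ids.
    """
    return {
        "displayName": "Block device code flow",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": list(excluded_group_ids)},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    for f in triage_device_code_signins(SAMPLE_SIGNINS):
        print(f"score={f['score']} {f['id']} {f['user']} {f['when']} {f['reasons']}")
    print(build_block_device_code_policy(["<placeholder-exception-group-id>"]))
```

On the constructed data the Azure CLI sign-in from a country the user has never used before ranks first, and the two sign-ins with a single indicator tie below it. The policy dictionary is what you would POST to the Graph `identity/conditionalAccess/policies` endpoint; leave it in report-only state until the device-code sign-ins it would block have all been reviewed, as step 2 advises.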

The FBI also urged victims to report incidents to IC3, noting that rapid reporting can help trace the infrastructure and prevent further damage. The full Private Industry Notification (PIN) was distributed to Information Sharing and Analysis Centers (ISACs) and is available on the FBI’s Protected Voice internet portal for vetted partners.

Why This Attack Bypasses Traditional Defenses

Kali365’s success highlights a fundamental weakness in perimeter‑based security models. Because the entire authentication transaction occurs on Microsoft’s servers, no phishing link is embedded in the lure email. URL rewriting services such as Safe Links see a legitimate Microsoft URL. DMARC, DKIM, and SPF checks on the sender’s domain are irrelevant if the attacker uses a compromised internal account or a look‑alike domain that already passes email authentication.

Multi‑factor authentication—often hailed as the silver bullet against credential phishing—provides no barrier here. The token is minted only after the user successfully completes MFA, so the attacker effectively piggybacks on that completed authentication. Even phishing‑resistant MFA such as FIDO2 security keys does not stop the attack, because the user is authenticating to the legitimate Microsoft service, not to a fake page.

This forces organizations to shift from a “verify the user” mindset to a “verify the device and the intent” mindset. Conditional Access policies that evaluate device compliance, sign‑in risk, and continuous access evaluation become the primary defense, but they require mature identity governance and a clear understanding of modern authentication flows.

The Bigger Picture: OAuth Token Theft Is the New Credential Theft

Kali365 is part of a broader trend in which cybercriminals are moving away from password stealing and toward token theft. Last year, Microsoft reported a 147% increase in token replay attacks, and the 2025 Verizon Data Breach Investigations Report noted that the use of stolen credentials and tokens overtook phishing as the top initial access vector for the first time.

The appeal is clear: tokens provide seamless access to multiple applications, often with elevated permissions, and they can remain valid for days or weeks if refresh tokens are abused. Furthermore, token theft leaves a much lighter forensic footprint than brute‑forcing or credential stuffing, making it harder for SOC teams to detect.

Kali365’s emergence as a phishing‑as‑a‑service kit accelerates this shift. With the technical heavy lifting abstracted behind a slick web interface, even low‑skilled attackers can launch campaigns. The kit’s operators handle the infrastructure, token capture, and even provide after‑action reports, while the customers simply supply a target list and a lure template.

What Organizations Can Do Right Now

For IT and security leaders, the Kali365 alert is a call to action that extends beyond a single phishing kit. The following steps will not only mitigate device‑code phishing but also strengthen the broader identity posture:

  • Inventory all OAuth applications in use. Review the Azure AD Enterprise Applications list and remove or restrict any app that requests excessive permissions. Pay special attention to first‑party Microsoft apps like Azure CLI and PowerShell that are often used in device‑code attacks.
  • Implement risk‑based Conditional Access. Require compliant devices and low‑risk sign‑in for all cloud applications. Combine user risk and sign‑in risk signals from Entra ID Protection to automatically block suspicious token requests.
  • Adopt the principle of least privilege. Review and right‑size permissions granted to service principals and user consent. Deny user consent to unverified publishers and block the “Users can consent to apps accessing company data on their behalf” setting.
  • Deploy token‑theft detection tools. Solutions like Microsoft Defender for Cloud Apps can detect unusual token activity, such as a token being used from a geo‑improbable location shortly after issuance.
  • Run tabletop exercises. Simulate a device‑code phishing attack against your own tenant to test detective controls and incident response playbooks. Use the open‑source “TokenTactics” or “AADInternals” tools in a controlled environment to mimic Kali365’s behavior.
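The token-theft detection bullet above describes the signal to look for: one session's token used from a geo-improbable location shortly after issuance. The script below is an added example written for this article, not a Microsoft Defender for Cloud Apps feature or code from any product. It assumes audit events that carry a `SessionId`, a UTC `CreationTime`, the user, the operation, and the latitude/longitude of the client IP; in practice those coordinates would come from a GeoIP lookup of the `ClientIP` field in Unified Audit Log records. All events below are constructed.

```python
"""Flag a session token used from geographically improbable locations
(impossible travel) shortly after issuance.

Added example for this article; not product code. Assumes audit events with a
SessionId, a UTC CreationTime and GeoIP-derived Lat/Lon for the client IP.
All sample events below are constructed.
"""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0   # roughly airliner cruise speed
MIN_DISTANCE_KM = 50.0      # ignore GeoIP jitter within one metro area


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two lat/lon points, in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def parse_utc(ts):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def event(session_id, user, op, when, country, lat, lon):
    """Build one constructed audit event."""
    return {"SessionId": session_id, "UserId": user, "Operation": op,
            "CreationTime": when, "Country": country, "Lat": lat, "Lon": lon}


# Constructed sample: S-1 is a login in New York followed 40 minutes later by
# mailbox access from Lagos on the same session; S-2 is an ordinary day in England.
SAMPLE_EVENTS = [
    event("S-1", "alice@example.com", "UserLoggedIn", "2026-05-21T10:00:00Z", "US", 40.7128, -74.0060),
    event("S-1", "alice@example.com", "MailItemsAccessed", "2026-05-21T10:40:00Z", "NG", 6.5244, 3.3792),
    event("S-2", "bob@example.com", "UserLoggedIn", "2026-05-21T09:00:00Z", "GB", 51.5074, -0.1278),
    event("S-2", "bob@example.com", "FileDownloaded", "2026-05-21T12:00:00Z", "GB", 53.4808, -2.2426),
]


def find_impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Group events by session, order them in time, and flag any consecutive pair
    that would require travelling faster than max_kmh between client locations."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["SessionId"]].append(e)

    alerts = []
    for session_id, evs in by_session.items():
        evs = sorted(evs, key=lambda e: parse_utc(e["CreationTime"]))
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev["Lat"], prev["Lon"], cur["Lat"], cur["Lon"])
            if km < MIN_DISTANCE_KM:
                continue
            hours = (parse_utc(cur["CreationTime"]) - parse_utc(prev["CreationTime"])).total_seconds() / 3600
            # Two locations at the same instant is the strongest possible signal.
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                alerts.append({"session_id": session_id, "user": cur["UserId"],
                               "from": prev["Country"], "to": cur["Country"],
                               "km": round(km), "hours": round(hours, 2),
                               "kmh": round(speed), "operation": cur["Operation"]})
    return alerts


if __name__ == "__main__":
    for a in find_impossible_travel(SAMPLE_EVENTS):
        print(f"ALERT session={a['session_id']} user={a['user']} {a['from']}->{a['to']} "
              f"{a['km']} km in {a['hours']} h ({a['kmh']} km/h) during {a['operation']}")
```

The session ID is the key: the user's own browser login and the attacker's later use of the stolen token share one session, so a jump of thousands of kilometres within the hour stands out even though each event on its own is a valid, MFA-backed request. The 50 km floor keeps GeoIP noise inside one city from paging the on-call engineer.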

The Road Ahead

Microsoft has yet to announce any platform‑level changes in response to the Kali365 alert, but the company is under increasing pressure from enterprise customers to provide a tenant‑wide device‑code block toggle and to make device‑code authentication an opt‑in feature rather than opt‑out. In the meantime, the FBI’s proactive warning serves as a rare public glimpse into an attack vector that many organizations have overlooked.

As workforces increasingly rely on cloud collaboration and mobile devices, the line between “trusted” and “untrusted” authentication flows will continue to blur. The Kali365 phishing kit is unlikely to be the last—or the most sophisticated—abuse of legitimate OAuth mechanics. Defenders must adapt now by treating tokens with the same scrutiny as passwords and by architecting identity systems that verify context continuously, not just at the moment of login.

The FBI’s message is unambiguous: if your organization hasn’t locked down the device‑code flow, assume it is already being exploited. The window between token theft and catastrophic data loss is measured in minutes, not hours.