The FBI’s Internet Crime Complaint Center (IC3) issued an urgent alert in May 2026 about Kali365, a newly identified phishing‑as‑a‑service platform that is systematically hijacking Microsoft 365 accounts by abusing the OAuth device‑code authentication flow. Unlike traditional credential‑harvesting attacks that can be stopped by multi‑factor authentication, Kali365 tricks users into granting full access tokens to the attacker, sidestepping the very MFA protections organizations have spent years rolling out. First spotted in April 2026, the platform has already been linked to multiple intrusions targeting government agencies, financial services firms, and healthcare organizations across North America and Europe, making it one of the most dangerous phishing tools seen since the infamous Evilginx proxy kits.
The FBI’s warning underscores a hard truth for security teams: the OAuth 2.0 device authorization grant, designed to let input‑constrained devices like smart TVs and IoT gadgets sign in securely, can be repurposed by attackers to obtain tokens that represent an authenticated user—without ever capturing a password. This isn’t a zero‑day vulnerability. It’s a feature working exactly as documented, yet its abuse leaves many organizations completely blind because typical security tools focus on credential‑based or email‑based phishing, not on real‑time token theft that occurs via a legitimate Microsoft authentication endpoint.
Understanding the OAuth device code flow
The device code flow, standardized in RFC 8628, was created for devices that lack a browser or have a limited input interface. When a user wants to sign into an app on such a device, the app first calls Microsoft’s identity platform with a client ID and receives a device code and a user code. It then prompts the user to visit microsoft.com/devicelogin on a separate browser‑capable device and enter the short user code. The user authenticates and grants consent, and the app polls silently until it receives an access token and, optionally, a refresh token.
This flow is secure in its intended scenario because the user is physically present at the device and initiates the login. The threat actor’s insight is that the user code and the microsoft.com/devicelogin URL can be presented to the victim via a phishing page or email, tricking them into performing the authentication step themselves. Because the victim uses their legitimate browser session—complete with any existing cookies, MFA approvals, and Conditional Access policies that rely on browser‑based interactions—the resulting token is indistinguishable from one the attacker would obtain if they were the user.
How Kali365 weaponizes the device code flow
Kali365 operates as a turnkey phishing‑as‑a‑service offering. Attackers subscribe to the platform, customize a lure (often a fake Microsoft login page themed around a SharePoint file share, a Teams invite, or a OneDrive document), and launch a campaign. Here is the typical attack chain observed by researchers and detailed in the IC3 alert:
- Delivery: The victim receives a sophisticated email containing a link to a weaponized page hosted on Kali365 infrastructure. The email may mimic internal IT notifications, colleague file‑sharing requests, or vendor invoices.
- Redirection to Microsoft’s legitimate device login page: Instead of presenting a mocked‑up credential form, the phishing page automatically triggers a device code request to Microsoft’s /oauth2/v2.0/devicecode endpoint using a legitimate Azure AD application registered by the attacker. Within seconds, the page displays the user code and instructs the victim to visit microsoft.com/devicelogin to “verify your identity” or “access the document.”
- Victim performs the authentication: Believing they are following a standard Microsoft verification step, the victim types the code. Because they are accessing the authentic Microsoft domain, their browser communicates directly with Azure AD, including any session cookies, MFA challenges, and Conditional Access evaluations. The victim completes MFA and grants consent to the attacker’s app.
- Token hand‑over: The Kali365 backend polls the device code endpoint and receives a fresh access token and refresh token. These tokens can now be used to access the victim’s email, OneDrive, Teams chats, and other services depending on the scopes requested.
- Persistence and lateral movement: Attackers often request scopes like offline_access, Mail.Read, Files.ReadWrite.All, and User.Read to ensure long‑term access. Because the attacker holds a refresh token, they can maintain persistence even after the user changes their password, as long as the application remains consented.
A particularly insidious aspect of Kali365 is that it uses automated tooling to register new Azure AD applications on the fly, each with slightly different display names and publisher domains, making it difficult for security teams to spot a single malicious app. The platform also rotates its own infrastructure, routing traffic through compromised virtual private servers and using domain generation algorithms to stay ahead of blocklists.
Why MFA isn’t enough in this attack
Multi‑factor authentication remains the single most effective control against credential stuffing and bulk phishing. However, device code phishing subverts MFA because the attacker never handles the user’s password or interacts with the MFA prompt directly. The victim completes the MFA challenge on the real Microsoft site as part of a legitimate OAuth flow. From Azure AD’s perspective, the sign‑in event appears to originate from a browser using a previous session—all the expected signals are present: the correct IP, a valid MFA claim, and sometimes even a compliant device posture if the victim authenticates from a managed workstation.
This technique exposes the inherent limitation of any MFA solution that relies on user intent verification at the time of initial authentication. Once a user has approved an MFA prompt for a legitimate‑looking request, the resulting token carries the full authority of that user. Attackers are not “bypassing” MFA in the cryptographic sense; they are tricking the user into performing the MFA step for them. In the security community, this is known as a token replay or consent phishing attack, and Kali365 has industrialized it.
Scale and impact of the Kali365 campaign
The IC3 report places the first active Kali365 campaigns in early April 2026. Over the following six weeks, the FBI tracked more than 2,300 phishing domains associated with the platform, targeting victims in at least 18 countries. Victims include large enterprises, state and local government bodies, and small businesses using Microsoft 365. In several documented cases, attackers used stolen tokens to download entire SharePoint libraries, exfiltrate executive emails, and establish persistent mail flow rules that forward sensitive messages externally.
Because the attack leverages a legitimate Microsoft flow, detection rates have been alarmingly low. A survey conducted by an incident response firm cited in the FBI notice found that 72% of organizations breached via Kali365 discovered the intrusion only after data exfiltration was complete. Standard SIEM rules hunting for impossible travel or suspicious IP sign‑ins often missed the activity because the sign‑in events were attributed to the victim’s own IP address and browser.
How to detect and block device code phishing
Defending against Kali365 requires a layered strategy that blends user education, identity configuration hardening, and robust monitoring. Security teams should immediately implement the following measures:
- Disable the device code flow if it isn’t needed: The device code grant is rarely required in a typical enterprise. Azure AD and Entra ID allow administrators to block this authentication method entirely via authentication methods policies or authentication flows policies. A blanket disable removes the attack surface, though organizations using devices that rely on it (e.g., certain mobile apps tested on desktop emulators, meeting room equipment, or legacy services) must first identify legitimate use cases.
- Use Conditional Access to block or tightly control device code authentications: If disabling the flow outright isn’t feasible, create a Conditional Access policy that targets the “device code” grant type. Signal details include the client app type (the user’s side appears as Browser, but the underlying grant can still be restricted). More importantly, enforce authentication strengths that require phishing‑resistant MFA methods like FIDO2 security keys or certificate‑based authentication. Conditional Access can also require a compliant device, which is much harder for a remote attacker to simulate, though this won’t help if the victim is on a compliant device.
- Leverage authentication context for high‑risk applications: Azure AD allows associating policies with specific authentication contexts. If an attacker registers a new multi‑tenant application, you can force it through a Conditional Access policy that demands step‑up authentication or blocks it outright if it hasn’t been pre‑approved.
- Monitor Azure AD sign‑in logs for device code events: In Microsoft Entra ID, sign‑in logs capture the authentication protocol used. Filter for “device code” to reveal all such events. Look for anomalies like a sudden surge in device code authentications from a specific user, device codes being redeemed shortly after a phishing campaign was reported, or device code flows from IP ranges or browsers not typically associated with IoT devices.
- Review application consent grants regularly: Kali365 inserts attacker‑controlled apps into the victim’s tenant. A weekly audit of Azure AD enterprise applications—especially those with high permissions—can flag suspicious apps. Pay attention to apps with publisher domains that don’t match the expected organization, apps with very generic descriptions, and apps requesting broad Mail and Files scopes.
- Implement App Governance add‑on features: Microsoft 365 organizations with E5 or appropriate Defender for Cloud Apps licensing can use App Governance to detect anomalous app behavior, such as rapid data download patterns or app access from unusual geolocations.
- Educate users about the microsoft.com/devicelogin page: Most users have never seen the device login page. Train them that unless they are explicitly setting up a new TV or IoT device, any request to visit that URL and enter a code is a scam. Include this in annual phishing awareness courses and send simulated device code phishing campaigns to measure susceptibility.
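As an added illustration (not part of the IC3 alert or any vendor tooling), the following Python runs the two log checks described above over a handful of constructed rows shaped like Entra ID SigninLogs records: it builds each user’s IP baseline from their non‑device‑code sign‑ins, flags a device code sign‑in from an IP outside that baseline, and flags a burst of device code sign‑ins for one user inside a short window. Field names follow the Sentinel SigninLogs table; the users, IPs, app names and thresholds are assumptions for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data shaped like Entra ID SigninLogs rows (Sentinel field names);
# users, IPs and app names are made up for this demo.
def rec(ts, upn, ip, proto, app):
    return {"TimeGenerated": ts, "UserPrincipalName": upn, "IPAddress": ip,
            "AuthenticationProtocol": proto, "AppDisplayName": app}

SAMPLE_SIGNINS = [
    rec("2026-05-03T08:00:00Z", "alice@example.com", "198.51.100.10", "none", "Microsoft Teams"),
    rec("2026-05-03T08:05:00Z", "alice@example.com", "198.51.100.10", "none", "SharePoint Online"),
    # device code redemption for alice from an IP she has never signed in from before
    rec("2026-05-03T09:12:00Z", "alice@example.com", "203.0.113.77", "deviceCode", "Document Viewer"),
    rec("2026-05-03T08:30:00Z", "bob@example.com", "198.51.100.22", "none", "Microsoft Teams"),
    # three device code sign-ins for bob within ten minutes: a burst, even from his usual IP
    rec("2026-05-03T09:13:00Z", "bob@example.com", "198.51.100.22", "deviceCode", "Document Viewer"),
    rec("2026-05-03T09:15:00Z", "bob@example.com", "198.51.100.22", "deviceCode", "Document Viewer"),
    rec("2026-05-03T09:20:00Z", "bob@example.com", "198.51.100.22", "deviceCode", "Document Viewer"),
    # carol: a single device code sign-in from her usual IP, e.g. a meeting room device she set up
    rec("2026-05-03T10:00:00Z", "carol@example.com", "192.0.2.5", "none", "Microsoft Teams"),
    rec("2026-05-03T10:30:00Z", "carol@example.com", "192.0.2.5", "deviceCode", "Teams Rooms"),
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def find_device_code_anomalies(records, burst_threshold=3, window=timedelta(hours=1)):
    # Baseline: IPs each user has used through any protocol other than device code.
    baseline = defaultdict(set)
    for r in records:
        if r["AuthenticationProtocol"] != "deviceCode":
            baseline[r["UserPrincipalName"]].add(r["IPAddress"])
    alerts, dc_times = [], defaultdict(list)
    for r in sorted(records, key=lambda r: r["TimeGenerated"]):
        if r["AuthenticationProtocol"] == "deviceCode":
            user = r["UserPrincipalName"]
            if r["IPAddress"] not in baseline[user]:
                alerts.append(("unseen_ip", user, r["IPAddress"], r["AppDisplayName"]))
            dc_times[user].append(parse_ts(r["TimeGenerated"]))
    for user, times in dc_times.items():
        start = 0  # sliding window over this user's device code sign-ins, oldest first
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= burst_threshold:
                alerts.append(("burst", user, end - start + 1))
                break
    return alerts
```

Against the sample rows the function returns one unseen_ip alert for alice and one burst alert for bob, and nothing for carol; in production the same logic would run over a SigninLogs export filtered to the last 30 days.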
Microsoft’s response and enhancements
Despite the inherent design of the device code flow, Microsoft has implemented several defenses that can blunt the impact of tools like Kali365. The identity protection stack in Entra ID can evaluate user risk and sign‑in risk in real time, and organizations can configure risk‑based Conditional Access policies. Additionally, the introduction of authentication strength policies allows admins to mandate phishing‑resistant MFA for specific grant types.
Microsoft also improved Defender detection logic for this attack pattern. Microsoft 365 Defender and Microsoft Sentinel now include analytics rules that surface suspicious device code flows, particularly when the redemption IP differs from the user’s normal patterns or when a flurry of device code requests precedes a consent grant to a previously unseen application. These detections, however, require the appropriate licensing tier and careful tuning.
The company’s threat intelligence team has been issuing takedown requests against Kali365 domains, but the platform’s distributed and agile architecture—along with its payment model that operates via cryptocurrency—makes enforcement difficult. The FBI’s alert includes recommendations that align with Microsoft’s security best practices, and both organizations stress that organizations cannot rely on MFA alone to stop token‑based phishing.
The bigger picture: phishing‑as‑a‑service evolution
Kali365 is not the first platform to abuse OAuth flows, but its sophistication and turnkey nature represent an alarming trend. Phishing kits have moved far beyond static credential‑harvesting pages; they now automate the entire token‑acquisition chain, handle captchas, and even integrate with chat‑based command‑and‑control. By abstracting the technical complexity, these services open the door for lower‑skilled criminals to execute advanced attacks that would previously have required deep knowledge of OAuth and Azure AD internals.
The commercialisation of such platforms also accelerates attack velocity. In a world where a fresh campaign can be launched with a few configuration tweaks, the window between detection and weaponisation narrows dramatically. Security teams must adopt an assume‑breach mindset, continuously validate that their identity‑centric controls are tuned for token theft scenarios, and invest in tooling that can inspect not just authentication events but the post‑authorization activity—such as anomalous Graph API calls or unusual data transfers from SharePoint and OneDrive.
Practical steps for immediate hardening
For organizations that need to act now before a Kali365 campaign reaches their user base, the following steps provide the most immediate risk reduction:
- Check if the device code flow is in use: Run a Kusto query against Azure AD sign‑in logs: SigninLogs | where AuthenticationProtocol == "deviceCode". If zero results appear over 30 days, block the flow.
- Block the device code grant: In the Azure portal, navigate to Entra ID > Security > Authentication methods > Policies > Settings, or use the newer authentication flows policy to disable the device code grant type.
- Enforce FIDO2 or CBA for all admins: Phishing‑resistant MFA is immune to token replay because it binds the credential to the session. Expand this to all users over time.
- Deploy an app consent‑based alert: Create a playbook that sends a high‑priority notification whenever a new application with Mail.Read or Files.ReadWrite.All scopes is consented to by a user.
- Conduct a device code phishing simulation: Use open‑source tools or commercial platforms to send a benign device code phishing test and measure how many employees would enter the code.
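The consent alert from the steps above, written out as an added Python example (not from the FBI notice or from Microsoft): it reads constructed audit log rows shaped like Entra ID “Consent to application” entries, extracts the granted Scope list from the ConsentAction.Permissions property, raises an alert when Mail.Read or Files.ReadWrite.All (or offline_access, which is what yields a refresh token) was granted, and raises the priority when the consenting user redeemed a device code shortly before and the app has not been reviewed, the pattern the Microsoft detections above key on. The record layout is simplified, and the users, app names, known‑app list and 30‑minute lookback are assumptions.

```python
import re
from datetime import datetime, timedelta

# High-value scopes: the two named in the steps above, plus offline_access (it yields a refresh token).
RISKY_SCOPES = {"Mail.Read", "Files.ReadWrite.All", "offline_access"}

# Constructed samples. The consent rows mirror the shape of an Entra ID audit log
# "Consent to application" entry, with the granted Scope embedded in the
# ConsentAction.Permissions property the way the portal exports it (simplified here).
SAMPLE_CONSENTS = [
    {"TimeGenerated": "2026-05-03T09:14:30Z", "OperationName": "Consent to application",
     "InitiatedBy": "alice@example.com", "AppDisplayName": "Document Viewer",
     "ConsentAction.Permissions": "[] => [[ConsentType: Principal, Scope: offline_access Mail.Read Files.ReadWrite.All User.Read]]"},
    {"TimeGenerated": "2026-05-03T11:00:00Z", "OperationName": "Consent to application",
     "InitiatedBy": "carol@example.com", "AppDisplayName": "Expense Tracker",
     "ConsentAction.Permissions": "[] => [[ConsentType: Principal, Scope: User.Read]]"},
]
# Device code sign-ins (SigninLogs rows with AuthenticationProtocol == "deviceCode"), also constructed.
SAMPLE_DEVICE_CODE_SIGNINS = [
    {"TimeGenerated": "2026-05-03T09:12:00Z", "UserPrincipalName": "alice@example.com"},
]
KNOWN_APPS = {"Expense Tracker"}  # apps the security team has already reviewed (constructed)

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def granted_scopes(consent):
    """Pull the space-separated Scope list out of the ConsentAction.Permissions string."""
    m = re.search(r"Scope:\s*([^,\]]+)", consent["ConsentAction.Permissions"])
    return set(m.group(1).split()) if m else set()

def consent_alerts(consents, device_code_signins, known_apps=KNOWN_APPS, lookback=timedelta(minutes=30)):
    """One alert per consent that grants a risky scope; priority rises when the consenting
    user redeemed a device code shortly before and the app has not been seen before."""
    alerts = []
    for c in consents:
        if c["OperationName"] != "Consent to application":
            continue
        risky = granted_scopes(c) & RISKY_SCOPES
        if not risky:
            continue
        t = parse_ts(c["TimeGenerated"])
        preceded = any(s["UserPrincipalName"] == c["InitiatedBy"]
                       and timedelta(0) <= t - parse_ts(s["TimeGenerated"]) <= lookback
                       for s in device_code_signins)
        unseen = c["AppDisplayName"] not in known_apps
        alerts.append({"user": c["InitiatedBy"], "app": c["AppDisplayName"],
                       "risky_scopes": sorted(risky), "after_device_code": preceded,
                       "unseen_app": unseen, "priority": "high" if preceded and unseen else "medium"})
    return alerts
```

On the sample data only the Document Viewer consent fires, at high priority, because alice redeemed a device code two and a half minutes earlier and the app is not on the reviewed list.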
Final word
The FBI’s warning about Kali365 should serve as a call to action for every Microsoft 365 administrator. Device code phishing bypasses the MFA investments that have long been the cornerstone of identity security, yet the controls to stop it—disabling an unnecessary legacy flow, adopting phishing‑resistant MFA, and monitoring token issuance patterns—are readily available in the Entra ID stack. In the ongoing cat‑and‑mouse game between attackers and defenders, the organizations that treat token theft as a first‑class threat and adjust their security posture accordingly will be the ones that stay ahead of the next Kali365 iteration.