The FBI has issued an urgent public warning about Kali365, a phishing-as-a-service platform that weaponizes device code authentication to steal Microsoft 365 access tokens. The alert, released in May 2026, confirms that threat actors have been actively abusing the platform since April 2026 to compromise accounts and gain persistent access to corporate emails, Teams chats, and cloud storage through hijacked OAuth tokens.
Device code authentication is a legitimate login method designed for devices that cannot run a full browser, such as smart TVs, game consoles, or CLI tools. A user enters a short alphanumeric code displayed by the application into a separate web browser, which then completes the authentication. Attackers manipulate this flow to trick victims into granting access to their accounts without ever needing a password.
Kali365 automates the entire process, lowering the barrier for cybercriminals who lack deep technical skills. It operates as a turnkey solution: for a subscription fee, a criminal receives a phishing kit that generates convincing lures, captures device codes, and harvests the resulting tokens. The platform even includes a dashboard where operators can manage captured sessions and monitor the real-time status of compromised accounts.
How Device Code Phishing Works
The attack exploits a fundamental trust in the OAuth 2.0 device authorization grant. When a user attempts to authenticate on a constrained device, Microsoft Entra ID issues a device code and a verification URL. The user is instructed to visit microsoft.com/devicelogin and enter the code. Behind the scenes, the client application polls the authorization server until the user completes the flow.
An attacker initiates the same process, obtains a valid device code, and then sends that code to a target—typically via email, SMS, or a malicious web page. The phishing message poses as a Microsoft security alert or an IT team request, urging the recipient to “verify their identity” by entering the code. If the victim complies, the attacker’s polling client instantly receives a set of tokens: an access token, a refresh token, and an ID token. These tokens grant the attacker the same permissions the victim holds in Microsoft 365, including read/write access to Outlook messages, Teams conversations, OneDrive files, and SharePoint sites.
What makes device code phishing especially dangerous is that it bypasses most multi‑factor authentication (MFA) measures. Since the victim is logging into what appears to be a legitimate Microsoft page—actually the genuine device login portal—MFA prompts are triggered as normal. The user might approve a push notification or enter a one-time code, believing they are securing their own session. In reality, they are completing the attacker’s login.
Inside the Kali365 Platform
Kali365 was first observed in April 2026 on a dark web forum known for peddling cybercrime tools. Researchers from multiple threat intelligence firms quickly identified it as a polished, commercial‑grade service. According to the FBI’s alert, numbered I-050226-PSA, the platform offers tiered subscription plans starting at around $300 per month. Premium tiers include features such as automated spear‑phishing templates, 24/7 support, and even a “token guarantee” that replaces tokens if a victim revokes access.
The platform’s backend is written in Python and leverages Microsoft’s own authentication libraries to interact with Entra ID. It generates device codes in bulk and continuously polls the token endpoint. Once a token is captured, it is stored in an encrypted database and presented to the subscriber in a user-friendly GUI. The GUI also displays metadata about the token, including the user’s display name, email address, role, and the scopes granted. Subscribers can then export the token for use in tools like TokenTactics or AADInternals, or directly interact with the Microsoft Graph API through Kali365’s built-in interface.
Kali365 does not stop at token harvesting. It also provides post‑exploitation modules that allow attackers to search mailboxes for sensitive keywords, exfiltrate attachments, and set up inbox rules to forward future messages. One particularly alarming module automates the registration of malicious applications in the victim’s Entra ID tenant, enabling persistent access even if the user changes their password. This application‑based persistence is a growing trend in business email compromise (BEC) campaigns.
The Attack in Action
To understand the real‑world impact, consider a typical attack sequence. A Kali365 subscriber crafts an email impersonating the recipient’s IT department. The email states that a required security update must be completed, and provides a device code along with a link to microsoft.com/devicelogin. The message even includes the recipient’s first name and company logo, scraped from LinkedIn, to bolster credibility.
When the victim clicks the link and enters the code, they see a standard Microsoft sign‑in page. Everything looks correct: the URL bar shows login.microsoftonline.com, and the page asks for a password followed by an MFA prompt. The victim satisfies the prompts, and the page displays “You are now signed in. Please return to your device.” For the victim, nothing seems amiss.
Behind the scenes, the attacker’s script has just received a token that grants access to the victim’s Microsoft 365 account. The attacker then immediately enriches the token’s permissions by requesting additional scopes via incremental consent, often using a forged OAuth consent screen that the victim might have already approved in the past. Within minutes, the attacker can read emails, download files from OneDrive, and send messages on behalf of the victim—all without raising a single alert.
What the FBI Recommends
The FBI’s public warning outlines several immediate steps organizations should take to defend against device code phishing:
- Disable device code authentication for unmanaged devices unless absolutely necessary. Administrators can restrict the device code flow to trusted devices via conditional access policies in Microsoft Entra.
- Monitor for suspicious device code usage. The Entra ID sign‑in logs include the field authenticationProtocol with a value of deviceCode. Regularly reviewing these logs for unexpected device code sign‑ins can help detect attacks early.
- Educate users about the device login process. Employees should be trained to treat unsolicited device codes with extreme skepticism—no legitimate IT department will send a device code out of the blue.
- Implement risk‑based conditional access. Policies that require additional authentication factors or block sign‑ins from unfamiliar locations or devices can thwart token‑based attacks.
- Review and limit OAuth permissions. Many organizations have numerous third‑party applications with excessive privileges. Auditing and restricting these permissions minimizes the damage a token can cause.
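The monitoring recommendation above can be turned into a simple triage pass over exported sign-in records. The following is an added example, not code from the FBI alert or from Microsoft: it runs over a constructed sample of Entra ID sign-in records (field names follow the Graph signIn resource, values are invented), keeps only successful sign-ins whose authenticationProtocol is deviceCode, and rates each one against a hypothetical per-user baseline of countries and the device's compliance state.

```python
import json

# Constructed sample of Entra ID sign-in log records (invented values, not real
# tenant data); field names follow the Microsoft Graph signIn resource.
SAMPLE_SIGNINS = json.loads("""[
 {"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode",
  "status": {"errorCode": 0}, "location": {"countryOrRegion": "NL"},
  "deviceDetail": {"isCompliant": false}, "appDisplayName": "Microsoft Office"},
 {"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode",
  "status": {"errorCode": 0}, "location": {"countryOrRegion": "US"},
  "deviceDetail": {"isCompliant": true}, "appDisplayName": "Azure CLI"},
 {"userPrincipalName": "carol@example.com", "authenticationProtocol": "oAuth2",
  "status": {"errorCode": 0}, "location": {"countryOrRegion": "US"},
  "deviceDetail": {"isCompliant": true}, "appDisplayName": "Outlook"},
 {"userPrincipalName": "dave@example.com", "authenticationProtocol": "deviceCode",
  "status": {"errorCode": 50126}, "location": {"countryOrRegion": "BR"},
  "deviceDetail": {"isCompliant": false}, "appDisplayName": "Microsoft Office"}
]""")

# Hypothetical per-user baseline: countries seen in that user's earlier sign-ins.
BASELINE_COUNTRIES = {"alice@example.com": {"US"}, "bob@example.com": {"US"}}


def triage_device_code_signins(records, baseline):
    """Return one finding per successful deviceCode sign-in, rated by how far
    it departs from the user's usual location and device posture."""
    findings = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        # A non-zero errorCode means no tokens were issued for this attempt.
        if r.get("status", {}).get("errorCode", 0) != 0:
            continue
        user = r["userPrincipalName"]
        country = r.get("location", {}).get("countryOrRegion")
        compliant = bool(r.get("deviceDetail", {}).get("isCompliant"))
        reasons = []
        if country not in baseline.get(user, set()):
            reasons.append(f"unfamiliar country {country}")
        if not compliant:
            reasons.append("non-compliant device")
        # Any device code sign-in is worth a look; deviations raise it to high.
        severity = "high" if reasons else "medium"
        findings.append({"user": user, "app": r.get("appDisplayName"),
                         "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage_device_code_signins(SAMPLE_SIGNINS, BASELINE_COUNTRIES):
        print(finding)
```

On the sample, alice's sign-in is rated high (new country, unmanaged device) and bob's medium; carol's OAuth sign-in and dave's failed attempt are not reported.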
Additionally, the FBI urges victims to report incidents to the Internet Crime Complaint Center (IC3) immediately. Details provided by victims can help law enforcement track the infrastructure behind Kali365 and other similar platforms.
Microsoft's Countermeasures
Microsoft is aware of the threat and has been adding proactive defenses. In early 2026, the company introduced a preview feature that allows administrators to block device code authentication entirely for certain users or groups. Conditional access now includes a specific condition for “authentication flow,” so policies can target device code sign‑ins with granularity.
Microsoft also enhanced its sign‑in risk detection algorithms to flag anomalous device code usage. For example, if a device code is issued in one geographic region and redeemed from a completely different location within seconds, the sign‑in is marked as high risk and may be subject to automated remediation, such as token revocation.
Despite these measures, the fundamental design of the device authorization grant makes it difficult to eliminate the threat altogether. As long as device code authentication remains enabled, attackers will find ways to trick users. The FBI alert stresses that the most effective defense is user awareness combined with strict conditional access policies.
Protecting Your Organization
Beyond the FBI’s recommendations, security teams should consider these additional steps:
- Disable device code flow for all non‑privileged users. Audit your Entra ID tenant settings and, if device code usage is not required, create a conditional access policy that blocks it. Many organizations have no legitimate need for device code authentication and can simply turn it off.
- Deploy an advanced anti‑phishing solution. Traditional secure email gateways often miss device code phishing lures because they lack malicious links or attachments. Look for solutions that use natural language processing to detect social engineering patterns.
- Harden mobile device management (MDM) policies. Since attackers may use tokens to access Microsoft Teams or Outlook from unmanaged devices, enforcing device compliance checks before granting access can stop the token from being used.
- Regularly review OAuth consent grants. Use the Microsoft Graph API or third‑party tools to audit which applications have been granted consent. Revoke any suspicious or unused grants immediately.
- Conduct simulated device code phishing exercises. Test your users’ susceptibility by sending benign device codes and tracking who enters them. Use the results to tailor training.
A Growing Threat
Kali365 is not an isolated phenomenon. The success of device code phishing has spawned several copycat platforms, and underground forums buzz with discussions about improving token‑based attacks. Security researchers warn that as Microsoft strengthens other authentication flows, adversaries will increasingly target this lesser‑known vector.
The FBI alert serves as a stark reminder that even when users enable MFA and follow best practices, creative social engineering can still breach accounts. Organizations must adopt a defense‑in‑depth strategy that assumes users will occasionally be fooled, and layers technical controls to minimize the damage.
For Windows and Microsoft 365 administrators, the time to act is now. Review your authentication policies, harden your conditional access rules, and make sure every employee knows that an unexpected device code is a threat, not a routine check. The Kali365 platform may have been uncovered, but the technique it weaponizes is likely here to stay.