The FBI has issued an urgent public warning about a phishing-as-a-service platform called Kali365 that is systematically targeting Microsoft 365 accounts by abusing device-code authentication. The May 21, 2026, alert details how this service captures OAuth tokens to bypass multi-factor authentication, granting attackers persistent access to corporate data.

Kali365 represents a dangerous shift in credential theft. Instead of stealing passwords, it steals authenticated sessions — tokens that are fully verified by Microsoft’s identity platform. Once an attacker holds a valid token, they can interact with Exchange Online, SharePoint, Teams, and other services as if they were the legitimate user, often without triggering additional authentication prompts.

Understanding Device-Code Authentication

Device-code authentication is a legitimate OAuth 2.0 flow designed for input-constrained devices like smart TVs, IoT gadgets, or command-line tools. It allows a user to sign in on a secondary device by visiting a URL and entering a short code displayed on the primary device.

The flow works like this:

  1. The device or application requests a device code from Microsoft’s authorization server.
  2. The server returns a user code and a verification URL.
  3. The application shows the user the code and instructs them to visit the URL on another device.
  4. The user enters the code at that URL and completes authentication (including MFA if required).
  5. Meanwhile, the original device polls the server. Once authentication succeeds, it receives an access token and a refresh token.

This method is widely used by legitimate Microsoft services and third-party apps, including Microsoft’s own command-line tools and Azure PowerShell; phishing toolkits drive the very same flow.

How Kali365 Exploits the Flow

Kali365 weaponizes this process through a subscription-based phishing kit. Attackers purchase access to the platform, which generates unique device-code URLs and codes. The attacker then sends a phishing email — often disguised as a Microsoft Teams message, SharePoint file share, or urgent IT notice — that directs employees to visit the legitimate Microsoft verification page and enter a code.

Unlike traditional credential phishing, the user never enters a password on a fake site. They visit the real microsoft.com/devicelogin page, enter the attacker’s code, and authenticate securely. The victim sees the standard Microsoft sign-in experience, completes MFA, and believes they’ve done nothing wrong. Meanwhile, the attacker’s script, which has been polling the authorization server, receives an access token tied to the victim’s identity.

This token allows the attacker to:

  • Read and exfiltrate emails
  • Access SharePoint and OneDrive files
  • Modify Teams settings or send internal messages
  • Persist in the environment using refresh tokens that can last weeks or months
  • Move laterally if the victim has privileged access

Why MFA Doesn’t Stop It

Multi-factor authentication is a critical defense, but device-code phishing sidesteps it cleanly. The attacker never intercepts credentials and has no need for them: when the victim completes MFA as part of the device-code flow, they are satisfying the authentication requirement for the attacker’s session, not their own.

The token issued by Microsoft’s identity platform contains claims that attest to the fact that MFA was performed. So not only does the attacker gain access, they gain access that appears to be strongly authenticated, often bypassing Conditional Access policies that require MFA. The token is indistinguishable from one a legitimate user would obtain.

Kali365: Phishing as a Service

The FBI’s alert highlights Kali365’s commoditization of this technique. The platform provides a dashboard where attackers can:

  • Generate new device-code links on demand
  • Monitor active sessions in real time
  • Harvest tokens automatically via polling scripts
  • Integrate with phishing delivery mechanisms

Pricing models vary, but the service lowers the barrier to entry so significantly that even low-skilled threat actors can launch successful campaigns. The FBI notes that activity has been observed across multiple sectors, including government contractors, financial services, and healthcare.

Real-World Impact and FBI Details

According to the May 21 warning, the FBI has tracked Kali365 campaigns since late 2025. One incident involved a compromised global administrator account where attackers used the obtained token to register a rogue Entra ID application, blending into normal operations. In another case, attackers maintained access for over 30 days before being detected because the refresh token kept renewing the session.

The FBI emphasizes that traditional indicators of compromise — such as impossible travel or unusual sign-in locations — may not appear if the attacker’s token is presented from a VPN or network that matches the victim’s typical IP range. Many organizations lack adequate logging of device-code grant flows, compounding the blind spot.

Mitigation Strategies from Microsoft and the Community

Microsoft’s own documentation on device-code flow has long warned about its phishing potential. In response to rising abuse, the company recently introduced several controls:

1. Conditional Access policies for device-code flow
Administrators can now create policies that block or restrict the use of device-code authentication. A policy targeting “All users” and “All cloud apps” with the condition “Device code flow” can be set to “Block”, effectively disabling this vector for an entire tenant. Alternatively, policies can allow it only from trusted device platforms or compliant devices.

2. Token protection in Conditional Access
A newer feature requires that access tokens be bound to the requesting device. This makes stolen tokens useless outside that device unless the attacker also gains control of the device itself. Enabling token protection for Exchange Online and SharePoint has been recommended by Microsoft as a high-priority measure.

3. Restricting consent and application permissions
Because attackers often use stolen tokens to register malicious apps or grant admin consent, Microsoft also urges organizations to enable the “Do not allow user consent” setting in Entra ID. Combined with an admin consent workflow, this blocks an attacker even after they obtain a token.

4. Enhanced monitoring and Sentinel alerts
Microsoft Sentinel and other SIEMs offer built-in analytics rules for device-code phishing. For example, the rule “Anomalous Device Code Flow” fires when a user initiates a device-code authentication from an unfamiliar device or location. Enabling Microsoft’s recommended hunting queries can surface silent token theft.

What Defenders Should Do Now

Given the FBI alert, security teams should take immediate steps:

  • Audit device-code flow usage: Use Entra ID sign-in logs and filter by “Device code flow” to see if any users are actively using it. Most organizations have no legitimate reason to allow it broadly.
  • Deploy a blanket block policy: Create a Conditional Access rule that blocks device-code flow for all users, then create an exception group for any tool that requires it (e.g., Azure PowerShell with device login).
  • Enable token protection: Even if MFA is already required, token protection adds a crucial layer against token replay. It is supported in recent versions of Windows, mobile apps, and Microsoft Edge.
  • Educate users: Teach employees that they should never enter a code from an unsolicited request. The Microsoft device login page is legitimate, so training must clarify that codes should only be used when expected.
  • Hunt for compromise: Search for unusual app registrations, newly consented permissions, and unexpected refresh token usage in Entra ID audit logs.
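As an added example (not from the FBI alert or from Microsoft), the audit and hunt steps above as a routine over Entra ID sign-in log records shaped like the Microsoft Graph signIn object, keyed on the authenticationProtocol value deviceCode; the sample records, the sanctioned-app list and the per-user IP baseline are constructed for this example.

```python
"""Hunt an Entra ID sign-in log export for device-code-flow sign-ins.

The records below are constructed for this example; they only mimic the
shape of Microsoft Graph `signIn` objects (authenticationProtocol is the
field the Entra portal's "Device code flow" filter is based on).
"""
import json

# Apps this hypothetical tenant has approved for device-code sign-in.
SANCTIONED_APPS = {"Azure PowerShell"}

# Constructed records: a sanctioned CLI login, a device-code sign-in by an
# executive through an unsanctioned app from a new IP, and a normal browser
# sign-in that the hunt must ignore.
SAMPLE_SIGNINS = json.dumps([
    {"createdDateTime": "2026-05-20T08:01:00Z", "userPrincipalName": "ops@example.com",
     "appDisplayName": "Azure PowerShell", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-05-20T09:15:00Z", "userPrincipalName": "cfo@example.com",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.77", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-05-20T09:20:00Z", "userPrincipalName": "cfo@example.com",
     "appDisplayName": "OfficeHome", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
])

def hunt_device_code(signins_json, known_ips=None):
    """Return one finding per successful device-code sign-in.

    known_ips maps a UPN to the set of source IPs seen in that user's
    historical sign-ins; a device-code grant from outside that set is the
    kind of anomaly the FBI notes may not show up as impossible travel.
    """
    known_ips = known_ips or {}
    findings = []
    for rec in json.loads(signins_json):
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        if rec.get("status", {}).get("errorCode", 0) != 0:
            continue  # only successful grants hand the attacker a token
        upn = rec["userPrincipalName"]
        reasons = []
        if rec["appDisplayName"] not in SANCTIONED_APPS:
            reasons.append("unsanctioned app")
        if upn in known_ips and rec["ipAddress"] not in known_ips[upn]:
            reasons.append("unfamiliar ip")
        findings.append({"user": upn, "time": rec["createdDateTime"],
                         "app": rec["appDisplayName"], "ip": rec["ipAddress"],
                         "severity": "high" if reasons else "review",
                         "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in hunt_device_code(SAMPLE_SIGNINS, {"cfo@example.com": {"203.0.113.10"}}):
        print(finding)
```

Every device-code sign-in is reported, since most tenants have no broad legitimate use; the ones outside the approved app list or from an unseen IP are raised to high for follow-up in the audit log (new app registrations, consents, refresh-token use).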

A Shifting Threat Landscape

Kali365 is not the first tool to exploit device-code authentication, but its availability as a service marks a turning point. Microsoft continues to invest in identity security, yet gaps remain when organizations rely solely on MFA. The FBI warning serves as a wake-up call: authentication token theft is now a mainstay of modern phishing.

For Windows enthusiasts and IT admins, the message is clear. Defensive configurations that were once considered advanced — Conditional Access, token protection, and strict device posture — are now baseline necessities. As long as the device-code flow exists, attackers will abuse it. The good news is that with the right policies, that abuse can be stopped before it ever reaches your users.