Particle.news

FBI Warns of Kali365 Phishing Service That Steals Microsoft 365 OAuth Tokens

The tool uses device-code phishing with AI-generated lures to capture access tokens, prompting federal and vendor guidance for enterprise policy controls.

Overview

  • The FBI issued a public advisory on Thursday, May 21, saying Kali365 is active in the wild and primarily distributed via Telegram, and that it lets attackers obtain Microsoft 365 access tokens that sidestep multifactor authentication: the victim completes MFA themselves, and the attacker receives the resulting tokens.
  • In a device-code phishing attack, the attacker starts a device-code sign-in, and the victim receives an email with the resulting short code and is tricked into entering it on Microsoft’s legitimate verification page (microsoft.com/devicelogin). Completing that prompt authorizes the attacker-initiated request, so the attacker’s client receives the victim’s access token and a refresh token that can mint new access tokens without triggering MFA again.
  • Kali365 operates as a phishing-as-a-service platform first seen in April 2026 and bundles AI-generated phishing lures, automated campaign templates, victim-tracking dashboards, and token-capture features that let low-skill actors run targeted campaigns.
  • The FBI told organizations to restrict or block the device-code authentication flow and authentication transfer through Conditional Access policies, and to exclude emergency access (break-glass) accounts from those policies so administrators are not locked out during remediation.
  • Security vendors report a rapid spike in device-code phishing tied to PhaaS offerings and public criminal toolkits, increasing the risk of long-lived mailbox and cloud compromises and prompting calls to monitor token use and report incidents to authorities.
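The two checks below are an added example written for this page, not code from the FBI advisory, Microsoft, or Particle.news. The first audits an exported Entra Conditional Access policy to confirm it enforces the block on the device code flow and authentication transfer recommended above while still excluding a break-glass group; the second scans sign-in log records for device-code authentications followed by token use from a different IP, the pattern a captured refresh token produces. Field names follow the Microsoft Graph conditionalAccessPolicy schema and the Azure Monitor SigninLogs export; the policy bodies, the group ID, and the log lines are constructed for the example.

```python
"""Added example: audit a Conditional Access policy and hunt device-code token abuse.

Policy fields follow the Graph conditionalAccessPolicy schema; log fields follow
the Azure Monitor SigninLogs export. All sample data here is constructed.
"""
import json
from collections import defaultdict
from datetime import datetime

# Hypothetical object ID of the tenant's emergency-access (break-glass) group.
BREAK_GLASS_GROUP = "11111111-2222-3333-4444-555555555555"

# Policy that implements the FBI guidance: block both flows for all users,
# but exclude the break-glass group so remediation cannot lock admins out.
BLOCK_DEVICE_CODE_POLICY = {
    "displayName": "Block device code flow and authentication transfer",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeGroups": [BREAK_GLASS_GROUP]},
        "applications": {"includeApplications": ["All"]},
        "authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

# Weak variant: report-only, covers one flow, no break-glass exclusion.
REPORT_ONLY_POLICY = {
    "displayName": "Device code (report only)",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeGroups": []},
        "applications": {"includeApplications": ["All"]},
        "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}


def audit_policy(policy, break_glass_group):
    """Return findings; an empty list means the policy enforces the recommended block."""
    findings = []
    if policy.get("state") != "enabled":
        findings.append("policy is not enforced (state=%s)" % policy.get("state"))
    cond = policy.get("conditions", {})
    users = cond.get("users", {})
    if "All" not in users.get("includeUsers", []):
        findings.append("policy does not target all users")
    raw = cond.get("authenticationFlows", {}).get("transferMethods", "")
    methods = {m.strip() for m in raw.split(",") if m.strip()}
    for required in ("deviceCodeFlow", "authenticationTransfer"):
        if required not in methods:
            findings.append("flow not covered: " + required)
    if "block" not in policy.get("grantControls", {}).get("builtInControls", []):
        findings.append("grant control is not 'block'")
    if break_glass_group not in users.get("excludeGroups", []):
        findings.append("emergency-access group is not excluded (lockout risk)")
    return findings


# Constructed SigninLogs records: the victim a.lee completes a device-code prompt
# from the office IP; two minutes later the token is used from an unrelated IP.
SAMPLE_SIGNIN_LOGS = """
{"CreatedDateTime":"2026-05-20T08:02:11Z","UserPrincipalName":"a.lee@contoso.example","AuthenticationProtocol":"none","IPAddress":"203.0.113.10","AppDisplayName":"Microsoft Teams","ResultType":"0"}
{"CreatedDateTime":"2026-05-20T09:15:40Z","UserPrincipalName":"a.lee@contoso.example","AuthenticationProtocol":"deviceCode","IPAddress":"203.0.113.10","AppDisplayName":"Microsoft Office","ResultType":"0"}
{"CreatedDateTime":"2026-05-20T09:17:03Z","UserPrincipalName":"a.lee@contoso.example","AuthenticationProtocol":"none","IPAddress":"198.51.100.77","AppDisplayName":"Microsoft Office","ResultType":"0"}
{"CreatedDateTime":"2026-05-20T10:00:00Z","UserPrincipalName":"b.kim@contoso.example","AuthenticationProtocol":"none","IPAddress":"203.0.113.22","AppDisplayName":"Outlook","ResultType":"0"}
"""


def parse_signin_logs(text):
    """Parse JSON-lines sign-in records and sort them by time."""
    records = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["_ts"] = datetime.strptime(rec["CreatedDateTime"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return sorted(records, key=lambda r: r["_ts"])


def find_device_code_abuse(records, window_hours=24):
    """Flag device-code sign-ins and later successful sign-ins by the same user
    from a different IP inside the window (the captured token being used)."""
    by_user = defaultdict(list)
    for rec in records:
        if rec.get("ResultType") == "0":  # successful sign-ins only
            by_user[rec["UserPrincipalName"]].append(rec)
    alerts = []
    for upn, recs in by_user.items():
        for i, rec in enumerate(recs):
            if rec.get("AuthenticationProtocol") != "deviceCode":
                continue
            alerts.append({"kind": "device_code_signin", "user": upn,
                           "ip": rec["IPAddress"], "time": rec["CreatedDateTime"]})
            seen_ips = {rec["IPAddress"]}
            for later in recs[i + 1:]:
                if (later["_ts"] - rec["_ts"]).total_seconds() > window_hours * 3600:
                    break
                if later["IPAddress"] not in seen_ips:
                    seen_ips.add(later["IPAddress"])
                    alerts.append({"kind": "token_use_new_ip", "user": upn,
                                   "ip": later["IPAddress"], "time": later["CreatedDateTime"],
                                   "app": later.get("AppDisplayName")})
    return alerts


if __name__ == "__main__":
    for finding in audit_policy(REPORT_ONLY_POLICY, BREAK_GLASS_GROUP):
        print("policy finding:", finding)
    for alert in find_device_code_abuse(parse_signin_logs(SAMPLE_SIGNIN_LOGS)):
        print(alert)
```

Run against a real export, the log check is the same idea as the Microsoft-published KQL `SigninLogs | where AuthenticationProtocol == "deviceCode"`, with the follow-on IP comparison added because the device-code entry itself carries the victim's IP (they completed the prompt), while the attacker's IP only shows up when the stolen token is used. Treat a `token_use_new_ip` alert as a revocation trigger: block the device code flow via policy, revoke the user's refresh tokens, and check the mailbox for rules added after the device-code sign-in.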