The FBI has issued an alert about Kali365, a phishing-as-a-service that targets Microsoft 365 accounts by abusing the OAuth device code flow to capture tokens. Kali365, named in the FBI advisory, was first observed in April 2026; it spreads via Telegram and other channels, offering buyers prebuilt phishing templates and token-harvesting tools. (See the FBI advisory and reporting links below.)
Below: quick protections you can apply now, a technical explainer of how device code flow abuse works, who is at risk, and a practical checklist for admins and users based on FBI and Microsoft guidance.
Quick protections you can apply right now
- Do not enter a Microsoft device code unless you personally initiated the sign-in process on the device that requested it.
- If you receive an unexpected code via email, Teams or text, do not follow links in that message; instead open your Microsoft 365 portal directly in a browser you trust.
- Check recent sign-ins and connected apps in your account; revoke sessions and app permissions that look unfamiliar.
What is Kali365?
The FBI describes Kali365 as a phishing-as-a-service platform first seen in April 2026 that automates campaign delivery, message generation and token harvesting to scale attacks against Microsoft 365 users. The platform is reported to be distributed primarily through Telegram channels and lowers the skill barrier for attackers by packaging templates and tracking tools (FBI advisory; reporting linked below).
How the scam works: device code flow abuse
The scam abuses the legitimate OAuth device code flow used by some apps and devices. Normally, an app displays a short code and directs a user to a Microsoft verification page on another device; after the user enters the code, the app receives OAuth tokens that let it act on the user’s behalf. Microsoft documents the device code flow and how tokens are issued on its developer site (see Microsoft device-code flow docs below).
In Kali365-style attacks, criminals initiate the device code flow from their own device and then socially engineer a victim into visiting Microsoft’s real verification page and entering the attacker-generated code. Because the verification page is genuine, the browser shows a valid Microsoft URL and may not trigger typical phishing warnings.
When a victim enters the code, the attacker’s session receives OAuth access and refresh tokens. According to the FBI and Microsoft, those tokens can grant access to services without the attacker ever knowing the victim’s password, so the account is compromised even though the password itself was never exposed (FBI advisory; Microsoft guidance linked below).
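As an added illustration (not code from the FBI advisory or from Microsoft), the following Python triages constructed sign-in records shaped like Microsoft Entra sign-in log entries, where the authenticationProtocol field records a device code flow sign-in as "deviceCode"; the sample records, the inventoried service account and the field subset are assumptions.

```python
from collections import defaultdict

# Constructed sample records shaped like Microsoft Entra sign-in log entries.
# authenticationProtocol == "deviceCode" marks a sign-in completed via the device code flow;
# status.errorCode 0 means tokens were actually issued to the requesting client.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-04-14T09:02:11Z", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-04-14T09:05:40Z", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-04-14T10:30:00Z", "userPrincipalName": "svc-kiosk@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.9", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-04-14T11:00:00Z", "userPrincipalName": "bob@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.10", "status": {"errorCode": 50126}},
]

# Accounts the audit step found to legitimately use the device code flow (hypothetical inventory).
KNOWN_DEVICE_CODE_USERS = {"svc-kiosk@example.com"}


def suspicious_device_code_signins(signins, known_users=KNOWN_DEVICE_CODE_USERS):
    """Successful device code sign-ins by accounts not inventoried as needing the flow.

    These are the sessions whose refresh tokens should be revoked first.
    """
    return [
        s for s in signins
        if s.get("authenticationProtocol") == "deviceCode"
        and s.get("status", {}).get("errorCode", 0) == 0  # failed attempts issued no tokens
        and s["userPrincipalName"] not in known_users
    ]


def device_code_source_ips(signins):
    """Map source addresses that appear in device code sign-ins (successful or failed)
    for more than one user. One address touching several accounts is a campaign
    indicator worth pivoting on, whatever the allowlist says about individual users."""
    by_ip = defaultdict(set)
    for s in signins:
        if s.get("authenticationProtocol") == "deviceCode":
            by_ip[s["ipAddress"]].add(s["userPrincipalName"])
    return {ip: users for ip, users in by_ip.items() if len(users) > 1}
```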
Who and what is at risk
Per the FBI advisory, Microsoft 365 services affected include Outlook (email), Teams (chat/meetings) and OneDrive (files). An attacker with OAuth tokens can read and send email, access shared files, and interact in Teams as the compromised user. This can enable business email compromise, fraud and lateral movement inside an organization if tokens are not revoked quickly.
Small and mid-sized organizations are often mentioned as high-risk because a single compromised account can enable convincing fraud or invoice scams that rely on internal context and sender legitimacy.
Practical steps to protect accounts (admin + user checklist)
- Audit device code flow usage: Inventory which applications and workflows use device code flow before you restrict it to avoid disrupting legitimate apps.
- Restrict device code flow with conditional access: Use conditional access policies to block or limit device code flow for most users, permitting exceptions only where business needs exist. See Microsoft conditional access guidance below.
- Block authentication transfer: Evaluate and disable policies that permit transferring authentication between devices where not needed.
- Protect emergency access accounts: Keep carefully managed break-glass or emergency admin accounts available so lockdowns don’t create outages.
- Revoke compromised tokens: On suspected compromise, revoke app permissions, sign out sessions, and rotate credentials and refresh tokens immediately.
- Keep MFA active: Do not remove multifactor authentication — this scam exploits approval flows and stolen tokens rather than negating the value of MFA.
- Train users: Warn staff to treat unexpected device codes as suspicious and to verify sign-in attempts directly through their account security pages rather than via message links.
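To make the audit-then-restrict steps above concrete, here is an added Python example (not from the FBI advisory or Microsoft's documentation) that builds the request body for the Microsoft Graph conditionalAccessPolicy resource, targeting the authentication flows condition (device code flow and authentication transfer) with a block grant, excluding a break-glass group, and starting in report-only mode; the group id is a placeholder and the pre-flight validator is a hypothetical helper.

```python
import json

# Placeholder object id of the emergency-access (break-glass) group; replace with your own.
BREAK_GLASS_GROUP_ID = "00000000-0000-0000-0000-000000000000"


def build_block_device_code_policy(break_glass_group_id, report_only=True, allowed_group_ids=()):
    """Body for POST /identity/conditionalAccess/policies (Microsoft Graph).

    The authenticationFlows condition scopes the policy to device code flow and
    authentication transfer; the block grant control denies them for all users except
    the excluded groups. Report-only mode first lets the audit confirm nothing
    legitimate (kiosks, CLI tools, headless devices) would be cut off.
    """
    return {
        "displayName": "Block device code flow and authentication transfer",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {
                "includeUsers": ["All"],
                "excludeGroups": [break_glass_group_id, *allowed_group_ids],
            },
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def validate_policy(policy, break_glass_group_id):
    """Pre-flight checks before switching the policy to enforced; returns a list of problems."""
    problems = []
    if break_glass_group_id not in policy["conditions"]["users"].get("excludeGroups", []):
        problems.append("emergency-access group is not excluded")
    methods = policy["conditions"].get("authenticationFlows", {}).get("transferMethods", "")
    if "deviceCodeFlow" not in methods.split(","):
        problems.append("device code flow is not targeted")
    if "block" not in policy["grantControls"].get("builtInControls", []):
        problems.append("grant control does not block")
    return problems


if __name__ == "__main__":
    policy = build_block_device_code_policy(BREAK_GLASS_GROUP_ID)
    print(json.dumps(policy, indent=2))
    print("problems:", validate_policy(policy, BREAK_GLASS_GROUP_ID))
```

Promote the policy from report-only to enforced only after the sign-in log review shows every device code sign-in comes from an inventoried, excluded account.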
Microsoft response and additional guidance
Microsoft has published developer documentation on the device code flow and recommends using conditional access and least-privilege app consent to reduce exposure. Microsoft has also said publicly that it supports law-enforcement disruption efforts and recommends following published best practices to limit token misuse (see Microsoft links below).
What to do if you think you were targeted
If you entered a device code unexpectedly, assume tokens may be compromised. Immediately sign out of all sessions, revoke active app permissions, rotate passwords and refresh tokens, and notify your IT or security team. Preserve phishing emails, message headers and any suspicious login indicators and report the incident to law enforcement as described below.
What comes next
Organizations should balance urgency with care: audit usage first, then apply conditional access and monitoring to block abusive flows without disrupting critical services. Expect continued evolution of phishing-as-a-service offerings; keep detection rules and incident playbooks current and test emergency-access controls to avoid accidental lockouts during remediation.
Source attribution and reporting links
This explainer is based on the FBI’s advisory referenced in recent reporting and on Microsoft’s published guidance. To review original reporting and to report incidents, consult the links below:
- Fox News — FBI warns Microsoft users about passwordless scam (reporting that cites the FBI advisory)
- FBI — Cyber Division / advisory listings (see the FBI advisory referenced in reporting)
- Internet Crime Complaint Center (IC3.gov) — file complaints and preserve evidence per FBI guidance
- Microsoft developer docs — OAuth 2.0 device code flow
- Microsoft guidance — Conditional Access overview and best practices
- Additional reporting and context: CyberGuy coverage quoted Microsoft in discussions about protective measures.
Frequently asked questions
What is Kali365 and how does it target Microsoft 365?
Kali365 is described by the FBI as phishing-as-a-service that packages phishing templates and automation to trick Microsoft 365 users into entering device codes on the legitimate Microsoft verification page. When users enter those codes, attackers can capture OAuth tokens that grant access.
How does the device code flow let attackers bypass passwords?
The device code flow issues OAuth tokens after a user approves a code on a verification page. If an attacker initiates the code and convinces a victim to approve it, the attacker’s device receives tokens and can access services without the victim’s password — a behavior described by the FBI and Microsoft.
What immediate steps should admins take to reduce risk?
Admins should audit device code usage, implement conditional access to restrict the flow, block authentication transfer policies where appropriate, preserve emergency access accounts to avoid lockouts, and ensure revocation and remediation procedures are in place for suspected compromises.