The FBI warns of Kali365, a phishing-as-a-service platform that hijacks Microsoft 365 accounts by stealing session tokens through OAuth device code authentication, bypassing multi-factor authentication (MFA).
The FBI is sounding the alarm about a dangerous new phishing platform called Kali365. This isn't your typical fake login page. It's a sophisticated phishing-as-a-service (PhaaS) tool that specifically targets Microsoft 365 accounts, and it's clever enough to bypass multi-factor authentication (MFA).
So, what makes Kali365 so scary? It abuses OAuth device code authentication. That's a mouthful, I know. But here's the simple version: Instead of tricking you into typing your password on a fake site, it steals session tokens. Think of a session token like a digital key that proves you're already logged in. Once hackers get that key, they don't need your password or your MFA code. They're in.
### How Kali365 Works
The attack starts with a phishing email that looks legitimate. It might warn you about a suspicious login attempt on your Microsoft 365 account and urge you to verify your identity. The email includes a link to a fake Microsoft login page.
But here's the twist. When you click that link, you're doing more than entering credentials on a fake page. The page initiates a real OAuth device code flow. This is a legitimate process Microsoft uses to let you sign in on devices that can't display a full browser login, such as a smart TV or a game console. The attacker's platform intercepts this flow, captures the session token, and uses it to log into your account directly.
Once they're in, they can:
- Read all your emails
- Access your files in OneDrive and SharePoint
- Send emails as you to your contacts
- Install malicious apps or set up email forwarding rules
### Why MFA Isn't Enough Here
You've probably been told that turning on MFA is the best way to protect your accounts. And it is, for most attacks. But Kali365 is designed to bypass it. Because it steals the session token after you've already authenticated, your MFA code is useless. The hacker never needs it. They just need the token.
This is a wake-up call. MFA is still essential, but it's not a magic bullet. You need to layer your defenses.
### How to Protect Yourself
Here's what you can do right now to stay safe:
- **Be suspicious of unexpected login prompts.** If you get an email asking you to verify your account or log in, don't click the link. Go directly to the official Microsoft 365 portal by typing the URL in your browser.
- **Check the sender's email address.** Phishing emails often come from addresses that look similar to legitimate ones but have small typos or extra characters.
- **Use conditional access policies.** If you're an admin, set up policies that block device code authentication from untrusted locations or devices. This can stop the attack before it starts.
- **Monitor for unusual activity.** Watch for new email forwarding rules, unexpected app permissions, or logins from strange IP addresses. Microsoft 365 has built-in tools for this.
- **Educate your team.** Talk to your colleagues about this threat. The more people know, the less likely they are to fall for it.
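The monitoring the admin-facing items above ask for can be scripted. The following Python is an added illustration, not code from the FBI advisory or from any Microsoft tool. It runs two checks over constructed sample records: successful sign-ins that used the device code flow from a country outside a trusted set, and `New-InboxRule`/`Set-InboxRule`/`Set-Mailbox` audit events that forward mail to an external domain. It then correlates the two to surface mailboxes showing both signals. Field names follow the Microsoft Graph `signIn` resource (`authenticationProtocol`, `status.errorCode`, `location.countryOrRegion`) and the Exchange Online unified audit log (`Operation`, `Parameters` as Name/Value pairs) as assumed here; the tenant-specific values (trusted countries, internal domain, the addresses in the records) are placeholders invented for the example.

```python
"""Added example: flag the two account-takeover signals an M365 admin should watch for.
All records below are constructed for this example. Field names are assumed to follow
the Microsoft Graph signIn resource and the Exchange Online unified audit log."""
import re

# Tenant-specific assumptions (placeholders for this example).
TRUSTED_COUNTRIES = {"US"}               # where device-code sign-ins are expected
INTERNAL_DOMAINS = {"contoso.example"}   # mail domains that count as internal
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}
# Audit values may look like '"Display Name" [SMTP:user@host]' or 'smtp:user@host',
# so pull addresses out with a regex instead of trusting the raw string.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed Entra ID sign-in records (subset of Graph signIn fields).
SIGNIN_LOG = [
    {"createdDateTime": "2024-05-02T08:01:12Z", "userPrincipalName": "alice@contoso.example",
     "appDisplayName": "Office 365 Exchange Online", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-02T08:14:55Z", "userPrincipalName": "alice@contoso.example",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.23", "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-02T09:02:03Z", "userPrincipalName": "bob@contoso.example",
     "appDisplayName": "Microsoft Teams", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.44", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
    # Non-zero errorCode (constructed value): the grant never completed, so no token was issued.
    {"createdDateTime": "2024-05-02T09:30:41Z", "userPrincipalName": "carol@contoso.example",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
     "ipAddress": "192.0.2.200", "location": {"countryOrRegion": "BR"}, "status": {"errorCode": 50074}},
]

# Constructed Exchange Online audit records (UserId = actor, ObjectId = affected mailbox).
AUDIT_LOG = [
    {"Operation": "New-InboxRule", "UserId": "alice@contoso.example", "ObjectId": "alice@contoso.example",
     "Parameters": [{"Name": "Name", "Value": "Invoices"},
                    {"Name": "ForwardTo", "Value": '"Finance Archive" [SMTP:archive-4471@mail-relay.example]'},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@contoso.example", "ObjectId": "bob@contoso.example",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Inbox\\Newsletters"}]},
    {"Operation": "Set-Mailbox", "UserId": "dave@contoso.example", "ObjectId": "dave@contoso.example",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:dave.personal@example.net"}]},
    {"Operation": "Set-InboxRule", "UserId": "erin@contoso.example", "ObjectId": "erin@contoso.example",
     "Parameters": [{"Name": "ForwardTo", "Value": "team-lead@contoso.example"}]},
]


def suspicious_device_code_signins(records, trusted_countries=TRUSTED_COUNTRIES):
    """Return completed device-code sign-ins whose country is outside the trusted set."""
    hits = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        if r.get("status", {}).get("errorCode", 0) != 0:
            continue  # failed or still pending: no token was granted
        if r.get("location", {}).get("countryOrRegion") not in trusted_countries:
            hits.append(r)
    return hits


def _domain(address):
    return address.rsplit("@", 1)[-1].lower()


def external_forwarding_rules(audit_records, internal_domains=INTERNAL_DOMAINS):
    """Return (mailbox, operation, parameter, raw value) for forwarding that leaves the tenant."""
    hits = []
    for rec in audit_records:
        if rec.get("Operation") not in {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}:
            continue
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        for name in sorted(FORWARDING_PARAMS & params.keys()):
            targets = EMAIL_RE.findall(params[name])
            if any(_domain(t) not in internal_domains for t in targets):
                hits.append((rec["ObjectId"], rec["Operation"], name, params[name]))
                break  # one finding per record is enough
    return hits


def correlate_takeover(signins, audit_records):
    """Mailboxes that both signed in via device code from an untrusted country and gained external forwarding."""
    users = {r["userPrincipalName"].lower() for r in suspicious_device_code_signins(signins)}
    mailboxes = {mailbox.lower() for mailbox, *_ in external_forwarding_rules(audit_records)}
    return users & mailboxes


if __name__ == "__main__":
    for r in suspicious_device_code_signins(SIGNIN_LOG):
        print("device-code sign-in from untrusted country:", r["userPrincipalName"], r["ipAddress"], r["location"])
    for mailbox, op, name, value in external_forwarding_rules(AUDIT_LOG):
        print("external forwarding:", mailbox, op, name, value)
    print("both signals:", sorted(correlate_takeover(SIGNIN_LOG, AUDIT_LOG)))
```

In a real tenant the same records come from the Entra ID sign-in logs and the unified audit log rather than inline lists; the checks themselves do not change. The `trusted_countries` set is deliberately coarse: a device code sign-in from an unexpected place is worth a look even when the account otherwise appears healthy, because the token was issued to whoever started the flow, not to the browser that completed it.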
### A Real-World Perspective
"This isn't just another phishing campaign," says Emily Davis, Head of Digital Privacy and Antidetect Browser Solutions at Antidetectbrowsershub. "Kali365 represents a shift in how attackers operate. They're not just after your password anymore. They're after your session, your digital identity. And once they have it, they can move freely through your account without triggering any alarms."
### The Bottom Line
The Kali365 phishing platform is a serious threat, especially for businesses and professionals who rely on Microsoft 365. It's sophisticated, it's effective, and it's being actively used right now. But you don't have to be a victim. Stay vigilant, question unexpected login requests, and layer your security. A little skepticism can go a long way.
Remember, the best defense is a healthy dose of paranoia when it comes to your digital life. If something feels off, it probably is. Trust that instinct.