News
FBI Urges Microsoft 365 Defenders To Watch for Kali365 Phishing Attacks
The FBI is warning organizations about Kali365, a phishing-as-a-service kit that can help attackers get around multifactor authentication protections in Microsoft 365 environments by stealing access tokens instead of passwords.
In an alert issued by the FBI's Internet Crime Complaint Center, the federal law enforcement department said that Kali365 surfaced in April and has been distributed mainly through Telegram. The kit appears designed for attackers who want to steal access tokens rather than rely only on passwords, a shift that could make some traditional phishing defenses less effective.
The attack centers on Microsoft's device code authentication flow. A potential scam target may receive an email posing as a cloud productivity or document-sharing notice. Instead of sending the victim to a fake Microsoft login page, the message points to a legitimate Microsoft device sign-in page and provides a code to enter.
That makes the attack harder to spot. The page is real, but the code belongs to a sign-in the attacker started. If the user enters it, they may unknowingly give an attacker's device access to their Microsoft 365 account.
The attacker can then steal access tokens tied to that account. Those tokens may let the attacker open Outlook, Teams, OneDrive and other Microsoft 365 services without the user's password or another MFA check.
Malwarebytes said the FBI's public notice should get the attention of defenders.
"When the Federal Bureau of Investigation (FBI) publishes a dedicated public service announcement about a new phishing kit, it's worth paying attention to," Malwarebytes said in a blog post this week.
For IT, the warning points to a larger issue: attackers are not only using fake login pages. They're also trying to abuse real sign-in tools that users already trust. In this case, the attack sends users to a real Microsoft page, which can make the request seem safe.
"Unlike many phishing emails, this one sends you to a real Microsoft URL used for device sign-in flows," Malwarebytes said. "To the user, the page looks familiar and completely legitimate, which lowers suspicion."
The FBI said Kali365 includes AI-generated phishing lures, automated campaign templates, real-time victim tracking dashboards and OAuth token capture capabilities. Those features suggest the kit is intended to make token-focused phishing easier to run at scale, including for less experienced operators.
The risk for organizations is that MFA may not stop an attack once a user has approved a device code the attacker initiated. Stolen refresh tokens can potentially support continued access until they expire, are revoked or are detected through suspicious activity.
That puts more pressure on identity monitoring. Security teams should be looking for unfamiliar devices, unusual sign-in locations, unexpected session activity and abnormal access to Outlook, Teams, OneDrive and SharePoint.
The FBI recommended that organizations restrict device code flow where possible. In Microsoft Entra ID environments, that can mean using conditional access policies to block device code authentication broadly, with limited exceptions for required business processes.
The agency also advised organizations to audit current use of device code flow before enforcement. That step can help identify legitimate dependencies and avoid disrupting users or applications that still rely on the feature.
If device code flow cannot be fully disabled, the FBI said organizations should exclude emergency access accounts to prevent lockouts. It also recommended blocking authentication transfer policies that allow users to transfer authentication from computers to mobile devices.
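The restriction described in the three paragraphs above, as an added example that is not from the FBI alert or the Malwarebytes post: a Microsoft Graph PowerShell script that creates an Entra ID Conditional Access policy blocking device code flow and authentication transfer for all users, deployed in report-only mode first so existing dependencies appear in the sign-in logs before enforcement. The emergency access account object IDs are placeholders.

```powershell
# Requires the Microsoft.Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns module)
# and an account holding the Conditional Access Administrator role.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder object IDs of the break-glass accounts to exclude (replace with your own).
$emergencyAccounts = @(
    "00000000-0000-0000-0000-000000000001",
    "00000000-0000-0000-0000-000000000002"
)

# Report-only first: the policy is evaluated and logged but nothing is blocked,
# so legitimate device code flow use (CLI tools, shared devices, kiosks) shows up
# in the sign-in logs as "would have blocked" before the state is set to enabled.
$policy = @{
    displayName   = "Block device code flow and authentication transfer"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users = @{
            includeUsers = @("All")
            excludeUsers = $emergencyAccounts   # avoid locking out break-glass accounts
        }
        applications = @{
            includeApplications = @("All")
        }
        # Authentication flows condition: both transfer methods the FBI alert names.
        authenticationFlows = @{
            transferMethods = "deviceCodeFlow,authenticationTransfer"
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.Id) in report-only mode."

# After reviewing the report-only sign-in results, enforce the policy:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```

Any business process that genuinely needs device code flow can be carved out with a separate policy scoped to those users or applications rather than by weakening this one.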
The FBI urged victims to report incidents to IC3 and include phishing emails, message headers, suspicious login times, IP addresses, locations, unauthorized devices and active sessions added to the account.