FBI warns of Kali365 phishing kit that breaks into Microsoft 365 accounts – no password required
Graham CLULEY
May 26, 2026
So, you've enabled multi-factor authentication. You've taught your staff never to type their passwords into dodgy-looking login pages. Surely your Microsoft 365 accounts are safe now?
Well, think again.
The FBI has issued an advisory warning about a phishing-as-a-service platform that has recently emerged, which can hijack Microsoft 365 accounts without ever stealing a password. And it has no difficulty waltzing past MFA while it's at it.
Kali365 is a subscription service for scammers that was first spotted in April 2026, and has been promoted largely through Telegram.
It is a turnkey toolkit that allows even non-technical fraudsters to run sophisticated phishing campaigns, reportedly for as little as US $250 per month or $2,000 a year.
Subscribers to Kali365 have access to AI-generated phishing lures, automated campaign templates, real-time dashboards for tracking targets, and the ability to capture OAuth tokens. In other words, it's everything even a complete newbie would need to launch a phishing attack.
And the threat is not hypothetical. Security researchers documented hundreds of Kali365 attacks in April alone, hitting organisations across North America and Europe.
The common factor in the attacks? The victim had deployed MFA.
What makes Kali365 so successful, I suspect, is that it does not need to fool victims with a fake login page. Instead, it abuses a legitimate Microsoft feature.
If you have ever signed into a streaming service like Amazon Prime or Netflix on a smart TV, you have probably been prompted to type a short code into a website on your phone.
If you've done that, you've used "device code flow." That's the technology which allows a gadget to borrow an authenticated session from another device.
The Kali365 attack works the same way. You receive a phishing email which is disguised as a message from a trusted cloud service, asking you to visit a Microsoft verification page and enter a code.
You go to the genuine Microsoft page and type in the code. You may think you have acted entirely safely.
After all, it was a genuine Microsoft domain, your password manager recognised it correctly, the site's SSL certificate is valid, and there are no typos in the URL.
However, what you have actually done is authorise an attacker's device to access your account.
Microsoft hands the criminal an OAuth token, proof that you are logged in, granting them unfettered access to your Microsoft Outlook, Teams, and OneDrive with no password and no further prompts to enter an MFA code.
In short, there is no fake website to spot, and no misspelt domain name. The single stolen token can unlock other cloud apps, potentially turning one careless click into a wide-ranging security incident.
The thing to remember here is that MFA stops attackers from logging in as you. It does nothing to prevent you from granting access to an attacker through a workflow that Microsoft considers entirely legitimate.
The criminals are never asked to answer an MFA challenge, because as far as Microsoft is concerned the victim already has.
And this is why the FBI's top recommendation is to block device code flow, with a conditional access policy in Microsoft Entra ID where appropriate. You will probably want to exclude emergency access accounts so you don't accidentally lock yourself out entirely.
And it is always a good idea to roll out phishing-resistant MFA, such as hardware security keys, which tie authentication to a physical device and are much harder to circumvent.
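Blocking device code flow is the fix, but it is also worth checking whether anyone in your tenant is already using it. The Microsoft Entra sign-in log records the protocol of each sign-in, and for a device code sign-in the logged IP address belongs to the device that requested the code, not to the browser where the code was typed, so a device code sign-in from an unfamiliar country is exactly what a Kali365 victim looks like. The script below is an added example written for this article, not code from the FBI advisory or from Microsoft; the `authenticationProtocol` and `location.countryOrRegion` field names follow the Microsoft Graph sign-in schema, while the user names, IPs and countries in the sample records are constructed.

```python
"""Hunt Microsoft Entra sign-in log records for device code flow sign-ins.

The records below are constructed test data shaped like the Graph API signIn
resource; "deviceCode" is the real authenticationProtocol value for device
code flow. Nothing here is taken from a real tenant.
"""
from collections import defaultdict

# Constructed sample sign-ins: alice normally signs in from GB, but one
# device code sign-in to Office arrives from NL.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "GB"},
     "appDisplayName": "Microsoft Teams"},
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "NL"},
     "appDisplayName": "Microsoft Office"},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.22", "location": {"countryOrRegion": "GB"},
     "appDisplayName": "Outlook"},
]


def device_code_signins(records):
    """Return every device code flow sign-in, flagging those whose source
    country never appears in the same user's ordinary (non-device-code) sign-ins."""
    usual_countries = defaultdict(set)
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            usual_countries[rec["userPrincipalName"]].add(rec["location"]["countryOrRegion"])
    hits = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        user = rec["userPrincipalName"]
        country = rec["location"]["countryOrRegion"]
        known = usual_countries[user]
        hits.append({
            "user": user,
            "ip": rec["ipAddress"],
            "app": rec["appDisplayName"],
            "country": country,
            # True when we have a baseline for the user and this country is not in it
            "new_country": bool(known) and country not in known,
        })
    return hits


if __name__ == "__main__":
    for hit in device_code_signins(SAMPLE_SIGNINS):
        flag = "NEW COUNTRY" if hit["new_country"] else "known country"
        print(f"{hit['user']}: device code sign-in to {hit['app']} "
              f"from {hit['ip']} ({hit['country']}, {flag})")
```

In practice you would feed this the JSON returned by the Graph sign-in log endpoint (or an export from the Entra portal) rather than the constructed records; any hit is worth a look, and a hit from a new country should trigger token revocation for that user.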
The FBI's Internet Crime Complaint Center is encouraging victims to report incidents to it via its website at ic3.gov.