Back to news
Cybersecurity Alert
June 22, 2026 by EmailMeNow IT Consulting

FBI Warns Kali365 Phishing Kit Steals Microsoft 365 OAuth Tokens, Bypassing MFA

The FBI IC3 alerts organizations to Kali365, a PhaaS platform that abuses device-code OAuth flows to hijack Microsoft 365 sessions without passwords. Audits score microsoft.com at 73% and office.com at 59%.

Source: FBI Internet Crime Complaint Center (IC3)

FBIMicrosoft 365PhishingOAuthMFA BypassCybersecurity
FBI warning about Kali365 Microsoft 365 OAuth phishing

The FBI issued an urgent public service announcement about Kali365, a phishing-as-a-service (PhaaS) platform that lets attackers steal Microsoft 365 OAuth tokens and gain persistent access without passwords or additional MFA challenges — even when victims have multi-factor authentication enabled.

Read the FBI IC3 PSA:
https://www.ic3.gov/PSA/2026/PSA260521

What Is Kali365

First observed in April 2026, Kali365 is distributed primarily via Telegram. Subscribers get AI-generated lures, automated campaign templates, victim-tracking dashboards, and device-code OAuth capture — lowering the skill bar for compromising Microsoft 365 tenants.

The FBI warns the kit enables access to Outlook, Teams, OneDrive, and other SSO-connected SaaS apps, fueling data theft, BEC wire fraud, and ransomware follow-on activity.

How the Attack Works

  1. Lure — Victim receives email impersonating a trusted cloud or document-sharing service with a device code and instructions to visit Microsoft’s real verification page.
  2. Authorization — Victim pastes the code on login.microsoftonline.com, unknowingly authorizing the attacker’s application.
  3. Token theft — Attacker captures OAuth access and refresh tokens.
  4. Persistence — Attacker uses the tokens repeatedly without re-entering MFA.

This is device-code phishing — it abuses Microsoft’s legitimate OAuth 2.0 device authorization flow rather than stealing passwords.

Illustrated attack chain

Step 1: Phishing lure with a device code

Illustration: employee receiving phishing email with Microsoft device code

The victim receives email impersonating a trusted cloud or document service with a device code and instructions to visit Microsoft’s real verification page.

Step 2: Victim authorizes on the real Microsoft login page

Illustration: employee entering device code on Microsoft login page

The victim pastes the code on login.microsoftonline.com, unknowingly authorizing the attacker’s application — a legitimate Microsoft page, not a fake clone.

Step 3: Attacker captures OAuth tokens

Illustration: attacker dashboard showing stolen OAuth tokens and active sessions

The attacker captures OAuth access and refresh tokens and reuses them without re-entering MFA — persistent access to Outlook, Teams, OneDrive, and SSO-connected SaaS apps.

FBI and Defender Recommendations

  • Create Conditional Access policies to block or restrict device code flow for all users except documented exceptions.
  • Block authentication transfer policies that let sessions move between devices.
  • Audit sign-in logs for device-code grants and unfamiliar application consents.
  • Revoke sessions (revokeSignInSessions) for compromised accounts immediately.
  • Watch for mailbox rules, new device registrations, and OAuth app consents after incidents.
  • Report victims to IC3.gov.

Kali365 joins EvilTokens, Tycoon2FA, and other 2026 PhaaS platforms using the same technique.

Why Texas Law Firms and RIAs Are Targets

Legal and financial firms are heavy Microsoft 365 users with high-value mailboxes and wire-transfer workflows. A single compromised partner or paralegal account can expose client privilege, trust accounting, and SEC/FTC-regulated customer data.

This threat pairs with the April 2026 wave of vishing and SaaS attacks we summarized in our April cyber incidents roundup — identity-layer attacks that bypass traditional perimeter controls.

Independent Cybersecurity Audit

We audited Microsoft’s primary domains on June 22, 2026:

Organization (Domain)OverallRisk Level
Microsoft (microsoft.com)73%Good
Microsoft 365 / Office (office.com)59%High Risk

Strong microsoft.com scores do not stop Kali365 — victims authorize real Microsoft pages. The office.com gap in the High Risk band is a reminder that impersonation of Microsoft login flows remains effective when staff are not trained on device-code scams.

Audit links:


Harden Microsoft 365 before attackers do.

Run a free Instant Cybersecurity Audit at audit.emailmenow.com — and contact EmailMeNow IT Consulting for Entra Conditional Access review and BEC tabletop exercises.


Sources: FBI IC3 — Kali365 PSA · EmailMeNow audits — microsoft.com · office.com