FBI Issues Urgent Kali365 Warning for Microsoft Users


A new phishing kit can break into Microsoft 365 accounts without stealing a single password. The FBI warned on May 21 that a tool called Kali365 captures account access by abusing Microsoft’s own device authentication system, bypassing multi-factor authentication in the process.

The kit has already hit organizations across multiple sectors. Multiple cybersecurity firms reported hundreds of attacks tied to the platform since it first appeared in April 2026.

Here’s how it works, who’s at risk, and what stops it.

How Kali365 Breaks Into Accounts

The attack starts with an email, not malware. An attacker sends a phishing message impersonating a trusted cloud or document-sharing service. The email contains a device code and instructions to enter it on a real Microsoft verification page.

That’s the trick: the page is genuine. The target navigates to Microsoft’s actual login page and enters the code, unknowingly authorizing the attacker’s device to access their account.

Once that happens, the attacker captures the victim’s OAuth access and refresh tokens, granting entry to Outlook, Teams, and OneDrive. No password. No MFA prompt.

The technique abuses a real Microsoft feature, the OAuth device code flow, which was designed for signing in on devices without keyboards, such as smart TVs and printers. Kali365 bypasses MFA because it relies on that flow rather than on stolen credentials: the user completes an authentic Microsoft authentication step, so as far as Microsoft is concerned, the login is legitimate.

Why MFA Doesn’t Catch This

Standard MFA checks a password plus a second factor, like a code or push notification. Kali365 skips both. Because the victim completes an authentic Microsoft login, standard MFA controls built for password attacks offer no protection here.

The stolen tokens don’t expire after one session either. They persist beyond the initial login, and attackers can reuse them, share them, or use them for further attacks, including creating inbox rules that hide evidence of the breach from the account owner.

Researchers at Arctic Wolf observed Kali365-linked attackers accessing mailboxes, setting up malicious inbox rules, and registering new devices inside victim environments. Once inside, a single compromised account can expose far more than email.

Why Anyone Can Run This Attack Now

Kali365 isn’t custom malware built by a skilled hacking crew. It’s a subscription service, first spotted in April 2026 and distributed mainly through Telegram, that lets cybercriminals buy access to the tool itself.

That is what makes it so dangerous at scale. According to the FBI, AI-generated phishing lures, automated campaign templates, real-time victim-tracking dashboards, and OAuth token capture are the primary features that lower the barrier to entry.

Because the platform relies on AI-generated, multilingual lures, it is usable even by less technically skilled attackers, expanding the pool of people capable of running these campaigns well beyond skilled hacking groups. A cybersecurity expert at Filigran put it bluntly: phishing-as-a-service platforms are turning hacking into a subscription business.

Who’s Exposed

Every organization running Microsoft 365 faces some exposure. Any employee who receives a device authorization request through what looks like a legitimate Microsoft page is a potential target.

Single sign-on makes the risk bigger than email. If a compromised account has SSO access to other cloud apps, attackers can reach those systems too. One phished employee can become a foothold across an entire business’s software stack.

How to Block Kali365 Attacks

Three changes close most of the gap this kit exploits.

  • Restrict device code authentication: Block users from transferring authentication from computers to mobile devices, and exclude emergency access accounts from this restriction to avoid lockouts. This is the single most direct fix, since it disables the exact flow Kali365 abuses.
  • Patch and update everything: Microsoft recommends keeping operating systems, software, and applications fully updated. Outdated systems give attackers more entry points beyond phishing alone.
  • Train people to spot the lure before they click: Never open files from unknown senders, and learn to recognize phishing attempts before acting on them. Since Kali365 relies entirely on a human entering a code, catching the email early stops the entire chain.
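As an added example (not from the article or the FBI advisory), a small audit script for checking that the device code restriction is actually holding: it reads Microsoft Entra sign-in records, flags successful device code sign-ins by regular users as a policy gap, separates out the excluded emergency access accounts for review, and notes whether the source IP was new for that user. Field names follow the Microsoft Graph signIn resource; the sample records, account names, and IP addresses are constructed.

```python
import json
from collections import defaultdict

# Constructed sample of Entra ID sign-in log records (JSON lines), not real data.
# "authenticationProtocol" reports "deviceCode" for device code flow sign-ins.
SAMPLE_SIGNINS = """
{"createdDateTime":"2026-05-20T09:01:10Z","userPrincipalName":"alice@example.test","appDisplayName":"Microsoft Office","ipAddress":"203.0.113.10","authenticationProtocol":"authorizationCode","conditionalAccessStatus":"success"}
{"createdDateTime":"2026-05-20T09:14:22Z","userPrincipalName":"alice@example.test","appDisplayName":"Microsoft Office","ipAddress":"198.51.100.77","authenticationProtocol":"deviceCode","conditionalAccessStatus":"success"}
{"createdDateTime":"2026-05-20T10:02:05Z","userPrincipalName":"breakglass@example.test","appDisplayName":"Azure CLI","ipAddress":"203.0.113.10","authenticationProtocol":"deviceCode","conditionalAccessStatus":"notApplied"}
{"createdDateTime":"2026-05-20T10:30:00Z","userPrincipalName":"bob@example.test","appDisplayName":"Microsoft Teams","ipAddress":"203.0.113.11","authenticationProtocol":"none","conditionalAccessStatus":"success"}
"""

# Accounts excluded from the block policy (constructed); their device code use is audited, not blocked.
EMERGENCY_ACCESS = {"breakglass@example.test"}


def find_device_code_signins(log_text, emergency_accounts=EMERGENCY_ACCESS):
    """Return one finding per device code sign-in that was not blocked.

    severity "high":   a regular user completed the flow, so the restriction is not in effect
    severity "review": an excluded emergency access account used the flow
    new_ip:            the source IP had not appeared in an earlier sign-in for that user
    """
    seen_ips = defaultdict(set)
    findings = []
    records = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    for rec in sorted(records, key=lambda r: r["createdDateTime"]):
        user, ip = rec["userPrincipalName"], rec["ipAddress"]
        is_device_code = rec.get("authenticationProtocol") == "deviceCode"
        # A blocked attempt shows conditionalAccessStatus "failure"; anything else got through.
        if is_device_code and rec.get("conditionalAccessStatus") != "failure":
            findings.append({
                "time": rec["createdDateTime"],
                "user": user,
                "app": rec.get("appDisplayName"),
                "ip": ip,
                "new_ip": ip not in seen_ips[user],
                "severity": "review" if user in emergency_accounts else "high",
            })
        seen_ips[user].add(ip)
    return findings


if __name__ == "__main__":
    for finding in find_device_code_signins(SAMPLE_SIGNINS):
        print(json.dumps(finding))
```

A "high" finding means the Conditional Access block is missing or mis-scoped; a "review" finding on an emergency account that nobody used is worth an immediate look, since those accounts are exactly the ones the restriction does not cover.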

The Bigger Pattern

Kali365 isn’t the first kit built to drain Microsoft 365 accounts at scale, and it won’t be the last. A phishing kit called W3LL, active since 2017, has been used by more than 500 threat groups to run roughly 850 campaigns targeting over 56,000 Microsoft 365 accounts, succeeding in about 8,000 cases and causing millions of dollars in losses.

What’s changed is speed and accessibility. Older kits like W3LL took years to build a following. Kali365 reached hundreds of attacks within weeks of its April 2026 debut, largely because it requires no real hacking skill, just a Telegram subscription and a target list.

For Microsoft 365 admins, the device code flow is worth disabling now, before the next version of this attack arrives with a different name.
