FBI Warns Kali365 Phishing Kit Bypasses Microsoft 365 MFA
The Federal Bureau of Investigation issued a public warning on May 21 about a phishing kit called Kali365 that hijacks Microsoft 365 accounts without ever stealing a password. The kit, first seen in April, captures OAuth access tokens and refresh tokens through Microsoft’s own device code login page, slipping past multi-factor authentication on Outlook, Teams, and OneDrive.
Fifteen months ago the technique was a Russia-aligned espionage tool, used to break into government and defense networks across Europe. Today it sits behind a Telegram subscription priced like enterprise software, packaged with AI-written lures and a dashboard for tracking which victims clicked.
The Mechanic Inside the Kit
The attack chain looks almost mundane on paper. A target receives an email that mimics a routine Microsoft notification, often something about a shared document, a Teams meeting invite, or an expiring account. The email includes a short alphanumeric code and a link that leads to a real Microsoft sign-in page on microsoft.com. The page is genuine, and so is the link.
When the recipient enters the code and signs in with their password and MFA (multi-factor authentication) prompt, that successful sign-in completes a session the attacker started a few minutes earlier from a different machine, not the victim’s own laptop. The kit running on the attacker’s side then collects a valid OAuth access token and a refresh token, the two credentials Microsoft uses to keep apps signed in across browser closes and reboots.
Arctic Wolf Labs, which investigated the earliest intrusions, traced the campaign to IP address 216.203.20.95 and to a user-agent string that read kali365-live/1.0.0. The infrastructure runs on Cloudflare Workers, lives at v2.kali365.xyz, and ships with a desktop Electron app the buyer uses to manage stolen tokens. None of that is visible to the person clicking the email.
What victims see on screen is Microsoft’s own sign-in page, served by Microsoft’s own servers, asking for a code the attacker chose. The FBI bulletin describes the technique as a way to “obtain Microsoft 365 access tokens and bypass multi-factor authentication.” The whole approach depends on the user completing a legitimate Microsoft consent screen on behalf of the attacker.
Why Device Code Flow Is the Weak Door
Device code flow is one corner of OAuth 2.0 (Open Authorization, the protocol that lets apps log into a user’s account without ever handling the password). Microsoft built the flow for low-input devices like smart TVs, printers, Xbox consoles, and command-line tools that cannot easily render a full login form. The user starts the sign-in on the constrained device, then walks over to a phone or computer to authorize it with a short code.
Nothing in the protocol asks whether the device that started the request belongs to the user finishing it. As long as the codes match and the user authenticates, the token gets issued. Bitdefender’s threat-research writeup describes the asymmetry as threat actors who “initiate a device login request themselves and socially engineer a victim into completing the authorization on their behalf.” The kit handles the developer-facing side of the OAuth handshake. The victim handles the user-facing side. Microsoft sees one coherent session.
Once the token lands, the attacker rarely needs to log in again. Refresh tokens stay valid for up to 90 days in default Entra ID (Microsoft’s identity service formerly known as Azure Active Directory) configurations. A password reset does not invalidate them. A new MFA enrollment does not invalidate them. Only an explicit token revocation does.
$250 a Month, Telegram Storefront
The kit prices its access like a SaaS product. A subscriber pays $250 per Microsoft 365 tenant for a month or $2,000 for a year, in cryptocurrency, through a vendor that runs a three-tier resale structure: an Admin tier at the top, Agent resellers in the middle, and Client affiliates at the customer end. Token sharing between affiliates is built into the platform.
The package itself is what makes the offering unusual. Buyers receive phishing lures auto-generated in 14 languages, multiple document attachment formats, real-time dashboards showing which targets opened which message, and a desktop client for managing stolen tokens. Arctic Wolf’s incident-response writeup calls it “a three-tier, multi-tenant PhaaS platform” (Phishing-as-a-Service, the criminal analogue of a software subscription) and lists the User-Agent string kali365-live/1.0.0 as one of the cleaner indicators security teams can grep for in their logs.
Kali365 has primarily been distributed via Telegram, enabling cyber threat actors to obtain Microsoft 365 access tokens and bypass multi-factor authentication.
That sentence sits at the top of the FBI’s alert I-052126-PSA. The numbers behind it matter for defenders:
- $250 per month: per Microsoft 365 tenant, paid in cryptocurrency
- $2,000 per year: annual rate, same payment rail
- 14 languages: supported by the AI-generated phishing lure engine
- April 2026: first observed in the wild, per the FBI bulletin
From Storm-2372 to Mass-Market Kit
Microsoft first published detailed analysis of device code phishing in February 2025, tagging a Russia-aligned group it tracks as Storm-2372. That campaign, active since August 2024, hit government agencies, defense contractors, telecommunications providers, and energy sector targets across Europe, North America, the Middle East, and Africa. Microsoft attributed the activity with high confidence to Russian state interests.
Storm-2372’s tradecraft was bespoke. The group ran its own infrastructure, wrote its own lures, and tailored messages to individual targets through Signal, WhatsApp, and Teams chat. Proofpoint and Volexity tracked variants through 2025, with Proofpoint reporting a sharp rise in device code phishing usage by September.
What separates Kali365 from that earlier wave is productization. The same technique that needed a dedicated APT (advanced persistent threat) team is now a turnkey kit with documentation, customer support channels, and a dashboard.
Side by side, the contrast is sharp:
| Attribute | Storm-2372 (2025) | PhaaS Kit (2026) |
|---|---|---|
| First observed | August 2024 | April 2026 |
| Distribution model | Custom infrastructure, hand-built | Telegram subscription |
| Typical operator | Russia-aligned APT | Independent fraudsters, low skill |
| Sectors targeted | Government, defense, telecom, energy | Manufacturing, education, government, insurance, financial, healthcare |
| Pricing | State-funded, not for sale | $2,000 annual, crypto |
| Public attribution | Microsoft Threat Intelligence, Feb 2025 | FBI PSA I-052126, May 2026 |
The pattern matters because device code phishing now follows the same commoditization arc that hit ransomware in 2019 and stealer malware in 2022. A nation-state technique becomes a tooling provider’s offering, then a subscription, then a Telegram listing with screenshots. For defenders the difference is volume: Arctic Wolf documented hundreds of distinct intrusions across April alone, spanning industries that share no obvious threat profile beyond running Microsoft 365.
Who’s Been Hit and Where
Arctic Wolf’s incident data shows targets across six industry verticals, with a geographic split between North America and EMEA (Europe, the Middle East, and Africa). Common to almost every victim: multi-factor authentication was switched on, sometimes with conditional access policies the security team thought were already strict. Sectors hit in the April wave:
- Manufacturing
- Education
- Government and public sector
- Insurance
- Financial services
- Healthcare
Across these verticals the attack profile looked similar. Initial lures impersonated Microsoft, Adobe DocuSign, and SharePoint file-share notifications. Phishing pages, when used at all, rendered on Cloudflare Workers and lived on subdomains that aged out within days. The persistence the attackers achieved came through OAuth refresh tokens, not through new accounts or rogue inbox rules, which is what most legacy phishing detection looks for.
That last detail is what makes the kit hard to spot. Security operations centers tuned for credential theft tend to watch for impossible-travel signals, password resets, and new MFA device registrations. A token capture leaves none of those traces. The attacker signs in from an IP address Microsoft has not flagged, the user’s account shows a successful authentication, and email starts being read silently in the background.
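Because a token capture leaves no password reset or new MFA device behind, the sign-in log is where it shows up. The following triage script is an added example, not code from the article, the FBI, or Arctic Wolf: it runs over a constructed export of Entra ID sign-in records, escalates anything matching the two indicators the article names (the kali365-live/1.0.0 User-Agent and 216.203.20.95), and flags every other successful device code sign-in that is not on an allow-list of known kiosk or Teams Rooms accounts. Field names follow the Microsoft Graph signIn resource; it is assumed the export carries authenticationProtocol and userAgent.

```python
import json
from dataclasses import dataclass

# Indicators quoted in the article (Arctic Wolf Labs); extend from your own intel feeds.
KNOWN_BAD_UA = {"kali365-live/1.0.0"}
KNOWN_BAD_IPS = {"216.203.20.95"}

# Constructed sample export. Field names follow the Microsoft Graph signIn resource;
# authenticationProtocol and userAgent are assumed to be present in the export.
SAMPLE_SIGNINS = json.dumps([
    {"createdDateTime": "2026-04-14T09:02:11Z", "userPrincipalName": "a.lee@example.com",
     "ipAddress": "203.0.113.7", "authenticationProtocol": "oAuth2",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/124.0", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-04-14T09:05:40Z", "userPrincipalName": "a.lee@example.com",
     "ipAddress": "216.203.20.95", "authenticationProtocol": "deviceCode",
     "userAgent": "kali365-live/1.0.0", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-04-14T11:17:03Z", "userPrincipalName": "room-7b@example.com",
     "ipAddress": "198.51.100.4", "authenticationProtocol": "deviceCode",
     "userAgent": "Microsoft Teams Rooms", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-04-14T11:20:55Z", "userPrincipalName": "b.ng@example.com",
     "ipAddress": "203.0.113.9", "authenticationProtocol": "deviceCode",
     "userAgent": "Mozilla/5.0 (X11; Linux x86_64)", "status": {"errorCode": 50126}},
])

@dataclass
class Finding:
    upn: str
    ip: str
    severity: str  # "high": known kit indicator; "medium": device code sign-in outside the allow-list
    reason: str

def triage(signins_json: str, allowed_device_code_users=frozenset()) -> list[Finding]:
    """Flag successful device code sign-ins and escalate any that match known kit indicators."""
    findings = []
    for s in json.loads(signins_json):
        if s.get("status", {}).get("errorCode", 0) != 0:
            continue  # a failed sign-in issued no token, so there is nothing to revoke
        ua, ip, upn = s.get("userAgent", ""), s.get("ipAddress", ""), s["userPrincipalName"]
        if ua in KNOWN_BAD_UA or ip in KNOWN_BAD_IPS:
            findings.append(Finding(upn, ip, "high", f"known kit indicator ua={ua!r} ip={ip}"))
        elif s.get("authenticationProtocol") == "deviceCode" and upn not in allowed_device_code_users:
            # Legitimate device code users (Teams Rooms, kiosks) belong in the allow-list;
            # everything else is a candidate for token revocation and user follow-up.
            findings.append(Finding(upn, ip, "medium", "device code sign-in outside the allow-list"))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_SIGNINS, frozenset({"room-7b@example.com"})):
        print(f.severity, f.upn, f.ip, f.reason)
```

Every "high" finding is a revoke-tokens-now case; the "medium" ones are the audit list the next section tells admins to build before enforcing the block.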
What Microsoft 365 Users Can Do Today
For individuals and IT teams, the response splits into immediate and structural fixes. The FBI bulletin and Microsoft’s own conditional access guidance converge on a single recommendation: turn off device code flow wherever it is not actually needed.
For Individual Users
The shortest rule is the most useful. Do not enter a sign-in code that arrived in an email you did not request. Microsoft never sends an unsolicited device code asking the user to sign in to verify an account. Specific actions:
- Treat any email containing a sign-in code with the same caution as an email asking for the password itself.
- If a code was already entered, change the account password and revoke active sessions through the Microsoft account security page.
- Report the email through Outlook’s Report Phishing option, then file a complaint with the FBI’s Internet Crime Complaint Center.
For IT Administrators
Conditional access policy in Entra ID is the structural fix. Microsoft’s updated guidance on blocking authentication flows walks through the steps; for most tenants they look like this:
- Audit existing device code flow usage in sign-in logs before enforcing the block, to identify legitimate cases like Microsoft Teams Rooms or kiosk devices.
- Build a conditional access policy targeting all users and all cloud apps, with the authentication flow condition set to “Device code flow, Block.”
- Layer in authentication transfer blocking as a second policy to cover related token-passing flows.
- Exclude only break-glass emergency access accounts from the block.
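As an added example (not code from the article, Microsoft, or Arctic Wolf), here is the policy from the steps above expressed as a Microsoft Graph conditionalAccessPolicy body, together with an audit check that tells a report-only or partially scoped policy apart from one that actually enforces the block. The Graph field names (conditions.authenticationFlows.transferMethods, grantControls.builtInControls, the enabledForReportingOnly state) are the ones used by the conditional access API; the break-glass object id is a placeholder.

```python
import json

# Placeholder object id for a break-glass account (constructed, not a real tenant value).
BREAK_GLASS_ID = "PLACEHOLDER-BREAK-GLASS-OBJECT-ID"

def build_block_policy(break_glass_ids: list[str]) -> dict:
    """Body for POST /identity/conditionalAccess/policies that blocks both flows tenant-wide."""
    return {
        "displayName": "Block device code flow and authentication transfer",
        "state": "enabled",  # not "enabledForReportingOnly": report-only logs but never blocks
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass_ids)},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }

def device_code_flow_blocked(policies: list[dict]) -> tuple[bool, str]:
    """Audit a tenant's policy list: True only if an enabled policy blocks the flow for all users and apps."""
    gaps = []
    for p in policies:
        cond = p.get("conditions") or {}
        methods = (cond.get("authenticationFlows") or {}).get("transferMethods", "").split(",")
        if "deviceCodeFlow" not in methods:
            continue
        name = p.get("displayName", "<unnamed>")
        if "block" not in (p.get("grantControls") or {}).get("builtInControls", []):
            gaps.append(f"{name!r} targets device code flow but does not block it"); continue
        if p.get("state") != "enabled":
            gaps.append(f"{name!r} blocks device code flow but is {p.get('state')}"); continue
        if "All" not in cond.get("users", {}).get("includeUsers", []) \
                or "All" not in cond.get("applications", {}).get("includeApplications", []):
            gaps.append(f"{name!r} blocks device code flow only for a subset of users or apps"); continue
        return True, f"{name!r} enforces the block"
    return False, "; ".join(gaps) or "no policy targets device code flow"

# Constructed example of a tenant whose admin left the policy in report-only mode.
REPORT_ONLY_TENANT = [dict(build_block_policy([BREAK_GLASS_ID]), state="enabledForReportingOnly")]

if __name__ == "__main__":
    print(json.dumps(build_block_policy([BREAK_GLASS_ID]), indent=2))
    print(device_code_flow_blocked(REPORT_ONLY_TENANT))
```

Run the audit against the list returned by GET /identity/conditionalAccess/policies; a "requires MFA" grant control on the same condition is treated as a gap, since the victim passes MFA in this attack.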
Arctic Wolf’s writeup recommends pairing the block with Microsoft Entra ID Protection sign-in risk policies and a quick review of OAuth app consent grants in the tenant. The few legitimate device code use cases, mostly legacy shared kiosks, can be scoped to specific user groups or trusted network locations. The FBI bulletin is the third major device code phishing warning in 15 months. The next one will arrive when the next kit does.
Frequently Asked Questions
What does the FBI’s Microsoft 365 phishing alert cover?
The May 21 bulletin describes a phishing-as-a-service kit sold via Telegram that targets Microsoft 365 accounts through the OAuth device code authentication flow. The FBI did not name a specific operator group; Arctic Wolf Labs traced early attacks to infrastructure at IP 216.203.20.95 and to subdomains under kali365.xyz.
Does multi-factor authentication still protect my Microsoft 365 account?
Multi-factor authentication still protects against password theft, but it does not stop this specific technique because the user completes the genuine MFA prompt themselves. The attacker’s session inherits the resulting token. Blocking device code flow at the tenant level is the only complete fix for organizations that do not use the flow for legitimate purposes.
What should I do if I think I entered a code from a phishing email?
Change the account password immediately, sign out all active sessions through the Microsoft account portal, and notify your IT or security team so refresh tokens can be revoked. File a complaint with the FBI’s Internet Crime Complaint Center at ic3.gov, attaching the phishing email and any sign-in codes that were used.
Are individual home users at risk or only corporate accounts?
Both. The kit targets any account with a Microsoft 365 sign-in, which includes consumer Outlook.com, OneDrive, and Microsoft 365 Family subscriptions. Most documented intrusions so far have hit corporate tenants, since those carry higher-value email and document data, but the technique works against any account that can complete a device code login.
Can antivirus or email-security tools block this attack?
Conventional email filters can catch some of the lure emails, especially the AI-generated ones that reuse common templates, but the attack itself uses no malicious attachment and no fake login page. The link in the email points to microsoft.com. Detection has to shift toward Entra ID sign-in telemetry, conditional access enforcement, and user reporting rather than payload scanning.
