FBI Bombshell: ALERT ISSUED

A $250 crime kit now lets low-skill crooks stroll past your Microsoft 365 multi-factor authentication as if you opened the door for them.

Story Snapshot

  • Kali365 is a “phishing-as-a-service” platform that steals Microsoft 365 tokens, not passwords.
  • Attackers can hijack Outlook, Teams, and OneDrive even when multi-factor authentication (MFA) is turned on.
  • The Federal Bureau of Investigation (FBI) says Kali365 mainly spreads through Telegram and targets device codes.
  • A single bad click on a real Microsoft page can silently grant hackers ongoing access to your digital life.[1]

FBI’s Kali365 Warning: Why This One Broke Through the Noise

The Federal Bureau of Investigation issues many dry cyber alerts that never hit cable news, but Kali365 broke through because it goes after something millions of people trust: multi-factor authentication.

The Bureau’s Internet Crime Complaint Center describes Kali365 as an “emerging phishing-as-a-service platform” that steals Microsoft 365 access tokens and bypasses multi-factor authentication without ever intercepting your password.

That single detail flips the mental model many people have about online safety and account lock-down.

Phishing-as-a-service means a criminal no longer needs great technical skills to run a professional-looking campaign. For about $250 a month, a buyer gets access to Kali365’s dashboards, automated templates, and artificial intelligence-generated email lures that impersonate trusted cloud and document services.[2][4]

Those who value personal responsibility might see the core problem: powerful identity systems sit in the hands of big tech, while low-skill criminals rent turnkey kits that exploit those same systems at scale.

How Kali365 Uses Microsoft’s Own Security Flows Against You

Kali365 does not trick you into a fake login page; it abuses a real Microsoft feature called the device code flow.[1] That feature exists so people can sign in on devices with awkward or no keyboards, such as smart televisions or conference room screens.

The attacker sends an email that appears to be a standard “document shared” notice from a service like SharePoint or Adobe Sign, complete with a device code and friendly instructions.[1][4] The message tells you to visit a legitimate Microsoft verification page and enter the code.

When you comply, you never see anything that screams “scam” because the page, the padlock, and the domain are all real Microsoft infrastructure.

Under the hood, though, the code you type authorizes a malicious application registration controlled by the attacker. Microsoft issues OAuth access and refresh tokens tied to your account, and the Kali365 backend, which has been quietly polling for those tokens, scoops them up.

You passed your own multi-factor prompt on your own device, but you effectively blessed the attacker’s device to act as you.

Tokens, Not Passwords: Why This Feels Like Cheating the Rules

Traditional advice has drilled in two rules: do not share your password, and always turn on multi-factor authentication. Kali365 sidesteps both by grabbing the digital “remember me” badges that sit behind the login process.

Those badges, called tokens, tell Microsoft you already proved who you are, so the system lets you into Outlook, Teams, and OneDrive without asking again.[1][3] As long as the refresh token remains valid, the criminal can quietly log in repeatedly, often without triggering basic alerts.

Once inside, attackers can read email, watch Teams chats, and browse or copy files from OneDrive and SharePoint.[1][3][4] A criminal who lands in a small business owner’s account can reset passwords at other sites, reroute invoices, or plant new phishing messages from a trusted address.

Huntress research shows that the broader Kali365 ecosystem even includes post-compromise tools for business email compromise, bulk lures, and turning stolen tokens into live browser sessions. The result is not a one-and-done theft, but a foothold for longer fraud.

Is Kali365 a New Threat or New Branding? Sorting the Spin

Security professionals in online forums were quick to point out that device code phishing has existed for years and is not unique to this brand. Their concern is not that the Federal Bureau of Investigation is wrong about the technique, but that naming a single kit could make an old problem sound sudden and mysterious.

That said, the Bureau’s own alert and separate reporting from outlets and independent labs all agree that Kali365 packages these tricks into an easy-to-subscribe-to product with real scale.[3]

The pattern is familiar: centralized technology giants roll out complex login systems, criminals adapt fast, and the average citizen carries the risk.

The market now offers crimeware with AI-crafted lures and slick user interfaces, while many American families and small businesses struggle to maintain basic cyber hygiene.

The facts push toward a simple mindset: do not outsource all safety to big platforms; understand one or two key behaviors that blunt these attacks at the human level.

Practical Moves: One Habit That Stops Most Kali365 Attacks Cold

The most powerful defense is not a new gadget; it is a mental speed bump. The Federal Bureau of Investigation and expert analysts stress one rule: never enter a verification code on a Microsoft page unless you started that sign-in yourself, on your own device.[1]

If an email sends you a code and urges you to “verify” or “unlock a shared document,” treat it as a red flag, even if the link leads to a legitimate Microsoft site. Close the email, and start a fresh login from your normal bookmark.

For businesses, identity needs more than a simple multi-factor toggle. Security agencies and Microsoft point to conditional access rules that limit who can connect, from where, and on which devices.[1]

Administrators can disable or restrict the device code flow entirely if no one in the organization truly needs it.
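Before restricting the flow, it helps to know who actually uses it. The script below is an added example, not code from the FBI alert or from Microsoft: it inventories device code sign-ins in an exported sign-in log and lists the successful ones that are not on an approved list. It assumes records exported as JSON with Microsoft Graph signIn field names (authenticationProtocol set to deviceCode); the sample records, the APPROVED list, and the function name audit_device_code are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample records using Microsoft Graph signIn field names.
SAMPLE_SIGNINS = json.loads("""
[
 {"createdDateTime": "2025-01-06T08:01:12Z", "userPrincipalName": "room-display@example.com",
  "appDisplayName": "Meeting Room Display", "authenticationProtocol": "deviceCode",
  "ipAddress": "198.51.100.10", "status": {"errorCode": 0}},
 {"createdDateTime": "2025-01-06T09:14:40Z", "userPrincipalName": "alice@example.com",
  "appDisplayName": "Office 365 Exchange Online", "authenticationProtocol": "oAuth2",
  "ipAddress": "198.51.100.23", "status": {"errorCode": 0}},
 {"createdDateTime": "2025-01-06T09:31:05Z", "userPrincipalName": "Alice@example.com",
  "appDisplayName": "Unrecognised Client (constructed)", "authenticationProtocol": "deviceCode",
  "ipAddress": "203.0.113.77", "status": {"errorCode": 0}},
 {"createdDateTime": "2025-01-06T10:02:19Z", "userPrincipalName": "bob@example.com",
  "appDisplayName": "Unrecognised Client (constructed)", "authenticationProtocol": "deviceCode",
  "ipAddress": "203.0.113.77", "status": {"errorCode": 1}}
]
""")

# Hypothetical allowlist: (user, app) pairs known to need the device code flow.
APPROVED = {("room-display@example.com", "Meeting Room Display")}

def audit_device_code(signins, approved):
    """Return (inventory, review) for device code sign-ins.

    inventory: per (user, app) counts of successful and failed attempts plus source IPs.
    review: successful device code sign-ins whose (user, app) pair is not approved.
    """
    inventory = defaultdict(lambda: {"success": 0, "failed": 0, "ips": set()})
    review = []
    for rec in signins:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue  # only the device code flow is of interest here
        key = (rec["userPrincipalName"].lower(), rec["appDisplayName"])
        ok = rec.get("status", {}).get("errorCode") == 0  # non-zero is treated as failed
        entry = inventory[key]
        entry["success" if ok else "failed"] += 1
        entry["ips"].add(rec.get("ipAddress"))
        if ok and key not in approved:
            review.append(rec)
    review.sort(key=lambda r: r["createdDateTime"])
    return dict(inventory), review

if __name__ == "__main__":
    inv, todo = audit_device_code(SAMPLE_SIGNINS, APPROVED)
    for (user, app), stats in sorted(inv.items()):
        print(user, "|", app, "|", stats["success"], "ok /", stats["failed"], "failed")
    for rec in todo:
        print("REVIEW:", rec["createdDateTime"], rec["userPrincipalName"], rec["ipAddress"])
```

An empty inventory over a representative period suggests the flow can be blocked outright; entries in the review list are the sign-ins to check with the user and, if unexplained, to follow with session revocation.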

Regular users should learn how to review active sessions and connected devices in their Microsoft 365 account and report anything odd to their information technology staff or through the Internet Crime Complaint Center.

Sources:

[1] Web – FBI issues urgent Kali365 security warning for Teams, Outlook, …

[2] Web – FBI warns of Kali365 phishing scam targeting Microsoft 365 users

[3] Web – FBI warns about PhaaS platform used to access Microsoft 365 …

[4] Web – FBI warns Microsoft Teams, Outlook, OneDrive users of phishing scam