FBI Warns of New Kali365 Service Used to Hack Microsoft 365 Accounts Without Passwords

26.05.2026

The FBI has issued an official warning about a new phishing-as-a-service platform called Kali365, which helps cybercriminals gain access to Microsoft 365 accounts without stealing passwords or MFA codes. The service is already actively spreading through Telegram and uses Microsoft’s legitimate authorization mechanism.

The FBI has warned about a new phishing-as-a-service platform called Kali365 that allows attackers to hijack Microsoft 365 accounts without stealing passwords or bypassing multi-factor authentication protections.

The service first appeared in April 2026. According to the agency, Kali365 is being actively promoted in Telegram channels used by cybercriminals as a simple way to compromise corporate Microsoft 365 accounts, even for attackers with limited technical experience.

The attacks rely on OAuth Device Code Flow phishing. This is a legitimate Microsoft OAuth 2.0 authentication feature originally designed for devices with limited input options, including Smart TVs, conference room systems, printers, streaming devices, and IoT hardware.

Under normal circumstances, users visit microsoft.com/devicelogin, enter a short verification code, and approve the login from another device. Attackers have now started abusing this exact authentication process.

The method itself is relatively simple. Threat actors generate a device code on their side and then trick victims, through phishing emails or social engineering, into entering it on Microsoft’s official login page.

Once the victim completes the login process and passes MFA verification, Microsoft issues an OAuth access token. That token then gives attackers full access to the account without needing to steal passwords or intercept two-factor authentication codes.
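To make the trust boundary in the flow described above concrete, here is an in-memory toy of the OAuth 2.0 device authorization grant (RFC 8628). It is an added illustration, not code from the article, from Microsoft or from Kali365; the authorization server, client id, user and token format are all constructed, and real endpoints and request shapes differ. What it shows is the property the attack relies on: the user types the short user code at the verification URL, but the token is returned to whoever holds the matching device code, that is, to the party that started the flow, not to the browser that approved it.

```python
"""Toy RFC 8628 device authorization grant, in memory, no network.

Added example for the article; nothing here is Microsoft's implementation.
All identifiers (client id, user, token format) are constructed.
"""
import secrets
import time


class DeviceAuthServer:
    """Minimal authorization server holding pending device-code requests."""

    def __init__(self, expires_in: int = 900):
        self.expires_in = expires_in
        self._pending = {}  # device_code -> request record

    def device_authorization(self, client_id: str, scope: str) -> dict:
        """Step 1: the client (not the user) asks for a device code / user code pair."""
        device_code = secrets.token_urlsafe(32)
        # Short, human-typable code, e.g. "A1B2-C3D4" (constructed format).
        user_code = "-".join(secrets.token_hex(2).upper() for _ in range(2))
        self._pending[device_code] = {
            "client_id": client_id,
            "scope": scope,
            "user_code": user_code,
            "expires_at": time.time() + self.expires_in,
            "approved_by": None,
        }
        return {
            "device_code": device_code,
            "user_code": user_code,
            "verification_uri": "https://as.example/device",  # constructed
            "expires_in": self.expires_in,
        }

    def approve(self, user_code: str, subject: str) -> bool:
        """Step 2: an already signed-in user types the user code at the verification URI.
        The server only matches the code; it has no idea who originally requested it."""
        for rec in self._pending.values():
            if rec["user_code"] == user_code and rec["expires_at"] > time.time():
                rec["approved_by"] = subject
                return True
        return False

    def token(self, device_code: str, client_id: str) -> dict:
        """Step 3: the client polls with the device code and, once approved, gets the token."""
        rec = self._pending.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if rec["expires_at"] <= time.time():
            return {"error": "expired_token"}
        if rec["approved_by"] is None:
            return {"error": "authorization_pending"}
        del self._pending[device_code]  # single use
        return {
            "access_token": "tok-" + secrets.token_hex(8),
            "token_type": "Bearer",
            "scope": rec["scope"],
            "sub": rec["approved_by"],  # token is for the approving user...
        }


def run_flow(server: DeviceAuthServer, client_id: str = "cli-app",
             user: str = "alice@example.test"):
    """Drive the flow end to end. Returns (poll result before approval, final token).
    Note that `user` never sees `device_code`; only the polling client holds it."""
    start = server.device_authorization(client_id, "mail.read")
    pending = server.token(start["device_code"], client_id)  # polled too early
    server.approve(start["user_code"], user)                  # user types the code
    return pending, server.token(start["device_code"], client_id)


if __name__ == "__main__":
    before, after = run_flow(DeviceAuthServer())
    print("before approval:", before)
    print("after approval: ", after)
```

The defensive reading of the toy is in `approve`: the server binds the approval to whichever pending request carries that user code, so the only signal the approving user gets is the code itself and the app name shown on the page. That is why the mitigations later in the article focus on not letting the flow run at all, or on watching for it, rather than on user vigilance.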

Using single sign-on access, threat actors can move beyond Microsoft 365 and reach other cloud services connected to the same corporate identity, including Salesforce and additional SaaS platforms. The compromised access is later used for data theft and maintaining persistence inside the network.

Groups such as ShinyHunters and several ransomware operators have already been linked to attacks using device code phishing combined with voice phishing techniques against Microsoft Entra environments.

According to the FBI, Kali365 lowers the barrier for cybercriminals by packaging advanced phishing capabilities into a ready-to-use service. The platform includes AI-generated phishing lures, automated attack templates, live victim tracking dashboards, and tools designed to capture authentication tokens.

Security researchers from Arctic Wolf also observed Kali365 activity while investigating a large-scale campaign targeting organizations across multiple countries.

Researchers said victims were redirected to Microsoft’s legitimate device login portal, where they unknowingly entered attacker-generated codes. After gaining access to corporate mailboxes, the attackers created malicious inbox rules to conceal their activity and, in some cases, registered additional devices inside the victims’ Microsoft environments to expand access.
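The post-compromise behaviour Arctic Wolf describes (device-code sign-in, then new inbox rules, then extra device registrations) is something a defender can correlate from existing logs. The following is an added detection sketch, not code from the article, the FBI or Arctic Wolf. The record shapes are modelled on Microsoft Entra sign-in logs (the `authenticationProtocol` field, which takes the value `deviceCode` for this flow) and on Entra and Exchange audit events as this author knows them; treat the exact field and activity names as an assumption to be mapped onto your own pipeline. Every record below is constructed.

```python
"""Correlate device-code sign-ins with follow-up mailbox and device changes.

Added example; all log records are constructed and the field names are an
assumption modelled on Entra sign-in / audit log schemas.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sign-in records (shape modelled on Entra sign-in logs).
SIGNINS = [
    {"createdDateTime": "2026-05-20T09:12:03Z", "userPrincipalName": "alice@example.test",
     "ipAddress": "203.0.113.10", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-05-20T09:40:00Z", "userPrincipalName": "bob@example.test",
     "ipAddress": "198.51.100.7", "appDisplayName": "OfficeHome",
     "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-05-20T10:05:00Z", "userPrincipalName": "carol@example.test",
     "ipAddress": "192.0.2.44", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
]

# Constructed audit records (shape modelled on Entra / Exchange audit events).
AUDITS = [
    {"activityDateTime": "2026-05-20T09:20:11Z", "initiatedBy": "alice@example.test",
     "activityDisplayName": "New-InboxRule"},
    {"activityDateTime": "2026-05-20T09:31:45Z", "initiatedBy": "alice@example.test",
     "activityDisplayName": "Register device"},
    {"activityDateTime": "2026-05-20T15:00:00Z", "initiatedBy": "carol@example.test",
     "activityDisplayName": "New-InboxRule"},   # hours later: outside the window
]

# Follow-up actions the article associates with post-compromise activity.
SUSPICIOUS_FOLLOW_UPS = {
    "New-InboxRule", "Set-InboxRule",              # mailbox rules hiding activity
    "Register device", "Add registered owner to device",  # new device enrolments
}


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def device_code_signins(signins):
    """Every successful sign-in that used the device code flow."""
    return [s for s in signins
            if s.get("authenticationProtocol") == "deviceCode"
            and s.get("status", {}).get("errorCode", 0) == 0]


def correlate(signins, audits, window_minutes: int = 60):
    """One finding per device-code sign-in; severity rises when the same user
    performs a suspicious follow-up action within `window_minutes` afterwards."""
    by_user = defaultdict(list)
    for a in audits:
        by_user[a["initiatedBy"]].append(a)

    findings = []
    for s in device_code_signins(signins):
        t0 = _ts(s["createdDateTime"])
        hits = []
        for a in by_user[s["userPrincipalName"]]:
            delta = (_ts(a["activityDateTime"]) - t0).total_seconds()
            if a["activityDisplayName"] in SUSPICIOUS_FOLLOW_UPS and 0 <= delta <= window_minutes * 60:
                hits.append(a["activityDisplayName"])
        findings.append({
            "user": s["userPrincipalName"],
            "ip": s["ipAddress"],
            "app": s["appDisplayName"],
            "severity": "high" if hits else "medium",
            "follow_ups": hits,
        })
    return findings


if __name__ == "__main__":
    for f in correlate(SIGNINS, AUDITS):
        print(f)
```

Even a device-code sign-in with no follow-up is worth a look (hence `medium`), because in most organisations only a handful of identities ever legitimately use this flow; the `high` tier is where the sign-in is followed by the mailbox-rule or device-registration activity the researchers observed.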

Arctic Wolf researchers described Kali365 as a structured cybercrime operation with administrators managing the platform, resellers promoting the service, and affiliates carrying out phishing attacks.

The platform currently supports two separate attack methods. One focuses on traditional device code phishing, while the second uses an adversary-in-the-middle technique known as “Cookie Link.”

In Cookie Link mode, victims authenticate through attacker-controlled infrastructure, allowing threat actors to capture browser sessions, session cookies, and authentication tokens even after MFA has been completed successfully.

The FBI is advising organizations to restrict or fully disable Device Code Flow through Conditional Access policies whenever possible, closely monitor device code authentication activity, and prevent authenticated sessions from being transferred between devices.
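The two Conditional Access recommendations above (block Device Code Flow, and stop sessions being transferred between devices) map onto one policy in Microsoft Entra. The snippet below is an added example, not code from the article or the FBI: it holds a deliberately weak policy next to a hardened one and a small checker that reports the gaps. The policy shape follows the Microsoft Graph `conditionalAccessPolicy` resource as this author knows it (`conditions.authenticationFlows.transferMethods`, with the values `deviceCodeFlow` and `authenticationTransfer`); confirm the field names against current Graph documentation before deploying, and the break-glass exclusion id is a placeholder.

```python
"""Check a Conditional Access policy actually blocks device code flow.

Added example. Policy dictionaries are modelled on the Microsoft Graph
conditionalAccessPolicy schema (an assumption to verify); the weak policy is a
constructed counter-example, and "break-glass-object-id-placeholder" is not a
real identifier.
"""

# Weak: report-only, and it only covers device code, not authentication transfer.
WEAK_POLICY = {
    "displayName": "CA - Block device code flow (pilot)",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": []},
        "applications": {"includeApplications": ["All"]},
        "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

# Hardened: enforced, all users and apps, both transfer methods blocked.
HARDENED_POLICY = {
    "displayName": "CA - Block device code flow and authentication transfer",
    "state": "enabled",
    "conditions": {
        "users": {
            "includeUsers": ["All"],
            "excludeUsers": ["break-glass-object-id-placeholder"],  # placeholder
        },
        "applications": {"includeApplications": ["All"]},
        "authenticationFlows": {
            "transferMethods": "deviceCodeFlow,authenticationTransfer"
        },
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

REQUIRED_METHODS = {"deviceCodeFlow", "authenticationTransfer"}


def transfer_methods(policy: dict) -> set:
    """Parse the comma-separated transferMethods string into a set."""
    raw = policy.get("conditions", {}).get("authenticationFlows", {}).get("transferMethods", "")
    return {m.strip() for m in raw.split(",") if m.strip()}


def evaluate_policy(policy: dict) -> list:
    """Return a list of gaps; an empty list means the policy meets the article's advice."""
    gaps = []
    conds = policy.get("conditions", {})
    if policy.get("state") != "enabled":
        gaps.append(f"not enforced (state={policy.get('state')})")
    missing = REQUIRED_METHODS - transfer_methods(policy)
    if missing:
        gaps.append("transferMethods missing: " + ", ".join(sorted(missing)))
    if conds.get("users", {}).get("includeUsers") != ["All"]:
        gaps.append("not scoped to all users")
    if conds.get("applications", {}).get("includeApplications") != ["All"]:
        gaps.append("not scoped to all applications")
    if "block" not in (policy.get("grantControls") or {}).get("builtInControls", []):
        gaps.append("grant control is not 'block'")
    return gaps


if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, "->", evaluate_policy(pol) or "OK")
```

Where a device genuinely needs the flow (the conference-room and IoT cases the article mentions), the usual approach is to keep this block policy universal and carve out a narrowly scoped exception group rather than weakening the policy itself; the checker above treats any `excludeUsers` entry as acceptable but you may want to list and review them as well.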

The agency also urged companies to report incidents to the Internet Crime Complaint Center and preserve evidence such as phishing emails, suspicious login activity, and unauthorized device enrollments.

Device code phishing became one of the fastest-growing attack techniques targeting Microsoft 365 in 2026, with more cybercriminal groups now adopting the method as part of their phishing operations.
