The FBI Warns of Kali365: a Telegram-Sold Phishing Kit That Steals Your Microsoft 365 Session After You Pass MFA
The FBI's IC3 has warned organizations about Kali365, a Telegram-sold phishing-as-a-service kit that runs device-code phishing against Microsoft 365 — stealing the OAuth tokens issued after the victim genuinely passes MFA on Microsoft's real sign-in page.
Kali365 attacks the one place multi-factor authentication cannot help — because the victim successfully completes MFA on Microsoft's genuine sign-in page. On May 21, 2026, the FBI's Internet Crime Complaint Center warned organizations about this Telegram-sold phishing-as-a-service kit, which runs a device-code phishing attack and harvests the OAuth access and refresh tokens issued after authentication. A stolen refresh token is a durable, password-free, MFA-free key to a victim's Outlook, Teams, and OneDrive. Defenders who treat 'MFA is enabled' as the finish line are defending the wrong checkpoint.
WASHINGTON, D.C. — On May 21, 2026, the FBI's Internet Crime Complaint Center (IC3) issued a Public Service Announcement (PSA) warning organizations about Kali365, a fast-growing phishing-as-a-service (PhaaS) platform built to steal Microsoft 365 OAuth tokens and walk past multi-factor authentication (MFA) without ever capturing the victim's password. First seen in April 2026 and distributed primarily through Telegram, Kali365 runs a device-code phishing attack: a phishing email impersonating a trusted cloud or document-sharing service delivers a device code and instructions to enter it on a legitimate Microsoft verification page. Because the victim authenticates on Microsoft's genuine sign-in flow, MFA completes normally — and the operator harvests the OAuth access and refresh tokens issued afterward, granting persistent access to Outlook, Teams, and OneDrive with no password and no further MFA prompts. The PSA notes that Kali365 is frequently cited alongside EvilTokens, a parallel device-code phishing platform, and that Microsoft has reported hundreds of Microsoft 365 compromises occurring daily across affected environments.
What Happened
MFA Completes — and That Is the Problem
The detail that makes Kali365 worth a federal advisory is not that it is a new phishing kit. It is where the kit attacks. Kali365 does not spoof Microsoft's login page, and it does not try to capture the victim's password. The phishing email impersonates a trusted cloud or document-sharing service and asks the recipient to enter a short device code on a legitimate Microsoft verification page. The victim does exactly that — on Microsoft's real, genuine sign-in flow — and MFA completes normally, because there is nothing fraudulent about the authentication itself. The fraud happens one step later. The device-code flow exists so that input-limited devices can be authorized by a user signing in elsewhere; Kali365 abuses that legitimate flow so the operator, not a printer or a smart display, receives the OAuth tokens Microsoft issues once authentication succeeds. The victim passes every check. The operator collects the result.
Why the Refresh Token Is the Real Prize
Microsoft 365 issues two distinct tokens after a successful sign-in, and the difference between them is the whole story. The access token is short-lived — it authorizes requests for a limited window and then expires. The refresh token is the durable one: it is what a client uses to silently obtain new access tokens without prompting the user to sign in again. When Kali365 harvests both, the access token gives the operator an immediate foothold and the refresh token gives them a lasting one. A stolen refresh token is a password-free, MFA-free key to the victim's Outlook, Teams, and OneDrive that keeps working until it is explicitly revoked. Critically, a password reset alone does not invalidate it. That is why the FBI frames this as a session-theft problem rather than a credential-theft problem — the operator never needed the password, and changing it does not lock them out.
Phishing-as-a-Service Lowers the Barrier
Kali365 is sold, not hand-built per campaign. According to the IC3 advisory, the platform packages AI-generated phishing lures, automated campaign templates, real-time target-tracking dashboards, and OAuth token capture into a turnkey product distributed primarily through Telegram. Each of those components removes a skill requirement. AI-generated lures eliminate the broken grammar and clumsy phrasing that once gave phishing emails away. Automated templates and dashboards mean an operator does not need to build infrastructure or write code to run a campaign at scale. The result is that device-code phishing — a technique that previously rewarded patient, technical attackers — is now available to low-skill operators as a subscription. Note that the kit's name, Kali365, is unrelated to the Kali Linux penetration-testing distribution; the similarity is incidental and the two should not be conflated.
Scope and Impact
Kali365 is not an isolated novelty — it is the latest entry in a device-code and OAuth-consent phishing cluster that The CyberSignal has tracked through 2026. The clearest precedent is the Tycoon2FA OAuth device-code variant, which similarly turns Microsoft's own login page against Microsoft 365 by abusing the same authorization flow. What Kali365 adds is commoditization: where earlier device-code campaigns rewarded technical skill, the FBI now describes a packaged, AI-assisted product sold to anyone with a Telegram account. The advisory's note that Kali365 is frequently mentioned alongside EvilTokens underscores that this is a market, not a single tool — though the relationship, if any, between the two platforms' operators is not confirmed.
The harm from a successful Kali365 campaign is exposure of an entire Microsoft 365 identity, not a single mailbox. With a valid refresh token, an operator can read and send mail in Outlook, access conversations and files in Teams, and pull documents from OneDrive — all without tripping a password or MFA prompt. That breadth puts Kali365 alongside the broader 2026 pattern of attacks that sidestep traditional controls: Verizon's research on how vulnerability exploitation overtook credential theft as the top way attackers get in and Google's report on the first AI-developed zero-day used in a 2FA-bypass campaign both point to the same shift — defenders' assumptions about where the perimeter sits are increasingly out of date. Token theft is one more checkpoint that attackers have learned to step around rather than break.
Several things about Kali365 are genuinely not confirmed, and this account should not imply otherwise. The operators behind the platform and their location are unknown. The total number of organizations compromised via Kali365 specifically has not been established — Microsoft's 'hundreds daily' figure spans affected environments broadly, including activity attributed to EvilTokens. Kali365's pricing and subscriber count, whether any law-enforcement action against its infrastructure is underway, and the specific cloud and document-sharing brands most often impersonated in its lures are all unreported. Readers should treat the FBI advisory as a warning about a technique and a market, the way prior coverage treated post-authentication abuse in the Microsoft Defender UnDefend and RedSun zero-days — not as a finished casualty count.
Response and Attribution
For Microsoft 365 administrators and identity teams, the single highest-impact mitigation is to restrict or disable the device-code authentication flow wherever it is not needed: Microsoft Entra Conditional Access can block the device-code flow for users and locations that have no legitimate use for it, which removes the mechanism Kali365 depends on. Pair that with token-lifetime control — a stolen refresh token's value is proportional to how long it stays valid, so shorten token lifetimes, tighten refresh-token policies, and use Conditional Access with continuous access evaluation (CAE) to revoke sessions on risk signals. Moving to phishing-resistant authentication such as FIDO2, passkeys, or certificate-based credentials remains worthwhile, but defenders should understand its limits here: device-code phishing abuses the token issued after authentication, so the larger wins are flow restriction and token-lifetime control. Threat hunters should look for token-theft indicators — sign-ins from new or anomalous locations and devices using existing tokens, OAuth grants to unfamiliar applications, and Outlook, Teams, or OneDrive access inconsistent with the user's normal pattern. On a suspected compromise, revoke the account's refresh tokens and sign-in sessions; a password reset alone does not invalidate a stolen refresh token, and incident responders should keep a runbook for OAuth-token-theft incidents that is distinct from their credential-phishing playbook.
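The hunting guidance above (device-code sign-ins, then token use from unfamiliar locations or devices) can be turned into a small triage script. The following is an added example written for this article, not code from the FBI advisory or from The CyberSignal; it runs over a constructed list of sign-in records whose field names (userPrincipalName, authenticationProtocol, ipAddress, deviceDetail.deviceId, createdDateTime, appDisplayName) follow the Microsoft Graph sign-in export as I understand it, so treat the exact names as an assumption and map your own export accordingly.

```python
"""Triage Entra sign-in records for device-code sign-ins and post-sign-in token reuse.

Added example (not from the FBI PSA or The CyberSignal). Field names are an
assumption about the Graph signIn export; adjust them to your own data.
"""
from datetime import datetime, timedelta

# Constructed sample: alice signs in normally, then completes a device-code
# sign-in, then an existing token is used from a new IP and an unregistered
# device. bob is a normal user and should not be flagged.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-05-20T09:02:11Z", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10",
     "deviceDetail": {"deviceId": "dev-alice-laptop"}, "appDisplayName": "Outlook"},
    {"createdDateTime": "2026-05-20T09:40:03Z", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.10",
     "deviceDetail": {"deviceId": ""}, "appDisplayName": "Microsoft Office"},
    {"createdDateTime": "2026-05-20T10:05:44Z", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "none", "ipAddress": "198.51.100.77",
     "deviceDetail": {"deviceId": ""}, "appDisplayName": "Microsoft Teams"},
    {"createdDateTime": "2026-05-20T11:00:00Z", "userPrincipalName": "bob@example.com",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.22",
     "deviceDetail": {"deviceId": "dev-bob-desktop"}, "appDisplayName": "Outlook"},
]


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamp used in the sign-in export."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def device_code_signins(records):
    """Every sign-in that completed through the device-code flow."""
    return [r for r in records if r.get("authenticationProtocol") == "deviceCode"]


def post_device_code_anomalies(records, window=timedelta(hours=24)):
    """For each user with a device-code sign-in, flag later sign-ins inside
    `window` that come from an IP address or device the user had not used
    before that device-code sign-in: the token-reuse pattern to hunt for."""
    by_user = {}
    for r in sorted(records, key=lambda r: parse_ts(r["createdDateTime"])):
        by_user.setdefault(r["userPrincipalName"], []).append(r)

    findings = []
    for user, history in by_user.items():
        for dc in (r for r in history if r.get("authenticationProtocol") == "deviceCode"):
            dc_time = parse_ts(dc["createdDateTime"])
            # Baseline: what this user looked like before the device-code sign-in.
            prior = [r for r in history if parse_ts(r["createdDateTime"]) < dc_time]
            known_ips = {r["ipAddress"] for r in prior}
            known_devices = {r["deviceDetail"].get("deviceId", "") for r in prior} - {""}
            for r in history:
                t = parse_ts(r["createdDateTime"])
                if not dc_time < t <= dc_time + window:
                    continue
                reasons = []
                if r["ipAddress"] not in known_ips:
                    reasons.append("new IP after device-code sign-in")
                if r["deviceDetail"].get("deviceId", "") not in known_devices:
                    reasons.append("unregistered or new device")
                if reasons:
                    findings.append({"user": user, "time": r["createdDateTime"],
                                     "ip": r["ipAddress"], "app": r.get("appDisplayName"),
                                     "reasons": reasons})
    return findings


def users_to_revoke(records):
    """Users whose refresh tokens and sign-in sessions should be revoked.
    Revocation, not a password reset, is the action that cuts off a stolen token."""
    return sorted({f["user"] for f in post_device_code_anomalies(records)})


if __name__ == "__main__":
    for f in post_device_code_anomalies(SAMPLE_SIGNINS):
        print(f"{f['user']} {f['time']} {f['ip']} {f['app']}: {', '.join(f['reasons'])}")
    print("revoke sessions for:", users_to_revoke(SAMPLE_SIGNINS))
```

The baseline is deliberately built only from activity before the device-code sign-in, so a token used from the operator's infrastructure minutes later stands out even if that address later becomes "normal" for the account.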
Security-awareness teams should retrain users on the specific shape of the Kali365 lure rather than generic phishing advice. The email asks the recipient to enter a device code on a real Microsoft page — and the legitimacy of that page is exactly what makes the request convincing. The teachable red flag is the action, not the appearance: a device code arriving by email and a prompt to authorize a device are the warning signs, not typos or a suspicious-looking login screen, because AI-generated lures have made 'look for bad grammar' obsolete. For CISOs, Kali365 is the clearest proof yet that MFA is a checkpoint, not a finish line. The 2026 PhaaS market — Kali365, EvilTokens, and the Tycoon2FA device-code variant among them — is built specifically to operate after successful MFA, and its commoditization is the structural story: AI-generated lures and turnkey dashboards mean low-skill operators can now run token-theft campaigns at scale. Identity-layer hardening — device-code flow restriction, token-lifetime control, and session revocation on risk — is now a baseline requirement, not an advanced control.
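The red flag the paragraph describes (a code delivered by email plus a prompt to enter it or authorize a device) is also a usable mail-filter rule. The following is an added example for this article, not code from the advisory or from The CyberSignal; the Microsoft device-login URLs it matches are real endpoints, but the assumed shape of a user code (8 to 9 uppercase alphanumerics containing at least one letter and one digit) and the phrasing list are assumptions to tune against your own samples, and the three emails are constructed.

```python
"""Flag emails that carry a device code and a prompt to enter it or authorize a device.

Added example (not from the FBI PSA or The CyberSignal). The code-shape regex
and phrasing list are assumptions; tune them against real samples.
"""
import re

# Real Microsoft device-login endpoints a lure may point the recipient to.
DEVICELOGIN_URL = re.compile(
    r"microsoft\.com/devicelogin|login\.microsoftonline\.com/common/oauth2/deviceauth",
    re.IGNORECASE,
)
# Assumed user-code shape: 8-9 uppercase alphanumerics (filtered below to require
# both a letter and a digit so ordinary words do not match).
CODE_CANDIDATE = re.compile(r"\b[A-Z0-9]{8,9}\b")
# Action phrasing: the request itself is the warning sign, not the page it points to.
AUTHORIZE_PHRASING = re.compile(
    r"enter (?:this|the) code|authori[sz]e (?:a |this |your )?device|device code",
    re.IGNORECASE,
)

# Constructed samples.
LURE = ("A document has been shared with you via SharePoint. To view it, go to "
        "https://microsoft.com/devicelogin and enter the code B7GJ3R4CK.")
PHRASING_ONLY = ("Your verification code is 48QK2M7TP. Enter this code in the app "
                 "to authorize your device.")
BENIGN = ("Hi Alice, your invoice INV-2026-0042 is attached. Please approve it in the "
          "finance portal by Friday. Regards, Accounting")


def find_codes(text):
    """Return candidate device codes: assumed shape, with a letter and a digit."""
    return [c for c in CODE_CANDIDATE.findall(text)
            if any(ch.isdigit() for ch in c) and any(ch.isalpha() for ch in c)]


def classify(text):
    """Verdict plus the individual signals, so analysts can see why a mail was flagged."""
    codes = find_codes(text)
    signals = {
        "devicelogin_url": bool(DEVICELOGIN_URL.search(text)),
        "authorize_phrasing": bool(AUTHORIZE_PHRASING.search(text)),
        "device_code_token": bool(codes),
    }
    # A device-login URL with either a code or the action phrasing, or a code
    # together with the action phrasing, is the lure shape described in the advisory.
    lure = (signals["devicelogin_url"] and (codes or signals["authorize_phrasing"])) \
        or (bool(codes) and signals["authorize_phrasing"])
    return {"verdict": "device-code lure" if lure else "benign",
            "signals": signals, "codes": codes}


if __name__ == "__main__":
    for name, text in (("LURE", LURE), ("PHRASING_ONLY", PHRASING_ONLY), ("BENIGN", BENIGN)):
        print(name, classify(text))
```

The second sample shows why the rule keys on the action rather than on a URL: a lure that hides the destination behind a button or a shortener still has to tell the recipient to enter a code.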
The CyberSignal Analysis
Signal 01 — The Victim Did Everything Right
Most coverage of this advisory will run as 'FBI warns of new phishing kit,' and that framing buries the point. In a Kali365 campaign, the victim is not tricked into surrendering a password on a fake page, because there is no fake page. They receive a code, they enter it on Microsoft's genuine verification page, and they complete MFA exactly as their security training taught them to. Every defense the user was asked to operate performs correctly. The kit simply collects the OAuth tokens that a successful sign-in produces. That reframes the defender's problem entirely: the failure is not user behavior and not a broken control, it is that the device-code authorization flow can be pointed at an operator instead of a legitimate device. You cannot train your way out of this one. The fix lives in the identity configuration, not the inbox.
Signal 02 — Stop Defending the Login, Start Defending the Session
MFA defends the moment of authentication. Kali365 does not attack that moment — it attacks what comes after it. The refresh token issued post-authentication is a durable, password-free, MFA-free credential, and an organization that treats 'MFA is enabled' as proof of safety is monitoring the wrong checkpoint. The operative shift for defenders is to move attention downstream: shorten token lifetimes so a stolen refresh token decays quickly, deploy continuous access evaluation so risk signals can kill a session mid-stream, and build detection around token use — anomalous sign-ins riding existing tokens — rather than around the phishing email alone. A password reset, the reflexive response to 'we were phished,' does nothing to a stolen refresh token. Session revocation is the action that matters, and most incident-response runbooks still do not call for it by default.
Signal 03 — Phishing-as-a-Service Is the Real Headline
The structural story is not Kali365 the kit; it is Kali365 the business model. A PhaaS platform that bundles AI-generated lures, automated templates, and real-time dashboards turns a technique that once demanded patience and skill into a subscription a low-skill operator can buy on Telegram. The FBI's note that Kali365 is one of at least two such platforms — EvilTokens being the other — confirms this is a competitive market, not a one-off tool. The 2026 PhaaS market is specialized: it is built to operate after MFA, against the token rather than the password. For security leaders, the implication is that identity-layer hardening can no longer be deferred as an advanced project. When token-theft campaigns are commoditized and sold at scale, restricting the device-code flow and controlling token lifetime become table stakes — the baseline an organization needs simply to not be the easy target.