
FBI Warns Microsoft 365 Users of Kali365 Phishing Attack Bypassing Passwords

Translated & summarized from Now 14 by baba

The FBI has issued a serious warning about a new phishing method called Kali365 targeting Microsoft 365 users. This attack bypasses traditional authentication by exploiting Microsoft's "device code" login mechanism, allowing attackers to access accounts without knowing the victim's password. Kali365, first identified in April 2026 and mainly distributed via Telegram, operates as a phishing-as-a-service platform, providing automated tools, AI-generated messages, and systems to capture access tokens.

The attack begins when the attacker initiates a login attempt from their own device. The victim then receives a convincing email that appears to come from a legitimate file-sharing service. This email contains a code and directs the victim to Microsoft's official authentication page. When the victim enters the code on the genuine Microsoft site, they inadvertently grant the attacker access. The attacker then obtains access and refresh tokens, enabling continuous access without further authentication.

Security experts highlight the significant risk this poses to businesses and organizations. Since the victim enters the code on a legitimate Microsoft page, many security tools and password managers fail to detect suspicious activity. Once inside an organizational email account, attackers can read communications, send fraudulent invoices, and impersonate trusted sources to other employees.

To mitigate these risks, the FBI and Microsoft security teams recommend users never enter device codes unless they initiated the login process, avoid clicking on unexpected links, and access Microsoft 365 directly through browsers. Organizations should regularly monitor login logs and connected devices, revoke unknown sessions immediately, and consider restricting device code usage through conditional access policies. In case of suspected compromise, immediate actions include logging out from all devices, changing passwords, and checking email forwarding rules. Organizations must promptly report incidents to their security teams to revoke stolen access tokens and prevent ongoing breaches.
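One way to act on the "monitor login logs" recommendation is to list every successful device code sign-in made by an account that is not expected to use that flow. The following is an added example, not code from the article, the FBI or Microsoft; it assumes sign-in records exported as JSON lines with field names following the Microsoft Graph signIn resource, and both the sample records and the allowlisted account are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not real logs). Field names are assumed to follow the
# Microsoft Graph signIn resource; adjust them to match your own export.
SAMPLE_LOG = """
{"createdDateTime":"2026-05-04T08:12:10Z","userPrincipalName":"alice@example.com","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Office","ipAddress":"203.0.113.7","status":{"errorCode":0}}
{"createdDateTime":"2026-05-04T08:20:00Z","userPrincipalName":"alice@example.com","authenticationProtocol":"oAuth2","appDisplayName":"Outlook","ipAddress":"192.0.2.10","status":{"errorCode":0}}
{"createdDateTime":"2026-05-04T08:31:45Z","userPrincipalName":"bob@example.com","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Office","ipAddress":"203.0.113.7","status":{"errorCode":1}}
{"createdDateTime":"2026-05-04T09:02:00Z","userPrincipalName":"kiosk-admin@example.com","authenticationProtocol":"deviceCode","appDisplayName":"Teams Rooms","ipAddress":"192.0.2.44","status":{"errorCode":0}}
{"createdDateTime":"2026-05-04T09:30:00Z","userPrincipalName":"Alice@Example.com","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Office","ipAddress":"198.51.100.23","status":{"errorCode":0}}
{"createdDateTime":"2026-05-04T
"""

def find_device_code_signins(lines, allowed_users=()):
    """Group successful device code sign-ins by user, skipping allowlisted accounts."""
    allowed = {u.lower() for u in allowed_users}
    hits = defaultdict(lambda: {"count": 0, "first_seen": None, "ips": set(), "apps": set()})
    for line in lines:
        try:
            rec = json.loads(line)
            seen = datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))
        except (ValueError, KeyError, TypeError, AttributeError):
            continue  # blank, truncated or malformed export line
        if str(rec.get("authenticationProtocol", "")).lower() != "devicecode":
            continue  # some other sign-in method
        if (rec.get("status") or {}).get("errorCode") != 0:
            continue  # failed attempt, so no tokens were issued
        user = str(rec.get("userPrincipalName") or "<unknown>").lower()
        if user in allowed:
            continue  # account expected to use device code (e.g. shared devices)
        entry = hits[user]
        entry["count"] += 1
        entry["ips"].add(rec.get("ipAddress"))
        entry["apps"].add(rec.get("appDisplayName"))
        if entry["first_seen"] is None or seen < entry["first_seen"]:
            entry["first_seen"] = seen  # earliest hit bounds the token-revocation window
    return dict(hits)

if __name__ == "__main__":
    hits = find_device_code_signins(SAMPLE_LOG.splitlines(), ["kiosk-admin@example.com"])
    for user, info in hits.items():
        print(user, info["count"], info["first_seen"].isoformat(), sorted(info["ips"]))
```

Each account it returns is a candidate for the response steps above: revoke its sessions and check its email forwarding rules.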
