
A new phishing as a service platform called Kali365 is targeting Microsoft 365 accounts.
The FBI is sounding the alarm on a new phishing platform that is catching Microsoft 365 users off guard not by stealing passwords, but by tricking people into handing over access without ever realizing it.
The platform, known as Kali365, first appeared in April 2026 and has been spreading primarily through Telegram. It targets Microsoft 365 accounts, including Outlook, Teams and OneDrive, and what makes it particularly concerning is that it can slip past multifactor authentication, the extra layer of security that millions of users rely on to keep their accounts safe.
How Kali365 works
Kali365 operates as a phishing-as-a-service platform, meaning criminals can essentially subscribe to it and use ready-made tools to launch attacks. The kit provides AI-generated phishing messages, automated campaign templates and tools that capture what are known as OAuth tokens: digital access keys that allow an app to stay connected to a Microsoft account without requiring a password each time.
The scam exploits Microsoft’s legitimate device code login process, the same kind of flow used when signing into a streaming service on a smart TV, where a short code appears on screen and is entered on another device to confirm the sign-in.
In this case, a criminal initiates the sign-in from their own device and sends the victim a phishing email that appears to come from a trusted file sharing or productivity service. The email includes a device code and directs the recipient to a real Microsoft verification page, which is exactly what makes the attack so difficult to detect. The web address looks legitimate. A password manager may not flag it. But once the code is entered, the attacker captures access and refresh tokens, opening the door to Outlook, Teams and OneDrive without ever needing the victim’s password or triggering another authentication prompt.
Why small businesses are especially at risk
While anyone with a Microsoft 365 account is a potential target, small businesses face a particularly serious exposure. A compromised work account can give a criminal access to email threads, invoices, shared files, employee conversations and customer data. From inside Outlook, an attacker can study a person’s writing style and send messages that appear to come from a trusted colleague, making it nearly impossible for recipients to recognize the threat.
13 ways to protect your Microsoft 365 account
Cybersecurity experts and the FBI have outlined a number of steps users and organizations can take to reduce their risk:
- Never enter a device code you did not personally request; if one arrives via email or Teams, stop immediately.
- Go directly to Microsoft’s website rather than clicking links inside unexpected messages.
- Check your account for recent sign-ins, connected devices and active sessions regularly.
- Revoke access for any suspicious sessions and change your password right away if you suspect a mistake.
- Keep multifactor authentication turned on; it still blocks many attack types, even if it is not foolproof here.
- Use reputable antivirus software to catch phishing pages and malicious links before they cause damage.
- Consider a data removal service to reduce the personal information available on people search and data broker sites, which scammers use to craft convincing messages.
- Train employees specifically about device code scams, not just general password phishing.
- Restrict device code flow through conditional access policies if your business does not need it.
- Audit current device code usage before blocking it to avoid disrupting legitimate business processes.
- Block authentication transfer policies to prevent sign-in approvals from being moved between devices.
- Protect emergency access accounts with exclusions if full restriction is not possible.
- Report any targeted or compromised accounts to the FBI’s Internet Crime Complaint Center at IC3.gov, including phishing emails, login times, IP addresses and suspicious device information.
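A starting point for the "audit before you block" step above, as an added example that is not part of the article or the FBI advisory: a small Python script that sifts exported sign-in records for successful device code sign-ins, lists which apps and users depend on the flow (the ones a Conditional Access block would disrupt), and flags users with a single one-off device code success, which is how a phished code shows up in the log. The field names (authenticationProtocol, appDisplayName, userPrincipalName, ipAddress, status.errorCode) are assumed to match an Entra ID sign-in log export, and the records are constructed sample data.

```python
from collections import defaultdict

# Constructed sample export (not real data). Field names are assumed to match an
# Entra ID sign-in log export: authenticationProtocol, appDisplayName,
# userPrincipalName, ipAddress and status.errorCode.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "ops@example.com", "appDisplayName": "Azure CLI",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"userPrincipalName": "ops@example.com", "appDisplayName": "Azure CLI",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"userPrincipalName": "finance@example.com", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.77", "status": {"errorCode": 0}},
    {"userPrincipalName": "finance@example.com", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "oAuth2", "ipAddress": "192.0.2.5", "status": {"errorCode": 0}},
    {"userPrincipalName": "ops@example.com", "appDisplayName": "Azure CLI",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.10", "status": {"errorCode": 50126}},
]


def device_code_signins(records):
    """Successful sign-ins that completed via the device code flow; failed attempts are skipped."""
    return [r for r in records
            if r.get("authenticationProtocol") == "deviceCode"
            and r.get("status", {}).get("errorCode", 0) == 0]


def summarize(records):
    """Per (app, user): success count and distinct source IPs. Every app listed here
    would break under a Conditional Access block on the flow, so these are the
    candidates for review or a scoped exclusion."""
    summary = defaultdict(lambda: {"count": 0, "ips": set()})
    for r in device_code_signins(records):
        entry = summary[(r["appDisplayName"], r["userPrincipalName"])]
        entry["count"] += 1
        entry["ips"].add(r["ipAddress"])
    return {k: {"count": v["count"], "ips": sorted(v["ips"])} for k, v in summary.items()}


def one_off_users(records):
    """Users with exactly one successful device code sign-in. Habitual users of device
    code clients sign in repeatedly; a single success is what a phished code looks
    like in the log, so confirm it with the user before treating it as legitimate."""
    per_user = defaultdict(int)
    for r in device_code_signins(records):
        per_user[r["userPrincipalName"]] += 1
    return sorted(u for u, n in per_user.items() if n == 1)


if __name__ == "__main__":
    for (app, user), info in summarize(SAMPLE_SIGNINS).items():
        print(f"{app:<17} {user:<20} successes={info['count']} ips={info['ips']}")
    print("one-off device code users:", one_off_users(SAMPLE_SIGNINS))
```

Point the script at a real export (for example the JSON from an Entra ID sign-in log download) to see which apps need an exclusion before enabling the block.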
What to do if you already entered a code
Acting quickly is essential. Users should sign out of Microsoft 365 on all devices, change their password immediately, check that recovery contact information has not been altered, and review Outlook for any forwarding rules or inbox filters that may have been added without their knowledge. OneDrive files and recent Teams activity should also be reviewed. Anyone using a work account should notify their IT team right away, since stolen tokens can maintain access until they are manually revoked.
The core takeaway from the FBI’s warning is simple: slow down before entering any Microsoft device code, especially one that arrived unexpectedly. A few extra seconds of caution could be all that stands between a secure account and a very costly breach.