Kali365 is a rapidly emerging Phishing-as-a-Service (PhaaS) kit that targets Microsoft 365 environments. Instead of stealing passwords, it tricks users into authorizing OAuth tokens for an attacker-controlled client, so the MFA sign-in the victim completes ends up protecting the attacker's session rather than blocking it. On May 21, 2026, the FBI issued Public Service Announcement I-052126-PSA warning organizations about the severity of this threat. This post outlines what Kali365 does, what the FBI advisory says, and the security measures Administrators must implement to protect their Microsoft 365 environments.
How does Kali365 attack Microsoft 365 environments?
Kali365 abuses a legitimate Microsoft authentication feature, the OAuth 2.0 Device Authorization Grant (the sign-in flow designed for devices without a browser, such as smart TVs and command-line tools), in a technique known as **device code phishing**. The attack unfolds in three steps:
1. The attacker's kit requests a device code from Microsoft's authorization endpoint and sends a phishing email that impersonates a trusted service, such as SharePoint, DocuSign, Adobe Acrobat Sign, or OneDrive. The email carries the user code and instructs the recipient to enter it at microsoft.com/devicelogin. Microsoft's device codes expire after 15 minutes, so the victim has to act within that window for the attack to succeed.
2. The victim navigates to the genuine Microsoft page (microsoft.com/devicelogin), enters the code, signs in and completes any MFA prompt. Because the page, URL and certificate really are Microsoft's, nothing looks wrong, yet the victim has just authorized the attacker's client to act as their account.
3. Microsoft issues the OAuth access and refresh tokens to the client that started the flow, which is the attacker's infrastructure. From there the attacker has persistent access to the victim's Microsoft 365 services, including Outlook, Teams, SharePoint, and OneDrive, without ever learning the password or facing another MFA challenge.
Once a threat actor holds the access and refresh tokens, they can keep using the account for an extended period: the refresh token is silently exchanged for new access tokens for as long as it remains valid and is not revoked. Attackers have been observed creating malicious inbox rules to suppress security alerts, registering new devices in the victim's environment to obtain a Primary Refresh Token (PRT), reading and exfiltrating email, accessing sensitive files in OneDrive, and monitoring communications in Teams. Because no password is entered on an attacker-controlled page, detections built around credential theft may not fire, which significantly increases the attacker's dwell time.
What is the FBI Advisory about Kali365?
On May 21, 2026, the FBI's Internet Crime Complaint Center (IC3) published Alert Number I-052126-PSA — a formal Public Service Announcement titled "Kali365 Phishing-as-a-Service Kit Hijacks Microsoft 365 Access Tokens." The advisory warns that Kali365 enables cyber threat actors to obtain Microsoft 365 access tokens and bypass Multi-Factor Authentication without intercepting the user's credentials. The FBI confirmed that the platform has been distributed primarily via Telegram since April 2026.
The FBI's recommended protective measures include:
1. Restrict device code flow by creating a Conditional Access policy in Microsoft Entra ID that blocks device code flow for all users, with limited exceptions for documented and required business processes (for example, command-line tools on systems without a browser).
2. Audit existing device code flow usage in the sign-in logs to identify legitimate dependencies before enforcing the block, and deploy the policy in report-only mode first so that unexpected breakage surfaces before users are affected.
3. Block authentication transfer as well, using the same Authentication flows condition in Conditional Access, so that an authenticated session cannot be transferred from a computer to a mobile device (for example by scanning a QR code).
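The three FBI measures above, worked through in Microsoft Graph PowerShell as an added example; this is not code from the FBI advisory, Microsoft or Helient. It assumes the Microsoft.Graph and Microsoft.Graph.Beta modules are installed, an administrator with Conditional Access rights signs in interactively, a 30-day audit window, and a placeholder group ID for the documented exceptions and break-glass accounts. The audit reads the beta sign-in endpoint because the authenticationProtocol field that marks device code sign-ins is exposed there.

```powershell
# Added example, not from the FBI advisory, Microsoft or Helient.
# Step 1 audits device code usage; step 2 creates the blocking policy in
# report-only mode so legitimate dependencies surface before enforcement.
# Assumptions: Microsoft.Graph and Microsoft.Graph.Beta modules are installed,
# $exceptionGroupId is a placeholder for your documented-exception/break-glass group.

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All', 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess'

# ---- Step 1: who is actually using device code flow? (last 30 days) ----
$since = (Get-Date).AddDays(-30).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')

# authenticationProtocol is exposed on the beta sign-in resource; the value
# 'deviceCode' marks a sign-in completed through the Device Authorization Grant.
$deviceCodeSignIns = Get-MgBetaAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.AuthenticationProtocol -eq 'deviceCode' }

# One row per user/application pair, newest sign-in first, so that real
# business dependencies can be identified and placed in the exception group.
$deviceCodeSignIns |
    Group-Object UserPrincipalName, AppDisplayName |
    ForEach-Object {
        $latest = $_.Group | Sort-Object CreatedDateTime -Descending | Select-Object -First 1
        [pscustomobject]@{
            User     = $latest.UserPrincipalName
            App      = $latest.AppDisplayName
            SignIns  = $_.Count
            LastSeen = $latest.CreatedDateTime
            LastIP   = $latest.IpAddress
        }
    } | Sort-Object SignIns -Descending | Format-Table -AutoSize

# ---- Step 2: block device code flow and authentication transfer, report-only first ----
$exceptionGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder

$policy = @{
    displayName   = 'Block device code flow and authentication transfer'
    # Start in report-only; switch to 'enabled' once the sign-in log shows no
    # unexpected "Report-only: Failure" results for this policy.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users        = @{ includeUsers = @('All'); excludeGroups = @($exceptionGroupId) }
        applications = @{ includeApplications = @('All') }
        # The Authentication flows condition: both flags fit in one policy.
        authenticationFlows = @{ transferMethods = 'deviceCodeFlow,authenticationTransfer' }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created Conditional Access policy '$($created.DisplayName)' ($($created.Id)) in state $($created.State)"
```

Run step 1 alone first and leave the policy in report-only for at least one business cycle; the sign-in log's "Report-only" result for this policy shows exactly which users and applications would have been blocked. If sign-in logs are also streamed to Log Analytics, the same audit is the filter `AuthenticationProtocol == "deviceCode"` on the SigninLogs table.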
The FBI urges anyone impacted by Kali365 to file a complaint with the IC3 at https://www.ic3.gov. The full advisory is published at https://www.ic3.gov/PSA/2026/PSA260521.
What are the security measures to be implemented?
Organizations must take immediate, layered action to defend against Kali365 and similar device code phishing threats. The following security measures and policies are strongly recommended based on guidance from the FBI, Microsoft, Arctic Wolf, and CIS best practices; the first two address device code phishing directly, and the rest harden the surrounding identity, email and monitoring controls so that a stolen token is harder to obtain, faster to detect and shorter-lived:
- Block Device Code Flow via Conditional Access Policy
- Block Authentication Transfer via Conditional Access Policy
- Deploy Phishing-Resistant Multi-Factor Authentication
- Block Legacy Authentication
- Risk-Based Conditional Access (Sign-in Risk & User Risk)
- Configure SPF, DKIM, and DMARC
- Enable Continuous Access Evaluation (CAE) and Token Protection
- Monitor and Audit Sign-In Logs
- Implement Microsoft Defender for Office 365
- Conduct User Awareness Training Focused on Device Code Phishing
- Revoke and Rotate Tokens Immediately Upon Suspected Compromise
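The last measure, token revocation on suspected compromise, as an added containment example in Microsoft Graph and Exchange Online PowerShell; this is not a runbook from the FBI advisory, Microsoft or Helient. It assumes the Microsoft.Graph, Microsoft.Graph.Beta and ExchangeOnlineManagement modules, an administrator signing in interactively, and a placeholder user principal name. It revokes sessions, blocks sign-in, and then collects the artifacts the post lists above (registered devices, inbox rules, and the originating device code sign-in) for review rather than deleting anything automatically.

```powershell
# Added example, not from the FBI advisory, Microsoft or Helient.
# Containment for an account suspected of having entered a Kali365 device code.
# Assumptions: $upn is a placeholder; Microsoft.Graph, Microsoft.Graph.Beta and
# ExchangeOnlineManagement modules are installed.
$upn = 'jane.doe@contoso.com'   # placeholder

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'User.RevokeSessions.All', 'User.EnableDisableAccount.All', 'Directory.Read.All', 'AuditLog.Read.All'
Connect-ExchangeOnline -ShowBanner:$false

$user = Get-MgUser -UserId $upn

# 1. Invalidate refresh tokens and browser session cookies. Access tokens that
#    were already issued stay valid until they expire (60 to 90 minutes by
#    default) unless Continuous Access Evaluation is in effect, which is why
#    the sign-in block in step 2 is not optional.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# 2. Block sign-in until the password and MFA methods have been reviewed.
Update-MgUser -UserId $user.Id -AccountEnabled:$false

# 3. Devices registered to the user: a device the attacker registered is a
#    persistence foothold. Review the list and remove anything unrecognised
#    with Remove-MgDevice -DeviceId <ObjectId>.
Get-MgUserRegisteredDevice -UserId $user.Id -All | ForEach-Object {
    [pscustomobject]@{
        Device     = $_.AdditionalProperties.displayName
        Registered = $_.AdditionalProperties.registrationDateTime
        TrustType  = $_.AdditionalProperties.trustType
        ObjectId   = $_.Id
    }
} | Format-Table -AutoSize

# 4. Inbox rules and mailbox forwarding: attackers add rules that delete or
#    move security notifications so the victim never sees them.
Get-InboxRule -Mailbox $upn |
    Select-Object Name, Enabled, DeleteMessage, MoveToFolder, ForwardTo, RedirectTo, MarkAsRead |
    Format-Table -AutoSize
Get-Mailbox -Identity $upn |
    Select-Object ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 5. Find the device code sign-in that started it. The source IP and the
#    application the attacker's client presented are the indicators to hunt
#    for across the rest of the tenant.
$since = (Get-Date).AddDays(-30).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
Get-MgBetaAuditLogSignIn -Filter "userPrincipalName eq '$upn' and createdDateTime ge $since" -All |
    Where-Object { $_.AuthenticationProtocol -eq 'deviceCode' } |
    Select-Object CreatedDateTime, AppDisplayName, ResourceDisplayName, IpAddress,
                  @{ n = 'Country'; e = { $_.Location.CountryOrRegion } } |
    Format-Table -AutoSize
```

Steps 1 and 2 are the only destructive actions; steps 3 to 5 produce evidence for the incident record. Re-enable the account only after the password has been reset, MFA methods have been verified with the user out of band, and any attacker-registered device and inbox rule has been removed.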
Helient strongly recommends that Administrators immediately assess their Microsoft 365 environments for exposure to Kali365 and device code phishing attacks. Implement the security measures in the Microsoft 365 tenant, and conduct targeted user awareness training as soon as possible. If you would like more information or assistance on securing your Microsoft 365 environment against Kali365 and similar advanced phishing threats, please contact our industry-leading experts at service@helient.com.