Federal Bureau of Investigation officials warned Microsoft 365 users about Kali365, a phishing-as-a-service platform that targeted accounts through Microsoft’s device code sign-in process.
The FBI said Kali365 was first seen in April 2026 and had mainly spread through Telegram. The platform gave attackers AI-generated phishing messages, automated campaign templates, tracking dashboards, and tools to capture OAuth tokens, which can keep apps connected to an account without repeated password prompts.
According to the FBI, the scam did not rely on stealing a password. Instead, attackers sent phishing emails that appeared to come from a trusted productivity or file-sharing service and instructed users to enter a device code on a legitimate Microsoft verification page.
If a user entered the code, the attacker could capture access and refresh tokens and gain access to Microsoft 365 services, including Outlook, Teams, and OneDrive, without the victim’s password or another multifactor authentication prompt.
The FBI said a key warning sign was any unexpected request to enter a Microsoft device code, especially for a file, voicemail, invoice, or shared document the user did not request. Users also should be wary of urgent messages and avoid entering a device code unless they personally started the sign-in.
Microsoft said customers should follow the FBI’s recommendations and the company’s published best practices. It also said it works to disrupt phishing-as-a-service and account takeover activity, citing recent Digital Crimes Unit actions involving Fake ONNX, RaccoonO365, and Tycoon 2FA.
The FBI recommended that organizations restrict device code flow through conditional access policies, with limited exceptions for business needs, and audit current usage before making changes. The agency also recommended blocking authentication transfer policies and carefully excluding emergency access accounts if full restrictions were not possible.
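The two steps the FBI describes, auditing existing device code usage and then restricting the flow by policy, as an added example that is not from the FBI's advisory or Microsoft's own tooling. The helper groups sign-in records by user and app to surface where device code flow is actually used, and assembles the Conditional Access policy body that blocks device code flow and authentication transfer while excluding emergency access accounts; field names follow Microsoft Graph's signIn and conditionalAccessPolicy resources, and the sign-in records and account identifier are constructed.

```python
# Added defender-side example (not from the FBI or Microsoft).
# Field names follow the Microsoft Graph signIn / conditionalAccessPolicy
# resources; the records and the emergency account id below are constructed.
from collections import defaultdict

# Constructed sample records in the shape of Graph /auditLogs/signIns entries.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.test", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10"},
    {"userPrincipalName": "bob@example.test", "appDisplayName": "Microsoft Teams",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7"},
    {"userPrincipalName": "svc-kiosk@example.test", "appDisplayName": "Kiosk Display",
     "authenticationProtocol": "deviceCode", "ipAddress": "192.0.2.5"},
    {"userPrincipalName": "bob@example.test", "appDisplayName": "Microsoft Teams",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.8"},
]

def audit_device_code_usage(signins):
    """Group device code sign-ins by (user, app) with the source IPs seen, so
    legitimate business exceptions (e.g. a shared display) can be separated
    from unexpected use before the flow is restricted."""
    usage = defaultdict(lambda: {"count": 0, "ips": set()})
    for s in signins:
        if s.get("authenticationProtocol") == "deviceCode":
            key = (s["userPrincipalName"], s["appDisplayName"])
            usage[key]["count"] += 1
            usage[key]["ips"].add(s["ipAddress"])
    return {k: {"count": v["count"], "ips": sorted(v["ips"])} for k, v in usage.items()}

def build_block_policy(emergency_account_ids, enforce=False):
    """Conditional Access policy body blocking device code flow and
    authentication transfer for all users and apps, excluding the named
    emergency access accounts. Starts in report-only mode unless enforce=True."""
    return {
        "displayName": "Block device code flow and authentication transfer",
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(emergency_account_ids)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            "authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }

if __name__ == "__main__":
    for (user, app), info in audit_device_code_usage(SAMPLE_SIGNINS).items():
        print(f"{user} via {app}: {info['count']} device code sign-in(s) from {info['ips']}")
    # Placeholder object id for the emergency access account, not a real value.
    print(build_block_policy(["00000000-0000-0000-0000-000000000000"]))
```

The policy body is what would be submitted when creating a Conditional Access policy through Microsoft Graph; run it in report-only mode against the audit output before switching to enforced.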