Kali365, a phishing-as-a-service kit the FBI flagged in late May, breaks into Microsoft 365 accounts without stealing a password and without tripping a single security prompt. It works by tricking an employee into approving the attacker’s own login on a genuine Microsoft page, then quietly pocketing the access pass that login hands out.
That design is no accident. Multi-factor authentication (MFA, the security check that texts or pings a code to confirm who you are) got so good at stopping password theft that attackers stopped bothering with passwords at all. This kit is what the workaround looks like once it becomes cheap enough for amateurs to rent.
The FBI Put a Name to the Kit: Kali365
The bureau’s Internet Crime Complaint Center (IC3, the FBI’s online fraud reporting arm) published its alert on May 21, warning that the toolkit had been circulating since April. The agency labels it a phishing-as-a-service (PhaaS, a subscription model where one crew builds the attack tools and rents them out to others) platform, and the rental piece is what worries defenders most.
Run by a small group and sold mostly through Telegram, the kit hands a buyer everything needed to run a campaign: AI-written lure emails, ready-made templates, a live dashboard showing who has clicked, and the plumbing to grab login tokens. Security researchers tracking it say a subscription runs about $250 for a month or $2,000 for a year, cheap enough that a buyer needs almost no technical skill.
- April 2026: the first month the FBI says the kit was spotted in the wild.
- $250 a month: roughly what an affiliate pays to rent the full toolkit, per researchers tracking it.
- Hundreds of organizations across North America and Europe were hit in the weeks after it launched.
That low bar is the story. Device code attacks used to be the work of state-backed crews writing custom code. Now the same trick ships with a help menu. You can read the FBI’s public service announcement on the Kali365 kit in full on the IC3 site.
How the Device Code Trap Springs Shut
Device code flow is a normal, legitimate part of how Microsoft accounts work. It exists for gadgets with no real keyboard: a smart TV, a printer, a streaming stick, anything where typing a password is a chore. You get a short code on the awkward device, then enter it in a browser on your phone or laptop to finish the login. The kit turns that convenience into a doorway.
Here is the sequence, start to finish:
- The lure. A phishing email arrives dressed up as a SharePoint, OneDrive, or Microsoft Teams notice. It carries a short device code and tells you to visit a Microsoft verification page to continue.
- The handoff. You go to the real Microsoft login page, type in the code, and sign in normally. Everything you see is genuine, including the MFA prompt you approve.
- The token grab. Because you entered the attacker’s code, you have authorized the attacker’s device, not your own. Microsoft issues an access token and a refresh token, and the kit captures both.
- The stay. With those tokens, the intruder reads Outlook, sits in Teams, and browses OneDrive with no password and no further checks, for as long as the tokens stay valid.
Nothing about the experience feels wrong to the victim. They visited a real page, passed a real security check, and saw a real success screen. The damage happens on a machine they never see.
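The sequence above, and the point in the FAQ that a password reset does not evict the intruder, can be seen in a mock of the OAuth 2.0 device authorization grant (RFC 8628). This is an added example, not the kit and not Microsoft's implementation: the authorization server, its endpoints, the user, the tenant policy and every token are constructed for the demonstration. It shows that approval is bound to the user code alone, so the tokens go to whichever client started the flow; that a policy block at approval time stops issuance; and that only revoking sessions, not changing the password, invalidates a refresh token already handed out.

```python
"""Mock of the OAuth 2.0 device authorization grant (RFC 8628), added as an
example to show where the token ends up and which controls stop it. This is
not the kit and not Microsoft's implementation: the server, endpoints,
users and tokens are all constructed for the demonstration."""
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class PendingGrant:
    device_code: str          # secret held only by the client that started the flow
    user_code: str            # short code a human types on the verification page
    client_id: str
    expires_at: float
    approved_by: Optional[str] = None


@dataclass
class MockAuthServer:
    passwords: Dict[str, str] = field(default_factory=dict)
    block_device_code_for: Set[str] = field(default_factory=set)  # tenant policy
    pending: Dict[str, PendingGrant] = field(default_factory=dict)  # keyed by device_code
    by_user_code: Dict[str, PendingGrant] = field(default_factory=dict)
    refresh_tokens: Dict[str, str] = field(default_factory=dict)  # refresh token -> user

    def device_authorization(self, client_id: str, ttl: int = 900) -> dict:
        """Step 1: the initiating client asks for a device_code/user_code pair."""
        grant = PendingGrant(secrets.token_urlsafe(32), secrets.token_hex(4).upper(),
                             client_id, time.time() + ttl)
        self.pending[grant.device_code] = grant
        self.by_user_code[grant.user_code] = grant
        return {"device_code": grant.device_code, "user_code": grant.user_code,
                "verification_uri": "https://login.example.test/device", "expires_in": ttl}

    def approve(self, user_code: str, username: str, password: str, mfa_ok: bool) -> str:
        """Step 2: a human signs in on the genuine page and types the user_code.
        The policy check is the mock equivalent of a Conditional Access block."""
        grant = self.by_user_code.get(user_code)
        if grant is None or time.time() > grant.expires_at:
            return "invalid_or_expired_code"
        if self.passwords.get(username) != password or not mfa_ok:
            return "authentication_failed"
        if username in self.block_device_code_for:
            return "blocked_by_policy"
        grant.approved_by = username
        return "approved"

    def token(self, device_code: str) -> dict:
        """Step 3: the initiating client polls with its device_code. The server
        cannot tell whether that client belongs to the person who approved;
        approval is bound to the code, so the tokens go to the code holder."""
        grant = self.pending.get(device_code)
        if grant is None or grant.approved_by is None:
            return {"error": "authorization_pending"}
        refresh_token = secrets.token_urlsafe(32)
        self.refresh_tokens[refresh_token] = grant.approved_by
        del self.pending[device_code]
        del self.by_user_code[grant.user_code]
        return {"access_token": secrets.token_urlsafe(16),
                "refresh_token": refresh_token, "sub": grant.approved_by}

    def refresh(self, refresh_token: str) -> dict:
        """Mint a fresh access token; no password and no MFA prompt involved."""
        user = self.refresh_tokens.get(refresh_token)
        if user is None:
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(16), "sub": user}

    def reset_password(self, username: str, new_password: str) -> None:
        self.passwords[username] = new_password   # issued tokens are untouched

    def revoke_sessions(self, username: str) -> None:
        """The response that actually ends the intruder's access."""
        for rt in [rt for rt, u in self.refresh_tokens.items() if u == username]:
            del self.refresh_tokens[rt]


def run_scenario() -> dict:
    """Walk the flow on a default tenant, then on one that blocks the flow."""
    user, results = "alice@example.test", {}
    srv = MockAuthServer(passwords={user: "pw"})
    codes = srv.device_authorization("initiating-client")
    results["before_approval"] = srv.token(codes["device_code"])["error"]
    results["approval"] = srv.approve(codes["user_code"], user, "pw", mfa_ok=True)
    tok = srv.token(codes["device_code"])
    results["token_issued_to"] = tok.get("sub")
    srv.reset_password(user, "new-pw")
    results["refresh_after_password_reset"] = "access_token" in srv.refresh(tok["refresh_token"])
    srv.revoke_sessions(user)
    results["refresh_after_revoke"] = "access_token" in srv.refresh(tok["refresh_token"])
    hard = MockAuthServer(passwords={user: "pw"}, block_device_code_for={user})
    codes = hard.device_authorization("initiating-client")
    results["blocked_approval"] = hard.approve(codes["user_code"], user, "pw", mfa_ok=True)
    results["blocked_token"] = hard.token(codes["device_code"]).get("error")
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The mock deliberately has no notion of "whose" client is polling: that is the property the real protocol shares, and it is why the victim's perfectly genuine sign-in and MFA approval end up authorizing someone else's session. The `block_device_code_for` set plays the role of the Conditional Access policy described later in the article; the `reset_password` versus `revoke_sessions` contrast is the FAQ's point about what actually cuts the access.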
Why a Completed MFA Prompt Becomes the Weak Spot
What the attacker walks away with is an access token, a digital pass the service issues the moment a login succeeds. The token is itself the proof that MFA already happened. So when the intruder presents it later, the system has no reason to ask for another code. It sees a session that already cleared every gate.
That is why MFA, for all its muscle, misses this. Microsoft’s own numbers on the defense still hold: accounts with MFA switched on are roughly 99.22% less likely to be compromised, and the company says more than 99.99% of MFA-protected accounts survived its study window. Those figures describe attacks aimed at the password. This kit never goes near the password, so the password math does not apply.
It fits a wider shift in how break-ins happen. CrowdStrike’s 2026 Global Threat Report found that 82% of its detections last year were malware-free, with intruders logging in rather than breaking in. Adversary-in-the-middle phishing, which proxies a genuine login to skim the resulting token, has become the house style. Device code phishing is a close cousin that skips even the fake page.
| Technique | What the victim does | What the attacker steals | Does standard MFA stop it? |
|---|---|---|---|
| Classic credential phishing | Types password into a fake site | Username and password | Usually yes, the code blocks reuse |
| Adversary-in-the-middle | Logs in on a proxy that mimics the real site | The post-login session token | No, the token already cleared MFA |
| Device code phishing | Enters a code on the real Microsoft page | OAuth access and refresh tokens | No, the victim approves it themselves |
Read across that table and the pattern is plain. The newer the trick, the less the password matters and the harder a code-based check has to work. Microsoft’s research on multi-factor authentication effectiveness is worth keeping in view here: MFA still wins the fight it was built for, which is precisely why attackers picked a different fight.
From Storm-2372 to a Rented Service
This did not appear from nowhere. In February 2025, Microsoft exposed a campaign it tracks as Storm-2372, a crew it assessed with moderate confidence as aligned with Russian interests. That group sent fake Microsoft Teams meeting invites, baited targets into entering device codes, and used the stolen tokens to register attacker-controlled devices and pull a Primary Refresh Token (PRT, a master credential that unlocks broad access). The activity ran quietly from around August 2024 before going public.
By April this year the technique had leveled up. Microsoft’s threat researchers described attackers spinning up thousands of short-lived servers on automation platforms like Railway.com and generating device codes on the fly, so the codes stayed live through the whole login window rather than expiring in 15 minutes.
This activity marks a significant escalation in threat actor sophistication since the Storm-2372 device code phishing campaign observed in February 2025.
That assessment comes from Microsoft’s breakdown of the AI-enabled device code phishing campaign. The throughline is uncomfortable: a method that began as bespoke spy tradecraft has, in about a year, been productized and put on a monthly plan.
Who the Toolkit Is Hunting
When the technique was nation-state property, the victims read like a target deck. Storm-2372 went after government bodies, NGOs, IT and technology firms, defense, telecom, health, higher education, and energy across Europe, North America, Africa, and the Middle East. Big organizations, careful selection, patient operators.
The rented model changes the shape of that. Microsoft’s post-attack analysis of the April wave found operators using automated enrichment, scraping public profiles and corporate directories, to home in on people in financial, executive, and administrative roles, the accounts that can move money or approve access. The kit does that targeting work for buyers who could not do it themselves.
So the pool of likely victims widens in two directions at once. The people most worth hitting are still senior staff with reach across a company’s systems. But the people now able to hit them include any subscriber with $250 and a Telegram account, not just a funded intelligence service. That combination is what turns a specialist threat into a volume business.
Closing the Device Code Door
The good news is that the doorway can be bricked over, and most companies do not need it open. Device code flow is rarely used in everyday work, which is why Microsoft now recommends blocking it wherever a business can. The fix lives mostly with IT teams, but employees have a role too.
What Admins Can Lock Down
The core move is to switch off the flow for everyone who does not have a documented reason to use it.
- Create a Conditional Access policy in Microsoft Entra that will block device code flow for all users, granting narrow exceptions only for legacy hardware that genuinely needs it.
- Audit current device code usage first, so the policy does not break a tool the business quietly depends on.
- Block authentication transfer as well, the feature that lets a signed-in session hop from a computer to a phone.
- Exclude emergency, break-glass admin accounts from the policy to avoid locking everyone out if it is misconfigured.
- Move high-value accounts to phishing-resistant MFA, such as FIDO (Fast Identity Online, a passwordless hardware-key standard) tokens or passkeys, which bind the login to the device.
Microsoft’s step-by-step setup lives in its documentation on blocking authentication flows with Conditional Access, and its earlier writeup of the Storm-2372 device code campaign spells out the indicators to hunt for.
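The admin steps above form one procedure: audit current device code usage, hunt for the indicators, then roll out a policy that blocks the flow without locking out break-glass accounts. The following added example (my code, not Microsoft's and not from any vendor) walks that procedure over constructed sign-in records. The record shape is modelled on the Microsoft Graph sign-in log, where a device code sign-in carries `authenticationProtocol == "deviceCode"`; the rows, IP addresses, device IDs and directory object IDs are all constructed, and the policy body uses the Graph `conditionalAccessPolicy` field names as I understand them, which should be checked against current documentation before use.

```python
"""Added example, not Microsoft's code: audit sign-in records for device code
usage, flag the ones worth a closer look, then build and lint the Conditional
Access policy body that blocks the flow. The record shape is modelled on the
Microsoft Graph sign-in log (authenticationProtocol == "deviceCode"); the rows,
addresses, device IDs and object IDs below are constructed."""
import json
from collections import defaultdict

# Constructed sign-in records (not real log data).
SAMPLE_SIGNINS = [
    {"id": "s1", "userPrincipalName": "room-display@example.test",
     "appDisplayName": "Meeting Room Display", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.10", "countryOrRegion": "US", "deviceId": "dev-room-01"},
    {"id": "s2", "userPrincipalName": "bob.cfo@example.test",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "countryOrRegion": "NL", "deviceId": ""},
    {"id": "s3", "userPrincipalName": "carol@example.test",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.55", "countryOrRegion": "US", "deviceId": "dev-unknown-9"},
    {"id": "s4", "userPrincipalName": "carol@example.test",
     "appDisplayName": "Outlook", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.55", "countryOrRegion": "US", "deviceId": "dev-carol-lt"},
]
KNOWN_DEVICES = {"dev-room-01", "dev-carol-lt"}
BASELINE_COUNTRIES = {"US"}
HIGH_VALUE_USERS = {"bob.cfo@example.test"}
LEGIT_DEVICE_CODE_APPS = {"Meeting Room Display"}   # documented legacy hardware
BREAK_GLASS = {"breakglass-1@example.test"}
# Constructed directory object IDs; the policy body needs IDs, not UPNs.
OBJECT_IDS = {"room-display@example.test": "00000000-0000-0000-0000-000000000101",
              "breakglass-1@example.test": "00000000-0000-0000-0000-000000000901"}


def audit_device_code_usage(records):
    """Step 1: which apps and accounts currently sign in with device code?"""
    usage = defaultdict(set)
    for r in records:
        if r["authenticationProtocol"] == "deviceCode":
            usage[r["appDisplayName"]].add(r["userPrincipalName"])
    return dict(usage)


def flag_suspicious(records, known_devices, baseline_countries, high_value_users):
    """Hunting pass over the same records: device code sign-ins from an
    unregistered device, an unusual country, or a high-value account."""
    flagged = []
    for r in records:
        if r["authenticationProtocol"] != "deviceCode":
            continue
        reasons = []
        if r["deviceId"] not in known_devices:
            reasons.append("unregistered device")
        if r["countryOrRegion"] not in baseline_countries:
            reasons.append("country outside baseline")
        if r["userPrincipalName"] in high_value_users:
            reasons.append("high-value account")
        if reasons:
            flagged.append((r["id"], reasons))
    return flagged


def build_block_policy(excluded_object_ids, report_only=True):
    """Step 2: body for POST /identity/conditionalAccess/policies. Starts in
    report-only mode so the audit can confirm nothing important breaks."""
    return {
        "displayName": "Block device code flow and authentication transfer",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "clientAppTypes": ["all"],
            "applications": {"includeApplications": ["All"]},
            "users": {"includeUsers": ["All"], "excludeUsers": sorted(excluded_object_ids)},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def lint_policy(policy, break_glass_object_ids):
    """Refuse to ship a policy that would lock out the emergency accounts."""
    excluded = set(policy["conditions"]["users"]["excludeUsers"])
    problems = [f"break-glass account not excluded: {oid}"
                for oid in sorted(break_glass_object_ids - excluded)]
    if "deviceCodeFlow" not in policy["conditions"]["authenticationFlows"]["transferMethods"]:
        problems.append("policy does not cover device code flow")
    return problems


def plan_rollout(records=SAMPLE_SIGNINS):
    """Audit, hunt, then produce a report-only policy whose only exclusions
    are the documented legacy users and the break-glass accounts."""
    usage = audit_device_code_usage(records)
    flagged = flag_suspicious(records, KNOWN_DEVICES, BASELINE_COUNTRIES, HIGH_VALUE_USERS)
    legit_users = set().union(*(usage.get(app, set()) for app in LEGIT_DEVICE_CODE_APPS))
    policy = build_block_policy({OBJECT_IDS[u] for u in legit_users | BREAK_GLASS})
    return {"usage": usage, "flagged": flagged, "policy": policy,
            "problems": lint_policy(policy, {OBJECT_IDS[u] for u in BREAK_GLASS})}


if __name__ == "__main__":
    print(json.dumps(plan_rollout(), indent=2, default=sorted))
```

Run stand-alone it prints the audit summary, the two flagged sign-ins (the CFO's from an unregistered device in an unexpected country, and a second from an unregistered device), and a report-only policy body with exactly two exclusions. The lint step is the cheap insurance the admin list calls for: it refuses any policy whose exclusion list omits a break-glass account, which is the misconfiguration that locks everyone out.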
What Users Can Watch For
For everyone else, the tell is the request itself. No legitimate email needs you to copy a code into a Microsoft verification page to open a document or join a meeting. Treat any message that does as suspect, and check your account’s list of signed-in devices for names you do not recognize.
Device code flow stays switched on by default in most Microsoft 365 tenants. Leave it that way, and the next kit rented over Telegram works exactly like this one. Block it for everyone who does not need it, and the token trick has nowhere left to land.
Frequently Asked Questions
What Is Kali365?
It is a phishing-as-a-service kit first seen in April 2026 and sold mostly through Telegram. It lets buyers hijack Microsoft 365 accounts by capturing OAuth tokens, opening Outlook, Teams, and OneDrive without ever needing the victim’s password.
How Does Device Code Phishing Bypass MFA?
It does not break MFA; it borrows the result. The victim completes a real login and MFA check on a genuine Microsoft page, unknowingly approving the attacker’s device. The token issued afterward already proves MFA happened, so the system never asks for another code.
Does the Kit Steal My Password?
No, and that is what makes it dangerous. The attacker never sees or needs your password, so changing it does not push them out. Revoking active sessions and tokens is what actually cuts their access.
How Do I Know If I Have Been Targeted?
Watch for emails pressing you to enter a code on a Microsoft verification page, unexpected device sign-ins, or unfamiliar devices listed under your account. Sudden new mailbox rules or logins from odd locations are also warning signs.
How Do I Block Device Code Flow in Microsoft 365?
Administrators can create a Conditional Access policy in Microsoft Entra that blocks device code flow for all users, with narrow exceptions for legacy hardware. Audit existing usage first and keep break-glass emergency accounts excluded.
What Should I Do If My Account Was Compromised?
Report it to the FBI’s Internet Crime Complaint Center at ic3.gov, including the phishing email, suspicious login times and IP addresses, and any unfamiliar devices. Then revoke active sessions and reset credentials.