The Federal Bureau of Investigation (FBI) has issued a public warning about a dangerous new hacking platform called Kali365, which allows cybercriminals to hijack Microsoft 365 accounts—including Outlook email, Teams, and OneDrive cloud storage—without ever needing a password. This Phishing-as-a-Service (PhaaS) toolkit is specifically designed to bypass multi-factor authentication (MFA), the standard security feature that sends a code via text message or an app to verify a user's identity.
How the ‘No-Password’ Trap Works
The FBI warned that Kali365 makes launching advanced cyberattacks so simple that even amateur hackers can easily execute them. Instead of trying to guess passwords, hackers exploit a legitimate Microsoft feature called the “device code flow.” This system is normally used to log users into devices with limited keyboards, such as smart TVs or streaming sticks.
The scam works in a few deceptive steps. First, the victim receives an official-looking phishing email impersonating common workplace tools like SharePoint, OneDrive, or Microsoft Teams. The email instructs the user to visit Microsoft's legitimate device login webpage and enter a short security code provided in the email. Since the user enters the code on a real Microsoft page and completes their normal MFA checks, Microsoft's system treats the sign-in as coming from a trusted device. It then issues a digital “access token” to the device that requested the code, which is the attacker's. Once the hacker obtains this token, they have a permanent, wide-open backdoor into the victim's email and corporate files. They can stay logged in indefinitely without ever needing to know the user's password.
Why This Threat Is Growing
According to a report by the New York Post, security experts note that this hacking trend is a direct response to better corporate security. Because major tech companies have successfully pushed businesses to adopt MFA, hackers have adapted by building tools like Kali365 to bypass it entirely. When asked who is most at risk, Matt Burk, chief information security officer at Bespoke Concierge MD, warned that the threat is universal.
FBI’s Full Advisory on Kali365
The FBI issued a Public Service Announcement (PSA) to warn the public about Kali365, first seen in April 2026. Kali365 has been primarily distributed via Telegram, enabling cyber threat actors to obtain Microsoft 365 access tokens and bypass MFA protocols without intercepting the user's credentials. Through the Kali365 platform subscription, attackers can capture OAuth tokens and gain persistent access to targeted individuals' or entities' Microsoft 365 environments. Kali365 lowers the barrier of entry, providing less-technical attackers access to AI-generated phishing lures, automated campaign templates, real-time tracking dashboards, and OAuth token capture capabilities.
How the Scam Works
- Lure: An attacker sends a phishing email impersonating trusted cloud productivity and document-sharing services. This email contains a device code with instructions to visit a legitimate Microsoft verification page and enter the code.
- Authorization: The targeted individual navigates to the real Microsoft page and pastes the device code, unknowingly authorizing the attacker's device to access their account.
- Token Theft: The attacker captures OAuth access and refresh tokens, granting them access to the targeted individual's Microsoft 365 account.
- Persistence: The attacker can now access Microsoft 365 services such as Outlook, Teams, and OneDrive without needing a password or completing any additional MFA challenges.
Tips to Protect Yourself
Restricting device code flow to limit or block device authentication codes can help prevent or limit this style of attack.
- Audit existing device code flow usage to identify legitimate dependencies before creating a conditional access policy.
- Create a conditional access policy to block device code flow for all users, with limited exceptions for required business processes.
- Block authentication transfer policies to prevent users from transferring authentication from computers to mobile devices.
- If you cannot completely restrict device code flow usage, exclude emergency access accounts to prevent lockouts.
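The audit step above is the one most teams skip. The following is an added example, not code from the FBI advisory or from Microsoft: it walks constructed sign-in records shaped like Microsoft Entra sign-in log entries, lists every app and user that relied on device code flow or authentication transfer (the candidate exceptions for a blocking policy), and separately flags device-code sign-ins that fall outside the audited apps or expected countries, which is the shape a Kali365-style lure leaves in the log. The field name `authenticationProtocol` and the values `deviceCode` / `authenticationTransfer` are assumed from the sign-in log schema; all users, apps and addresses are invented.

```python
from collections import defaultdict

# Constructed sample records shaped like Entra sign-in log entries. Every
# user, app and IP address here is invented for this example.
SAMPLE_SIGNINS = [
    {"user": "alice@example.com", "app": "Conference Room Display",
     "authenticationProtocol": "deviceCode", "country": "US", "ip": "203.0.113.10"},
    {"user": "bob@example.com", "app": "Conference Room Display",
     "authenticationProtocol": "deviceCode", "country": "US", "ip": "203.0.113.11"},
    {"user": "carol@example.com", "app": "Document Sharing Client",
     "authenticationProtocol": "deviceCode", "country": "NL", "ip": "198.51.100.7"},
    {"user": "dave@example.com", "app": "Outlook Web",
     "authenticationProtocol": "none", "country": "US", "ip": "203.0.113.12"},
    {"user": "erin@example.com", "app": "Authenticator App",
     "authenticationProtocol": "authenticationTransfer", "country": "US", "ip": "203.0.113.13"},
]

# The two flows the advisory recommends restricting (assumed field values).
RESTRICTED = ("deviceCode", "authenticationTransfer")


def flow_dependencies(signins):
    """Map (protocol, app) -> sorted list of users, for restricted flows only.

    This is the 'audit existing usage' step: each entry is a dependency to
    justify (or retire) before a blocking Conditional Access policy ships."""
    deps = defaultdict(set)
    for s in signins:
        if s["authenticationProtocol"] in RESTRICTED:
            deps[(s["authenticationProtocol"], s["app"])].add(s["user"])
    return {key: sorted(users) for key, users in deps.items()}


def suspicious_device_code(signins, expected_countries, known_apps):
    """Device-code sign-ins from an unexpected country or to an app that was
    not on the audited dependency list. Returns (user, app, country, ip)."""
    hits = []
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode":
            continue
        if s["country"] not in expected_countries or s["app"] not in known_apps:
            hits.append((s["user"], s["app"], s["country"], s["ip"]))
    return hits


if __name__ == "__main__":
    for (proto, app), users in flow_dependencies(SAMPLE_SIGNINS).items():
        print(f"{proto:24} {app:28} {', '.join(users)}")
    for hit in suspicious_device_code(SAMPLE_SIGNINS, {"US"}, {"Conference Room Display"}):
        print("REVIEW:", hit)
```

Against a real tenant, replace `SAMPLE_SIGNINS` with the sign-in log export filtered to the restricted protocols; the dependency list becomes the exception set for the policy, and anything in the review list is a session to revoke and investigate.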
Report It
If you or someone you know has been impacted by the Kali365 phishing kit, file a complaint with the Internet Crime Complaint Center (IC3) at www.ic3.gov. Be sure to include any available information, such as phishing emails (email header, body), suspicious logins (time, IP address, location), and any unauthorized devices or active sessions added to the account.