No Password Required: The Kali365 Phishing Kit Hijacking Microsoft 365 Accounts
The FBI is warning about Kali365, a subscription phishing kit that steals Microsoft 365 access without ever touching your password — and walks right past MFA. Here's how the trick works and the one setting that blocks it.
Most phishing scams try to steal your password. A new one the FBI is warning about doesn't bother — it tricks you into handing over access directly, and your multi-factor authentication won't stop it.
What happened
In May, the FBI's Internet Crime Complaint Center (IC3) published a public warning about Kali365, a "phishing-as-a-service" kit first spotted in April 2026. Phishing-as-a-service means exactly what it sounds like: criminals with no technical skills pay a subscription — reportedly starting around $250 a month — and get ready-made phishing campaigns, AI-written lure emails, and a dashboard to track victims. Researchers documented hundreds of attacks in April alone, across North America and Europe.
What makes Kali365 different is what it steals. Instead of your password, it steals an access token — a digital pass that proves to Microsoft you already signed in.
How the trick works
Microsoft 365 has a legitimate sign-in method called device code flow. It exists for devices with no keyboard, like a conference-room TV: the screen shows a short code, and you type that code into a Microsoft login page on your phone or laptop to connect the device.
Kali365 abuses that flow:
- The attacker starts a device sign-in to your account and gets a code from Microsoft.
- You receive a convincing email — often dressed up as your IT team asking you to "re-verify your account" — containing that code and a real Microsoft link.
- You enter the code on Microsoft's genuine login page, sign in, and approve your normal MFA prompt.
- Microsoft hands the attacker an access token. They now have your email, Teams, and OneDrive — no password stolen, no MFA alarm, because you did the approving.
Think of the token as a hotel keycard: once it's issued, the front desk doesn't re-check ID at the room door.
What to do this week
- Block or restrict device code flow. This is a setting in Microsoft Entra ID (the sign-in system behind Microsoft 365) called a Conditional Access policy. Most small businesses never use device code sign-in, so blocking it costs nothing. The FBI specifically recommends this.
- Tell your team the tell-tale sign. No legitimate IT process emails you a code and asks you to type it into a Microsoft login page. Real device codes only appear on a screen you are setting up.
- Check your sign-in logs for authentications labeled "device code" that you can't explain.
- If you suspect a compromise, have your IT person revoke active sessions for the account (this cancels stolen tokens), reset the password, and check the mailbox for forwarding rules the attacker may have added.
One quiet check worth doing
This attack succeeds in tenants where a rarely-used sign-in method was left open by default. That's the pattern behind most cloud break-ins: not exotic hacking, just an unlocked side door. Tenant Strike's read-only posture scan flags whether device code flow is open in your Microsoft 365 tenant, along with the other doors worth closing — no agents, no changes, just a clear list.
Sources: FBI IC3 PSA, CyberScoop, Malwarebytes
AI-researched from public sources, human-reviewed on July 7, 2026. We label AI-assisted writing — see our trust page.
See your own risk
Want this for your own Microsoft cloud?
Tenant Strike runs 100+ read-only checks across Microsoft 365 and Azure and hands you a plain-English fix for every gap. Start a 7-day Pro trial — no credit card.