Federal investigators have flagged a sophisticated new phishing platform that gives cybercriminals a direct route into Microsoft 365 accounts without ever needing a user's password. The FBI issued a public alert Thursday detailing the threat, which it says has been active since at least April.

The tool, known as Kali365, is distributed primarily through the encrypted messaging app Telegram. It lets attackers sidestep multi-factor authentication, a cornerstone of modern account security, by abusing a legitimate sign-in feature called device code flow (the OAuth 2.0 device authorization grant, built for devices such as printers and smart TVs that cannot display a normal login page). MFA is not broken: the victim completes it on Microsoft's own sign-in page, but the session that results is handed to the attacker, who started the request. The scam begins with a phishing email that mimics a trusted service, such as a document-sharing platform. According to the FBI, the email contains a device code (the short code the flow generates for a human to type) and directs the recipient to a legitimate Microsoft verification page to enter it.

Once the user enters the code on the real Microsoft site and signs in, including any MFA prompt, they unknowingly approve a sign-in that the attacker started. The attacker's client, which has been polling Microsoft for the result, then receives the access and refresh tokens for the account, granting full access to Microsoft 365 applications including Outlook email, Teams chat logs, and OneDrive files. The attacker never enters a password or answers an authentication challenge, and the refresh token keeps that access alive after the phishing session ends unless it is revoked.
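The exchange described above, as an added example that is neither Microsoft's code nor anything from the kit: a single-process Python mock of the three endpoints in the OAuth 2.0 device authorization grant (RFC 8628). The server, client ID, scopes, user names, verification URI and token strings are all invented. The point it shows is that the identity provider issues tokens to whoever holds the device_code from step 1, and it has no way to know that the person approving the user_code in step 2 is not that party.

```python
"""Mock of the OAuth 2.0 device authorization grant (RFC 8628), the "device
code flow" the article describes. Added example: not Microsoft's code and not
the Kali365 kit. Everything is in-process; the server, client ID, scopes,
user names and token strings are invented and nothing touches a network."""
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class PendingAuth:
    client_id: str
    scope: str
    user_code: str
    expires_at: float
    approved_by: Optional[str] = None  # filled in once someone approves the user_code


class MockAuthServer:
    """Stand-in for an identity provider's /devicecode, /devicelogin and /token endpoints."""

    def __init__(self, lifetime_s: int = 900):
        self.lifetime_s = lifetime_s
        self.by_device_code: dict[str, PendingAuth] = {}
        self.by_user_code: dict[str, PendingAuth] = {}

    def devicecode(self, client_id: str, scope: str) -> dict:
        """Step 1: the requesting device asks for a code pair. In the phish, the attacker does this."""
        device_code = secrets.token_urlsafe(32)  # secret, stays with the requester
        user_code = "-".join(secrets.token_hex(2).upper() for _ in range(2))  # e.g. A1B2-C3D4, shown to a human
        pending = PendingAuth(client_id, scope, user_code, time.time() + self.lifetime_s)
        self.by_device_code[device_code] = pending
        self.by_user_code[user_code] = pending
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://idp.example/devicelogin",  # invented, not a real page
                "expires_in": self.lifetime_s, "interval": 5}

    def devicelogin(self, user_code: str, username: str, mfa_passed: bool) -> dict:
        """Step 2: whoever types the user_code on the genuine sign-in page authenticates
        (password plus MFA) and approves. The server only learns which pending request
        the code belongs to; it cannot tell that the approver is not the requester."""
        pending = self.by_user_code.get(user_code)
        if pending is None or time.time() > pending.expires_at:
            return {"error": "invalid_or_expired_code"}
        if not mfa_passed:
            return {"error": "mfa_required"}  # MFA is enforced here, on the victim, and is satisfied
        pending.approved_by = username
        return {"status": "approved", "client": pending.client_id}

    def token(self, device_code: str) -> dict:
        """Step 3: the requester polls. After approval the tokens go to whoever holds device_code."""
        pending = self.by_device_code.get(device_code)
        if pending is None:
            return {"error": "invalid_grant"}
        if time.time() > pending.expires_at:
            return {"error": "expired_token"}
        if pending.approved_by is None:
            return {"error": "authorization_pending"}
        who = pending.approved_by
        return {"token_type": "Bearer", "subject": who, "scope": pending.scope,
                "access_token": f"at.{who}.{secrets.token_hex(8)}",   # invented token format
                "refresh_token": f"rt.{who}.{secrets.token_hex(8)}"}  # issued because offline_access was requested


def simulate_phish(server: MockAuthServer, victim: str = "alice@victim.example"):
    """Walk the three steps with the attacker and the victim on different machines."""
    # Attacker's machine: request a code pair for a client permitted to use this flow.
    codes = server.devicecode(client_id="mail-client", scope="Mail.Read Files.Read offline_access")
    # The lure e-mail carries codes["user_code"] and the genuine verification_uri; nothing else is needed.
    first_poll = server.token(codes["device_code"])  # still authorization_pending
    # Victim's machine: real sign-in page, real password, real MFA prompt, all passed honestly.
    approval = server.devicelogin(codes["user_code"], victim, mfa_passed=True)
    # Attacker's machine: the next poll returns tokens minted for the victim's identity.
    tokens = server.token(codes["device_code"])
    return first_poll, approval, tokens


if __name__ == "__main__":
    pending, approved, issued = simulate_phish(MockAuthServer())
    print("before approval:", pending)
    print("victim approved:", approved)
    print("attacker holds tokens for:", issued["subject"], "scope:", issued["scope"])
```

Nothing in the mock is weakened to make the attack work: the code expires, MFA is required, and an unknown device_code is rejected. The weakness is in the grant itself, which is why the defence on the Microsoft side is to stop the flow from being available to ordinary users rather than to harden the sign-in page.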

Kali365 lowers the barrier for less skilled cybercriminals by incorporating AI-generated phishing lures and real-time tracking of targets. The FBI warns that this makes the platform especially dangerous, as it can be used to conduct targeted attacks at scale. The rise of such phishing-as-a-service tools has drawn increasing concern from federal agencies; the White House recently issued an executive order framing cybercrime, fraud, and scams as an industrialized threat.

In response to the threat, the FBI recommends that organizations implement strict Conditional Access policies to block device code flow for all users except under limited, vetted circumstances, such as specific service identities on input-constrained devices that genuinely need it. It also urges administrators to audit current device code flow usage before enforcing a block (Microsoft Entra sign-in logs record the authentication protocol used for each sign-in, so existing legitimate use can be inventoried and excluded), restrict the ability to transfer authentication between devices, and exclude emergency access accounts from these policies to prevent lockouts. Rolling the policy out in report-only mode first shows what it would have blocked without disrupting anyone.
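The audit and the policy the FBI describes, as an added example rather than FBI or Microsoft code. The sign-in records are constructed here in the shape of Microsoft Graph signIn objects (a tenant would page through GET /auditLogs/signIns or filter the Entra sign-in logs on the authentication protocol), and the policy body follows the Graph conditionalAccessPolicy schema as I know it, with the authenticationFlows condition carrying the transfer methods to block. User principal names, IPs and app names are invented; the real excludeUsers list takes object IDs rather than UPNs, and the field names should be checked against current Graph documentation before the policy is submitted.

```python
"""Audit sign-in records for device code flow use and build the Conditional
Access policy body that blocks it. Added example, not FBI or Microsoft code.
SAMPLE_SIGNINS is constructed in the shape of Microsoft Graph signIn objects;
nothing here reads from or writes to a tenant."""
import json
from collections import Counter

# Constructed sample, not real log data: what a page of GET /auditLogs/signIns might contain.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2025-05-02T09:14:07Z", "userPrincipalName": "alice@contoso.example",
     "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.17",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-05-02T09:15:31Z", "userPrincipalName": "bob@contoso.example",
     "appDisplayName": "Microsoft Teams", "ipAddress": "198.51.100.8",
     "authenticationProtocol": "authorizationCode", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-05-02T11:02:49Z", "userPrincipalName": "alice@contoso.example",
     "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.17",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-05-02T11:40:12Z", "userPrincipalName": "kiosk-01@contoso.example",
     "appDisplayName": "Lobby Display", "ipAddress": "192.0.2.44",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-05-02T12:05:00Z", "userPrincipalName": "carol@contoso.example",
     "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.17",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 50126}},  # failed sign-in
]


def audit_device_code(signins, allowlist=frozenset()):
    """Return successful device-code sign-ins by identities that are not allow-listed,
    with per-user and per-IP counts. Several users completing the flow from one IP is
    the shape a phishing campaign leaves: the attacker's polling client, not the users."""
    hits = [s for s in signins
            if s.get("authenticationProtocol") == "deviceCode"
            and s.get("status", {}).get("errorCode") == 0
            and s.get("userPrincipalName") not in allowlist]
    return {"hits": hits,
            "by_user": Counter(s["userPrincipalName"] for s in hits),
            "by_ip": Counter(s["ipAddress"] for s in hits)}


def block_device_code_policy(emergency_accounts, vetted_accounts=(), report_only=True):
    """Conditional Access policy body: block device code flow and authentication transfer
    for all users and apps, excluding vetted identities and break-glass accounts.
    Schema per Microsoft Graph conditionalAccessPolicy as I know it; excludeUsers takes
    object IDs in a real tenant, UPNs are used here only for readability."""
    if not emergency_accounts:
        raise ValueError("refusing to build a tenant-wide block with no emergency access account excluded")
    return {
        "displayName": "Block device code flow and authentication transfer",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"],
                      "excludeUsers": sorted(set(emergency_accounts) | set(vetted_accounts))},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    report = audit_device_code(SAMPLE_SIGNINS, allowlist={"kiosk-01@contoso.example"})
    for s in report["hits"]:
        print(s["createdDateTime"], s["userPrincipalName"], s["ipAddress"], s["appDisplayName"])
    print("by IP:", dict(report["by_ip"]))
    policy = block_device_code_policy(["breakglass-01@contoso.example"],
                                      vetted_accounts=["kiosk-01@contoso.example"])
    print(json.dumps(policy, indent=2))
```

Run the audit over a full lookback window before the block goes live, move anything that turns out to be legitimate into the vetted list, and submit the policy in report-only state first; when the report-only results are clean, flip report_only to False. For any hit that was not expected, revoke the user's sessions and refresh tokens rather than only resetting the password, since the stolen refresh token outlives the password.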

Microsoft, in a statement to Nexstar, endorsed the FBI's guidance and added its own set of best practices. The company urged users to learn how to identify phishing attempts, avoid opening files from unknown senders, and keep operating systems and applications updated. Microsoft emphasized it is actively working to disrupt the cybercriminal ecosystems behind phishing-as-a-service and account takeover activity.

The warning comes amid a broader surge in cyber threats targeting critical infrastructure and corporate systems. Recent reports have highlighted Iranian cyberattackers breaching U.S. energy and water systems, as well as a sharp rise in malicious tax domains ahead of the filing deadline. The Navy also issued an urgent cybersecurity directive to personnel amid heightened tensions with Iran.

For organizations using Microsoft 365, the Kali365 threat underscores the need for layered defenses. Experts recommend combining Conditional Access policies with user education, regular review of sign-in logs for unexpected device code use, and prompt revocation of sessions and refresh tokens when a compromise is suspected, since a password reset alone does not invalidate a token the attacker already holds.