A new phishing platform called Kali365 is bypassing multi-factor authentication entirely, and it doesn’t need your password to do it. Here’s what Minneapolis-area businesses need to understand right now

On May 21, the FBI and IC3 issued a public service announcement about a phishing-as-a-service platform called Kali365. Available on Telegram for roughly 50/month, it puts sophisticated account takeover capabilities in the hands of attackers who don’t need technical skills to use it. And it’s specifically designed to get inside Microsoft 365 accounts without triggering your MFA.

If your team uses Outlook, Teams, or OneDrive, this is directly relevant to you.

The attack doesn’t look like an attack

That’s what makes Kali365 genuinely dangerous. There’s no fake login page. No spoofed website. No intercepted text message. The victim is directed to a real Microsoft page, types in a real code, and unknowingly hands the attacker persistent access to their entire Microsoft 365 environment.

Here’s how the sequence unfolds:

1.The phishing email arrives. An AI-crafted message impersonates a familiar service like SharePoint, DocuSign, or a document-sharing tool. It’s context-aware and built to pass standard email filters.

2.The target visits a legitimate Microsoft URL. The email instructs them to go to microsoft.com/devicelogin, a real Microsoft verification page. Nothing about the destination looks suspicious.

3.They enter the attacker’s device code. The code in the email is tied to the attacker’s device, not the user’s. Entering it links the attacker’s session to the victim’s account.

4.OAuth tokens are captured. Access is persistent. The platform intercepts valid OAuth access and refresh tokens. The attacker now has long-term, password-free access to Outlook, Teams, and OneDrive with no further MFA challenges required.

Why your MFA doesn’t stop this: The victim authenticates on Microsoft’s own domain. From Microsoft’s perspective, the login is completely legitimate. MFA was completed by the user, on a real page. The token theft happens after authentication is done, not during it.

What’s actually at risk

A compromised Microsoft 365 account isn’t just a breached mailbox. It’s an open door.

Outlook and email. Full mailbox access opens the door to business email compromise, wire fraud, and vendor impersonation. Finance, leadership, and operations teams are primary targets.

OneDrive. File exfiltration becomes trivial. Intellectual property, client records, contracts, and internal documents are all reachable without any additional authentication.

Microsoft Teams. The attacker operates under a trusted internal identity. This enables internal social engineering and lateral movement to other staff, vendors, and systems.

Supply chain and partners. If a compromised account belongs to an IT vendor or MSP, attackers can pivot downstream to their clients, creating cascading breaches across multiple organizations.

For organizations in healthcare, financial services, legal, or manufacturing, these aren’t abstract risks. A single compromised tenant can trigger HIPAA exposure, regulatory liability, or client notification requirements.

Because Kali365 uses AI to craft phishing lures tuned to look contextually legitimate, standard email gateway rules and basic user awareness training are not reliable defenses against the initial vector.

What to do about it

The FBI’s mitigations are specific and actionable. The fix isn’t a new product. It’s a policy configuration most organizations haven’t made yet.

•Block device code flow via Conditional Access. Create a policy in Microsoft Entra ID that blocks the OAuth 2.0 device authorization grant for all users. Most organizations have no legitimate need for this flow and don’t know it’s enabled.

•Audit before you block. Review existing device code flow usage first. Conference room systems, smart displays, printers, and IoT devices may depend on it. Identify dependencies so the policy doesn’t lock out critical equipment.

•Block authentication transfer policies. Prevent authenticated sessions from being transferred across devices. This closes a secondary vector Kali365 and similar platforms exploit to extend access.

•Protect emergency access accounts. If you can’t fully restrict device code flow, create exceptions only for break-glass accounts. This prevents an overly broad policy from locking your team out of critical systems during an incident.

The bigger picture

Kali365 is a symptom of a wider shift in how attacks are built. Phishing-as-a-service platforms commoditize capability that used to require real technical skill. When something this effective is available to anyone with 50 and a Telegram account, the barrier to entry for a serious breach drops to nearly nothing.

Password complexity rules, standard MFA deployment, and user awareness training are not sufficient controls against token theft. The defense has to move upstream: restrict the protocol, not just the credential.

If your organization hasn’t reviewed its Conditional Access policies recently, this is the signal. We review these configurations as part of our standard security assessments, and in most SMB environments we audit, device code flow is open and unmonitored.

Not sure if your Microsoft 365 environment is exposed?

RYMARK offers a free IT security consultation for Minneapolis-area businesses. We review your Conditional Access policies and identify exposure before an attacker does.

Call (651) 323-1775 or visit rymarkit.com to schedule your free consultation.

Sources: FBI/IC3 PSA260521 (May 21, 2026)|BleepingComputer|Infosecurity Magazine|Malwarebytes|Bitdefender