Kali365: the phishing kit bypassing Microsoft 365 security
A new phishing kit called Kali365 can hijack Microsoft 365 accounts even when MFA is on. Here’s how it works and what actually stops it.
By The Dragon Digital team
If your business uses Microsoft 365, there’s a phishing threat doing the rounds right now that’s worth understanding. The FBI issued an alert on 21 May 2026 about Kali365, a phishing-as-a-service platform that’s making account hijacking cheaper and easier for criminals to run at scale.
Unlike older phishing tactics, this one isn't after your password. An attacker sends an email pretending to be from Microsoft, SharePoint, or another service your staff already trust. The email contains a short device code (just a few characters) and instructions to enter it on a real Microsoft login page. The target thinks they're fixing a security issue. They enter the code. That's all the attacker needs.
Why your existing defences might not catch this
When someone enters that code on the genuine Microsoft page, they’re unknowingly giving the attacker’s device access to their account. The kit captures what are called access tokens, the digital keys that prove you’re logged in, and stores them. Security researchers have confirmed this works even with multi-factor authentication (MFA) switched on. No password is stolen. No MFA prompt appears. The attacker simply has a valid, ongoing session in Outlook, Teams, and OneDrive for as long as those tokens stay active.
What makes Kali365 particularly notable is the price: $250 a month on Telegram, with AI-generated phishing templates, automated campaign tools, and real-time dashboards included. Attackers with no technical background can now run large-scale campaigns without building anything themselves. It’s a low bar to clear.
What actually stops it
The practical defences mostly live inside Microsoft 365 itself.
Conditional access policies are the strongest fix. These are rules that control when and how users can sign in. Configured correctly, they can block device code flow entirely, which removes the method Kali365 relies on. Microsoft Entra ID, the identity management layer inside Microsoft 365, supports this. You can deploy it in report-only mode first to check for any unintended impact before switching it on fully.
Phishing-resistant MFA still matters, but the type you use is important. Standard authenticator app approvals and SMS codes can still be bypassed by this attack. FIDO2 hardware keys, passkeys, or Windows Hello for Business tie the login to your physical device, which device code phishing cannot get around. If your admin accounts are using SMS for MFA, that’s the first thing to change. See also our article on password resets alone not being enough to protect your Microsoft 365 account.
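The two conditional access controls described above (blocking the device code flow, and requiring phishing-resistant MFA for admin roles) can be expressed as policy bodies for Microsoft Entra ID and then audited. The following is an added example, not Dragon Digital's code or Microsoft's SDK: it builds the JSON shape used by the Microsoft Graph conditionalAccessPolicy resource (as we understand it), defaults to report-only mode, and includes an `audit` function that inspects a list of existing policies to tell you whether the protection is absent, report-only, or enforced. It makes no network calls; the admin role template IDs are placeholders to look up in your own tenant, and the built-in "Phishing-resistant MFA" strength ID should be confirmed there too.

```python
"""Build and audit Entra ID conditional access policy bodies against device
code phishing. Added example, not Dragon Digital's code or Microsoft's SDK;
field names follow the Graph conditionalAccessPolicy resource as understood
by the author of this example. No network calls are made."""
import json

REPORT_ONLY = "enabledForReportingButNotEnforced"  # Graph state value for report-only mode
ENABLED = "enabled"
# Built-in Entra ID authentication strength "Phishing-resistant MFA" (FIDO2 keys,
# passkeys, Windows Hello for Business). Assumed ID: confirm it in your tenant.
PHISHING_RESISTANT_MFA_ID = "00000000-0000-0000-0000-000000000004"


def block_device_code_policy(state=REPORT_ONLY):
    """Policy that blocks the device code flow for all users and apps.
    Deploy with state=REPORT_ONLY first, review the sign-in log, then ENABLED."""
    return {
        "displayName": "Block device code flow",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def admin_phishing_resistant_policy(admin_role_ids, state=REPORT_ONLY):
    """Policy requiring phishing-resistant MFA for the given directory role
    template IDs (placeholders here; look them up in your tenant)."""
    return {
        "displayName": "Require phishing-resistant MFA for admins",
        "state": state,
        "conditions": {
            "users": {"includeRoles": list(admin_role_ids)},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {
            "operator": "OR",
            "authenticationStrength": {"id": PHISHING_RESISTANT_MFA_ID},
        },
    }


def request_body(policy):
    """JSON body to POST to /identity/conditionalAccess/policies."""
    return json.dumps(policy, indent=2)


_RANK = {"no": 0, "report-only": 1, "enforced": 2}


def _stronger(current, candidate):
    return candidate if _RANK[candidate] > _RANK[current] else current


def audit(policies):
    """Given the policies returned by GET /identity/conditionalAccess/policies,
    report whether device code flow is blocked and whether admin roles must use
    phishing-resistant MFA, as 'no', 'report-only' or 'enforced'.
    Exclusions are not evaluated, so an 'enforced' result can still have gaps."""
    result = {"device_code_blocked": "no", "admin_phishing_resistant": "no"}
    for p in policies:
        state = p.get("state")
        if state == ENABLED:
            level = "enforced"
        elif state == REPORT_ONLY:
            level = "report-only"
        else:
            continue  # disabled policies protect nothing
        cond = p.get("conditions") or {}
        grant = p.get("grantControls") or {}
        flows = (cond.get("authenticationFlows") or {}).get("transferMethods") or ""
        if "deviceCodeFlow" in flows and "block" in (grant.get("builtInControls") or []):
            result["device_code_blocked"] = _stronger(result["device_code_blocked"], level)
        strength = (grant.get("authenticationStrength") or {}).get("id")
        if strength == PHISHING_RESISTANT_MFA_ID and (cond.get("users") or {}).get("includeRoles"):
            result["admin_phishing_resistant"] = _stronger(result["admin_phishing_resistant"], level)
    return result


if __name__ == "__main__":
    print(request_body(block_device_code_policy()))
    print(audit([block_device_code_policy(), admin_phishing_resistant_policy(["ROLE-TEMPLATE-ID-PLACEHOLDER"])]))
```

The audit deliberately treats a report-only policy as weaker than an enforced one rather than as equivalent, because report-only mode only records what would have been blocked; the value of running it first is to confirm no legitimate device code use (some headless devices and CLI tools rely on it) before switching to `enabled`.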
Monitoring for unusual sign-ins catches attackers once they're in. Logins from an unfamiliar location, at an odd time of night, or from a device your team has never used before are all worth flagging automatically.
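As an added example of the monitoring just described (not Dragon Digital's code), the block below runs a simple triage over sign-in records. The field names are modelled on the Entra ID sign-in log schema as we understand it, and every record is constructed for the example. It flags any successful sign-in that used the device code flow outright, and otherwise flags sign-ins that combine two or more of the anomalies the article lists: a country not in the user's baseline, a time outside working hours, or a device ID the user has never signed in from.

```python
"""Triage sign-in records for signs of device code phishing. Added example,
not Dragon Digital's code; field names follow the Entra ID sign-in log schema
as understood by the author of this example, and all records are constructed."""
from datetime import datetime, timezone

# Constructed sample sign-in events (not real log data).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "a.jones@example.com",
     "createdDateTime": "2026-05-22T09:12:00Z",
     "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "GB"},
     "deviceDetail": {"deviceId": "dev-001"},
     "authenticationProtocol": "authorizationCodeFlow",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "a.jones@example.com",       # device code sign-in at 03:10
     "createdDateTime": "2026-05-22T03:10:00Z",        # from a new country and device
     "ipAddress": "198.51.100.7",
     "location": {"countryOrRegion": "NL"},
     "deviceDetail": {"deviceId": ""},
     "authenticationProtocol": "deviceCode",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "b.evans@example.com",       # new laptop, otherwise normal
     "createdDateTime": "2026-05-22T14:40:00Z",
     "ipAddress": "203.0.113.11",
     "location": {"countryOrRegion": "GB"},
     "deviceDetail": {"deviceId": "dev-099"},
     "authenticationProtocol": "authorizationCodeFlow",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "b.evans@example.com",       # failed attempt: no session
     "createdDateTime": "2026-05-22T02:05:00Z",
     "ipAddress": "198.51.100.8",
     "location": {"countryOrRegion": "NL"},
     "deviceDetail": {"deviceId": ""},
     "authenticationProtocol": "deviceCode",
     "status": {"errorCode": 50126}},
]

# Per-user baseline of countries and device IDs seen in prior successful
# sign-ins (constructed here; in practice built from a few weeks of history).
BASELINE = {
    "a.jones@example.com": {"countries": {"GB"}, "devices": {"dev-001"}},
    "b.evans@example.com": {"countries": {"GB"}, "devices": {"dev-002"}},
}

WORK_HOURS = range(7, 20)  # UTC hours treated as normal; adjust to your staff's time zone


def signals(record, baseline):
    """Return the list of anomaly descriptions for one sign-in record."""
    reasons = []
    upn = record["userPrincipalName"]
    known = baseline.get(upn, {"countries": set(), "devices": set()})
    if record.get("authenticationProtocol") == "deviceCode":
        reasons.append("device code flow")
    when = datetime.fromisoformat(record["createdDateTime"].replace("Z", "+00:00"))
    hour = when.astimezone(timezone.utc).hour
    if hour not in WORK_HOURS:
        reasons.append(f"outside working hours ({hour:02d}:00 UTC)")
    country = (record.get("location") or {}).get("countryOrRegion")
    if country and country not in known["countries"]:
        reasons.append(f"new country {country}")
    device = (record.get("deviceDetail") or {}).get("deviceId") or ""
    if device not in known["devices"]:
        reasons.append("unknown or unregistered device")
    return reasons


def triage(records, baseline, threshold=2):
    """Successful sign-ins to review: any device code sign-in, or any sign-in
    carrying at least `threshold` anomalies. Failed sign-ins are skipped
    because they created no session."""
    hits = []
    for r in records:
        if (r.get("status") or {}).get("errorCode", 0) != 0:
            continue
        reasons = signals(r, baseline)
        if "device code flow" in reasons or len(reasons) >= threshold:
            hits.append((r["userPrincipalName"], r.get("ipAddress"), reasons))
    return hits


if __name__ == "__main__":
    for upn, ip, reasons in triage(SAMPLE_SIGNINS, BASELINE):
        print(f"REVIEW {upn} from {ip}: {', '.join(reasons)}")
```

Run against the constructed records, only the 03:10 device code sign-in for a.jones@example.com is reported; the new laptop used by b.evans@example.com trips a single signal and stays below the threshold, and the failed device code attempt is ignored. Once device code flow is blocked by policy, any successful `deviceCode` sign-in that still appears is worth a ticket on its own, which is why the code flags it regardless of the threshold.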
Staff awareness is the baseline. Legitimate Microsoft pages never ask users to enter a device code that arrived in an email. If a message asks someone to verify their identity by entering a code they received elsewhere, ignore it. Genuine security checks come through proper channels, not unexpected emails.
None of this is complicated in principle. But right now, with a kit actively being sold that’s built around this exact method, having the right policies in place matters more than usual.
If your Microsoft 365 setup doesn’t already include conditional access policies, phishing-resistant MFA for admin accounts, and proper sign-in monitoring, Dragon Digital handles exactly this for businesses across North Wales. A quick check of your current setup might be the most useful hour you spend this month.