The FBI is warning organizations about a new phishing-as-a-service platform, Kali365, that is actively targeting Microsoft 365 users. Though the warning was issued in May, it remains an active, high-severity threat.
Unlike traditional phishing, this attack does not steal passwords or MFA codes. Instead, it tricks users into entering an attacker-supplied device code on a legitimate Microsoft sign-in page, which authorizes the attacker's session and grants access to the account. From there, attackers can read emails, access files, and use Teams or OneDrive without further authentication.
Just Because It Looks Legitimate Doesn’t Mean It Is
The platform, which emerged in 2026, allows cybercriminals to launch sophisticated phishing campaigns with relatively little technical expertise. According to the FBI, attackers send emails that appear to come from trusted document-sharing, cloud storage, or collaboration services. Victims are directed to a legitimate Microsoft login page and asked to enter a device code provided in the message.
Because the login page is genuine and users can successfully complete MFA, many assume the request is legitimate. However, entering the device code can authorize an attacker-controlled session, granting cybercriminals access to Microsoft 365 resources without requiring the user’s password.
Stay Alert: Recognizing Device-Code Phishing
“Staying cautious with unexpected login or verification requests is critical to protecting organizational systems and data,” said Jo Bradley, PrivaPlan Cybersecurity Coordinator and Senior Analyst. She has these recommendations for what email recipients should look out for and what to do next.
What to Watch For
- Emails asking you to enter a “device code” on a Microsoft site
- Messages impersonating document-sharing or cloud services
- Unexpected requests to verify or link your account
What to Do
- Do not enter device codes from unsolicited emails
- Report suspicious messages immediately to IT/security
- When in doubt, verify requests through a trusted channel
Why Kali365 Is Different
Most phishing attacks rely on fake login pages that capture usernames and passwords. Kali365 takes a different approach by exploiting a legitimate Microsoft authentication workflow.
Once a victim authorizes the request, attackers obtain access and refresh tokens that let them maintain access to the account. In many cases this access persists even after the user changes their password, unless the organization’s security team revokes the active sessions and tokens.
This approach makes the attack particularly dangerous because it bypasses many of the warning signs employees have been trained to recognize.
Potential Risks to Organizations
A successful compromise can provide attackers with access to:
- Outlook email accounts
- OneDrive files
- Microsoft Teams conversations
- SharePoint documents
- Internal communications and business records
For healthcare organizations, this could include access to sensitive patient information, financial data, employee records, and other protected information stored in Microsoft 365 environments.
Attackers may also use compromised accounts to launch business email compromise schemes, distribute additional phishing messages, or move deeper into an organization’s network.
Organizations should review Microsoft 365 security settings, monitor for unusual OAuth and device-code activity, and regularly review sign-in logs for unfamiliar device registrations or application consent requests. Security awareness training should also include device-code phishing scenarios, so that employees understand that even a genuine Microsoft login page can be part of a malicious attack if the request itself has not been verified.
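One way to act on the monitoring advice above, as an added example that is not from the FBI notice or from PrivaPlan: a Python check over constructed Microsoft Entra ID sign-in records (field names follow the Microsoft Graph signIn resource, where an authenticationProtocol of "deviceCode" marks the device code flow) that flags every device-code sign-in and raises the severity when the code was redeemed from outside the assumed corporate address ranges.

```python
import json
import ipaddress

# Constructed sample sign-in records (not real log data). Field names follow the
# Microsoft Graph signIn resource; authenticationProtocol "deviceCode" marks the
# OAuth 2.0 device authorization grant that device-code phishing abuses.
SAMPLE_SIGNINS = """\
{"userPrincipalName":"alice@example.org","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.10","createdDateTime":"2026-05-04T08:02:11Z","clientAppUsed":"Browser","resourceDisplayName":"Office 365 Exchange Online"}
{"userPrincipalName":"alice@example.org","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.77","createdDateTime":"2026-05-04T09:14:03Z","clientAppUsed":"Mobile Apps and Desktop clients","resourceDisplayName":"Microsoft Graph"}
{"userPrincipalName":"bob@example.org","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.22","createdDateTime":"2026-05-04T10:30:45Z","clientAppUsed":"Mobile Apps and Desktop clients","resourceDisplayName":"Microsoft Graph"}
{"userPrincipalName":"carol@example.org","authenticationProtocol":"oAuth2","ipAddress":"198.51.100.5","createdDateTime":"2026-05-04T11:01:09Z","clientAppUsed":"Browser","resourceDisplayName":"Microsoft Teams"}
"""

# Assumed corporate egress ranges (constructed). A device-code sign-in from
# outside them means the code was redeemed on a machine the user was not using.
CORPORATE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

def is_corporate(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_RANGES)

def flag_device_code_signins(log_text, corporate_check=is_corporate):
    """Return one finding per device-code sign-in, highest severity first."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        outside = not corporate_check(rec["ipAddress"])
        findings.append({
            "user": rec["userPrincipalName"],
            "time": rec["createdDateTime"],
            "ip": rec["ipAddress"],
            "resource": rec.get("resourceDisplayName"),
            "severity": "high" if outside else "medium",
            "reason": ("device-code flow redeemed from a non-corporate address"
                       if outside else "device-code flow used; confirm the user started it"),
        })
    findings.sort(key=lambda f: f["severity"] != "high")  # stable: high first
    return findings

if __name__ == "__main__":
    for f in flag_device_code_signins(SAMPLE_SIGNINS):
        print(f"[{f['severity']}] {f['time']} {f['user']} from {f['ip']} "
              f"-> {f['resource']}: {f['reason']}")
```

A confirmed finding is followed by the remedy the text names above, revoking the user's active sessions and refresh tokens, so that the attacker's tokens stop working regardless of any password change.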
Enhance Your Cybersecurity Posture
As cybercriminal activity and data breaches continue to rise, we know that up to 90% of breaches start with a phishing email, making your users the last line of defense. That’s why we offer managed phishing and cybersecurity awareness training services.