HomeSubject Matter AreasCybersecurity
CybersecurityCybersecurity and Infrastructure Security AgencyFBI

FBI Warns Phishing Kit is Bypassing Microsoft Multi-Factor Authentication Through OAuth Token Hijacking

Homeland Security Today
By Homeland Security Today
May 26, 2026
(FBI photo)

The Federal Bureau of Investigation (FBI) has issued a Public Service Announcement (PSA) to warn the public about an emerging Phishing-as-a-Service (PhaaS) platform called Kali365, first seen in April 2026. Kali365 has primarily been distributed via Telegram, enabling cyber threat actors to obtain Microsoft 365 access tokens and bypass multi-factor authentication (MFA) protocols without intercepting the user’s credentials.

Through the Kali365 platform subscription, cyber threat actors can capture “OAuth” tokens and gain persistent access to targeted individuals/entities’ Microsoft 365 environments. Kali365 lowers the barrier of entry, providing less-technical attackers access to AI-generated phishing lures, automated campaign templates, real-time targeted individual/entity tracking dashboards, and OAuth token capture capabilities.

How the Scam Works

  1. Lure: An attacker sends a phishing email impersonating trusted cloud productivity and document-sharing services. This phishing email contains a device code with instructions to visit a legitimate Microsoft verification page and enter the code.
  2. Authorization: The targeted individuals/entities navigate to the real Microsoft page and pastes in the device code, unknowingly authorizing the attacker’s device to access their account.
  3. Token Theft: The attacker captures OAuth access and refresh tokens, granting them access to the targeted individuals/entities’ Microsoft 365 account.
  4. Persistence: The attacker can now access Microsoft 365 services such as Outlook, Teams, and OneDrive without needing a password or completing any additional MFA challenges.

Tips to Protect Yourself

Restricting device code flow to limit or block device authentication codes can help prevent or limit this style of attack.

  • Create a conditional access policy to block device code flow for all users, with limited exceptions for required business processes.
  • Audit existing device code flow usage to identify legitimate dependencies before creating a conditional access policy.
  • Block authentication transfer policies to prevent users from transferring authentication from computers to mobile devices.
  • If you cannot completely restrict device code flow usage, exclude emergency access accounts to prevent lockouts.

The original announcement can be found here.

Previous article
Microsoft Dismantles Fox Tempest Cybercrime Platform Linked to Hospital and School Ransomware Attacks
Next article
President Trump Approves Orange County Emergency Declaration

The Government Technology & Services Coalition's Homeland Security Today (HSToday) is the premier news and information resource for the homeland security community, dedicated to elevating the discussions and insights that can support a safe and secure nation. A non-profit magazine and media platform, HSToday provides readers with the whole story, placing facts and comments in context to inform debate and drive realistic solutions to some of the nation’s most vexing security challenges.

Related Articles

Latest Articles

Load more