The FBI is issuing a critical warning about a sophisticated phishing platform called Kali365. This service, sold to criminals, targets Microsoft 365 accounts, including Outlook, Teams, and OneDrive.
The threat is particularly dangerous because it can bypass traditional security. Kali365 exploits Microsoft's device-code login process. A victim receives a phishing email that appears to come from a trusted service, providing a code and a link to a legitimate Microsoft verification page.
Once the victim enters the code on that real page, they unknowingly authorize the attacker's device. The criminal then captures OAuth tokens, gaining access to the account without ever needing the password. This can defeat multifactor authentication.
The FBI first observed Kali365 in April 2026. The platform is primarily distributed through Telegram and provides attackers with AI-generated phishing messages, automated campaign templates, and token-capture tools.
This poses a severe risk for small businesses. A single compromised account can give a criminal a believable voice to send fraudulent invoices, request sensitive data, or impersonate leadership.

Users should watch for red flags: unexpected device-code requests, urgent messages, and context that doesn't match their activity. The primary defense is to never enter a code unless you personally initiated the sign-in.
Microsoft advises following the FBI's guidance and its own security best practices. The company's Digital Crimes Unit has recently disrupted similar phishing ecosystems, including Fake ONNX and RaccoonO365.
Experts recommend several protective steps: always navigate directly to Microsoft.com instead of using links from emails, regularly review account activity for unfamiliar sessions, and revoke access if a code was entered in error. Businesses should consider training employees on this specific threat and auditing their use of device-code flow.
If compromised, users should immediately sign out of all sessions, change passwords, and report the incident to the FBI's Internet Crime Complaint Center at IC3.gov.