The FBI recently issued a public warning about a phishing-as-a-service platform known as Kali365, which is being used to take over Microsoft 365 accounts. The technique it relies on, device code phishing, does not defeat multi-factor authentication (MFA) head-on: the victim completes MFA normally, and the attacker ends up holding the sign-in tokens that result.
According to the FBI’s advisory, cybercriminals are increasingly using device code phishing to gain unauthorized access to business accounts without ever handling the victim’s password. The full FBI alert is here:
https://www.ic3.gov/PSA/2026/PSA260521
For organizations that rely on Microsoft 365 for email, collaboration, file sharing, and day-to-day operations, this threat highlights the growing need for layered cybersecurity protections and proactive monitoring.
What Is Kali365?
Kali365 is a phishing-as-a-service platform that gives attackers access to Microsoft 365 accounts by abusing a legitimate Microsoft authentication workflow rather than forging one.
Unlike traditional phishing scams that direct users to a fake login page, Kali365 uses device code phishing. This abuses the OAuth 2.0 device authorization grant (RFC 8628), a flow Microsoft supports so that input-constrained devices such as TVs, printers and command-line tools can sign in by having the user type a short code on another device. The attacker starts the sign-in, and the victim is tricked into finishing it on Microsoft’s genuine device login page at microsoft.com/devicelogin, so the address bar, the certificate and the branding are all real.
Because users are interacting with real Microsoft services, the usual phishing warning signs (look-alike domains, certificate errors, off-brand pages) are absent.
How the Attack Works
A typical Kali365 attack follows these steps:
The attacker requests a device code from Microsoft’s identity platform. Microsoft returns a long device code, which the attacker keeps, and a short user code meant to be typed by a person.
The victim receives an email, text message, or chat request asking them to visit microsoft.com/devicelogin and enter the attacker’s user code.
The victim enters the code and signs in on Microsoft’s legitimate login page, including any MFA prompt.
Microsoft issues access and refresh tokens to the client that started the flow. That client is the attacker, who has been polling Microsoft’s token endpoint in the background waiting for the victim to finish.
The attacker keeps using the refresh token for as long as it remains valid, without ever learning the user’s password.
The attack does not break MFA. The victim satisfies MFA themselves and unknowingly authorizes the attacker’s session. The user code is only valid for a short time (typically about 15 minutes), which is why these lures push urgency.
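The five steps above, as an added example that is not part of the FBI alert or this article: an offline simulation of the OAuth 2.0 device authorization grant (RFC 8628) that device code phishing abuses. The authorization server, the client name and the codes are all constructed for this example and nothing here contacts Microsoft; in the real flow the endpoints are the tenant’s /oauth2/v2.0/devicecode and /oauth2/v2.0/token and the verification URI is https://microsoft.com/devicelogin. The point it demonstrates is that tokens are issued to whoever holds the device code, not to the person who typed the user code and passed MFA.

```python
"""Added example, not from the FBI alert or this article: an offline simulation of the
OAuth 2.0 device authorization grant (RFC 8628) that device code phishing abuses. The
authorization server, client names and codes are all constructed; nothing here contacts
Microsoft. In the real flow the endpoints are the tenant's /oauth2/v2.0/devicecode and
/oauth2/v2.0/token, and the verification URI is https://microsoft.com/devicelogin."""
import secrets
import string
import time
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class PendingGrant:
    device_code: str          # long secret held ONLY by the client that started the flow
    user_code: str            # short code a person is asked to type on the verification page
    client_id: str
    expires_at: float
    approved_by: Optional[str] = None   # set once a user enters the user_code and signs in


class ToyAuthorizationServer:
    """Minimal RFC 8628 server, constructed for this example (not Microsoft's implementation)."""

    verification_uri = "https://login.example.invalid/devicelogin"  # stands in for microsoft.com/devicelogin

    def __init__(self, lifetime_seconds: int = 900):
        self.lifetime = lifetime_seconds
        self._by_device_code: Dict[str, PendingGrant] = {}
        self._by_user_code: Dict[str, PendingGrant] = {}
        self.issued: List[dict] = []

    def device_authorization(self, client_id: str) -> dict:
        """Step 1: the client (in a phish, the attacker) asks for codes. No user is involved yet."""
        alphabet = string.ascii_uppercase + string.digits
        grant = PendingGrant(
            device_code=secrets.token_urlsafe(32),
            user_code="".join(secrets.choice(alphabet) for _ in range(9)),
            client_id=client_id,
            expires_at=time.time() + self.lifetime,
        )
        self._by_device_code[grant.device_code] = grant
        self._by_user_code[grant.user_code] = grant
        return {"device_code": grant.device_code, "user_code": grant.user_code,
                "verification_uri": self.verification_uri,
                "expires_in": self.lifetime, "interval": 5}

    def user_signs_in(self, user_code: str, username: str, mfa_satisfied: bool) -> str:
        """Step 2: whoever types the user_code authenticates with password and MFA (the victim).
        The server only sees a legitimate user passing MFA; it cannot tell that the user_code
        arrived in an attacker's message."""
        grant = self._by_user_code.get(user_code.strip().upper())
        if grant is None or time.time() > grant.expires_at:
            return "invalid_or_expired_code"
        if not mfa_satisfied:
            return "mfa_required"
        grant.approved_by = username
        return "approved"

    def token(self, device_code: str, client_id: str) -> dict:
        """Step 3: the client polls with its device_code. Tokens go to the holder of the
        device_code, which is the attacker, not to the person who just completed MFA."""
        grant = self._by_device_code.get(device_code)
        if grant is None or grant.client_id != client_id:
            return {"error": "invalid_grant"}
        if time.time() > grant.expires_at:
            return {"error": "expired_token"}
        if grant.approved_by is None:
            return {"error": "authorization_pending"}
        tokens = {"token_type": "Bearer", "subject": grant.approved_by, "client_id": client_id,
                  "access_token": secrets.token_urlsafe(24), "refresh_token": secrets.token_urlsafe(24)}
        self.issued.append(tokens)
        del self._by_device_code[device_code]
        del self._by_user_code[grant.user_code]
        return tokens


def simulate_device_code_phish(victim: str = "victim@contoso.example") -> dict:
    """Run the three steps and report who ended up holding the tokens."""
    server = ToyAuthorizationServer()
    attacker_client = "attacker-controlled-client"   # constructed name
    codes = server.device_authorization(attacker_client)
    first_poll = server.token(codes["device_code"], attacker_client)   # victim has not acted yet
    # The lure carries only user_code and verification_uri; the victim signs in and passes MFA.
    status = server.user_signs_in(codes["user_code"], victim, mfa_satisfied=True)
    result = server.token(codes["device_code"], attacker_client)
    return {"first_poll": first_poll.get("error"), "victim_status": status,
            "token_issued_to": result.get("client_id"), "token_subject": result.get("subject"),
            "attacker_has_refresh_token": "refresh_token" in result}


if __name__ == "__main__":
    print(simulate_device_code_phish())
```

The victim’s password and MFA response go to the authorization server only; the attacker never sees them, yet the refresh token the server hands back on the final poll is bound to the attacker’s client. That is why password resets alone do not end these incidents: the session has to be revoked.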
Why This Matters for Businesses
Microsoft 365 accounts often contain critical business information, including:
Company email communications
Customer and employee data
Financial records
Shared cloud storage
Internal documents
Administrative access to connected systems
A successful compromise can lead to:
Business Email Compromise (BEC)
Financial fraud
Data theft
Ransomware attacks
Unauthorized account access
Regulatory compliance issues
As phishing attacks become more advanced, businesses need more than antivirus software and basic MFA to stay protected.
Signs of a Device Code Phishing Attack
Employees should be cautious when they receive:
Unexpected requests to enter a code at microsoft.com/devicelogin, especially a code supplied by another person (in a legitimate device code sign-in, the code is shown on the device you are setting up, never sent to you in a message)
Login requests they did not initiate
Urgent messages demanding an immediate sign-in, often within minutes
Authentication prompts from unfamiliar contacts
Requests to approve Microsoft access unexpectedly
The device login page also shows which application is requesting the sign-in; an application name the employee does not recognize is a reason to stop. When in doubt, employees should verify the request through a separate communication method before taking action, and report codes they did not ask for.
How Businesses Can Protect Themselves
Review Microsoft 365 Security Settings
Organizations should regularly review:
Conditional Access policies
MFA configurations
Device management controls
Sign-in risk policies
Application permissions and enterprise application consents
The single most effective setting is the Conditional Access “Authentication flows” condition in Microsoft Entra, which can block the device code flow outright or allow it only for the specific users, devices or trusted locations that genuinely need it (shared meeting-room devices and command-line tools are the usual exceptions). Most organizations have no business use for device code sign-ins and should block them. Proper configuration, combined with requiring compliant or hybrid-joined devices for access, removes most of the value an attacker gets from a captured token.
Invest in Cybersecurity Awareness Training
Many successful attacks still rely on human interaction. Regular employee security training helps users recognize suspicious requests before they become security incidents.
Monitor for Suspicious Activity
Businesses should monitor for:
Sign-ins whose authentication protocol is recorded as Device Code in the Entra ID sign-in logs
Unusual login locations
Impossible travel events
Unexpected device registrations
New application authorizations and consents
Suspicious mailbox forwarding rules
Continuous monitoring helps identify threats before they cause significant damage. If a device code sign-in turns out to be malicious, revoke the user’s sign-in sessions (which invalidates the refresh token the attacker holds), reset the password, and remove any inbox rules or application consents created during the session.
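As an added example that is not code from the FBI alert or this article, the monitoring list above turned into detection logic run over constructed records. Field names follow the Microsoft Graph sign-in resource (userPrincipalName, authenticationProtocol, ipAddress, location) and the unified audit log (Operation), but every record, address and mailbox below is made up for this example, and the audit event parameters are simplified to a flat dictionary.

```python
"""Added example (not code from the FBI alert or the article): detection logic over
constructed Microsoft 365 sign-in and audit records. Field names follow the Microsoft
Graph signIn resource and the unified audit log, but every record here is made up."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Entra ID-style sign-in records. "deviceCode" is the authenticationProtocol
# value recorded for the OAuth 2.0 device authorization grant.
SIGNINS = [
    {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2026-05-20T08:02:11Z",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"},
     "authenticationProtocol": "oAuth2", "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2026-05-20T08:31:47Z",
     "ipAddress": "198.51.100.23", "location": {"countryOrRegion": "NG"},
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso.example", "createdDateTime": "2026-05-20T09:15:00Z",
     "ipAddress": "203.0.113.44", "location": {"countryOrRegion": "US"},
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office", "status": {"errorCode": 50126}},
    {"userPrincipalName": "carol@contoso.example", "createdDateTime": "2026-05-20T09:20:00Z",
     "ipAddress": "203.0.113.77", "location": {"countryOrRegion": "US"},
     "authenticationProtocol": "oAuth2", "appDisplayName": "Outlook", "status": {"errorCode": 0}},
]

# Constructed unified-audit-log style events (parameters flattened for the example).
AUDIT_EVENTS = [
    {"UserId": "alice@contoso.example", "CreationTime": "2026-05-20T08:40:02Z",
     "Operation": "New-InboxRule", "Parameters": {"ForwardTo": "drop@attacker.example", "DeleteMessage": True}},
    {"UserId": "carol@contoso.example", "CreationTime": "2026-05-20T10:00:00Z",
     "Operation": "Set-Mailbox", "Parameters": {}},
]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def device_code_signins(signins, successful_only=True):
    """Every sign-in that used the device authorization grant. In a tenant with no
    legitimate device-code clients, each successful one deserves a look."""
    return [s for s in signins if s.get("authenticationProtocol") == "deviceCode"
            and (not successful_only or s["status"]["errorCode"] == 0)]


def impossible_travel(signins, window=timedelta(hours=2)):
    """Consecutive successful sign-ins by one user from different countries within `window`."""
    by_user = defaultdict(list)
    for s in signins:
        if s["status"]["errorCode"] == 0:
            by_user[s["userPrincipalName"]].append(s)
    hits = []
    for user, rows in by_user.items():
        rows.sort(key=lambda r: _ts(r["createdDateTime"]))
        for a, b in zip(rows, rows[1:]):
            if (a["location"]["countryOrRegion"] != b["location"]["countryOrRegion"]
                    and _ts(b["createdDateTime"]) - _ts(a["createdDateTime"]) <= window):
                hits.append((user, a["location"]["countryOrRegion"], b["location"]["countryOrRegion"]))
    return hits


def forwarding_after_device_code(signins, audit_events, window=timedelta(hours=24)):
    """A device-code sign-in followed by a new inbox rule that forwards mail: BEC staging."""
    hits = []
    for s in device_code_signins(signins):
        t0 = _ts(s["createdDateTime"])
        for e in audit_events:
            if (e["UserId"] == s["userPrincipalName"] and e["Operation"] == "New-InboxRule"
                    and e["Parameters"].get("ForwardTo")
                    and t0 <= _ts(e["CreationTime"]) <= t0 + window):
                hits.append((s["userPrincipalName"], s["ipAddress"], e["Parameters"]["ForwardTo"]))
    return hits


def triage(signins=SIGNINS, audit_events=AUDIT_EVENTS):
    """Summarize the three checks so an analyst sees the correlated story, not three alerts."""
    return {
        "device_code_users": sorted({s["userPrincipalName"] for s in device_code_signins(signins)}),
        "impossible_travel": impossible_travel(signins),
        "forwarding_after_device_code": forwarding_after_device_code(signins, audit_events),
    }


if __name__ == "__main__":
    for name, value in triage().items():
        print(f"{name}: {value}")
```

On the constructed data only alice trips all three checks: a successful device code sign-in from a new country half an hour after a normal one, followed within minutes by a forwarding rule. Bob’s device code attempt failed (error 50126, bad credentials) and so is excluded by default, though the `successful_only=False` switch surfaces it when you want to see lures that did not land. In a real tenant the same logic runs as a KQL query over SigninLogs and OfficeActivity, but the correlation is the part worth copying.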
Implement Layered Cybersecurity Protection
Modern threats require multiple layers of defense. Security monitoring, endpoint protection, email security, threat detection, and proactive support all play a role in reducing risk.
Cybersecurity Is No Longer Optional
The FBI’s Kali365 warning is another reminder that cybercriminals continue to evolve their tactics. Businesses can no longer rely solely on passwords and a basic MFA prompt to protect sensitive information; the flows that MFA protects, and the tokens it produces, need to be controlled too.
Organizations that use Microsoft 365 should take this opportunity to review their security posture, educate employees, and implement additional safeguards against modern phishing attacks.
At AIM IT Services, we help businesses strengthen Microsoft 365 security, reduce cyber risk, and proactively defend against emerging threats through our comprehensive cybersecurity services.
If you’d like to evaluate your current security posture or discuss ways to better protect your business, visit our Cybersecurity Services page.