
Password plus two-factor isn’t enough: what to do about Kali365

A phishing kit called Kali365 is bypassing Microsoft 365 two-factor by stealing login tokens. Here’s what North Wales businesses need to do about it.

By The Dragon Digital team


The FBI’s Internet Crime Complaint Centre has issued a warning about a phishing kit called Kali365, circulating on Telegram since April 2026. It bypasses password and two-factor authentication on Microsoft 365 accounts without ever needing to steal either one.

Here’s how it works. You receive a phishing email that looks like it’s from a cloud service you trust, Microsoft or Outlook, say. The email asks you to visit a real Microsoft login page (microsoft.com/devicelogin) and enter a code they’ve provided. The page is legitimate, the code is legitimate, your password manager recognises it. Everything looks fine. But when you enter that code and complete your usual two-factor challenge, you’re not logging yourself in. You’re authorising an attacker’s device to access your account. Microsoft then hands the attacker an OAuth token, a digital key that says “you’re logged in”, giving them full access to your Outlook inbox, Teams, OneDrive, and anything else in your Microsoft 365 environment. No password needed. No further prompts.

The FBI’s advisory notes that Kali365 is a subscription service, reportedly from $250 a month, bundling AI-generated phishing emails, automated campaign templates, and token-capture tools into a single package. Security researchers documented hundreds of attacks across North America and Europe in April alone.

Why two-factor alone doesn’t cut it here

Two-factor authentication is still essential, and most businesses should have it turned on. But Kali365 doesn’t break two-factor. It uses a legitimate Microsoft feature called device code authentication in a way you never intended: the attacker tricks you into completing the security check on their behalf.

The FBI and Microsoft have both published clear guidance on defending against it, and the fixes are straightforward.

What to do this week

Block device code authentication if you don’t use it. This feature is designed for conference-room screens, shared kiosks, and smart TVs, devices with no keyboard. Most small businesses don’t use it at all. If that’s you, turn it off. It’s a single configuration change in Microsoft Entra ID (the part of Microsoft 365 that controls who can log in and how), and it removes this attack entirely. No user complaints, no disruption.

If you do use it for a specific meeting-room device, narrow the setting to allow it only for that device.
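The configuration change described above, as an added example that is not Dragon Digital’s or Microsoft’s own code: a Conditional Access policy in Microsoft Entra ID that blocks the device code flow for everyone, created with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed and that you sign in with an account allowed to manage Conditional Access; the policy name and the excluded group ID are placeholders. The exclusion group is how you narrow the block so that a single meeting-room device account can still use the flow; drop that line if you have no such device.

```powershell
# Added example: block the OAuth device code flow tenant-wide with Conditional Access.
# Not the page's or Microsoft's own script; names and IDs below are placeholders.

# Scopes needed to create and read Conditional Access policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$policy = @{
    displayName = "Block device code flow (placeholder name)"
    # Start in report-only mode: sign-in logs will show who *would* have been
    # blocked, so you can confirm nothing legitimate relies on the flow first.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{
            includeUsers  = @("All")
            # Placeholder group object ID holding the one meeting-room device
            # account that genuinely needs device code sign-in. Remove this
            # line if you have no such device.
            excludeGroups = @("00000000-0000-0000-0000-000000000000")
        }
        applications = @{ includeApplications = @("All") }
        # The authentication flows condition is what targets the device code
        # flow specifically, without touching ordinary browser or app sign-ins.
        authenticationFlows = @{ transferMethods = "deviceCodeFlow" }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in report-only mode."

# After a few days with no unexpected report-only hits, switch it to enforced:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
#     -BodyParameter @{ state = "enabled" }
```

Leaving the policy in report-only mode for a few days before enforcing it is the check that turns “most small businesses don’t use it at all” from an assumption into something you have verified against your own sign-in logs.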

Move your most important accounts to stronger authentication. Standard two-factor (a one-time code sent to your phone) is still vulnerable to social engineering. For admin accounts, finance staff, and anyone handling sensitive client data, consider FIDO2 security keys (a small physical device that plugs into a USB port) or Windows Hello (the fingerprint or face-unlock on modern laptops). These are immune to this type of attack because there’s nothing for the attacker to trick you into handing over. For more on why standard MFA has limits, see our earlier piece on why MFA doesn’t stop every type of attack.

Check your sign-in logs. If someone has been in your account, they often create hidden inbox rules to bury Microsoft’s security alerts so you won’t see the warning. The reliable way to spot it is to check the sign-in audit logs in the Microsoft 365 admin centre and look for logins from unfamiliar locations or devices. Our guide on hidden email forwarding rules covers what to look for while you’re in there.
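The two checks above, sign-in logs and quiet inbox rules, as an added example that is not Dragon Digital’s or Microsoft’s own code. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed and that you hold the reading permissions shown; the mailbox address is a placeholder. Device code sign-ins are recorded with an authentication protocol of deviceCode, so they can be picked out of the Entra sign-in log directly rather than by guessing at locations.

```powershell
# Added example: list recent device code sign-ins, then list inbox rules that
# delete, move, mark as read or redirect mail (the pattern used to bury alerts).
# Not the page's or Microsoft's own script; the mailbox below is a placeholder.

Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

# Look back seven days. Filtering server-side on the date keeps the download
# small; the protocol check is done client-side.
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$deviceCodeSignIns = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since" |
    Where-Object { $_.AuthenticationProtocol -eq "deviceCode" }

"Device code sign-ins in the last 7 days: $($deviceCodeSignIns.Count)"
$deviceCodeSignIns |
    Select-Object CreatedDateTime, UserPrincipalName, IPAddress,
        @{ n = "Country"; e = { $_.Location.CountryOrRegion } },
        AppDisplayName,
        @{ n = "Result"; e = {
            if ($_.Status.ErrorCode -eq 0) { "success" } else { "failure $($_.Status.ErrorCode)" }
        } } |
    Sort-Object CreatedDateTime -Descending |
    Format-Table -AutoSize

# A successful device code sign-in for a user who has no kiosk or meeting-room
# device is the event to investigate; a cluster of failures can be the attacker
# waiting for a victim to finish the prompt.

# Now the mailbox side: rules an intruder typically adds to hide warnings.
Connect-ExchangeOnline

$mailbox = "user@example.com"   # placeholder: the account you are reviewing
Get-InboxRule -Mailbox $mailbox -IncludeHidden |
    Where-Object {
        $_.DeleteMessage -or $_.MoveToFolder -or $_.MarkAsRead -or
        $_.ForwardTo -or $_.RedirectTo
    } |
    Select-Object Name, Enabled, DeleteMessage, MoveToFolder, MarkAsRead,
        ForwardTo, RedirectTo, SubjectContainsWords, FromAddressContainsWords |
    Format-List
```

Any rule in that second list with no business reason you recognise, especially one keyed on words like “security” or “sign-in” in the subject, or one that was created around the time of an unfamiliar device code sign-in, is the thing to remove and then treat the account as compromised.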

Who needs to take this seriously

Large enterprises are targets, yes, but a small business with a compromised inbox is worth money on the criminal market too. If you handle card payments, legal client files, or employee payroll data, a single account takeover can lead somewhere expensive.

Kali365 makes attacks cheaper and more scalable, which means more of them, aimed more broadly. Getting the configuration right now is considerably easier than dealing with the fallout later. Dragon Digital manages Microsoft 365 security for local businesses across North Wales, including conditional access policy setup and sign-in monitoring; it’s worth a quick conversation to check whether device code blocking and stronger MFA are already in place for the accounts that matter most.

Could your business use a hand with its IT?

We provide managed IT support, cyber security and more to businesses across North Wales.

Ready to make IT one less thing to worry about?

Book a free, no-obligation consultation. We'll talk through how your IT works today and where we can help, in plain English, with no pressure.