Multi-factor authentication (MFA) has long been considered one of the strongest defences against cyberattacks. If a password is stolen, an additional verification step, such as a code sent to a phone or generated by an authenticator app, should keep attackers out.
But a new phishing toolkit called Kali365 is challenging that assumption.
In May, the FBI issued a public warning about Kali365, a phishing-as-a-service (PhaaS) platform that allows cybercriminals to compromise Microsoft 365 accounts without stealing passwords. Instead, attackers target authentication tokens, effectively sidestepping the protections that MFA is designed to provide. The toolkit, first observed in April 2026, is distributed primarily through Telegram and is already being used to target Microsoft 365 users.
Fortune India explains what Kali365 is, and how it works:
Kali365 is a subscription-based phishing toolkit that helps cybercriminals steal Microsoft 365 access tokens. According to the FBI, Kali365 is an emerging phishing-as-a-service platform that enables attackers to obtain Microsoft 365 access tokens and bypass MFA protections without intercepting user credentials.
The FBI warned that Kali365 lowers the barrier of entry for attackers by providing AI-generated phishing lures, automated campaign templates, tracking dashboards and OAuth token capture capabilities.
In simple terms, the toolkit makes sophisticated attacks available even to relatively low-skilled cybercriminals.
How is it different from traditional phishing?
Traditional phishing attacks aim to steal usernames and passwords using fake websites. Kali365 takes a different approach. Instead of stealing credentials, it steals authentication tokens—the digital passes that keep users logged into services such as Outlook, Teams and OneDrive.
As a result, attackers do not necessarily need to know a victim’s password. The FBI says attackers can gain access by capturing OAuth tokens and obtaining persistent access to Microsoft 365 environments. This represents a broader shift in cybercrime from credential theft to session and token theft.
This is where the attack becomes particularly deceptive. According to the FBI, the attacker first sends a phishing email impersonating a trusted cloud or document-sharing service. The email contains a device code and asks the victim to visit a legitimate Microsoft verification page.
The victim then logs in using Microsoft’s real authentication process and completes MFA normally. The FBI describes the process as “unknowingly authorising the attacker’s device” when the victim enters the provided code on Microsoft’s legitimate page.
The critical point is that MFA is not technically broken. The victim successfully completes MFA. However, the authentication session belongs to the attacker, who receives the resulting access token.
Researchers say Kali365 exploits something users have been trained to trust: legitimate login systems. A recent investigation by Huntress, a cybersecurity platform, warned that suspicious device code activity can be the front door to a much larger compromise involving token abuse, mailbox access and persistence within corporate environments.
The report also cautioned organisations not to dismiss such incidents as “a one-off phishing lure” or an “isolated sign-in anomaly.” In other words, a seemingly minor phishing event could provide attackers an entry into an organisation’s cloud environment.
Why does this matter for businesses?
Many organisations have spent years encouraging employees to use MFA as a core cybersecurity defence. Kali365 shows that security strategies focused solely on passwords and MFA may no longer be sufficient.
Security researchers note that the attack abuses a legitimate Microsoft authentication feature known as device-code authentication. This means users may encounter a real Microsoft webpage, a real Microsoft login prompt and a real MFA challenge while still falling victim to the attack.
For businesses, that makes employee awareness training significantly more complicated because traditional advice such as “check whether the login page is genuine” may not be enough.
Microsoft has not issued a new public statement specifically on Kali365 following the FBI’s May warning. However, the company had already warned customers about device-code phishing attacks in an April security advisory.
Microsoft said it had observed a “widespread phishing campaign leveraging the device code authentication flow to compromise organizational accounts at scale.”
The company added, “The threat actor successfully abuses the OAuth device code authentication flow, causing the victim to authenticate the threat actor’s session and resulting in issuance of valid access and refresh tokens without password theft.”
Microsoft has stressed that device-code authentication is a legitimate feature rather than a software vulnerability. Instead of removing the feature, the company has advised organisations to restrict device-code authentication where it is not needed, monitor sign-in activity and deploy stricter access controls.
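The device-code flow described above, and the sign-in monitoring Microsoft recommends, as an added detection example that is not code from the article, the FBI or Microsoft. It assumes sign-in records shaped like the Microsoft Graph signIn resource (fields such as authenticationProtocol, ipAddress, location and status.errorCode) and runs over constructed sample records.

```python
"""Triage device-code sign-ins in Microsoft Entra sign-in records.
Added example, not code from the article, the FBI or Microsoft. Assumes records
shaped like the Microsoft Graph signIn resource, where authenticationProtocol is
"deviceCode" for the device code flow and status.errorCode is 0 on success.
"""
from collections import defaultdict

# Constructed sample: alice signs in normally, then a device-code sign-in for her
# succeeds from an unseen country and IP; bob's device-code attempt fails.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2026-05-04T09:02:11Z",
     "ipAddress": "203.0.113.10", "authenticationProtocol": "authorizationCode",
     "location": {"countryOrRegion": "IN"}, "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2026-05-04T09:40:27Z",
     "ipAddress": "198.51.100.77", "authenticationProtocol": "deviceCode",
     "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2026-05-04T10:15:00Z",
     "ipAddress": "203.0.113.22", "authenticationProtocol": "deviceCode",
     "location": {"countryOrRegion": "IN"}, "status": {"errorCode": 500121}},
]

def baseline_by_user(records):
    """Countries and IPs seen per user in sign-ins that did not use device code."""
    seen = defaultdict(set)
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            seen[r["userPrincipalName"]].add(r.get("location", {}).get("countryOrRegion"))
            seen[r["userPrincipalName"]].add(r.get("ipAddress"))
    return seen

def triage(records):
    """One alert per successful device-code sign-in: "high" when neither the
    country nor the IP is in the user's non-device-code baseline (MFA was
    completed on Microsoft's real page, but the session lives elsewhere),
    else "medium". Failed attempts are skipped, as they yielded no token."""
    baseline = baseline_by_user(records)
    alerts = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        if r.get("status", {}).get("errorCode", 0) != 0:
            continue  # nonzero errorCode: the sign-in did not complete
        user, ip = r["userPrincipalName"], r.get("ipAddress")
        country = r.get("location", {}).get("countryOrRegion")
        unseen = country not in baseline[user] and ip not in baseline[user]
        alerts.append({"user": user, "time": r["createdDateTime"], "ip": ip,
                       "country": country, "severity": "high" if unseen else "medium"})
    return alerts
```

In practice the records come from an export of the Entra sign-in logs or the Graph API; a "high" alert is the cue to revoke the user's sessions and refresh tokens rather than treat it as an isolated anomaly.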
What does Kali365 tell us about the future of cyberattacks?
For organisations, the lesson is clear: MFA remains essential, but it is no longer a complete defence. Companies will need stronger monitoring of authentication activity, tighter controls around device-code logins and better visibility into token-based attacks.