FBI Warns Kali365 Can Bypass Microsoft 365 MFA Using OAuth Tokens

Microsoft 365 accounts targeted through device code phishing



The FBI is warning organizations about Kali365, a phishing-as-a-service platform that hijacks Microsoft 365 accounts by abusing OAuth device code authentication, BleepingComputer reports. The platform sidesteps MFA not by stealing passwords or one-time codes but by obtaining OAuth tokens for sessions the victim has already authenticated.

According to the report, Kali365 first appeared in April 2026 and is actively promoted through Telegram cybercrime channels. The service lowers the barrier for cybercriminals by offering ready-made phishing infrastructure and automated attack tools.

Kali365 Uses Microsoft Device Login Flow Against Victims

The attacks rely on Microsoft’s legitimate device authorization flow, the sign-in path intended for devices without a usable browser. The attacker, not the victim, starts the flow: the attacker’s client asks Microsoft’s device authorization endpoint for a code, and Microsoft returns a short user code to be shown to the victim together with a matching device code that the attacker’s client keeps and uses to poll the token endpoint.

Victims then receive phishing emails instructing them to enter the user code at Microsoft’s official device login page (microsoft.com/devicelogin). After the victim signs in there and completes MFA, Microsoft issues the OAuth access token, and typically a refresh token, to the client that requested the code, which is the attacker’s. The code expires 15 minutes after it is issued, which is why the lures push the victim to act immediately.

Because every step happens on Microsoft’s real authentication systems, attackers never need to capture passwords or one-time MFA codes, and the URL the victim visits is genuinely Microsoft’s, so the usual advice to check the link before signing in does not help.
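To make the asymmetry concrete, here is an added simulation of the device code grant written for this article; it is neither Kali365’s code nor Microsoft’s and never contacts Microsoft. The endpoint roles, error strings and the 15-minute code lifetime follow Microsoft’s public documentation, while the client id, scopes, victim identity and the `subject` field in the token response are constructed. The point to notice is that the victim only ever sees the user code and Microsoft’s real page, while the tokens go to whoever holds the device code.

```python
"""
Mock of the OAuth 2.0 device authorization grant (RFC 8628) as Entra ID
implements it, used to show why the tokens land with whoever started the
flow rather than with the person who typed the code. Added, self-contained
simulation for this article; it does not contact Microsoft and is not
Kali365's code. Endpoint roles, error strings and the 15-minute code
lifetime follow Microsoft's public documentation; the client id, scopes,
victim identity and the "subject" field are constructed for illustration.
"""
import secrets
import string

USER_CODE_LIFETIME = 900   # seconds; Microsoft's documented expires_in for a device code
POLL_INTERVAL = 5          # seconds the client is told to wait between token polls


class FakeClock:
    """Controllable time source so the expiry path can be exercised deterministically."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class MockAuthorizationServer:
    """Stand-in for the devicecode and token endpoints of login.microsoftonline.com."""

    def __init__(self, clock):
        self.clock = clock
        self.pending = {}        # device_code -> grant state
        self.by_user_code = {}   # user_code -> device_code

    def device_authorization(self, client_id, scope):
        """POST .../oauth2/v2.0/devicecode. Called by the *client*, i.e. the attacker."""
        device_code = secrets.token_urlsafe(32)
        alphabet = string.ascii_uppercase + string.digits
        user_code = "".join(secrets.choice(alphabet) for _ in range(9))
        self.pending[device_code] = {
            "user_code": user_code,
            "expires_at": self.clock() + USER_CODE_LIFETIME,
            "user": None,
            "client_id": client_id,
            "scope": scope,
        }
        self.by_user_code[user_code] = device_code
        return {
            "device_code": device_code,          # secret, stays with the attacker
            "user_code": user_code,              # goes into the phishing email
            "verification_uri": "https://microsoft.com/devicelogin",
            "expires_in": USER_CODE_LIFETIME,
            "interval": POLL_INTERVAL,
        }

    def device_login(self, user_code, user, mfa_passed):
        """What microsoft.com/devicelogin does after the *victim* signs in there."""
        device_code = self.by_user_code.get(user_code)
        entry = self.pending.get(device_code)
        if entry is None or self.clock() > entry["expires_at"]:
            return "bad_verification_code"       # code unknown or older than 15 minutes
        if not mfa_passed:
            return "mfa_required"
        entry["user"] = user                     # victim's identity is now bound to the attacker's grant
        return "ok"

    def token(self, device_code):
        """POST .../oauth2/v2.0/token with grant_type=urn:ietf:params:oauth:grant-type:device_code."""
        entry = self.pending.get(device_code)
        if entry is None:
            return {"error": "invalid_grant"}
        if self.clock() > entry["expires_at"]:
            return {"error": "expired_token"}
        if entry["user"] is None:
            return {"error": "authorization_pending"}   # keep polling
        del self.pending[device_code]                   # a grant is redeemed once
        del self.by_user_code[entry["user_code"]]
        return {
            "token_type": "Bearer",
            "scope": entry["scope"],
            "access_token": f"at.{entry['user']}.{secrets.token_hex(8)}",
            "refresh_token": f"rt.{entry['user']}.{secrets.token_hex(8)}",
            "subject": entry["user"],   # constructed: in reality the identity sits inside the token claims
        }


def run_attack(victim_delay, victim="victim@example.com", mfa_passed=True):
    """Play the whole exchange: attacker starts, victim completes, attacker collects."""
    clock = FakeClock()
    server = MockAuthorizationServer(clock)
    # 1. Attacker's client starts the flow; only the user_code is sent to the victim.
    grant = server.device_authorization("attacker-chosen-public-client-id", "openid offline_access Mail.Read")
    # 2. Attacker polls immediately; nothing is ready yet.
    first_poll = server.token(grant["device_code"])
    # 3. Victim opens the genuine Microsoft page from the lure and signs in with MFA.
    clock.advance(victim_delay)
    login_result = server.device_login(grant["user_code"], victim, mfa_passed)
    # 4. Attacker's next poll receives (or is refused) the victim's tokens.
    clock.advance(POLL_INTERVAL)
    token_response = server.token(grant["device_code"])
    return {"first_poll": first_poll, "login_result": login_result, "token_response": token_response}


if __name__ == "__main__":
    print(run_attack(victim_delay=60))     # victim acted within the window: attacker gets tokens
    print(run_attack(victim_delay=1000))   # victim waited too long: expired_token
```

Running it with a victim delay under 900 seconds yields a token response whose subject is the victim, returned to the attacker’s poll; with a delay over 900 seconds the victim gets a bad-code error and the attacker’s poll gets `expired_token`, which is the window defenders are racing against.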

OAuth Token Theft Lets Attackers Bypass MFA

Once attackers obtain the OAuth token, they can access the victim’s Microsoft 365 environment immediately. This may include Outlook mailboxes, OneDrive files, Teams data, and connected SaaS applications tied through single sign-on integrations.

Researchers say attackers also created malicious inbox rules to hide suspicious activity and, in some incidents, registered unauthorized devices inside compromised Microsoft environments.

The FBI warns that attackers can keep access even after victims change their passwords while the stolen tokens remain valid: an access token stays usable until it expires, and the refresh token stays usable until it is revoked. Responders should therefore revoke the user’s sign-in sessions explicitly rather than rely on a password reset alone.
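The follow-on activity described above, together with the FBI’s advice to audit device code usage, is what a first detection pass should look for. The following is an added example written for this article, not the FBI’s or the researchers’ tooling, run over constructed sample records: it pulls successful device code sign-ins out of sign-in log entries and raises the severity when the same user creates a hiding or forwarding inbox rule or registers a device within 24 hours. Field names follow the Graph `signIn` resource, Exchange records in the Microsoft 365 unified audit log and the Entra ID audit log as the author understands them; treat them as assumptions and adapt them to your own export.

```python
"""
Detection pass over constructed sample records: flag successful device code
sign-ins, then look for the follow-on activity the FBI describes (inbox rules
that hide or redirect mail, new device registrations) by the same user within
a window. Added example for this article, not code from the FBI advisory or
the report. Record shapes follow, as the author understands them, the Graph
signIn resource, Exchange records in the unified audit log and the Entra ID
audit log; treat the exact field names as assumptions.
"""
import json
from datetime import datetime, timedelta

# --- constructed sample telemetry (RFC 5737 addresses, example.com users) ---
SIGNINS = [json.loads(line) for line in """
{"createdDateTime":"2026-05-04T09:02:11Z","userPrincipalName":"alice@example.com","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.7","appDisplayName":"Microsoft Office","status":{"errorCode":0}}
{"createdDateTime":"2026-05-04T09:05:40Z","userPrincipalName":"bob@example.com","authenticationProtocol":"oAuth2","ipAddress":"198.51.100.20","appDisplayName":"Microsoft Teams","status":{"errorCode":0}}
{"createdDateTime":"2026-05-04T11:17:02Z","userPrincipalName":"carol@example.com","authenticationProtocol":"deviceCode","ipAddress":"192.0.2.44","appDisplayName":"Microsoft Authentication Broker","status":{"errorCode":0}}
{"createdDateTime":"2026-05-04T11:20:00Z","userPrincipalName":"dave@example.com","authenticationProtocol":"deviceCode","ipAddress":"192.0.2.45","appDisplayName":"Microsoft Office","status":{"errorCode":50126}}
""".strip().splitlines()]

EXCHANGE_AUDIT = [json.loads(line) for line in """
{"CreationTime":"2026-05-04T09:31:00Z","Workload":"Exchange","Operation":"New-InboxRule","UserId":"alice@example.com","Parameters":[{"Name":"Name","Value":"."},{"Name":"SubjectContainsWords","Value":"password;security;invoice"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2026-05-06T08:00:00Z","Workload":"Exchange","Operation":"New-InboxRule","UserId":"bob@example.com","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"MoveToFolder","Value":"Archive"}]}
""".strip().splitlines()]

ENTRA_AUDIT = [json.loads(line) for line in """
{"activityDateTime":"2026-05-04T12:40:00Z","category":"Device","activityDisplayName":"Register device","initiatedBy":{"user":{"userPrincipalName":"carol@example.com"}}}
""".strip().splitlines()]

# New-InboxRule / Set-InboxRule parameters that hide mail from the owner or send it elsewhere
SUSPICIOUS_RULE_PARAMS = {"DeleteMessage", "MoveToFolder", "MarkAsRead",
                          "ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}


def ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def device_code_signins(signins):
    """Successful sign-ins that used the device code grant."""
    return [s for s in signins
            if s.get("authenticationProtocol") == "deviceCode"
            and s.get("status", {}).get("errorCode") == 0]


def follow_on_activity(user, start, window, exchange_audit, entra_audit):
    """Hiding/forwarding inbox rules and device registrations by `user` inside [start, start+window]."""
    end = start + window
    hits = []
    for rec in exchange_audit:
        if rec.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        if rec.get("UserId", "").lower() != user.lower() or not start <= ts(rec["CreationTime"]) <= end:
            continue
        params = {p["Name"] for p in rec.get("Parameters", [])}
        bad = sorted(SUSPICIOUS_RULE_PARAMS & params)
        if bad:
            hits.append(f"{rec['Operation']} with {','.join(bad)} at {rec['CreationTime']}")
    for rec in entra_audit:
        who = rec.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "")
        if (rec.get("category") == "Device" and rec.get("activityDisplayName") == "Register device"
                and who.lower() == user.lower() and start <= ts(rec["activityDateTime"]) <= end):
            hits.append(f"Register device at {rec['activityDateTime']}")
    return hits


def analyze(signins, exchange_audit, entra_audit, window_hours=24):
    """One finding per device code sign-in; severity rises when follow-on activity is present."""
    findings = []
    for s in device_code_signins(signins):
        user = s["userPrincipalName"]
        hits = follow_on_activity(user, ts(s["createdDateTime"]), timedelta(hours=window_hours),
                                  exchange_audit, entra_audit)
        findings.append({
            "user": user,
            "signin_time": s["createdDateTime"],
            "ip": s.get("ipAddress"),
            "app": s.get("appDisplayName"),
            "follow_on": hits,
            "severity": "high" if hits else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in analyze(SIGNINS, EXCHANGE_AUDIT, ENTRA_AUDIT):
        print(f["severity"].upper(), f["user"], f["app"], f["ip"], f["follow_on"])
```

On the sample data, bob’s ordinary OAuth sign-in and his harmless archive rule produce nothing, dave’s failed device code attempt is ignored, and alice and carol are raised to high because a message-deleting rule and a device registration follow their device code sign-ins within the window. In production the same logic is one KQL query over `SigninLogs` joined to the audit tables, but the point is the correlation, not the query language.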

Kali365 Targets Low-Skilled Cybercriminals

Kali365 follows the growing phishing-as-a-service business model. Platform administrators handle development while affiliates launch phishing campaigns using prebuilt tools.

The service reportedly includes:

  • AI-generated phishing lures
  • Automated phishing templates
  • Victim management dashboards
  • Token-capture tools
  • Session hijacking features

Kali365 also supports an adversary-in-the-middle mode known as “Cookie Link.” This feature captures authenticated browser sessions, cookies, and login tokens after victims complete MFA verification.

FBI Recommends Blocking Device Code Authentication

The FBI advises organizations to restrict or fully block device code authentication where possible through Conditional Access policies. Entra ID’s Conditional Access has a dedicated “Authentication flows” condition for exactly this, covering both device code flow and authentication transfer, so the block can be scoped to all users and applications with an exclusion only for the identities that genuinely need it.

Security teams should also:

  • Audit existing device code usage (sign-in logs record the authentication protocol, so device code sign-ins can be filtered out and checked against the headless devices and CLI tools that legitimately need the flow)
  • Monitor suspicious device registrations
  • Block authentication transfer, the related flow that hands an authenticated session from one device to another, using the same Conditional Access condition
  • Preserve phishing emails and login logs for investigations
  • Report incidents to the FBI Internet Crime Complaint Center

MFA Bypass Attacks Continue to Grow

This is not the first large-scale attack designed to bypass MFA protections. Threat groups previously used platforms like Tycoon2FA to steal authenticated sessions through adversary-in-the-middle phishing techniques.

Researchers also recently warned about malware such as CloudZ RAT, which abuses Microsoft Phone Link to intercept one-time passwords and authentication messages.

Google researchers additionally demonstrated AI-assisted phishing methods capable of helping attackers bypass traditional 2FA protections more efficiently.

