FBI Warns UK Businesses: Kali365 Microsoft 365 Attack Explained

FBI issues alert on Kali365: OAuth token theft kit gives persistent access to Outlook, OneDrive and Teams without triggering MFA. UK firms urged to act now.

by Cleverson Gouvêa

FBI Warns UK Businesses: Kali365 Microsoft 365 Attack Explained

On 21 May 2026, the FBI published alert I-052126-PSA confirming what many UK security teams suspected: the FBI Microsoft 365 alert describes a phishing-as-a-service platform called Kali365, active since April, capable of hijacking OAuth tokens from Outlook, OneDrive and Teams without needing your password and without triggering MFA. If your organisation uses Microsoft 365, this post explains how the scam works and what to adjust in Entra ID this week.

TL;DR

  • The FBI issued alert I-052126-PSA on 21/05/2026 regarding the Kali365 platform, sold on Telegram since April 2026.
  • The attack uses device code phishing to capture OAuth tokens — bypassing most MFA configurations.
  • Outlook, OneDrive and Teams are the target services. The attacker operates as the user until the refresh token expires.
  • The primary mitigation is to block the device code flow via Conditional Access and review break-glass accounts.
  • UK organisations with Entra ID without mature policies are especially exposed — the kit already comes with AI-generated lures in English tailored to UK contexts.

What the FBI alert says about Microsoft 365 and the Kali365 platform

The FBI Microsoft 365 alert published by the Internet Crime Complaint Center (IC3) is unequivocal: the Kali365 platform was first observed in real campaigns in April 2026 and, in just over a month, has already hit hundreds of organisations as victims. The kit is sold as a service (PhaaS — phishing-as-a-service) on Telegram channels, with real-time dashboards, AI-powered automatic email generation and per-target tracking reports.

The choice of Microsoft 365 is no accident. The ecosystem concentrates three products that together form the nervous system of many businesses: email (Outlook), storage and collaboration (OneDrive) and internal communication (Teams). Whoever gets into one, gets into all three. And contrary to what many administrators assumed, the FBI Microsoft 365 alert makes clear that it is not just cybercriminal retailers using it: the kit is designed to lower the barrier to entry and allow less technical operators to run entire campaigns with just a few clicks.

The official notice is at ic3.gov/PSA/2026/PSA260521{target="_blank"} and references number I-052126-PSA. If you work in corporate IT or governance in the UK, it is worth attaching this reference to your next risk report.

How Kali365 works: device code phishing in 4 steps

Unlike classic phishing — which clones login pages and tries to steal passwords — Kali365 exploits a legitimate Microsoft flow called device code authentication. It is the same flow used when you log in to a smart TV or console: the device shows a short code and asks you to type it into an official Microsoft page.

Step 1 — The lure arrives by email or Teams

The victim receives a convincing notification: "a financial document has been shared with you", "invitation to Q2 review meeting" or "pending compliance audit". The text is AI-generated, adapted to the language and context of the target, and usually comes from a look-alike domain or a previously compromised legitimate account.

Step 2 — The user enters the official Microsoft portal

Here lies the sophistication: the lure link points to microsoft.com/devicelogin — a real page, with a valid certificate, no visual anomalies. The victim is instructed to type a short code (eight digits) supposedly to "validate the document" or "join the meeting".

Step 3 — The OAuth token is captured

The typed code belongs to a session initiated by the attacker. When the victim completes the login (including passing MFA, because yes, it is the real Microsoft), Microsoft issues an access token + refresh token pair bound to the "device" controlled by the attacker. Kali365 captures this token via API.

Step 4 — Persistent access without a new password

With the refresh token in hand, the attacker can generate new access tokens for days or weeks without a new MFA challenge. It is as if they have a copy of your keys, but the lock system does not even notice — the FBI Microsoft 365 alert calls this "long-term access" and estimates the access lifespan as long as the refresh token is valid (up to 90 days by default in Entra ID).

Why traditional MFA does not protect you this time

Many administrators breathe a sigh of relief when they see MFA enabled for the entire tenant — and that confidence is exactly what Kali365 exploits. Traditional MFA validates that someone legitimate is authenticating; it does not validate to which device the token will be issued.

When the user enters microsoft.com/devicelogin and completes all factors, they approve the attacker's session without realising. There is no "fake page" to detect, no certificate error, no strange domain. Email filters based on malicious URLs also go blind because the link is literally from Microsoft.

The only structural defence is a combination of:

  • Conditional Access blocking or restricting the device code flow (the FBI's first recommendation in the PSA).
  • FIDO2 keys with device binding (phishing-resistant passkeys).
  • Sign-in risk policies from Entra ID Premium P2 with blocking on high risk.
  • Token Protection (in preview in Entra ID), which binds the token to the source device.

For teams that still rely only on TOTP or SMS, the FBI Microsoft 365 alert is a direct warning: the security floor has risen — and those who stay below it will pay dearly.

Traditional phishing vs Kali365 attack

Aspect Traditional phishing Kali365 (device code)
Login page Cloned, on fake domain Real (microsoft.com)
What is stolen Password + second factor OAuth token (access + refresh)
Does SMS MFA protect? Often, yes No
Does app/TOTP MFA protect? Yes, mostly No
Does FIDO2 key protect? Yes Yes, with token binding
Persistence time Short (until password change) Long (refresh token lifetime, up to 90 days)
Detection by antivirus Medium Practically zero
Detection by URL filter Good Almost zero (URL is legitimate)
Signal in SIEM Login at unusual time/location Session from unknown device

The honest reading of this table is uncomfortable: most of the defences that UK companies have bought in the last five years were designed against the phishing in the left column. Kali365 lives in the right column.

What the attacker can do inside Outlook, OneDrive and Teams

When the token falls into hostile hands, the damage goes far beyond "reading emails". The FBI Microsoft 365 alert lists patterns observed in real victims — and all fit within what a normal user could do, which hinders detection.

  • Outlook: creation of inbox rules that silently forward and delete — classic for BEC (Business Email Compromise) fraud and invoice diversion. The attacker monitors communications with suppliers and injects a fake invoice with altered payment details at the right moment.
  • OneDrive: mass download of entire libraries (contracts, financial spreadsheets, customer data), planting files with malicious macros in shared team folders, and abusing the "Anyone with the link" sharing feature for discreet exfiltration.
  • Teams: posting as the compromised user in internal channels, creating meetings with external guests for reconnaissance, and stealing chat data (which often contains credentials and secrets shared carelessly).

This is not theory. Public cases have already shown that when the attack is industrialised by a kit like Kali365, the average time between compromise and measurable financial damage is decreasing. In analogous contexts, such as the supply chain attacks on NPM, we saw similar vectors — abuse of legitimate authentication flows — causing millions in losses within hours.

How to detect Kali365 compromise in your tenant

Early detection in this scenario depends on telemetry. Traditional antivirus and antispam tools will not deliver. What works:

Entra ID Audit Log

In the entra.microsoft.com portal → Monitoring & Health → Audit logs, filter by Sign-in logs and look for:

  • Recent Device Code Authentication events in bulk.
  • Logins from devices with unknown Device ID and Compliant: No.
  • Geographic locations inconsistent with the employee's profile.
  • Applications with offline_access permission issued outside the norm.

Suspicious inbox rules

PowerShell to scan recently created rules:

Get-Mailbox -ResultSize Unlimited | ForEach-Object {
  Get-InboxRule -Mailbox $_.Identity | Where-Object {
    $_.WhenChanged -gt (Get-Date).AddDays(-30) -and
    ($_.ForwardTo -or $_.DeleteMessage -or $_.MoveToFolder -like "*RSS*")
  }
}

Rules that forward to an external domain and delete the original are a classic red flag.

Microsoft 365 Defender and Purview

If your licence allows, use Microsoft 365 Defender to hunt for sessions with RiskLevelAggregated: high or unfamiliarFeatures. Purview Audit (Premium) retains events for up to a year and allows you to reconstruct the incident timeline. Teams without these licences need at least to export Entra logs to an external SIEM — we have seen UK teams adopting this routine after the malicious VS Code extension on GitHub case.

What to do now: Conditional Access and blocking the device code flow

The FBI Microsoft 365 alert brings a very specific operational recommendation: create a Conditional Access policy that blocks the device code flow for most users, opening an exception only for legitimate cases (authentication on keyboardless devices like kiosks and some meeting cameras).

Action plan for this week, in priority order:

  1. Audit current device code flow usage. In Entra ID, filter Sign-in logs by Authentication Protocol: Device Code. List who uses it, when and why. Without this baseline, any blocking will break production.
  2. Create a Conditional Access policy "Block Device Code Flow". Apply to "All users", exclude a group CA-Exception-DeviceCode with few auditable members, and also exclude break-glass accounts.
  3. Enable "Require phishing-resistant MFA" grants for administrative access. Passkeys and FIDO2 are the standard to aim for.
  4. Shorten the refresh token lifetime via Conditional Access "Sign-in frequency", forcing reauthentication every 7 days for sensitive users.
  5. Activate Token Protection (preview) for critical sessions, binding the token to the device.
  6. Configure alerts in Defender for Cloud Apps for creation of inbox rules with external forwarding.
  7. Train users with a specific focus on the "type this code here" pattern — it is the new "click here and type your password".

Document each policy. In an incident, your ability to prove what was enabled matters as much as the defence itself — it counts for audit, cyber insurance and UK GDPR compliance.

Response plan if an account has been compromised

Assume the worst: you confirmed a suspicious sign-in via device code 12 hours ago and the user does not recognise it. Order of actions:

  1. Revoke all user sessions. In Entra ID, open the profile → "Revoke sessions". This invalidates issued tokens, including refresh tokens.
  2. Force password reset and reapply MFA. If MFA fatigue is suspected, register a new FIDO2 method.
  3. Inspect and remove inbox rules created or changed in the last 30 days.
  4. Audit application consents in "Enterprise applications" → "User settings" and revoke any unrecognised app.
  5. Download the full Entra Audit Log timeline for the period. Preserve for forensics.
  6. Notify potentially affected parties — customers, suppliers and, if personal data is exposed, prepare communication to the ICO within the UK GDPR timeframe.
  7. Report to IC3 at ic3.gov with full headers of the lure, suspicious session IDs and any artefacts. The FBI aggregates this data to correlate global campaigns.

Mature teams already have a runbook for this. Those who do not, this is the moment — creating the document after an incident is expensive and stressful.

Conclusion: the FBI Microsoft 365 alert closes an era

The FBI Microsoft 365 alert about Kali365 marks an important point: the era of "MFA enabled equals secure company" is over. Anyone operating Microsoft 365 in the UK in 2026 needs to look at Conditional Access, FIDO2 and Entra ID telemetry as basic infrastructure, not a future project. This is not alarmism — it is the new floor.

If you want to review your M365 security posture or design Conditional Access policies appropriate to the size of your operation, get in touch. We work with Entra ID governance, authentication modernisation and incident response for UK teams living inside the Microsoft ecosystem.