FBI Microsoft 365 Alert: Kali365 Scam Explained
FBI issues alert on Kali365: kit captures OAuth tokens and provides persistent access to Outlook, OneDrive and Teams without triggering MFA.
by Cleverson Gouvêa

On 21 May 2026, the FBI published alert I-052126-PSA confirming what many security teams in Brazil already suspected: the FBI Microsoft 365 alert describes a phishing-as-a-service platform called Kali365, active since April, capable of hijacking OAuth tokens from Outlook, OneDrive and Teams without needing your password and without triggering MFA. If your company uses Microsoft 365, this post explains how the scam works and what to adjust in Entra ID this week.
TL;DR
- The FBI issued alert I-052126-PSA on 21/05/2026 about the Kali365 platform, sold on Telegram since April 2026.
- The attack uses device code phishing to capture OAuth tokens — bypassing most MFA configurations.
- Outlook, OneDrive and Teams are the target services. The attacker operates as the user until the refresh token expires.
- The main mitigation is blocking the device code flow via Conditional Access and reviewing break-glass accounts.
- Brazilian companies with Entra ID without mature policies are especially exposed — the kit already comes with AI-generated lures in Portuguese.
What the FBI alert says about Microsoft 365 and the Kali365 platform
The FBI Microsoft 365 alert published by the Internet Crime Complaint Center (IC3) is categorical: the Kali365 platform began to be observed in real campaigns in April 2026 and, in just over a month, has already claimed hundreds of organisations as victims. The kit is sold as a service (PhaaS — phishing-as-a-service) on Telegram channels, with real-time dashboards, automatic AI-generated emails and per-target tracking reports.
The choice of Microsoft 365 is no coincidence. The ecosystem concentrates three products that together form the nervous system of many companies: email (Outlook), storage and collaboration (OneDrive) and internal communication (Teams). Whoever gets into one, gets into all three. And contrary to what many administrators assumed, the FBI Microsoft 365 alert makes clear that it is not just the retail side of cybercrime using it: the kit is designed to lower the barrier to entry and allow less technical operators to run entire campaigns with a few clicks.
The official communication is at ic3.gov/PSA/2026/PSA260521 and carries the reference number I-052126-PSA. If you work with corporate IT or governance in Brazil, it is worth attaching this reference to your next risk report.
How Kali365 works: device code phishing in 4 steps
Unlike classic phishing — which clones login pages and tries to steal the password — Kali365 exploits a legitimate Microsoft flow called device code authentication. It is the same flow used when you log into a smart TV or console: the device shows a short code and asks you to type it into an official Microsoft page.
Step 1 — The lure arrives by email or Teams
The victim receives a convincing notification: "a financial document has been shared with you", "invitation to Q2 review meeting" or "pending compliance audit". The text is AI-generated, adapted to the target's language and context, and usually comes from a look-alike domain or a legitimate already compromised account.
Step 2 — The user enters the official Microsoft portal
Here lies the sophistication: the lure link points to microsoft.com/devicelogin — a real page, with a valid certificate, no visual anomaly. The victim is instructed to type a short code (eight digits) supposedly to "validate the document" or "join the meeting".
Step 3 — The OAuth token is captured
The typed code belongs to a session initiated by the attacker. When the victim completes the login (including passing MFA, because yes, it is the real Microsoft), Microsoft issues an access token + refresh token pair tied to the "device" controlled by the attacker. Kali365 captures this token via API.
Step 4 — Persistent access without new password
With the refresh token in hand, the attacker can generate new access tokens for days or weeks, without a new MFA challenge. It is as if they have a copy of your keys, but the lock system does not even notice — the FBI Microsoft 365 alert calls this "long-term access" and estimates the access lifespan while the refresh token is valid (up to 90 days by default in Entra ID).
Why traditional MFA does not protect you this time
Many administrators breathe a sigh of relief when they see MFA enabled for the entire tenant — and that confidence is exactly what Kali365 exploits. Traditional MFA validates that someone legitimate is authenticating; it does not validate to which device the token will be issued.
When the user enters microsoft.com/devicelogin and fulfills all factors, they approve the attacker's session without realising. There is no "fake page" to detect, no certificate error, no strange domain. Email filters based on malicious URLs also go blind, because the link is literally from Microsoft.
The only structural defence is a combination of:
- Conditional Access blocking or restricting the device code flow (the FBI's first recommendation in the PSA).
- FIDO2 keys with device binding (phishing-resistant passkeys).
- Sign-in risk policies from Entra ID Premium P2 with high-risk blocking.
- Token Protection (in preview in Entra ID), which binds the token to the source device.
For teams that still rely only on TOTP or SMS, the FBI Microsoft 365 alert is a direct warning: the security floor has risen — and those who stay below it pay dearly.
Traditional phishing vs Kali365 attack
| Aspect | Traditional phishing | Kali365 (device code) |
|---|---|---|
| Login page | Cloned, on fake domain | Real (microsoft.com) |
| What is stolen | Password + second factor | OAuth token (access + refresh) |
| Does SMS MFA protect? | Often, yes | No |
| Does app/TOTP MFA protect? | Yes, mostly | No |
| Does FIDO2 key protect? | Yes | Yes, with token binding |
| Persistence time | Short (until password change) | Long (refresh token lifetime, up to 90 days) |
| Detection by antivirus | Medium | Practically none |
| Detection by URL filter | Good | Almost none (URL is legitimate) |
| Signal in SIEM | Login at unusual time/location | Session from unknown device |
The honest reading of this table is uncomfortable: most of the defences that Brazilian companies bought in the last five years were designed against the phishing in the left column. Kali365 lives in the right column.
What the attacker can do inside Outlook, OneDrive and Teams
When the token falls into hostile hands, the damage goes far beyond "reading emails". The FBI Microsoft 365 alert lists patterns observed in real victims — and all fit within what a normal user could do, which makes detection difficult.
- Outlook: creation of inbox rules that silently forward and delete — classic for BEC (Business Email Compromise) fraud and payment diversion. The attacker monitors exchanges with suppliers and injects a fake invoice with an altered PIX at the right moment.
- OneDrive: mass download of entire libraries (contracts, financial spreadsheets, customer data), planting files with malicious macros in team-shared folders, and abusing the "Anyone with the link" sharing feature for discreet extraction.
- Teams: posting as the compromised user in internal channels, creating meetings with external guests for reconnaissance, and stealing chat data (which often contains credentials and secrets shared carelessly).
This is not theory. Public cases already show that when the attack is industrialised by a kit like Kali365, the average time between compromise and measurable financial damage is decreasing. In analogous contexts, such as the supply chain attacks on NPM, we saw similar vectors — abuse of legitimate authentication flows — causing millions in losses within hours.
How to detect Kali365 compromise in your tenant
Early detection in this scenario depends on telemetry. Traditional antivirus and antispam tools will not deliver. What works:
Entra ID Audit Log
In the entra.microsoft.com portal → Monitoring & Health → Audit logs, filter by Sign-in logs and look for:
- Recent mass Device Code Authentication events.
- Logins from devices with unknown Device ID and Compliant: No.
- Geographic locations inconsistent with the user's profile.
- Applications with offline_access permission issued outside the norm.
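To make the hunt above repeatable over an export of the sign-in logs (the post recommends shipping them to a SIEM), here is an added example in Python that is not from the post: it flags device-code sign-ins with an unknown or non-compliant device or a country outside the user's own baseline, and counts device-code events per user so bursts stand out. Field names follow the Microsoft Graph signIn resource as I understand it (an assumption); the records are constructed.

```python
"""Hunt exported Entra sign-in records for the device-code pattern in the post. Added example, not
from the post; Graph signIn field names are an assumption and the sample records are constructed."""
from collections import Counter

SAMPLE_SIGNINS = [  # constructed sample export, one dict per sign-in event
    {"userPrincipalName": "ana@example.com.br", "createdDateTime": "2026-05-19T09:15:00Z",
     "authenticationProtocol": "oAuth2", "location": {"countryOrRegion": "BR"},
     "deviceDetail": {"deviceId": "dev-1234", "isCompliant": True}},
    {"userPrincipalName": "ana@example.com.br", "createdDateTime": "2026-05-20T14:02:11Z",
     "authenticationProtocol": "deviceCode", "location": {"countryOrRegion": "NL"},
     "deviceDetail": {"deviceId": "", "isCompliant": False}},
    {"userPrincipalName": "sala.reuniao@example.com.br", "createdDateTime": "2026-05-20T08:00:00Z",
     "authenticationProtocol": "deviceCode", "location": {"countryOrRegion": "BR"},
     "deviceDetail": {"deviceId": "room-01", "isCompliant": True}},
]

def baseline_countries(signins):
    """Countries each user signed in from through flows other than device code."""
    seen = {}
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            seen.setdefault(s["userPrincipalName"], set()).add(s["location"]["countryOrRegion"])
    return seen

def score_device_code_signin(s, baseline):
    """Indicators from the post that one device-code sign-in matches."""
    reasons, dev = [], s.get("deviceDetail", {})
    if not dev.get("deviceId"):
        reasons.append("unknown device id")
    if not dev.get("isCompliant"):
        reasons.append("non-compliant device")
    usual = baseline.get(s["userPrincipalName"], set())
    if usual and s["location"]["countryOrRegion"] not in usual:
        reasons.append("country outside user's baseline")
    return reasons

def hunt_device_code(signins, min_reasons=2):
    """Device-code sign-ins with >= min_reasons indicators, plus the user's device-code event count."""
    baseline = baseline_countries(signins)
    per_user = Counter(s["userPrincipalName"] for s in signins
                       if s.get("authenticationProtocol") == "deviceCode")
    hits = []
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            continue
        reasons = score_device_code_signin(s, baseline)
        if len(reasons) >= min_reasons:
            hits.append({"user": s["userPrincipalName"], "when": s["createdDateTime"],
                         "device_code_count": per_user[s["userPrincipalName"]], "reasons": reasons})
    return hits
```

The meeting-room account's device-code sign-in is left alone because its device is known and compliant and it has no baseline to contradict; that is exactly the kind of legitimate use the exception group in the action plan exists for.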
Suspicious inbox rules
PowerShell to scan recently created rules:

```powershell
# Requires the ExchangeOnlineManagement module and an active Connect-ExchangeOnline session.
# Lists rules changed in the last 30 days that forward, redirect, delete or hide mail (e.g. into an RSS folder).
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    $mailbox = $_.PrimarySmtpAddress
    Get-InboxRule -Mailbox $_.Identity | Where-Object {
        $_.WhenChanged -gt (Get-Date).AddDays(-30) -and
        ($_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or
         $_.DeleteMessage -or $_.MoveToFolder -like "*RSS*")
    } | Select-Object @{ n = 'Mailbox'; e = { $mailbox } }, Name, ForwardTo, RedirectTo, DeleteMessage, MoveToFolder
}
```
Rules that forward to an external domain and delete the original are a classic red flag.
Microsoft 365 Defender and Purview
If your license allows, use Microsoft 365 Defender to hunt for sessions with RiskLevelAggregated: high or unfamiliarFeatures. Purview Audit (Premium) retains events for up to a year and allows reconstructing the incident timeline. Teams without these licenses need at least to export Entra logs to an external SIEM — we have seen Brazilian teams adopting this routine after the case of the malicious VS Code extension on GitHub.
What to do now: Conditional Access and blocking the device code flow
The FBI Microsoft 365 alert brings a very specific operational recommendation: create a Conditional Access policy that blocks the device code flow for most users, opening exceptions only for legitimate cases (authentication on keyboardless devices like kiosks and some meeting cameras).
Action plan for this week, in priority order:
- Audit current device code flow usage. In Entra ID, filter Sign-in logs by Authentication Protocol: Device Code. List who uses it, when and why. Without this baseline, any block will break production.
- Create a Conditional Access policy "Block Device Code Flow". Apply to "All users", exclude a group CA-Exception-DeviceCode with few auditable members, and also exclude break-glass accounts.
- Enable grants of "Require phishing-resistant MFA" for administrative access. Passkeys and FIDO2 are the standard to aim for.
- Shorten refresh token lifetime via Conditional Access "Sign-in frequency", forcing reauthentication every 7 days for sensitive users.
- Activate Token Protection (preview) for critical sessions, binding the token to the device.
- Configure alerts in Defender for Cloud Apps for creation of inbox rules with external forwarding.
- Train users with a specific focus on the "type this code here" pattern — it is the new "click here and enter your password".
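The first two steps of the plan, as an added example that is not from the post or from Microsoft: it builds the Graph API body for the "Block Device Code Flow" policy (report-only first) and dry-runs it against the step-1 baseline, so nobody outside CA-Exception-DeviceCode and the break-glass accounts is cut off by surprise. The schema fields (authenticationFlows.transferMethods and the state values) are as I understand the conditionalAccessPolicy resource and should be checked against the current documentation; object ids and the baseline are constructed placeholders.

```python
"""Build the "Block Device Code Flow" Conditional Access body from the action plan and dry-run it
against the step-1 baseline. Added example, not from the post or Microsoft; the body follows the
Microsoft Graph conditionalAccessPolicy schema as I understand it (assumption, check the current
docs); ids and the baseline are constructed placeholders."""

EXCEPTION_GROUP_ID = "placeholder-objectid-CA-Exception-DeviceCode"
BREAK_GLASS_IDS = ["placeholder-objectid-breakglass01"]

def build_block_device_code_policy(exception_group_id, break_glass_ids, report_only=True):
    """All users, all apps, device code flow -> block; starts in report-only mode."""
    if not break_glass_ids:
        raise ValueError("refusing to build a block policy with no break-glass exclusion")
    return {
        "displayName": "Block Device Code Flow",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": [exception_group_id],
                      "excludeUsers": list(break_glass_ids)},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }

def would_block(policy, user_id, group_ids, protocol):
    """Simplified dry run of one sign-in against the policy fields above, as if enforced."""
    if protocol != "deviceCode":
        return False
    users = policy["conditions"]["users"]
    if user_id in users["excludeUsers"] or set(group_ids) & set(users["excludeGroups"]):
        return False
    return "deviceCodeFlow" in policy["conditions"]["authenticationFlows"]["transferMethods"]

# Constructed step-1 baseline: who used device code in the last 30 days, with their groups.
BASELINE = [
    {"user": "sala.reuniao@example.com.br", "id": "u-room", "groups": [EXCEPTION_GROUP_ID]},
    {"user": "ana@example.com.br", "id": "u-ana", "groups": ["g-finance"]},
    {"user": "breakglass01@example.com.br", "id": BREAK_GLASS_IDS[0], "groups": []},
]

def breaking_changes(policy, baseline):
    """Users whose current device-code use the policy would cut off: review before enforcing."""
    return [b["user"] for b in baseline if would_block(policy, b["id"], b["groups"], "deviceCode")]
```

Anyone returned by breaking_changes either moves into the exception group with a documented reason or loses device-code access when the state flips to enabled; the report-only period is where that decision is made.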
Document each policy. In an incident, your ability to prove what was enabled matters as much as the defence itself — it counts for audit, cyber insurance and LGPD.
Response plan if an account has been compromised
Assume the worst: you confirmed a suspicious sign-in via device code 12 hours ago and the user does not recognise it. Order of actions:
- Revoke all user sessions. In Entra ID, open the profile → "Revoke sessions". This invalidates issued tokens, including refresh tokens.
- Force password reset and reapply MFA. If MFA fatigue is suspected, register a new FIDO2 method.
- Inspect and remove inbox rules created or changed in the last 30 days.
- Audit application consents under "Enterprise applications" → "User settings" and revoke any unrecognised app.
- Download the full Entra Audit Log timeline for the period. Preserve for forensics.
- Notify potentially affected parties — customers, suppliers and, if personal data is exposed, prepare communication to the ANPD within the LGPD deadline.
- Report to IC3 at ic3.gov with full lure headers, suspicious session IDs and any artefacts. The FBI aggregates this data to correlate global campaigns.
Mature teams already have a runbook for this. Those who do not, this is the moment — creating the document after the incident is expensive and stressful.
Conclusion: the FBI Microsoft 365 alert closes an era
The FBI Microsoft 365 alert about Kali365 marks an important point: the era of "MFA enabled equals secure company" is over. Those operating Microsoft 365 in Brazil in 2026 need to look at Conditional Access, FIDO2 and Entra ID telemetry as basic infrastructure, not a future project. This is not alarmism — it is the new floor.
If you want to review your M365 security posture or design Conditional Access policies appropriate to the size of your operation, get in touch. We work with Entra ID governance, authentication modernisation and incident response for Brazilian teams living within the Microsoft ecosystem.