FBI Warns of Phishing Scam That Bypasses Microsoft 365 MFA

Huma Shazia, 26 May 2026 at 12:27 am, 5 min read
Key Takeaways

Source: How-To Geek
  • Kali365 phishing attacks use legitimate Microsoft login pages to bypass MFA
  • Attackers gain persistent access to OneDrive, Outlook, and connected apps like Salesforce
  • Eight specific email subject line templates are being used in these attacks

The FBI has issued a warning about a phishing campaign that can steal Microsoft 365 accounts even when multi-factor authentication is enabled. The attack uses legitimate Microsoft login pages, making it nearly impossible to spot.

The scam relies on Kali365, a phishing-as-a-service platform that exploits a real Microsoft feature called device code authentication. This feature was designed to let devices with limited input, like smart TVs and streaming boxes, authenticate to Microsoft services. Attackers have turned it into a weapon.

How the Attack Works

Here's what happens: An attacker starts the device code authentication process on their end, which generates a short authorization code. They then send phishing emails or use social engineering to convince victims to enter that code on Microsoft's real login page. Once the victim completes the login, Microsoft issues an OAuth access token to the attacker's device.

The victim never enters their password anywhere suspicious. They're logging into the actual Microsoft website. But by entering the attacker's device code, they've just authorized the attacker's machine to access their account.

60 seconds: average time for attackers to gain full persistent access once a victim authorizes the device code

Security researchers at Arctic Wolf documented the campaign in April 2026. According to their analysis, reported PhaaS attacks targeting Microsoft enterprise clients increased 150% in Q1 2026.

This represents a sophisticated evolution in social engineering, shifting the burden of security from the password to the user's implicit trust in the official Microsoft login flow.

— Dr. Aris Thorne, Lead Cybersecurity Researcher at Sentinel Systems

What Attackers Can Access

Once inside, attackers can access everything tied to the Microsoft 365 account. That includes OneDrive files, Outlook emails, and third-party apps connected through Microsoft's single sign-on, like Salesforce. They can also register new devices to maintain access and create custom mailbox rules to hide their activity.

Some attackers are also using browser cookies to route victims through infrastructure they control while forwarding requests to the real Microsoft login page. You won't see any obvious signs of trouble. The URL looks right. The certificate is valid. Everything appears normal.

Why Kali365 Is Dangerous

Part of what makes Kali365 particularly concerning is its accessibility. According to both Arctic Wolf and the FBI, the platform makes it simple to create AI-generated phishing lures, email templates, and victim tracking systems. Even attackers without deep technical skills can run effective campaigns.

Most people using Kali365 are sharing it through secure Telegram chats, the FBI and Arctic Wolf report. The platform's low barrier to entry means more attackers can deploy these sophisticated attacks at scale.

Email Subject Lines to Watch For

The current Kali365 campaigns use eight fixed email templates that are only partially customized. Arctic Wolf identified these subject line patterns:

  • SharePoint – Document Shared: {sender_name} shared a file with you
  • OneDrive – File Shared: {sender_name} shared "Document" with you
  • Teams – New Message: {sender_name} sent a message in [[company]]
  • Microsoft 365 – Voicemail: Voicemail from {sender_name} – [[date]]
  • DocuSign – Signature Required: {sender_name} requested your signature
  • Invoice Notification: Invoice #INV-[[date]] for [[company]]
  • Adobe-related sharing notifications

If you receive an email with one of these subject lines asking you to enter a code on a Microsoft page, stop. Verify the request through a separate channel before taking any action.

IT Community Response

Discussion on r/cybersecurity and Hacker News shows frustration among IT professionals over Microsoft's implementation of device code flows. Many are debating whether the feature should be disabled by default for non-developer tenants. Users are sharing scripts to audit Microsoft Entra ID (formerly Azure AD) logs for signs of unauthorized device code usage.

How to Protect Your Organization

For IT administrators, consider reviewing whether device code authentication is necessary for your tenant. If it's not being used for legitimate purposes like smart TV apps or IoT devices, disabling it removes this attack vector entirely.

For individual users, the FBI's advice is straightforward: be suspicious of any email asking you to enter a code on a Microsoft login page. Legitimate Microsoft services rarely require device code authentication for standard desktop or mobile use. If you're unsure, contact your IT department directly rather than following email instructions.
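The community scripts mentioned above audit Entra ID sign-in logs for device code usage; the following is an added example of that kind of triage (not code from the article, the FBI or Arctic Wolf). It assumes sign-in records in the shape of a Microsoft Entra ID sign-in log export, where `authenticationProtocol` is `deviceCode` for device code flow sign-ins, and assumes that an attacker registering a device shows up as a follow-up sign-in to a "Device Registration Service" resource; the sample records are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample records shaped like Microsoft Entra ID sign-in log exports
# (Graph signIn field names; every value here is made up for the example).
SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-05-20T09:01:10Z", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10",
     "resourceDisplayName": "Office 365 Exchange Online"},
    {"createdDateTime": "2026-05-20T09:05:42Z", "userPrincipalName": "bob@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7",
     "resourceDisplayName": "Microsoft Graph"},
    {"createdDateTime": "2026-05-20T09:06:30Z", "userPrincipalName": "bob@example.com",
     "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.7",
     "resourceDisplayName": "Device Registration Service"},
    {"createdDateTime": "2026-05-20T11:40:05Z", "userPrincipalName": "carol@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "192.0.2.44",
     "resourceDisplayName": "Microsoft Graph"},
]

# Assumption: a device being registered appears as a sign-in to this resource.
DEVICE_REG_RESOURCE = "Device Registration Service"


def parse_ts(value):
    """Parse the ISO-8601 timestamps the logs use (trailing Z means UTC)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_device_code_signins(records):
    """Every sign-in completed through the device code flow deserves a look."""
    return [r for r in records if r.get("authenticationProtocol") == "deviceCode"]


def triage(records, window_minutes=10):
    """Rate each device-code sign-in: 'high' when the same user then hits the
    device registration service inside the window (the persistence step the
    article describes), otherwise 'medium' (could be a TV app, could be a phish)."""
    findings = []
    for hit in find_device_code_signins(records):
        start = parse_ts(hit["createdDateTime"])
        end = start + timedelta(minutes=window_minutes)
        followed = any(
            r["userPrincipalName"] == hit["userPrincipalName"]
            and r.get("resourceDisplayName") == DEVICE_REG_RESOURCE
            and start <= parse_ts(r["createdDateTime"]) <= end
            for r in records)
        findings.append({"user": hit["userPrincipalName"], "ip": hit["ipAddress"],
                         "time": hit["createdDateTime"],
                         "severity": "high" if followed else "medium"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_SIGNINS):
        print(f"{f['severity'].upper():6} {f['time']} {f['user']} from {f['ip']}")
```

Run against a real export, every hit still needs a human to confirm whether the user actually owns a limited-input device; a tenant that has no such devices can block the flow outright instead of triaging it.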

Frequently Asked Questions

Can Kali365 bypass multi-factor authentication?

Yes. Because victims enter the device code on Microsoft's legitimate login page and complete MFA themselves, the attacker receives a valid OAuth token without ever needing to bypass MFA directly.

What is device code authentication?

It's a Microsoft feature designed for devices with limited input capabilities, like smart TVs. Users enter a short code on a separate device to authenticate. Kali365 exploits this by tricking users into entering attacker-generated codes.

How do I know if my Microsoft 365 account has been compromised?

Check your Microsoft 365 sign-in history for unfamiliar devices or locations. IT administrators can audit Microsoft Entra ID logs for suspicious device code authentication events.

Should organizations disable device code authentication?

If your organization doesn't use smart TVs or IoT devices that require device code authentication, disabling the feature eliminates this attack vector. Consult your IT security team to evaluate whether it's needed.