The FBI sounds the alarm
On May 21, 2026, the FBI issued an official alert (PSA260521) through the Internet Crime Complaint Center (IC3) regarding a new phishing tool called Kali365. This kit, sold for $250 per month on Telegram, allows cybercriminals — even those with no technical skills — to hijack Microsoft 365 accounts by bypassing multi-factor authentication.
This is not a theoretical threat: hundreds of organizations have already been compromised since April 2026, primarily in finance, accounting, healthcare, education, and the public sector.
How does Kali365 work?
Token theft, not password theft
Unlike classic phishing attacks that aim to steal your password, Kali365 uses a far more sophisticated technique: it directly steals your OAuth tokens — the access and refresh tokens Microsoft issues to "remember" that you're logged in.
In practice, once a token is stolen, the attacker can access your Outlook, Teams, OneDrive, and SharePoint without ever needing your password or MFA code. And they can do so indefinitely, as long as the token is not revoked.
Two attack methods
Kali365 offers two distinct techniques:
1. "Device Code Phishing"
The attacker sends you an email asking you to enter a code on a legitimate Microsoft page (microsoft.com/devicelogin). The page is genuine, the process looks normal. You complete the MFA yourself — except you're actually authenticating the attacker's device, not your own.
This is what makes this attack so dangerous: you never see a fake website. Everything happens on real Microsoft servers.
2. "Cookie Link" (Adversary-in-the-Middle)
The second technique routes your login through a server controlled by the attacker. You sign in normally, enter your MFA code, and the intermediary server captures your session cookies and tokens in real time.
What Kali365 includes for $250/month
The kit is sold like a genuine commercial service, complete with:
- AI-generated phishing emails — personalized and convincing
- Automated campaign templates — ready to deploy
- Real-time tracking dashboard — to see who clicks and who logs in
- Automatic OAuth token capture — no technical intervention required
- Technical support via Telegram
This is Phishing-as-a-Service (PhaaS) — the criminal equivalent of a SaaS subscription.
Why multi-factor authentication is no longer enough
Classic MFA is bypassed
Whether you use an SMS code, an authenticator app (Google Authenticator, Microsoft Authenticator), or even a push notification, Kali365 bypasses them all. Why? Because you are the one completing the authentication — the attacker doesn't need your code.
MFA protects against password theft. But when an attack captures the result of your authentication (the token), MFA becomes useless.
The only MFA protections that hold up
Only phishing-resistant authentication methods can block Kali365:
- FIDO2 keys (YubiKey, Google Titan) — the key's response is bound to the genuine Microsoft site, so it will not authenticate to a look-alike page or a relay server
- Passkeys (Windows Hello, Touch ID) — tied to your physical device
- Conditional Access policies — which block connections from unrecognized devices or locations
Who is targeted?
Most affected sectors
According to the FBI alert, the most targeted organizations are:
- Finance and accounting — access to banking and financial data
- Healthcare — medical records and sensitive data
- Education — universities and schools with thousands of accounts
- Public sector — government agencies and local authorities
- SMBs — often without a dedicated IT team
Africa is not spared
If your organization uses Microsoft 365 (Outlook, Teams, OneDrive), you are a potential target — whether you're in Dakar, Abidjan, or Casablanca. Kali365 phishing campaigns are automated and large-scale — they don't target any specific country, but everyone.
How to protect yourself: immediate action plan
For individual users
1. NEVER click on a login link received by email
Even if the email appears to come from Microsoft, your company, or your IT department. Always type login.microsoftonline.com manually into your browser.
2. Be wary of unsolicited "device codes"
If someone asks you to enter a code on microsoft.com/devicelogin and you did not initiate this request, it's an attack. Do not proceed.
3. Regularly check your active sessions
Go to myaccount.microsoft.com → Recent sign-in activity. If you see connections from unknown devices or locations, revoke them immediately.
4. Red alert: unsolicited MFA code
If you receive a Microsoft verification code or a push notification without having tried to sign in, someone is attempting to access your account. Do not approve it, and change your password immediately.
For IT administrators and organizations
5. Disable "Device Code Flow"
If your organization doesn't use this feature, disable it in Azure AD via Conditional Access policies. This is Kali365's primary attack vector.
6. Enable Conditional Access
Configure rules that:
- Block connections from non-compliant devices
- Require known network locations for certain operations
- Force re-authentication for sensitive actions
- Detect risky sign-ins (unusual behavior)
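The two steps above (blocking the device code flow and adding Conditional Access rules) translate into policy objects that are created through the Microsoft Graph API. The script below is an added example, not code from the article, the FBI alert or Microsoft: it builds the JSON bodies an administrator would POST to https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies, starting every policy in report-only mode, and lints them before they are sent. Field names follow the Graph conditionalAccessPolicy resource as the author of this example knows it; the authenticationFlows condition has lived in the beta endpoint in the past, so confirm it against your tenant. The break-glass group ID is a placeholder.

```python
"""Conditional Access policy payloads for Microsoft Graph (added example).

Builds the JSON bodies for three policies: block the device code flow,
require a compliant device, and force re-authentication on risky sign-ins.
Field names follow the Graph conditionalAccessPolicy resource as known to
this example's author; verify the authenticationFlows condition in your
tenant before enforcing.
"""
import json

GRAPH_CA_ENDPOINT = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

# Placeholder object ID of an emergency-access ("break-glass") group.
# Every policy excludes it so that a misconfiguration cannot lock out admins.
BREAK_GLASS_GROUP_ID = "00000000-0000-0000-0000-000000000000"

# Report-only: the policy is evaluated and logged but not enforced.
REPORT_ONLY = "enabledForReportingButNotEnforced"


def _base(display_name, state):
    """Common skeleton: all users and all apps, break-glass group excluded."""
    return {
        "displayName": display_name,
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": [BREAK_GLASS_GROUP_ID]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
    }


def block_device_code_flow(state=REPORT_ONLY):
    """Block the OAuth 2.0 device authorization grant for all users and apps.

    Run it report-only first: legitimate device code users (headless hosts,
    some CLI tools) then appear in the sign-in logs before anyone is blocked.
    """
    policy = _base("Block device code flow (PSA260521 response)", state)
    policy["conditions"]["authenticationFlows"] = {"transferMethods": "deviceCodeFlow"}
    policy["grantControls"] = {"operator": "OR", "builtInControls": ["block"]}
    return policy


def require_compliant_device(state=REPORT_ONLY):
    """Only Intune-compliant devices may sign in, so a token replayed from an
    attacker-controlled host fails the device check."""
    policy = _base("Require compliant device", state)
    policy["conditions"]["clientAppTypes"] = ["browser", "mobileAppsAndDesktopClients"]
    policy["grantControls"] = {"operator": "OR", "builtInControls": ["compliantDevice"]}
    return policy


def step_up_on_risky_signin(state=REPORT_ONLY):
    """Medium/high sign-in risk: require MFA and re-authenticate every time."""
    policy = _base("Re-authenticate on risky sign-in", state)
    policy["conditions"]["signInRiskLevels"] = ["medium", "high"]
    policy["grantControls"] = {"operator": "OR", "builtInControls": ["mfa"]}
    policy["sessionControls"] = {
        "signInFrequency": {
            "isEnabled": True,
            "frequencyInterval": "everyTime",
            "authenticationType": "primaryAndSecondaryAuthentication",
        }
    }
    return policy


def lint_policy(policy):
    """Sanity checks before the payload is sent; returns a list of findings."""
    findings = []
    users = policy["conditions"]["users"]
    if policy["state"] == "disabled":
        findings.append("policy is disabled and will have no effect")
    if "All" not in users.get("includeUsers", []):
        findings.append("policy is not scoped to all users")
    if not users.get("excludeGroups"):
        findings.append("no break-glass group excluded; risk of admin lockout")
    if "grantControls" not in policy and "sessionControls" not in policy:
        findings.append("policy has no grant or session control")
    return findings


def all_policies(state=REPORT_ONLY):
    return [block_device_code_flow(state), require_compliant_device(state),
            step_up_on_risky_signin(state)]


if __name__ == "__main__":
    for p in all_policies():
        print(p["displayName"], "->", lint_policy(p) or "ok")
        print(json.dumps(p, indent=2))
```

Switch `state` to `"enabled"` only after the report-only sign-in logs show no legitimate device code usage that still needs an exception.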
7. Switch to FIDO2 keys or passkeys
These are the only MFA methods that resist Kali365 and adversary-in-the-middle attacks. Microsoft, Google, and Apple all support passkeys in 2026.
8. Monitor OAuth tokens
Use Azure AD audit logs to detect suspicious token creation. Set up automated alerts for unusual sign-ins.
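The detection logic below is an added example, not code from the article or the FBI alert. It runs over constructed sign-in records shaped like the Microsoft Graph signIn resource (GET /auditLogs/signIns) and applies three rules: any device code flow sign-in, any successful sign-in from an unmanaged device outside the countries your staff normally work from, and two successful sign-ins from different countries less than an hour apart. The `authenticationProtocol` field with the value `"deviceCode"` comes from the Graph beta signIn resource as this example's author knows it; confirm the field name in your own export. The expected-country set and the sample records are assumptions.

```python
"""Flag suspicious Microsoft 365 sign-ins in exported sign-in logs (added example).

Records are constructed sample data shaped like the Graph signIn resource.
The authenticationProtocol field ("deviceCode") is assumed from the Graph
beta resource; verify it in your tenant's export.
"""
from collections import defaultdict
from datetime import datetime

# Assumption: countries the organization's staff are expected to sign in from.
EXPECTED_COUNTRIES = {"SN", "CI", "MA"}
TRAVEL_WINDOW_MINUTES = 60

SAMPLE_SIGNINS = [  # constructed sample data, not real log lines
    {"userPrincipalName": "a.diop@example.com", "createdDateTime": "2026-05-22T08:01:10Z",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "SN"},
     "authenticationProtocol": "oAuth2", "appDisplayName": "Office 365 Exchange Online",
     "deviceDetail": {"isCompliant": True}, "status": {"errorCode": 0}},
    {"userPrincipalName": "a.diop@example.com", "createdDateTime": "2026-05-22T08:14:42Z",
     "ipAddress": "198.51.100.77", "location": {"countryOrRegion": "NL"},
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office",
     "deviceDetail": {"isCompliant": False}, "status": {"errorCode": 0}},
    {"userPrincipalName": "k.traore@example.com", "createdDateTime": "2026-05-22T09:30:00Z",
     "ipAddress": "203.0.113.55", "location": {"countryOrRegion": "CI"},
     "authenticationProtocol": "oAuth2", "appDisplayName": "Microsoft Teams",
     "deviceDetail": {"isCompliant": True}, "status": {"errorCode": 0}},
    {"userPrincipalName": "k.traore@example.com", "createdDateTime": "2026-05-22T09:45:00Z",
     "ipAddress": "203.0.113.55", "location": {"countryOrRegion": "CI"},
     "authenticationProtocol": "oAuth2", "appDisplayName": "OneDrive",
     "deviceDetail": {"isCompliant": True}, "status": {"errorCode": 50126}},  # wrong password
]


def _when(record):
    # Graph timestamps end in "Z"; older Pythons need an explicit offset.
    return datetime.fromisoformat(record["createdDateTime"].replace("Z", "+00:00"))


def _succeeded(record):
    return record.get("status", {}).get("errorCode", 0) == 0


def _country(record):
    return record.get("location", {}).get("countryOrRegion", "??")


def _finding(severity, record, rule, detail):
    return {"severity": severity, "user": record["userPrincipalName"],
            "rule": rule, "detail": detail}


def detect(records):
    """Return a list of findings; each has severity, user, rule and detail."""
    findings = []
    successes_by_user = defaultdict(list)
    for r in records:
        # Rule 1: a device code sign-in is worth a look in any tenant that
        # does not use the flow, whether or not it succeeded.
        if r.get("authenticationProtocol") == "deviceCode":
            findings.append(_finding("HIGH", r, "device_code_signin",
                                     f'{r["appDisplayName"]} from {r["ipAddress"]} ({_country(r)})'))
        if not _succeeded(r):
            continue  # failed attempts do not produce a usable token
        # Rule 2: success from an unmanaged device in an unexpected country.
        if not r.get("deviceDetail", {}).get("isCompliant") and _country(r) not in EXPECTED_COUNTRIES:
            findings.append(_finding("MEDIUM", r, "unmanaged_device_unexpected_country",
                                     f'{_country(r)} via {r["ipAddress"]}'))
        successes_by_user[r["userPrincipalName"]].append(r)
    # Rule 3: consecutive successes from different countries within the window.
    for user, recs in successes_by_user.items():
        recs.sort(key=_when)
        for earlier, later in zip(recs, recs[1:]):
            minutes = (_when(later) - _when(earlier)).total_seconds() / 60
            if _country(earlier) != _country(later) and minutes <= TRAVEL_WINDOW_MINUTES:
                findings.append(_finding("HIGH", later, "impossible_travel",
                                         f"{_country(earlier)} then {_country(later)} within {minutes:.0f} min"))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_SIGNINS):
        print(f'{f["severity"]:6} {f["user"]:24} {f["rule"]:36} {f["detail"]}')
```

On the constructed data the first user triggers all three rules while the second user's failed sign-in is ignored; in production, feed the same function the JSON returned by the sign-in log export and route HIGH findings to the session-revocation procedure described further down.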
9. Train your teams
Your employees need to know that:
- An email containing a Microsoft login link is suspicious by default
- An unsolicited "device code" is an active attack
- Multi-factor authentication is not foolproof
What to do if you think you've been compromised
- Immediately revoke all tokens — in Azure AD, force a revocation of all sessions for the affected user
- Change the password of the compromised account
- Check email forwarding rules — attackers often add rules that redirect your emails to their address
- Audit recent activity — check which OneDrive/SharePoint files were accessed or downloaded
- Report the incident — to the FBI (ic3.gov) if you're in the US, or to your national cybersecurity authority
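The forwarding-rule check in the list above is the one step that is easy to get wrong by eye, since a rule named "." at the bottom of a long list is easy to miss. The audit below is an added example, not code from the article or the FBI alert: it runs over constructed inbox rules shaped like the Microsoft Graph messageRule resource (GET /users/{id}/mailFolders/inbox/messageRules; Exchange Online's Get-InboxRule exposes the same actions) and reports every rule that forwards or redirects mail to an address outside the organization's own domains. A rule that also deletes, marks as read or moves the message is marked `hides_trace`, because that keeps the copy out of the owner's sight. The internal domain set and the sample rules are assumptions.

```python
"""Audit Outlook inbox rules for external forwarding after a suspected
account takeover (added example).

Rules are constructed sample data shaped like the Graph messageRule resource.
"""

# Assumption: the organization's own mail domains.
INTERNAL_DOMAINS = {"example.com"}

SAMPLE_RULES = [  # constructed sample data
    {"id": "r1", "displayName": "Newsletters", "isEnabled": True,
     "actions": {"moveToFolder": "folder-id-placeholder"}},
    {"id": "r2", "displayName": ".", "isEnabled": True,
     "actions": {"forwardTo": [{"emailAddress": {"address": "collector@attacker-domain.example"}}],
                 "markAsRead": True, "moveToFolder": "rss-folder-id-placeholder"}},
    {"id": "r3", "displayName": "Copy to deputy", "isEnabled": True,
     "actions": {"forwardTo": [{"emailAddress": {"address": "deputy@example.com"}}]}},
    {"id": "r4", "displayName": "Old redirect", "isEnabled": False,
     "actions": {"redirectTo": [{"emailAddress": {"address": "me@personal-mail.example"}}]}},
]

# messageRuleActions fields that send a copy of the message elsewhere.
FORWARDING_ACTIONS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")
# Actions that keep the forwarded message out of the owner's sight.
HIDING_ACTIONS = ("delete", "markAsRead", "moveToFolder")


def external_recipients(rule, internal_domains=INTERNAL_DOMAINS):
    """Return (action, address) pairs whose domain is not one of ours."""
    out = []
    actions = rule.get("actions", {})
    for action in FORWARDING_ACTIONS:
        for recipient in actions.get(action) or []:
            address = recipient.get("emailAddress", {}).get("address", "").lower()
            domain = address.rsplit("@", 1)[-1] if "@" in address else ""
            if domain not in internal_domains:
                out.append((action, address))
    return out


def audit_rules(rules, internal_domains=INTERNAL_DOMAINS):
    """Report every rule that forwards or redirects outside the organization."""
    findings = []
    for rule in rules:
        ext = external_recipients(rule, internal_domains)
        if not ext:
            continue
        actions = rule.get("actions", {})
        findings.append({
            "rule_id": rule["id"],
            "name": rule.get("displayName", ""),
            # A disabled rule is still evidence worth recording, just lower priority.
            "severity": "HIGH" if rule.get("isEnabled") else "MEDIUM",
            "recipients": ext,
            "hides_trace": any(actions.get(a) for a in HIDING_ACTIONS),
        })
    return findings


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f'{f["severity"]:6} rule {f["rule_id"]} "{f["name"]}" -> {f["recipients"]}'
              f'{"  (hides trace)" if f["hides_trace"] else ""}')
```

Run it against every mailbox touched by the incident, not only the one whose token was stolen, and remove the offending rules before resetting the password and revoking sessions so the attacker cannot re-create them from a still-valid token.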
What this alert tells us
Kali365 marks a turning point in the cyberthreat landscape:
- Phishing is becoming a turnkey service accessible to anyone for $250/month
- Classic multi-factor authentication (SMS, apps) is no longer enough
- Attacks leverage legitimate Microsoft pages, making them nearly undetectable
- AI generates increasingly convincing phishing emails
Cybersecurity is no longer just a technology question — it's a question of human vigilance. A single click can compromise an entire organization.
Conclusion
Kali365 is proof that cybercriminals innovate faster than traditional defenses. But countermeasures exist: Conditional Access, FIDO2 keys, team training, and above all, the reflex to never click on a login link received by email.
Does your organization use Microsoft 365? At Rostel High-Tech, we audit your security configuration and train your teams against emerging threats. Contact us for a diagnostic.
Sources: FBI IC3 — Alert PSA260521 (May 21, 2026), Bleeping Computer, Malwarebytes, The Register, Infosecurity Magazine.