
FBI Warning: Kali365 Is Bypassing MFA and Hijacking Microsoft 365 Accounts — What CT and NY Businesses Need to Do Now

✍️ Eugene Moore · 📅 May 28, 2026 · ⏱ 6 min read · FBI Alert: May 21, 2026

⚠️ FBI Alert — Published May 21, 2026

The FBI's Internet Crime Complaint Center issued an urgent public warning about Kali365 on May 21, 2026. This post was published within 48 hours of that alert. If you use Microsoft 365 for email, files, or collaboration, read this before doing anything else today.

If you use Microsoft 365 for email, file storage, or team collaboration — and your business is in Connecticut or New York — you need to read this now.

On May 21, 2026, the FBI's Internet Crime Complaint Center issued an urgent public warning about a new cyberattack platform called Kali365. It is actively targeting Microsoft Outlook, Teams, and OneDrive accounts across multiple industries. And the reason it's dangerous is that it bypasses the security controls most small businesses rely on — including multi-factor authentication.

What Is Kali365?

Kali365 is a Phishing-as-a-Service (PhaaS) platform. Think of it as cybercrime sold as a subscription — available on Telegram for roughly $250 per month. It gives low-skilled attackers access to:

  • AI-generated phishing emails that are extremely difficult to distinguish from legitimate communications
  • Automated attack templates requiring no technical knowledge to deploy
  • Real-time victim tracking dashboards showing which users have clicked and what was captured
  • OAuth token capture tools that are the core of what makes this attack so dangerous

First detected in April 2026, Kali365 has already been used against organizations in manufacturing, healthcare, financial services, and professional services. The FBI's alert confirms active targeting across multiple sectors.

How the Attack Works

The FBI describes this as "device code phishing." Here's the exact sequence:

  1. The lure. You receive an email impersonating a trusted service — Microsoft, SharePoint, a document-sharing platform. It asks you to visit a legitimate Microsoft page and enter a short device code to complete an action.
  2. The trap. You navigate to a real Microsoft URL. Nothing looks suspicious. The page is genuine. You enter the code.
  3. The token theft. Behind the scenes, the attacker has captured your OAuth access token and refresh token — the credentials that tell Microsoft your session is already authenticated.
  4. The persistence. The attacker now has full access to your Outlook, Teams, and OneDrive. No password needed. No MFA prompt. Ever again — until the token expires or is explicitly revoked.

The reason this attack is so effective is that the Microsoft page you land on is completely real. There is no fake login portal. There is no obviously suspicious URL. Your users have been trained to watch for red flags — but this attack has no red flags. It uses a legitimate Microsoft authentication flow that was designed for smart TVs and printers, and it weaponizes it against humans.

Why MFA Alone Is No Longer a Complete Defense

This is the hard truth, and it's important to state it directly: MFA is still critically important. You should absolutely have it enabled across your Microsoft 365 environment. But Kali365 renders standard MFA irrelevant by attacking the authentication layer above the password — the OAuth token.

Once the token is captured, the attacker has a persistent authenticated session. They don't need your credentials at all. They don't trigger an MFA prompt because as far as Microsoft is concerned, authentication already happened. The attacker's session looks exactly like a legitimate one.

This is a significant shift in the threat landscape. The standard advice — strong password plus MFA — is still good baseline hygiene. It is no longer a complete defense against this class of attack. The defense requires conditional access policies that restrict how authentication can occur, not just that it occurs.

Who Is at Risk

Any business running Microsoft 365 with default tenant settings is potentially exposed. For small and midsize businesses in Fairfield County and Westchester, the risk is particularly acute for three reasons:

  • Default M365 configurations allow device code authentication flow without restriction
  • Most SMBs don't have conditional access policies configured beyond basic MFA enforcement
  • IT oversight is often limited or reactive — active session monitoring isn't happening

The FBI has confirmed targets across manufacturing, healthcare, financial services, and professional services. If your business handles client data, financial information, or sensitive communications — and you're running M365 without hardened conditional access policies — you are in the risk population.

What to Do Right Now — Five Specific Actions

The FBI's recommended mitigations are specific and actionable. At Moore Technology Consulting, we are implementing all of these for managed clients this week.

1. Block device code flow via Conditional Access

Device code authentication is a legitimate Microsoft feature designed for smart TVs, printers, and IoT devices. Most businesses have no legitimate reason to allow it for user sign-ins. Create a Conditional Access policy that blocks device code flow by default, with narrow exceptions only where a specific business process genuinely requires it.

2. Audit existing device code flow usage first

Before you block it, identify whether any legitimate business processes depend on this authentication method. Check your Microsoft Entra sign-in logs for any device code flow authentication events in the past 30 days. Blocking without auditing can lock out legitimate workflows — printers, room booking systems, IoT devices.

3. Block authentication transfer policies

Prevent users from transferring authentication sessions from computers to mobile devices — this is another vector Kali365 exploits. Configure the relevant Conditional Access policies in Microsoft Entra to restrict cross-device session transfers.

4. Review active sessions and authorized devices today

Log in to your Microsoft 365 admin center and review active sessions across your tenant. Look for any devices, sign-in locations, or session timestamps that don't look right. Pay particular attention to sign-ins from unusual geographies or at unusual hours. If you see something suspicious, revoke the session immediately and investigate.

5. Report it if you've been hit

If you suspect your environment has been compromised, file a report with the FBI's Internet Crime Complaint Center at ic3.gov. Include any phishing emails you received, suspicious login timestamps, IP addresses from the sign-in logs, and any unauthorized device activity you identified. This reporting helps the FBI track the campaign and may assist in any future enforcement action.
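As an added example (not code from the FBI alert or from Moore Technology Consulting), the Python below covers actions 1 to 3 together: it builds the Microsoft Graph Conditional Access policy body that blocks device code flow and authentication transfer, and runs the 30-day sign-in log audit over constructed sample records so you can see which workflows the block would affect before enforcing it. It assumes exported sign-in records carry Graph's authenticationProtocol field, and the exception group id is a placeholder.

```python
from datetime import datetime, timedelta, timezone

# Constructed placeholder, not a real Entra object id: the group holding approved
# device code users (printers, room booking systems) and break-glass accounts.
EXCEPTION_GROUP_ID = "00000000-0000-0000-0000-000000000000"
AS_OF = datetime(2026, 5, 28, tzinfo=timezone.utc)  # review date for the stand-alone run

def build_block_policy(exclude_group_ids, state="enabledForReportingButNotEnforced"):
    """Graph conditionalAccessPolicy body: block device code flow and authentication
    transfer for all users except the excluded groups (report-only until enforced)."""
    return {
        "displayName": "Block device code flow and authentication transfer",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": list(exclude_group_ids)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            # authenticationFlows condition: comma-separated flags of the flows to match
            "authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }

def device_code_signins(signins, days=30, now=None):
    """Sign-ins that used device code flow within the window: each is either a
    workflow to approve (add to the exception group) or a session to investigate."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=days)
    hits = []
    for rec in signins:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        when = datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))
        if when >= cutoff:
            hits.append({"user": rec["userPrincipalName"], "app": rec["appDisplayName"],
                         "ip": rec["ipAddress"], "when": rec["createdDateTime"]})
    return hits
# Constructed sample records in the shape of Graph /auditLogs/signIns output.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-05-20T14:02:11Z", "userPrincipalName": "ana@example.com",
     "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.7", "authenticationProtocol": "deviceCode"},
    {"createdDateTime": "2026-05-19T09:15:00Z", "userPrincipalName": "bob@example.com",
     "appDisplayName": "Outlook", "ipAddress": "198.51.100.4", "authenticationProtocol": "oAuth2"},
    {"createdDateTime": "2026-03-01T08:00:00Z", "userPrincipalName": "printer@example.com",
     "appDisplayName": "Universal Print", "ipAddress": "192.0.2.9", "authenticationProtocol": "deviceCode"},
]

if __name__ == "__main__":
    for hit in device_code_signins(SAMPLE_SIGNINS, now=AS_OF):
        print("device code sign-in to review:", hit)
```

Run the audit first, move every legitimate hit into the exception group, then switch the policy state to "enabled".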

What Moore Technology Consulting Is Doing This Week

We manage Microsoft 365 environments for businesses across Fairfield County, CT and Westchester, NY. In response to this FBI alert, we are proactively reviewing tenant configurations for all managed clients this week to confirm that device code flow is restricted and that conditional access policies are in place and correctly scoped.

If you're not a current MTC client and you're not sure whether your M365 environment is exposed — the honest answer is that it almost certainly has default settings that leave this attack vector open. Default M365 configurations are not hardened configurations. The gap between "we have Microsoft 365" and "our Microsoft 365 is properly secured" is where Kali365 operates.

Free M365 Security Review — This Week Only

We're offering a no-cost Microsoft 365 security configuration review for businesses in CT and NY this week in response to this FBI alert. We'll check your conditional access policies, device code flow settings, active sessions, and OAuth app grants — and tell you exactly what needs to close.

To request your review: schedule a free consultation or call (646) 791-2137.
