The unsettling part is that the victim does everything right. The email looks like a document share. The page they land on is the real Microsoft sign-in page, the genuine address, the correct padlock. They read a short code, they type it where they are told, and in that single obedient moment they hand a stranger a working key to their inbox. No password changes hands. No second-factor prompt fails. A grift that used to need a forged door now talks the mark into opening their own vault.

That is the trick the FBI named on 21 May 2026, in a public service announcement through its Internet Crime Complaint Center, the IC3. The platform behind it is called Kali365, a phishing-as-a-service kit first flagged by the bureau in April 2026 and sold largely through Telegram, and its selling point is the line every security team now dreads: it captures Microsoft 365 access tokens and walks past multi-factor authentication while leaving the password untouched.

Key Takeaways

Kali365 is a phishing-as-a-service platform, distributed via Telegram, that hijacks Microsoft 365 accounts by abusing the legitimate OAuth 2.0 device-code login flow — capturing access tokens and bypassing MFA, with the password left out of it.
The FBI warned about it in an IC3 public service announcement on 21 May 2026; the victim is tricked into entering a code on a genuine Microsoft page, which is what makes it hard to recognise.
For roughly $250 a month it hands non-technical criminals AI-generated lures, automated campaigns, victim-tracking dashboards and token capture; researchers logged hundreds of attacks across North America and Europe.
The operators announced an immediate shutdown minutes after the FBI advisory — which security firm SpyCloud reads as theatre rather than a genuine exit.
The deeper shift: attackers are stealing post-login tokens rather than passwords, which is why MFA alone now falls short — and one Microsoft Entra Conditional Access setting closes most of the door.

How does Kali365 break in without a password?

It abuses a convenience feature, which is what makes it slippery. Microsoft's device-code flow exists for gadgets with awkward inputs — smart TVs, printers, conference-room systems, the streaming stick in your living room. You have used it yourself: sign into Netflix on a television, and it shows a short code to type into a web page on your phone, linking the two. Kali365 runs the same play with a stolen target. The mark receives an email dressed as a trusted cloud or document-sharing service, carrying a device code and a polite instruction to verify it at a Microsoft page. They go to the authentic page, enter the code, and authorise an attacker's device to their account — and security firm SpyCloud reports the kit then pairs that move with adversary-in-the-middle theft of the OAuth refresh tokens and session cookies, so the access sticks. From there the intruder reads Outlook, sits in Teams, browses OneDrive. The con works precisely because the door is real. The inside man is the victim's own trust in a genuine Microsoft form.

Crime, sold by the month

What turns a clever technique into a public-safety warning is the shop front. Kali365's pitch is the burglar's toolkit, rented by anyone, no apprenticeship required. The FBI said the platform "lowers the barrier of entry," handing less-technical attackers AI-generated phishing lures, automated campaign templates, real-time dashboards for tracking individual targets, and the token-capture capability itself. SpyCloud's teardown fills in the rest of the kit on the workbench: around a dozen landing-page templates, a desktop "token browser" built for one-click inbox takeover, a "ghost mode" that suppresses the victim's security alerts, a contact harvester, and a keyword engine tuned to sniff out invoices and payment threads for business-email fraud. The going rate, per Bitdefender, ran near $250 a month or $2,000 a year.
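To make the device-code mechanism described above concrete, here is a toy model of the OAuth 2.0 device authorization grant (RFC 8628). It is an added illustration written for this article, not code from Microsoft, the FBI, SpyCloud or any kit; the in-memory authorization server, its verification URI, the code formats and the policy hook are all constructed for the example. It shows the two properties that matter for defenders: the token is issued to whichever client holds the device_code, and the page where the user types the code tells them nothing about that client, so MFA completed in the browser does not change who receives the token. It also shows what the Conditional Access control the article names amounts to in protocol terms: when the flow is blocked for an ordinary account at sign-in, the grant is never approved and the polling client stays stuck on authorization_pending until the code expires.

```python
"""Toy model of the OAuth 2.0 device authorization grant (RFC 8628).

Added illustration, not code from Microsoft, the FBI, SpyCloud or any kit.
The authorization server is an in-memory stand-in: endpoint names follow
the RFC, the verification URI, codes and policy hook are constructed.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class PendingGrant:
    client_id: str                      # the client that STARTED the flow and will poll for the token
    user_code: str                      # the short code a human is asked to type
    expires_at: float
    approved_by: Optional[str] = None   # user who entered the code, once someone has
    mfa_passed: bool = False


class AuthServer:
    """In-memory authorization server. `blocked_users` stands in for a
    Conditional Access rule that blocks the device-code flow for ordinary
    accounts; like the real control it is evaluated when the user signs in."""

    def __init__(self, blocked_users=(), lifetime_seconds=900):
        self.by_device_code = {}
        self.by_user_code = {}
        self.blocked_users = {u.lower() for u in blocked_users}
        self.lifetime = lifetime_seconds

    def device_authorization(self, client_id):
        """RFC 8628 sections 3.1-3.2: a client asks for a (device_code, user_code) pair."""
        device_code = secrets.token_urlsafe(32)
        user_code = secrets.token_hex(2).upper() + "-" + secrets.token_hex(2).upper()  # e.g. 3F2A-9C1B
        self.by_device_code[device_code] = PendingGrant(client_id, user_code, time.time() + self.lifetime)
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example.test/device"}  # constructed URI

    def user_enters_code(self, user, user_code, mfa_passed):
        """RFC 8628 section 3.3: the user types the code on the genuine sign-in page.
        Note what is absent: nothing here shows the user WHICH client started the flow."""
        device_code = self.by_user_code.get(user_code)
        if device_code is None:
            return "unknown_code"
        if user.lower() in self.blocked_users:
            return "blocked_by_policy"        # the grant stays unapproved
        grant = self.by_device_code[device_code]
        grant.approved_by, grant.mfa_passed = user.lower(), mfa_passed
        return "approved"

    def token(self, client_id, device_code):
        """RFC 8628 sections 3.4-3.5: the holder of device_code polls for the token."""
        grant = self.by_device_code.get(device_code)
        if grant is None or grant.client_id != client_id:
            return {"error": "invalid_grant"}   # tokens only go to the client that started the flow
        if time.time() > grant.expires_at:
            return {"error": "expired_token"}
        if grant.approved_by is None:
            return {"error": "authorization_pending"}
        if not grant.mfa_passed:
            return {"error": "access_denied"}   # toy stand-in for a per-user MFA requirement
        return {"access_token": "tok-" + secrets.token_hex(8),
                "sub": grant.approved_by, "client_id": client_id}


def run_flow(server, initiating_client, user, mfa_passed=True):
    """One complete grant: a client starts the flow, the user enters the code
    on the server's own page, the client polls once for the result."""
    pair = server.device_authorization(initiating_client)
    server.user_enters_code(user, pair["user_code"], mfa_passed)
    return server.token(initiating_client, pair["device_code"])


if __name__ == "__main__":
    print(run_flow(AuthServer(), "tv-app", "alice@example.test"))
    print(run_flow(AuthServer(blocked_users={"alice@example.test"}), "tv-app", "alice@example.test"))
```

The first call in the usage section returns a token for `tv-app` even though `alice` never saw the string `tv-app`; the second returns `authorization_pending` because the policy refused the grant at her sign-in, which is exactly the effect the Entra control has on an account it covers.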
For the price of a mid-tier software subscription, a stranger gets a master key cut to fit eight million companies' front doors — and it was no abstraction, with researchers documenting hundreds of Kali365 jobs in April alone, across North America and Europe.

The shutdown that reads as theatre

Then came the vanishing act, and it deserves a raised eyebrow. Minutes after reposting the FBI's own advisory into its Telegram channel on 21 May, Kali365's operators announced they would close the website and discontinue operations effective immediately. A crew that reposts the police notice and then declares itself retired in the same breath is not a crew that has found religion. SpyCloud calls it what it resembles — takedown theatre, a curtain drawn so the same act can reopen under a new name. The timeline gives the lie a second wobble: SpyCloud traces branded Kali365 activity to 15 February 2026, roughly six weeks before the bureau's stated April debut, which means the operation ran quietly for longer than the official record shows. Treat the death notice as a costume, until the silence proves real.

A strain that learned to dodge the vaccine

Step back from the brand and the pattern is the actual story, because this technique has been spreading for more than a year. Device-code phishing first surfaced at scale with a suspected Russia-aligned actor Microsoft tracks as Storm-2372, which from around August 2024 used the method against government ministries, diplomatic missions, defence contractors, energy and telecom infrastructure, hospitals and universities across several continents, coaxing targets through fake Teams invitations. Call that the index case. The mutation came in 2026. A March coalition led by Microsoft and Europol took down Tycoon 2FA, the dominant phishing kit, and within weeks security firm eSentire watched its operators evolve into device-code phishing — the strain finding a new host the moment the old one was treated.
MFA was the vaccine the whole industry rolled out against password theft, and it worked against that infection. This strain evades it by skipping the password entirely and lifting the session token that sits behind the login, the very thing MFA was meant to protect. The hard diagnosis for any security team is that MFA has become necessary and, on its own, insufficient.

What actually stops it?

One configuration setting does most of the work, and it is closer to an inoculation than a cure-chase. Microsoft Entra Conditional Access carries an Authentication Flows condition that blocks the device-code flow for ordinary users, allowing it only where a printer or a conference system genuinely needs it — and security analysts are blunt that this single control eliminates the attack class for the accounts it covers. Around it sit the booster shots: restricting OAuth app consent to admin-approved, verified publishers so the consent prompt cannot complete; turning on Continuous Access Evaluation so a revoked token dies in near real time rather than lingering; and device-compliance rules that lock access to enrolled machines, which an attacker's device will plainly fail. If a compromise is suspected, the response is to revoke the account's refresh tokens at once, strip out any freshly registered device, audit the inbox for sneaky forwarding rules, and force a fresh sign-in. The FBI's advice to ordinary users is simpler still: distrust any unrequested message bearing an access code, decline to enter codes you did not ask for, and report suspicious mail or unfamiliar device logins to the IC3. Chasing each new kit is treating symptoms. The Conditional Access policy is the jab.

India's risk rides on Microsoft 365's reach

For an Indian reader the honest framing is exposure rather than a body count. The documented Kali365 attacks clustered in North America and Europe, and no India-specific victim tally has surfaced, so the right note to strike is caution, not alarm.
The trouble is reach. Microsoft 365 is woven through Indian enterprises, state departments and the small-business base that runs on Outlook and Teams, and the device-code flow behaves identically in Mumbai and Munich, which means an Indian IT desk is defending against the same gap with the same Entra Conditional Access switch. The phishing email will arrive in regional dress — a fake GST document, a courier notice, a bank verification — yet the mechanism underneath stays the same, and so does the fix. The teams that have already turned off the device-code flow for ordinary users have little to fear here. The ones that have left it on for convenience are carrying a door they have stopped watching.

Strip away the launch and the staged shutdown, and two durable facts remain. The name Kali365 may already be mid-rebrand, so guarding against a single brand is the wrong battle; the lasting shift is that token theft is now a commodity sold by subscription, and that the wall the industry spent a decade building — multi-factor authentication — has a side gate the attacker can talk you into opening. Watch for the same kit to surface under fresh branding, the way Tycoon 2FA's operators simply moved house. And watch whether Microsoft tightens the device-code flow by default, because the most permanent fix for a feature this easily abused sits with the platform that ships it, not with each employee asked, one more time, to spot a perfect forgery that happens to be real.

Frequently asked questions

What is Kali365?

Kali365 is a phishing-as-a-service platform, sold mainly through Telegram, that hijacks Microsoft 365 accounts. The FBI warned about it in an Internet Crime Complaint Center advisory on 21 May 2026.
It abuses the legitimate OAuth 2.0 device-code login flow to capture access tokens and bypass multi-factor authentication, with the victim's password left out of the process.

How does the Kali365 attack trick people?

The victim gets an email posing as a trusted cloud or document service, with a code and instructions to verify it on a Microsoft page. Because the page is the genuine Microsoft sign-in page rather than a fake, the request looks safe — but entering the code authorises an attacker's device to the account. It is the same device-code mechanism you use to sign a smart TV into a streaming app.

Does multi-factor authentication stop Kali365?

On its own, MFA falls short here, because the attack steals the session token that sits behind a successful login rather than the password or the MFA code. The reliable defence is to block the device-code flow for ordinary users through Microsoft Entra Conditional Access, which removes the mechanism the attack depends on.

Has Kali365 actually shut down?

The operators announced an immediate shutdown minutes after the FBI advisory, but security firm SpyCloud treats that as theatre rather than a genuine exit, noting the kit may resurface under a new name. SpyCloud also traced Kali365 branding to mid-February 2026, earlier than the FBI's stated April first sighting, so the claim of a clean closure stays unverified.

Is Kali365 a threat in India?

No India-specific victim data has been reported — the documented attacks were in North America and Europe — but the exposure is high because Microsoft 365 is widely used across Indian organisations, and the device-code technique works the same everywhere. Indian IT teams defend against it with the same Conditional Access controls, and individual users with the same caution toward unrequested verification codes.
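The defensive steps the article lists under "What actually stops it?" and in the MFA answer above (block the device-code flow for ordinary users, audit device-code sign-ins, check the inbox for forwarding rules) can be turned into checks a tenant administrator can actually run. The script below is an added example written for this article, not code from Microsoft, the FBI or any vendor cited here. The record shapes follow the Microsoft Graph `signIn`, `messageRule` and `conditionalAccessPolicy` resources as the author of this example recalls them (`authenticationProtocol`, `status.errorCode`, `actions.forwardTo`, `conditions.authenticationFlows.transferMethods`); confirm the field names against the Graph documentation before relying on them. Every log record, mailbox rule, address and group id in it is constructed sample data.

```python
"""Defender-side checks for device-code abuse in a Microsoft 365 tenant.

Added example, not code from Microsoft, the FBI or any vendor in the article.
Record shapes follow the Microsoft Graph `signIn`, `messageRule` and
`conditionalAccessPolicy` resources as recalled by the example's author;
verify field names against the Graph documentation. All data is constructed.
"""
import json

# Constructed sign-in log records: a legitimate device-code sign-in by a
# meeting-room service account, an ordinary interactive sign-in, and a
# device-code sign-in by a normal user from a non-compliant device.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-05-21T08:02:11Z", "userPrincipalName": "room-42@example.test",
     "appDisplayName": "Meeting Room Console", "authenticationProtocol": "deviceCode",
     "ipAddress": "10.20.30.40", "status": {"errorCode": 0}, "deviceDetail": {"isCompliant": True}},
    {"createdDateTime": "2026-05-21T08:05:43Z", "userPrincipalName": "alice@example.test",
     "appDisplayName": "Office 365 Exchange Online", "authenticationProtocol": "oAuth2",
     "ipAddress": "10.20.30.41", "status": {"errorCode": 0}, "deviceDetail": {"isCompliant": True}},
    {"createdDateTime": "2026-05-21T09:17:05Z", "userPrincipalName": "alice@example.test",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.23", "status": {"errorCode": 0}, "deviceDetail": {"isCompliant": False}},
]

# Accounts that legitimately use the device-code flow (printers, room systems). Constructed.
DEVICE_CODE_ALLOWLIST = {"room-42@example.test"}


def flag_device_code_signins(records, allowlist=DEVICE_CODE_ALLOWLIST):
    """Return successful device-code sign-ins by accounts outside the allowlist.
    These are the sign-ins to review and, if unexplained, to revoke."""
    hits = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        if r.get("status", {}).get("errorCode", 1) != 0:
            continue  # failed attempts are noise for this check
        upn = r["userPrincipalName"].lower()
        if upn in allowlist:
            continue
        hits.append({"user": upn, "ip": r.get("ipAddress"), "app": r.get("appDisplayName"),
                     "compliant_device": r.get("deviceDetail", {}).get("isCompliant", False),
                     "when": r["createdDateTime"]})
    return hits


# Constructed mailbox rules in the shape of Graph `messageRule` objects. The second
# one is the classic post-compromise rule: forward everything out and delete it.
SAMPLE_RULES = [
    {"displayName": "Archive newsletters", "isEnabled": True, "actions": {"moveToFolder": "Archive"}},
    {"displayName": ".", "isEnabled": True,
     "actions": {"forwardTo": [{"emailAddress": {"address": "drop@mail.example.net"}}], "delete": True}},
]


def external_forwarding_rules(rules, internal_domain):
    """Find enabled rules that forward or redirect mail outside the tenant's domain."""
    suffix = "@" + internal_domain.lower()
    found = []
    for rule in rules:
        if not rule.get("isEnabled", False):
            continue
        actions = rule.get("actions", {})
        targets = actions.get("forwardTo", []) + actions.get("redirectTo", [])
        external = [t["emailAddress"]["address"] for t in targets
                    if not t["emailAddress"]["address"].lower().endswith(suffix)]
        if external:
            found.append({"rule": rule["displayName"], "targets": external,
                          "deletes_original": bool(actions.get("delete"))})
    return found


def device_code_block_policy(exclude_group_id):
    """Conditional Access policy (Graph `conditionalAccessPolicy` shape) that blocks the
    device-code flow for everyone except one group holding the approved device accounts."""
    return {
        "displayName": "Block device code flow except approved devices",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": [exclude_group_id]},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    print(json.dumps(flag_device_code_signins(SAMPLE_SIGNINS), indent=2))
    print(json.dumps(external_forwarding_rules(SAMPLE_RULES, "example.test"), indent=2))
    print(json.dumps(device_code_block_policy("<approved-devices-group-id>"), indent=2))
```

Run against the constructed data, the first check surfaces only Alice's device-code sign-in from the non-compliant device at 198.51.100.23, the second surfaces the unnamed rule that forwards to an outside address and deletes the original, and the third prints the policy to create (with the placeholder group id replaced by the real one) so that the flow stays available to the room system and nobody else.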