
FBI Issues Urgent Warning About the Kali365 Scam – What Every Business and User Needs to Know
At Star Computer Services, we’re committed to keeping our clients informed about the latest cyber threats so you can stay one step ahead of cybercriminals. Recently, the FBI released a public service announcement highlighting a sophisticated new phishing tool called Kali365. This Phishing-as-a-Service (PhaaS) kit is making it easier than ever for even novice attackers to breach Microsoft 365 accounts.
If you use Outlook, Teams, OneDrive, or any other Microsoft 365 service, this alert is for you. Here’s everything you need to know about the Kali365 scam, why it’s so dangerous, and practical steps to protect yourself and your business.
What Exactly Is the Kali365 Scam?
Kali365 is a subscription-based cyberattack kit that first appeared in April 2026. It’s sold and promoted mainly through Telegram channels, giving less-experienced hackers access to powerful tools like AI-generated phishing emails, ready-made campaign templates, real-time victim tracking dashboards, and automated token capture features.
Unlike traditional phishing attacks that try to steal your password on a fake login page, Kali365 uses a smarter, more deceptive method called device code phishing (also known as OAuth device code flow abuse).
Here’s how the scheme typically works:
- The Lure: You receive a convincing email that appears to come from a trusted cloud service or document-sharing platform. It might claim a shared file is waiting for you or that urgent verification is needed.
- The Device Code: The email includes a short code and directs you to a genuine Microsoft device login page.
- The Trap: When you enter the code on the real Microsoft page and complete the sign-in (including any MFA prompt), you are actually approving a sign-in the attacker started, so the attacker's device is authorized to access your account.
- Token Theft: The attacker receives OAuth access and refresh tokens for your account. Because the refresh token lets them keep renewing access silently, these tokens act like a digital “master key” to your Microsoft 365 environment.
The result? The attacker gains persistent access to your emails, files, chats, and other data — without ever knowing your password or needing to complete multi-factor authentication (MFA) prompts again.
How Dangerous Is Kali365? Real-World Impact
This scam is particularly insidious because it bypasses one of the strongest defenses many organizations rely on: MFA. Even if you’ve trained your team never to enter passwords on suspicious sites, this attack feels safe because it uses Microsoft’s own pages.
Potential consequences include:
- Theft of sensitive business data, client information, or intellectual property
- Email account takeover for further phishing or business email compromise (BEC) attacks
- Access to OneDrive and SharePoint for ransomware deployment or data exfiltration
- Identity theft and financial fraud using compromised accounts
- Lateral movement within company networks, leading to widespread breaches
The FBI notes that Kali365 lowers the barrier for cybercriminals, meaning more attacks from a wider range of threat actors. Organizations in manufacturing, education, government, healthcare, and finance have already been targeted.
Once attackers have those tokens, they can stay inside your accounts for an extended period, quietly stealing data or preparing larger attacks.
FBI Recommendations: How to Protect Yourself and Your Business
The good news is that there are effective ways to defend against this threat. The FBI and Microsoft emphasize proactive configuration changes over just user awareness.
Key protections recommended by the FBI:
- Block or restrict device code flow: Create Conditional Access policies in Microsoft Entra ID (formerly Azure AD) that block the device code flow for most users. Allow it only for the specific accounts or apps that genuinely need it.
- Audit before you block: Review the Entra sign-in logs (filtered by authentication protocol) to see which users and applications currently rely on device code flow, so the policy doesn't disrupt essential processes.
- Prevent authentication transfers: Use Conditional Access to block authentication transfer, the flow that moves a signed-in session from a computer to a mobile device (for example, by scanning a QR code in a Microsoft app), since it can be abused in the same way.
- For organizations that can't fully disable it: Exclude your emergency access (“break-glass”) accounts from the blocking policy, and test the policy in report-only mode first, so a misconfiguration can't lock administrators out.
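The audit-then-block sequence above as an added Microsoft Graph PowerShell example; this is not code from the FBI announcement or from Star Computer Services. It assumes the Microsoft.Graph PowerShell SDK is installed, the signed-in admin holds the listed Graph permissions, and the emergency access object ID is a placeholder you replace with your own.

```powershell
# Added example: audit device code sign-ins, then create a report-only
# Conditional Access policy that blocks device code flow and authentication
# transfer for everyone except the emergency access accounts.
Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All","Policy.ReadWrite.ConditionalAccess"

# --- Step 1: audit before you block ---
# Pull the last 30 days of sign-ins and keep those that used device code flow.
# Date filtering is done server-side; the protocol check is done client-side
# using the AuthenticationProtocol property of the Graph signIn resource.
$since = (Get-Date).AddDays(-30).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$deviceCodeSignIns = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since" |
    Where-Object { $_.AuthenticationProtocol -eq 'deviceCode' }

# Summarise which users and apps rely on the flow so legitimate uses can be
# carved out before the block is enforced.
$deviceCodeSignIns |
    Group-Object UserPrincipalName, AppDisplayName |
    Select-Object Count, Name |
    Sort-Object Count -Descending |
    Format-Table -AutoSize

# --- Step 2: block the flow, excluding break-glass accounts ---
$breakGlassIds = @("00000000-0000-0000-0000-000000000000")   # placeholder object ID(s)
$policy = @{
    displayName = "Block device code flow and authentication transfer"
    # Report-only first; change to "enabled" once the sign-in log review is clean.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @("All")
            excludeUsers = $breakGlassIds
        }
        applications = @{ includeApplications = @("All") }
        authenticationFlows = @{
            # Both transfer methods called out in the FBI guidance
            transferMethods = "deviceCodeFlow,authenticationTransfer"
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

In a large tenant, narrow the date window or the audit query will page through a lot of sign-ins; review the report-only results in the Entra sign-in logs before switching the policy state to enabled.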
Additional best practices from Star Computer Services:
- Enable and enforce strong MFA methods (like authenticator apps or hardware keys) everywhere possible.
- Train employees to be skeptical of unexpected “verification” requests, even on official-looking Microsoft pages. When in doubt, verify directly through the official app or portal instead of clicking email links.
- Monitor accounts for unusual sign-in activity, such as device code sign-ins, logins from unfamiliar locations, or newly authorized devices and applications.
- Keep software updated and use advanced threat protection tools like Microsoft Defender.
- Report suspicious emails and incidents promptly to your IT team.
Regular security audits and professional managed IT services can help ensure these policies are correctly implemented without affecting productivity.
Stay Vigilant – Partner with Experts
The rapid evolution of tools like Kali365 shows why cybersecurity is an ongoing process, not a one-time setup. At Star Computer Services, we help businesses implement robust Microsoft 365 security configurations, conduct employee training, and provide 24/7 monitoring to catch threats early.
If you suspect your account may have been compromised or want a free security assessment of your Microsoft 365 environment, don’t hesitate to reach out to our team. We’re here to help you navigate these threats with confidence.
Stay safe online,
The Star Computer Services Team

