The most effective phishing attack of the moment does not ask for your password. It asks you to sign in normally, on the genuine Microsoft page, and to complete your multi-factor authentication exactly as you always do. You do everything right. The attacker walks away with a working key to your mailbox anyway.
That is the trick behind Kali365, a phishing kit the FBI flagged on May 21, 2026. It matters because it steps around the one defense most organizations spent the last five years rolling out, and it does so by folding that defense into the attack.
Kali365 is a phishing-as-a-service platform (PhaaS, a subscription product that rents ready-made phishing tools to criminals who could not build them on their own). It surfaced in April 2026, sells mainly through Telegram for around 250 dollars a month, and bundles AI-generated lure emails, campaign templates, and a live dashboard that tracks which targets have taken the bait. Researchers logged hundreds of Kali365 attacks in April across North America and Europe.
The mechanism is what makes it dangerous. Kali365 abuses a legitimate Microsoft feature called device code authentication, the login flow built for gadgets that have no keyboard, such as a smart TV or a command-line tool. The attacker starts a real device-code sign-in with Microsoft and receives a genuine code. They email that code to the victim, dressed as a document-sharing or productivity alert, with instructions to open the real Microsoft verification page and type the code in. The victim does, completing their own password and MFA (multi-factor authentication, the second login step such as a code from a phone) on Microsoft's actual site. By entering the code, they authorize the attacker's device. Microsoft hands back OAuth tokens (the access and refresh tokens that prove an app is allowed into an account), and the attacker now reaches Outlook, Teams, and OneDrive with no password and no further prompts. The FBI lays out the full chain in its public advisory.
The damage is plain and already widespread: persistent access to corporate email and files at hundreds of organizations, available to anyone with 250 dollars and a Telegram account. The sharper point for your team is that MFA, the control you trained everyone to lean on, does nothing against this attack. Kali365 does not steal a password and replay it. It steals the session that exists after a correct login, so the attacker inherits a connection that is already authenticated. If your security awareness training still tells staff to watch for a suspicious link or a fake login box, it is guarding a door the attacker no longer uses. The shift worth taking into a planning meeting is that attackers have moved their aim from credentials to tokens. A password can be reset and an MFA factor re-enrolled, but a live token silently grants the access both were meant to protect, and most defenses are still pointed at the password.
Kali365 is a signal that the target has moved. For years the prize was your password, and MFA was the answer. This kit ignores both, letting you authenticate perfectly and then taking the token your authentication produces. Any defense that assumes a breach begins with a stolen credential will look straight past it. Bring one question to your next security review. If an employee signed in correctly today and an attacker still walked off with persistent access to their mailbox, would anything in your monitoring even notice?
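One concrete answer to that last question is to alert on the protocol rather than the outcome: a device-code sign-in that succeeded, with MFA satisfied, from an address or application the tenant does not normally use. The script below is an added example, not code from the FBI advisory or from any vendor; it runs constructed, simplified sign-in records whose field names (`authenticationProtocol`, `ipAddress`, `appDisplayName`, a numeric `status`) are assumptions modelled loosely on Microsoft Entra sign-in log properties, and the corporate address range and expected apps are hypothetical.

```python
"""Flag device-code sign-ins in constructed, Entra-style sign-in records."""
import json

# Constructed sample records (not real log data). Field names are an
# assumption for this example, simplified from the Entra sign-in log shape.
SAMPLE_LOG = """
{"user": "alice@example.com", "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10", "appDisplayName": "Outlook", "status": 0, "createdDateTime": "2026-05-21T09:00:00Z"}
{"user": "alice@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7", "appDisplayName": "Microsoft Office", "status": 0, "createdDateTime": "2026-05-21T09:14:00Z"}
{"user": "bob@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.22", "appDisplayName": "Azure CLI", "status": 0, "createdDateTime": "2026-05-21T10:02:00Z"}
{"user": "carol@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.9", "appDisplayName": "Microsoft Office", "status": 50126, "createdDateTime": "2026-05-21T11:30:00Z"}
"""

# Hypothetical tenant baseline: the only app expected to use device code
# flow is CLI tooling, and only from the corporate address range.
EXPECTED_DEVICE_CODE_APPS = {"Azure CLI"}
CORPORATE_PREFIXES = ("203.0.113.",)


def parse_records(text):
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def classify(rec):
    """Return a severity label for one record, or None if it is unremarkable."""
    if rec.get("authenticationProtocol") != "deviceCode":
        return None  # the kit's whole trick is this flow; other protocols are out of scope here
    if rec.get("status") != 0:
        return None  # failed attempt: no token was issued, so no session to inherit
    corporate = rec["ipAddress"].startswith(CORPORATE_PREFIXES)
    expected_app = rec["appDisplayName"] in EXPECTED_DEVICE_CODE_APPS
    if expected_app and corporate:
        return "info: expected device-code use"
    if not corporate:
        return "high: successful device-code sign-in from outside corporate ranges"
    return "medium: device-code sign-in by an app not expected to use it"


def find_device_code_signins(text):
    """Map each user to the list of (time, app, label) findings raised against them."""
    findings = {}
    for rec in parse_records(text):
        label = classify(rec)
        if label:
            findings.setdefault(rec["user"], []).append(
                (rec["createdDateTime"], rec["appDisplayName"], label))
    return findings


if __name__ == "__main__":
    for user, items in find_device_code_signins(SAMPLE_LOG).items():
        for when, app, label in items:
            print(f"{when} {user} {app}: {label}")
```

Note that alice's record is a fully successful, MFA-backed login; nothing about the password or second factor is wrong, which is exactly why a rule keyed on failed logins or suspicious URLs would never see it.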