Kali365: The Phishing Kit That Makes MFA Irrelevant

Kali365 overview:

  • Kali365 bypasses MFA by stealing OAuth tokens, not passwords.
  • Device code phishing is now available to any low-skilled attacker.
  • DMARC at p=reject blocks direct domain spoofing before the lure reaches the inbox.
  • MFA alone is no longer sufficient protection against phishing.
  • Static security configurations can’t keep pace with evolving threats.

The FBI has issued a formal warning about a phishing-as-a-service (PhaaS) platform called Kali365. First observed in April 2026, it targets Microsoft 365 accounts, bypasses MFA, and is available to cybercriminals for as little as $250 per month.

That means any low-skilled attacker can run a sophisticated phishing campaign against your organization.

How Kali365 Works

Kali365 doesn’t steal passwords. It steals something more valuable: OAuth access tokens.

The attack follows four steps:

  1. Lure – The attacker first starts a device code flow against Microsoft's device authorization endpoint, which hands back a short user code. An employee then receives a phishing email impersonating a trusted cloud productivity or document-sharing service; it carries that code and instructions to enter it on a legitimate Microsoft verification page.
  2. Authorization – The employee navigates to the real Microsoft page, enters the code, and completes sign-in, MFA included. That approves the pending request, unknowingly granting the attacker's client access to their account.
  3. Token theft – The attacker, polling the token endpoint with the matching device code, receives OAuth access and refresh tokens tied to the employee's Microsoft 365 account.
  4. Persistence – With valid tokens, the attacker accesses Outlook, Teams, and OneDrive without a password or any additional MFA challenges, and redeems the refresh token for new access tokens until it is revoked.

This technique is called device code phishing. It exploits the OAuth 2.0 device authorization grant (RFC 8628), a legitimate Microsoft sign-in flow intended for input-constrained devices such as TVs and CLI tools, turning a real authentication feature into an attack vector.

The result is that MFA enforcement, password managers, and credential monitoring all fail to prevent access. The victim completes authentication, MFA included, on a genuine Microsoft page; the tokens are then issued to whichever client started the flow, which is the attacker's, and nothing binds them to the browser that performed the verification.
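To make the four steps concrete, here is a minimal model of the device authorization grant with both sides' messages, added as an example (it is neither Kali365 code nor Microsoft's implementation). The identity provider, endpoint names, code lifetime and token formats are assumptions chosen to mirror RFC 8628; the point it demonstrates is that the token endpoint checks only who holds the device code, never who typed the user code.

```python
"""
Minimal model of the OAuth 2.0 device authorization grant (RFC 8628), written
to show why a device code phishing lure defeats MFA. Added example, not
Kali365 code and not Microsoft's implementation; endpoint names, lifetimes
and token formats are assumptions that mirror the standard.
"""
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

USER_CODE_LIFETIME = 15 * 60  # seconds; assumption, typical of real deployments


@dataclass
class PendingGrant:
    client_id: str
    scope: str
    expires_at: float
    user: Optional[str] = None  # set once a human completes verification


@dataclass
class AuthServer:
    """Stand-in for the identity provider. Everything it does is legitimate."""
    pending: Dict[str, PendingGrant] = field(default_factory=dict)  # device_code -> grant
    user_codes: Dict[str, str] = field(default_factory=dict)        # user_code -> device_code
    refresh_tokens: Dict[str, str] = field(default_factory=dict)    # refresh_token -> user

    def device_authorization(self, client_id: str, scope: str) -> dict:
        """Step 1 (client side): anyone can ask for a code; no user is involved yet."""
        device_code = secrets.token_urlsafe(32)
        user_code = "-".join(secrets.token_hex(2).upper() for _ in range(2))  # e.g. 3F9A-C21B
        self.pending[device_code] = PendingGrant(client_id, scope, time.time() + USER_CODE_LIFETIME)
        self.user_codes[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://idp.example/devicelogin",
                "expires_in": USER_CODE_LIFETIME}

    def verify_user_code(self, user_code: str, user: str, mfa_passed: bool) -> str:
        """Step 2 (browser side): the victim types the code on the real login page and
        completes MFA. Note what is NOT checked: which client started the flow."""
        device_code = self.user_codes.get(user_code)
        if device_code is None:
            return "invalid_code"
        grant = self.pending[device_code]
        if time.time() > grant.expires_at:
            return "expired_code"
        if not mfa_passed:
            return "mfa_required"
        grant.user = user  # the grant is now bound to the victim's identity
        return "ok"

    def token(self, device_code: str) -> dict:
        """Step 3 (client side): the holder of device_code polls until the user has approved."""
        grant = self.pending.get(device_code)
        if grant is None:
            return {"error": "invalid_grant"}
        if time.time() > grant.expires_at:
            return {"error": "expired_token"}
        if grant.user is None:
            return {"error": "authorization_pending"}
        refresh = secrets.token_urlsafe(32)
        self.refresh_tokens[refresh] = grant.user
        del self.pending[device_code]
        return {"access_token": f"at:{grant.user}:{grant.scope}", "refresh_token": refresh,
                "token_type": "Bearer", "expires_in": 3600}

    def refresh(self, refresh_token: str) -> dict:
        """Step 4: refresh tokens are redeemed with no MFA prompt until revoked."""
        user = self.refresh_tokens.get(refresh_token)
        if user is None:
            return {"error": "invalid_grant"}
        return {"access_token": f"at:{user}:refreshed", "token_type": "Bearer", "expires_in": 3600}

    def revoke_user(self, user: str) -> int:
        """Incident response: drop every refresh token for the user. Access tokens
        already issued stay valid until they expire."""
        doomed = [rt for rt, u in self.refresh_tokens.items() if u == user]
        for rt in doomed:
            del self.refresh_tokens[rt]
        return len(doomed)


def run_device_code_phish(idp: AuthServer, victim: str = "alice@victim.example") -> dict:
    """Walk the flow end to end from the attacker's side and return what they end up with."""
    # Attacker requests a code for a client of their choosing; the lure carries only user_code.
    start = idp.device_authorization(client_id="attacker-controlled-client",
                                     scope="Mail.Read Files.Read")
    first_poll = idp.token(start["device_code"])  # nothing yet: the victim has not acted
    # Victim follows the lure to the genuine verification page, enters the code, passes MFA.
    outcome = idp.verify_user_code(start["user_code"], victim, mfa_passed=True)
    # Attacker's next poll receives tokens minted for the victim.
    tokens = idp.token(start["device_code"])
    renewed = idp.refresh(tokens["refresh_token"])
    return {"first_poll": first_poll, "verify_outcome": outcome,
            "access_token": tokens["access_token"], "refresh_token": tokens["refresh_token"],
            "renewed_access_token": renewed["access_token"]}


if __name__ == "__main__":
    idp = AuthServer()
    print(run_device_code_phish(idp))
    print("revoked refresh tokens:", idp.revoke_user("alice@victim.example"))
```

The `revoke_user` method is the defender's lever: revoking refresh tokens ends the persistence step, but an access token already handed out keeps working until it expires, which is why detection speed matters.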

Why Kali365 Raises the Stakes

Kali365 didn’t introduce device code phishing. It industrialized it.

The FBI advisory notes that Kali365 “lowers the barrier of entry, providing less-technical attackers access to AI-generated phishing lures, automated campaign templates, real-time targeted individual/entity tracking dashboards, and OAuth token capture capabilities.”

Device code phishing has seen rapid adoption across multiple threat actors and platforms in 2026. EvilTokens and Tycoon2FA now use the same technique.

Where Email Authentication Fits In

Kali365 attacks start with a phishing email. The email impersonates a trusted service. It contains a device code. It looks legitimate.

If that email is sent from a spoofed domain, strong email authentication stops it before it reaches the inbox, provided the spoofed domain publishes an enforcing policy and the receiving server honours it.

A DMARC policy of p=reject instructs receiving servers to reject mail whose From-header domain is yours but that fails both SPF and DKIM alignment. DMARC enforcement prevents attackers from spoofing your exact domain directly; it says nothing about lookalike domains they register themselves.

Research recently found that 74% of breached healthcare domains had ineffective DMARC protection. Without DMARC enforcement, spoofed sender addresses render normally in the inbox, giving phishing lures an unearned appearance of legitimacy.

DMARC doesn’t stop every phishing attack: lures sent from lookalike domains, from free webmail, or from a compromised legitimate mailbox pass it. It does block one of the most common ways attackers get phishing emails into inboxes. A Kali365 campaign targeting your employees becomes measurably less effective when those employees never see the lure.
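The following DMARC record parser and alignment check is an added example of what the policy levels above mean to a receiving server; it is illustrative code, not the Sendmarc platform's implementation. The organisational-domain comparison is simplified to the last two labels (an assumption; real receivers consult the Public Suffix List), and the three sample messages, including the spoofed lure, are constructed for the example.

```python
"""
DMARC record parsing and alignment evaluation, added as a worked example of
what "p=reject" does and does not do to a spoofed lure. Illustrative code,
not the Sendmarc platform's implementation. Organisational-domain matching is
simplified to the last two labels (assumption, no Public Suffix List lookup)
and the sample messages are constructed.
"""
from typing import Optional


def parse_dmarc(txt: str) -> dict:
    """Turn 'v=DMARC1; p=reject; ...' into a tag dict with RFC 7489 defaults filled in."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")     # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")      # relaxed SPF alignment by default
    tags.setdefault("pct", "100")     # apply the policy to all failing mail
    tags.setdefault("sp", tags["p"])  # subdomains inherit p unless sp is set
    return tags


def org_domain(domain: str) -> str:
    """Simplified organisational domain: last two labels (assumption, no PSL lookup)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """Relaxed ('r') alignment matches organisational domains; strict ('s') needs equality."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def is_enforcing(record: dict) -> bool:
    """p=none is monitoring only; pct<100 leaves a share of failures un-actioned."""
    return record["p"] in ("quarantine", "reject") and int(record["pct"]) == 100


def evaluate(record: Optional[dict], policy_domain: str, msg: dict) -> str:
    """
    Return 'pass', or the disposition a receiver applies to a failing message.
    msg carries the From-header domain plus the SPF and DKIM results and the
    domains those checks authenticated (envelope-from and DKIM d= respectively).
    """
    if record is None:
        return "no_policy"  # nothing published, so the receiver has no instruction to act on
    from_domain = msg["from_domain"]
    spf_ok = msg["spf_pass"] and aligned(msg.get("spf_domain"), from_domain, record["aspf"])
    dkim_ok = msg["dkim_pass"] and aligned(msg.get("dkim_domain"), from_domain, record["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    is_subdomain = (from_domain.lower() != policy_domain.lower()
                    and from_domain.lower().endswith("." + policy_domain.lower()))
    return record["sp"] if is_subdomain else record["p"]


# Constructed messages. The lure spoofs victim.example in the From header but is
# sent from infrastructure that only authenticates the attacker's own domain.
SPOOFED_LURE = {"from_domain": "victim.example", "spf_pass": True,
                "spf_domain": "lures.example", "dkim_pass": False, "dkim_domain": None}
LEGIT_VIA_SAAS = {"from_domain": "victim.example", "spf_pass": True,
                  "spf_domain": "bounce.saas-mailer.example", "dkim_pass": True,
                  "dkim_domain": "victim.example"}
LOOKALIKE_LURE = {"from_domain": "victim-example.com", "spf_pass": True,
                  "spf_domain": "victim-example.com", "dkim_pass": False, "dkim_domain": None}


def dispositions() -> dict:
    """What each policy level does with each message."""
    monitoring = parse_dmarc("v=DMARC1; p=none; rua=mailto:dmarc@victim.example")
    enforcing = parse_dmarc("v=DMARC1; p=reject; rua=mailto:dmarc@victim.example")
    return {
        "spoof_under_p_none": evaluate(monitoring, "victim.example", SPOOFED_LURE),
        "spoof_under_p_reject": evaluate(enforcing, "victim.example", SPOOFED_LURE),
        "legit_under_p_reject": evaluate(enforcing, "victim.example", LEGIT_VIA_SAAS),
        # The lookalike domain is not yours; your record never applies to it.
        "lookalike_no_record": evaluate(None, "victim-example.com", LOOKALIKE_LURE),
    }


if __name__ == "__main__":
    for name, verdict in dispositions().items():
        print(f"{name:24s} -> {verdict}")
```

Two checks worth running against your own record with this: `is_enforcing` catches the common half-measures (p=none, or pct below 100), and the subdomain branch in `evaluate` shows why an `sp=none` override quietly re-opens every subdomain to spoofing.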

What Your Company Should Do

  • Restrict device code flow. The FBI recommends creating conditional access policies to block device code authentication for all users, with limited exceptions for verified business processes. Audit existing device code flow usage before implementing this change, for instance by running the policy in report-only mode and reviewing sign-in log entries whose authentication protocol is device code, so that legitimate dependencies such as CLI tools on build hosts are excluded rather than broken.
  • Block authentication transfer. Prevent users from transferring authentication sessions from computers to mobile devices; the same Conditional Access authentication-flows condition that targets device code flow can block this transfer.
  • Enforce a DMARC policy of p=reject. Move beyond monitoring mode. DMARC enforcement removes impersonation as a delivery mechanism for phishing lures targeting your employees, partners, and customers.
  • Maintain unified visibility. Know which domains, email-sending services, and SaaS tools are active across your organization. Unauthorized or unauthenticated senders create gaps that attackers can exploit.
  • Monitor continuously. Phishing platforms evolve. The threat landscape in June 2026 is different from what it was in January. Static security configurations can’t keep pace.
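The first two recommendations above, audit first and then block both flows, look like this when automated against the Microsoft Graph REST API. This is an added example in Python, not Microsoft's or Sendmarc's code. It assumes the caller already holds a Graph bearer token with the Policy.ReadWrite.ConditionalAccess and AuditLog.Read.All permissions, that the exclusion group ID is a placeholder you replace, and that the sample sign-in records are constructed, not real log data.

```python
"""
Conditional Access policy that blocks device code flow and authentication
transfer, plus the audit of existing device-code sign-ins to run first.
Added example against the Microsoft Graph REST API; not Microsoft's or
Sendmarc's code. Assumptions: a Graph bearer token with
Policy.ReadWrite.ConditionalAccess and AuditLog.Read.All is already in hand,
the group ID is a placeholder, and SAMPLE_SIGNINS is constructed data.
"""
import json
import urllib.parse
import urllib.request
from collections import Counter

GRAPH = "https://graph.microsoft.com/v1.0"


def build_block_policy(exclude_group_ids: list, enforce: bool = False) -> dict:
    """
    Policy body for POST /identity/conditionalAccess/policies.
    Start in report-only mode (enforce=False); flip to enforce once the
    sign-in log audit shows nothing you still depend on outside the exclusion group.
    """
    return {
        "displayName": "Block device code flow and authentication transfer",
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "clientAppTypes": ["all"],
            "applications": {"includeApplications": ["All"]},
            "users": {"includeUsers": ["All"], "excludeGroups": list(exclude_group_ids)},
            # The authenticationFlows condition is what targets these two flows.
            "authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def device_code_signins_url(top: int = 999) -> str:
    """Sign-in log query for past device-code authentications (the audit step)."""
    params = {"$filter": "authenticationProtocol eq 'deviceCode'", "$top": str(top)}
    return f"{GRAPH}/auditLogs/signIns?" + urllib.parse.urlencode(params, quote_via=urllib.parse.quote)


def summarize_device_code_usage(records: list) -> dict:
    """
    Group device-code sign-ins by application and user so that legitimate
    dependencies (a CLI on a build server, a headless device) can be moved into
    the exclusion group and everything else is left to be blocked.
    """
    by_app = Counter()
    users_per_app = {}
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue  # tolerate unfiltered input
        app = rec.get("appDisplayName", "<unknown app>")
        by_app[app] += 1
        users_per_app.setdefault(app, set()).add(rec.get("userPrincipalName", "<unknown user>"))
    return {app: {"signins": n, "users": sorted(users_per_app[app])} for app, n in by_app.items()}


def graph_request(token: str, method: str, url: str, body: dict = None) -> dict:
    """Minimal Graph call with urllib; raises on HTTP errors."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample sign-in records in the shape Graph returns (subset of fields).
SAMPLE_SIGNINS = [
    {"authenticationProtocol": "deviceCode", "appDisplayName": "Azure CLI",
     "userPrincipalName": "build-svc@victim.example", "ipAddress": "10.0.4.12"},
    {"authenticationProtocol": "deviceCode", "appDisplayName": "Azure CLI",
     "userPrincipalName": "build-svc@victim.example", "ipAddress": "10.0.4.12"},
    {"authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office",
     "userPrincipalName": "alice@victim.example", "ipAddress": "203.0.113.77"},
    {"authenticationProtocol": "oAuth2", "appDisplayName": "Microsoft Teams",
     "userPrincipalName": "alice@victim.example", "ipAddress": "198.51.100.9"},
]


if __name__ == "__main__":
    print("audit query:", device_code_signins_url())
    print(json.dumps(summarize_device_code_usage(SAMPLE_SIGNINS), indent=2))
    policy = build_block_policy(exclude_group_ids=["00000000-0000-0000-0000-000000000000"])
    print(json.dumps(policy, indent=2))
    # To apply for real (network call, needs a token):
    # graph_request(token, "POST", f"{GRAPH}/identity/conditionalAccess/policies", policy)
```

In the constructed sample the build service account is the kind of dependency that belongs in the exclusion group, while the single device-code sign-in to Microsoft Office from an external address is exactly the event the policy should go on to block.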

The Access Token Problem is Here To Stay

Kali365 is a symptom of a broader shift. Attackers increasingly skip the password altogether: stealing session tokens, or tricking users into issuing OAuth tokens, is now one of the most common routes to persistent, undetected account access.

This matters because most enterprise security stacks are built to detect and prevent credential compromise. Token-based attacks require different controls: conditional access policies, prompt revocation of refresh tokens when compromise is suspected (an access token that has already been issued remains valid until it expires unless continuous access evaluation cuts it short), anomalous sign-in detection, and enforced authentication boundaries.

The phishing email that delivers the device code is still the starting point. Companies that eliminate or reduce the effectiveness of that starting point, through DMARC enforcement, domain visibility, and authenticated email control, make every subsequent stage of the attack harder to execute.

If you’ve been using MFA as your primary defense against phishing, Kali365 is a clear signal that MFA alone is no longer sufficient.

Report It

If your business has been targeted by Kali365 or a similar phishing campaign, file a complaint with the FBI’s Internet Crime Complaint Center. Include any phishing emails (with headers), suspicious login events, and details of unauthorized devices or active sessions.

How Sendmarc Can Help

Sendmarc simplifies DMARC enforcement for enterprise organizations. The Sendmarc Platform manages DMARC, SPF, and DKIM configuration, provides continuous monitoring across all domains, and gives security teams unified visibility into every email-sending source. If your organization isn’t at p=reject yet, Sendmarc gets you there – and keeps you there.