FBI Microsoft 365 Alert: Kali365 Scam Explained

FBI issues alert on Kali365: kit captures OAuth tokens and provides persistent access to Outlook, OneDrive, and Teams without triggering MFA.

by Cleverson Gouvêa


On May 21, 2026, the FBI published alert I-052126-PSA confirming what many security teams in Brazil already suspected: a phishing-as-a-service platform called Kali365, active since April, can hijack OAuth tokens for Outlook, OneDrive, and Teams without your password and without triggering MFA. If your company uses Microsoft 365, this post explains how the scam works and what to adjust in Entra ID this week.

TL;DR

  • The FBI issued alert I-052126-PSA on 05/21/2026 regarding the Kali365 platform, sold on Telegram since April 2026.
  • The attack uses device code phishing to capture OAuth tokens — bypassing most MFA configurations.
  • Outlook, OneDrive, and Teams are the target services. The attacker operates as the user until the refresh token expires.
  • The main mitigation is blocking the device code flow via Conditional Access and reviewing break-glass accounts.
  • Brazilian companies with Entra ID without mature policies are especially exposed — the kit already comes with AI-generated lures in Portuguese.

What the FBI Alert Says About Microsoft 365 and the Kali365 Platform

The FBI Microsoft 365 alert published by the Internet Crime Complaint Center (IC3) is categorical: the Kali365 platform was first observed in real campaigns in April 2026 and, in just over a month, has already claimed hundreds of organizations as victims. The kit is sold as a service (PhaaS, phishing-as-a-service) on Telegram channels, with real-time dashboards, automatically AI-generated emails, and per-target tracking reports.

The choice of Microsoft 365 is no accident. The ecosystem concentrates three products that together form the nervous system of many companies: email (Outlook), storage and collaboration (OneDrive), and internal communication (Teams). Whoever gets into one gets into all three. And contrary to what many administrators assumed, the FBI Microsoft 365 alert makes clear that the kit is not reserved for high-end crews: it is designed to lower the barrier to entry so that less technical operators can run entire campaigns with a few clicks.

The official communication is at ic3.gov/PSA/2026/PSA260521 and carries reference number I-052126-PSA. If you work in corporate IT or governance in Brazil, it's worth attaching this reference to your next risk report.

How Kali365 Works: Device Code Phishing in 4 Steps

Unlike classic phishing — which clones login pages and tries to steal passwords — Kali365 exploits a legitimate Microsoft flow called device code authentication. It's the same flow used when you log into a smart TV or console: the device shows a short code and asks you to type it on an official Microsoft page.

Step 1 — The lure arrives via email or Teams

The victim receives a convincing notification: "a financial document has been shared with you," "invitation for Q2 review meeting," or "pending compliance audit." The text is AI-generated, adapted to the target's language and context, and usually comes from a look-alike domain or from an already compromised legitimate account.

Step 2 — The user enters the official Microsoft portal

Here lies the sophistication: the lure's link points to microsoft.com/devicelogin, a real page with a valid certificate and no visual anomalies. The victim is instructed to enter a short code (eight digits), supposedly to "validate the document" or "join the meeting."

Step 3 — The OAuth token is captured

The entered code belongs to a session initiated by the attacker. When the victim completes the login (including MFA, because this really is Microsoft), Microsoft issues an access token + refresh token pair bound to the "device" controlled by the attacker. Kali365 collects this token pair through its API.

Step 4 — Persistent access without a new password

With the refresh token in hand, the attacker can mint new access tokens for days or weeks without a new MFA challenge. It's as if they have a copy of your keys and the lock never notices. The FBI Microsoft 365 alert calls this "long-term access" and puts its lifespan at the validity period of the refresh token (up to 90 days by default in Entra ID).

Why Traditional MFA Doesn't Protect You This Time

Many administrators breathe a sigh of relief when they see MFA enabled for the entire tenant — and that confidence is exactly what Kali365 exploits. Traditional MFA validates that someone legitimate is authenticating; it does not validate which device the token will be issued to.

When the user enters microsoft.com/devicelogin and fulfills all factors, they approve the attacker's session without realizing it. There is no "fake page" to detect, no certificate error, no strange domain. Email filters based on malicious URLs also go blind, because the link is literally from Microsoft.

The only structural defense is a combination of:

  • Conditional Access blocking or restricting the device code flow (the FBI's first recommendation in the PSA).
  • FIDO2 keys with device binding (phishing-resistant passkeys).
  • Sign-in risk policies from Entra ID Premium P2 with blocking on high risk.
  • Token Protection (in preview in Entra ID), which binds the token to the source device.

For teams that still rely only on TOTP or SMS, the FBI Microsoft 365 alert is a direct warning: the security floor has risen — and those who stay below it pay dearly.

Traditional Phishing vs. Kali365 Attack

| Aspect | Traditional Phishing | Kali365 (device code) |
| --- | --- | --- |
| Login page | Cloned, on fake domain | Real (microsoft.com) |
| What is stolen | Password + second factor | OAuth token (access + refresh) |
| Does SMS MFA protect? | Often yes | No |
| Does app/TOTP MFA protect? | Yes, mostly | No |
| Does FIDO2 key protect? | Yes | Yes, with token binding |
| Persistence time | Short (until password change) | Long (refresh token lifetime, up to 90 days) |
| Detection by antivirus | Medium | Practically none |
| Detection by URL filter | Good | Almost none (URL is legitimate) |
| Signal in SIEM | Login at unusual time/location | Session from unknown device |

The honest reading of this table is uncomfortable: most defenses that Brazilian companies have purchased over the last five years were designed against the phishing in the left column. Kali365 lives in the right column.

What the Attacker Can Do Inside Outlook, OneDrive, and Teams

When the token falls into hostile hands, the damage goes far beyond "reading emails." The FBI Microsoft 365 alert lists patterns observed in real victims — and all fit within what a regular user could do, making detection difficult.

  • Outlook: creation of inbox rules that silently forward and delete — classic for BEC (Business Email Compromise) fraud and payment diversion. The attacker monitors exchanges with suppliers and, at the right moment, injects a fake invoice with altered PIX payment details.
  • OneDrive: mass download of entire libraries (contracts, financial spreadsheets, customer data), planting files with malicious macros in team-shared folders, and abusing the "Anyone with the link" sharing feature for discreet extraction.
  • Teams: posting as the compromised user in internal channels, creating meetings with external guests for reconnaissance, and stealing chat data (which often contains credentials and secrets shared carelessly).

This is not theory. Public cases already show that when the attack is industrialized by a kit like Kali365, the average time between compromise and measurable financial damage is decreasing. In analogous contexts, such as the supply chain attacks on NPM, we saw similar vectors — abuse of legitimate authentication flows — causing millions in losses within hours.

How to Detect Kali365 Compromise in Your Tenant

Early detection in this scenario depends on telemetry; traditional antivirus and antispam tools won't cut it. What works:

Entra ID Audit Log

In the entra.microsoft.com portal → Monitoring & Health, open the Sign-in logs (next to Audit logs) and look for:

  • Bursts of recent device code authentication events.
  • Sign-ins from devices with an unknown Device ID and Compliant: No.
  • Geographic locations inconsistent with the employee's profile.
  • Applications with offline_access permission issued outside the norm.
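
As an added example (not code from the FBI alert, the page's author, or the Kali365 kit), this Python triage runs the checklist above over sign-in records in the Microsoft Graph signIn shape, the form you get when exporting Entra logs to a SIEM. The sample records, the expected-country set, and the burst threshold are constructed assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (Graph signIn shape): three device code sign-ins minutes apart from an
# unregistered, non-compliant device abroad, one normal sign-in, and one legitimate kiosk sign-in.
SAMPLE_EXPORT = """
{"createdDateTime":"2026-05-20T09:12:04Z","userPrincipalName":"ana@example.com.br","authenticationProtocol":"deviceCode","deviceDetail":{"deviceId":"","isCompliant":false},"location":{"countryOrRegion":"NL"}}
{"createdDateTime":"2026-05-20T09:14:31Z","userPrincipalName":"bruno@example.com.br","authenticationProtocol":"deviceCode","deviceDetail":{"deviceId":"","isCompliant":false},"location":{"countryOrRegion":"NL"}}
{"createdDateTime":"2026-05-20T09:15:50Z","userPrincipalName":"carla@example.com.br","authenticationProtocol":"deviceCode","deviceDetail":{"deviceId":"","isCompliant":false},"location":{"countryOrRegion":"NL"}}
{"createdDateTime":"2026-05-20T10:02:00Z","userPrincipalName":"ana@example.com.br","authenticationProtocol":"oAuth2","deviceDetail":{"deviceId":"d1f0-registered","isCompliant":true},"location":{"countryOrRegion":"BR"}}
{"createdDateTime":"2026-05-20T08:40:00Z","userPrincipalName":"kiosk01@example.com.br","authenticationProtocol":"deviceCode","deviceDetail":{"deviceId":"kiosk-dev-01","isCompliant":true},"location":{"countryOrRegion":"BR"}}
"""

EXPECTED_COUNTRIES = {"BR"}           # assumption: where this workforce normally signs in
BURST_WINDOW = timedelta(minutes=10)  # assumption: this many device code sign-ins ...
BURST_MIN_EVENTS = 3                  # ... inside this window counts as "mass" use

def parse_export(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def sign_in_flags(rec):
    """Signals from the checklist above that are present in one sign-in record."""
    flags = []
    dev = rec.get("deviceDetail", {})
    if rec.get("authenticationProtocol") == "deviceCode":
        flags.append("device_code")
    if not dev.get("deviceId"):
        flags.append("unknown_device")
    if dev.get("isCompliant") is False:
        flags.append("non_compliant")
    if rec.get("location", {}).get("countryOrRegion") not in EXPECTED_COUNTRIES:
        flags.append("unexpected_country")
    return flags

def triage(records):
    """Map user -> flagged device code sign-ins, plus whether device code use came in a burst."""
    suspicious, times = defaultdict(list), []
    for rec in records:
        flags = sign_in_flags(rec)
        if "device_code" not in flags:
            continue
        times.append(datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00")))
        if len(flags) > 1:  # device code alone is normal for a kiosk; combined signals are not
            suspicious[rec["userPrincipalName"]].append(flags)
    times.sort()
    burst = any(times[i + BURST_MIN_EVENTS - 1] - times[i] <= BURST_WINDOW
                for i in range(len(times) - BURST_MIN_EVENTS + 1))
    return dict(suspicious), burst
```

On the constructed sample, the kiosk's device code sign-in is not flagged, while the three sign-ins from the unknown device abroad are, and they also trip the burst check.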

Suspicious Inbox Rules

PowerShell (Exchange Online module, after Connect-ExchangeOnline) to scan rules created or changed in the last 30 days:

# Requires the ExchangeOnlineManagement module and an active Connect-ExchangeOnline session
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
  Get-InboxRule -Mailbox $_.Identity | Where-Object {
    # rules touched in the last 30 days that forward, redirect, delete, or hide mail in an RSS folder
    $_.WhenChanged -gt (Get-Date).AddDays(-30) -and
    ($_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or
     $_.DeleteMessage -or $_.MoveToFolder -like "*RSS*")
  }
}

Rules that forward to an external domain and delete the original are a classic red flag.

Microsoft 365 Defender and Purview

If your license allows, use Microsoft 365 Defender to hunt for sessions with RiskLevelAggregated: high or unfamiliarFeatures. Purview Audit (Premium) retains events for up to a year and allows reconstructing the incident timeline. Teams without these licenses should at a minimum export Entra logs to an external SIEM — we've seen Brazilian teams adopting this routine after the malicious VS Code extension case on GitHub.

What to Do Now: Conditional Access and Blocking the Device Code Flow

The FBI Microsoft 365 alert brings a very specific operational recommendation: create a Conditional Access policy that blocks the device code flow for most users, opening exceptions only for legitimate cases (authentication on keyboard-less devices like kiosks and some meeting cameras).

Action plan for this week, in priority order:

  1. Audit current device code flow usage. In Entra ID, filter Sign-in logs by Authentication Protocol: Device Code. List who uses it, when, and why. Without this baseline, any block will break production.
  2. Create a Conditional Access policy "Block Device Code Flow". Apply to "All users", exclude a group CA-Exception-DeviceCode with few auditable members, and also exclude break-glass accounts.
  3. Require phishing-resistant MFA as the grant control for administrative access. Passkeys and FIDO2 are the standard to aim for.
  4. Limit how long a stolen refresh token stays useful with the Conditional Access "Sign-in frequency" control, forcing reauthentication every 7 days for sensitive users.
  5. Activate Token Protection (preview) for critical sessions, binding the token to the device.
  6. Configure alerts in Defender for Cloud Apps for creation of inbox rules with external forwarding.
  7. Train users with a specific focus on the "enter this code here" pattern — it's the new "click here and type your password."
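
Step 2 above as an added example (not code from the FBI PSA or from the page's author): the Microsoft Graph request body for the "Block Device Code Flow" policy, with a small review function that checks the exclusions before the policy goes from report-only to enforced. The object IDs are placeholders, and policy_gaps is a hypothetical helper of this example, not a Graph API.

```python
import json

# Placeholders (assumptions): replace with object IDs from your own tenant.
EXCEPTION_GROUP_ID = "<object-id-of-CA-Exception-DeviceCode>"
BREAK_GLASS_IDS = ["<object-id-of-break-glass-1>", "<object-id-of-break-glass-2>"]

def block_device_code_policy(exception_group, break_glass, enforce=False):
    """Request body for POST /identity/conditionalAccess/policies; report-only until enforce=True."""
    return {
        "displayName": "Block Device Code Flow",
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {
                "includeUsers": ["All"],
                "excludeGroups": [exception_group],
                "excludeUsers": list(break_glass),
            },
            "applications": {"includeApplications": ["All"]},
            # the device code condition lives under authenticationFlows.transferMethods
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }

def policy_gaps(policy, break_glass):
    """Findings to clear before flipping the policy from report-only to enabled."""
    gaps = []
    cond = policy.get("conditions", {})
    users = cond.get("users", {})
    if cond.get("authenticationFlows", {}).get("transferMethods") != "deviceCodeFlow":
        gaps.append("does not target the device code flow")
    if users.get("includeUsers") != ["All"]:
        gaps.append("does not cover all users")
    if cond.get("applications", {}).get("includeApplications") != ["All"]:
        gaps.append("does not cover all applications")
    missing = [u for u in break_glass if u not in users.get("excludeUsers", [])]
    if missing:
        gaps.append(f"break-glass accounts not excluded: {missing}")
    if "block" not in policy.get("grantControls", {}).get("builtInControls", []):
        gaps.append("grant control is not 'block'")
    if policy.get("state") == "enabled" and not users.get("excludeGroups"):
        gaps.append("enforced without an exception group for kiosks and meeting devices")
    return gaps

if __name__ == "__main__":
    policy = block_device_code_policy(EXCEPTION_GROUP_ID, BREAK_GLASS_IDS)
    print(json.dumps(policy, indent=2))
    print("gaps:", policy_gaps(policy, BREAK_GLASS_IDS) or "none")
```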

Document each policy. In an incident, your ability to prove what was enabled matters as much as the defense itself — it's important for auditing, cyber insurance, and LGPD.

Response Plan if an Account Has Been Compromised

Assume the worst: you confirmed a suspicious sign-in via device code 12 hours ago and the user doesn't recognize it. Order of actions:

  1. Revoke all user sessions. In Entra ID, open the profile → "Revoke sessions". This invalidates issued tokens, including refresh tokens.
  2. Force password reset and reapply MFA. If MFA fatigue is suspected, register a new FIDO2 method.
  3. Inspect and remove inbox rules created or changed in the last 30 days.
  4. Audit application consents in "Enterprise applications" → "User settings" and revoke any unrecognized app.
  5. Download the full Entra Audit Log timeline for the period. Preserve for forensics.
  6. Notify potentially affected parties — customers, suppliers, and if personal data is exposed, prepare communication to ANPD within the LGPD deadline.
  7. Report to IC3 at ic3.gov with full headers of the lure, suspicious session IDs, and any artifacts. The FBI aggregates this data to correlate global campaigns.

Mature teams already have a runbook for this. If yours doesn't, now is the moment: writing the document after the incident is expensive and stressful.

Conclusion: The FBI Microsoft 365 Alert Closes an Era

The FBI Microsoft 365 alert about Kali365 marks an important point: the era of "MFA enabled equals secure company" is over. Those operating Microsoft 365 in Brazil in 2026 need to look at Conditional Access, FIDO2, and Entra ID telemetry as basic infrastructure, not a future project. It's not alarmism — it's the new floor.

If you want to review your M365 security posture or design Conditional Access policies appropriate to your operation's size, talk to me. We work with Entra ID governance, authentication modernization, and incident response for Brazilian teams living within the Microsoft ecosystem.