How Attackers Are Bypassing Microsoft 365 MFA in 2026
The FBI issued a formal warning last Wednesday about a tool called Kali365. It is a phishing-as-a-service kit that hijacks Microsoft 365 accounts without ever touching your password and without triggering a new multi-factor authentication prompt. Businesses that assume MFA closes the door on account takeover need to understand how this works.
The advisory is real. FBI PSA260521 dropped May 21. By the time it was published, hundreds of organizations had already been hit in April.
What Kali365 Is
Kali365 is a commercial attack kit sold via Telegram for $250 per month. (The name borrows from Kali Linux, the legitimate security testing platform. That appears intentional.) The operators run it as a subscription business with admin, reseller, and affiliate tiers. Proofpoint and Arctic Wolf documented the first campaigns in April 2026. Manufacturing, financial services, insurance, healthcare, and government organizations across North America and Europe were in scope. Every one of those victims was using MFA.
How It Bypasses MFA
The technique is called device code phishing. It abuses a feature Microsoft built for input-limited devices like conference room displays and smart TVs. Those devices cannot type a full login, so Microsoft lets them authenticate by having the user enter a short device code at login.microsoftonline.com on a separate device.
Here is what Kali365 does with that:
The victim gets a phishing email impersonating SharePoint, DocuSign, Adobe Acrobat Sign, or Microsoft itself. The email contains a device code and instructions to enter it at the real Microsoft verification page. The victim goes to the legitimate URL. They enter the code. Microsoft validates it.
But the attacker generated that code. The victim just handed them an OAuth access token and a refresh token. No password was ever exposed. No new MFA prompt fires. The attacker now has persistent access to Outlook, Teams, and OneDrive.
The refresh token is the real problem. It keeps the session alive long after the initial compromise. Traditional security tooling often misses this because the login technically succeeded from Microsoft's point of view. Attackers typically create inbox rules within minutes of gaining access, burying security notification emails in hidden folders.
Kali365 also has an adversary-in-the-middle variant. Victims are sent a phishing lure that proxies their browser traffic through attacker-controlled infrastructure to the real Microsoft login page. The victim completes the full login sequence including MFA. Their session cookies are captured in the process.
How We Got Here
Device code phishing started scaling in September 2025 when Russia-linked threat actors adopted it at scale. Financially motivated criminal groups followed by October. By February 2026, a similar kit called EvilTokens had commoditized the technique. Huntress tracked more than 340 compromised organizations in a single three-week window across five countries.
Proofpoint documented roughly seven distinct device-code phishing variants in a ten-day window in April 2026. Several appeared to have been developed with AI assistance, consistent with the broader AI phishing trend running through email campaigns this year. The barrier to running these attacks is low and dropping.
What Businesses Should Do
The FBI recommends three steps. First, audit your current device code flow usage. Some legitimate processes may depend on it, particularly conference room systems and specialty devices. Second, create a conditional access policy to block device code authentication for all users, with narrow exceptions only where genuinely required. Third, block authentication transfer through conditional access as well, so that a signed-in session cannot be moved from one device to another.
Those three steps require someone who knows your Microsoft 365 tenant. They need to know which systems actually use device code flow before locking it down, or they will break legitimate workflows in the process. They need to build the conditional access policy correctly so it catches the attack vector without disrupting daily operations.
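The audit and policy steps above can be sanity-checked before anything is locked down. The example below is added here and is not from the FBI advisory or any vendor's tooling: it triages a handful of constructed Entra sign-in records for the device code grant, turns them into the app/account exception list you review before blocking, and lints a constructed conditional access policy for the two blocks the advisory calls for. Field names follow the Microsoft Graph signIn (`authenticationProtocol` = `deviceCode`) and conditionalAccessPolicy (`authenticationFlows.transferMethods`) resources as I understand them; treat them as assumptions and check them against your own tenant exports.

```python
"""Triage device code sign-ins and lint a conditional access block policy.

Added example. The sign-in records and the policy below are constructed for
illustration; they are not from a real tenant. Field names are assumptions based
on the Microsoft Graph signIn and conditionalAccessPolicy resources.
"""
from collections import defaultdict

# Constructed records in the shape of a Graph /auditLogs/signIns export.
SIGNINS = [
    {"createdDateTime": "2026-04-14T08:02:11Z", "userPrincipalName": "boardroom-a@example.com",
     "appDisplayName": "Microsoft Teams Rooms", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.10"},
    {"createdDateTime": "2026-04-14T09:15:40Z", "userPrincipalName": "j.doe@example.com",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.77"},
    {"createdDateTime": "2026-04-14T09:20:03Z", "userPrincipalName": "j.doe@example.com",
     "appDisplayName": "Office 365 Exchange Online", "authenticationProtocol": "oAuth2",
     "ipAddress": "192.0.2.5"},
    {"createdDateTime": "2026-04-15T11:48:59Z", "userPrincipalName": "boardroom-a@example.com",
     "appDisplayName": "Microsoft Teams Rooms", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.10"},
]

# Constructed policy in the Graph conditionalAccessPolicy shape. The transferMethods
# values "deviceCodeFlow" and "authenticationTransfer" are assumed from Graph docs.
BLOCK_DEVICE_CODE_POLICY = {
    "displayName": "Block device code flow and authentication transfer",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": ["boardroom-a@example.com"]},
        "applications": {"includeApplications": ["All"]},
        "authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}


def device_code_signins(records):
    """Return only the sign-ins that used the device code grant."""
    return [r for r in records if r.get("authenticationProtocol") == "deviceCode"]


def usage_by_app(records):
    """Map each app that used device code flow to the accounts that did so.
    This is the candidate exception list to review before blocking the flow tenant-wide."""
    usage = defaultdict(set)
    for r in device_code_signins(records):
        usage[r["appDisplayName"]].add(r["userPrincipalName"])
    return dict(usage)


def unexpected_device_code(records, allowed_accounts):
    """Accounts that used device code flow but are not on the known-device allowlist
    (e.g. conference room accounts). These are the sign-ins to investigate first."""
    users = {r["userPrincipalName"] for r in device_code_signins(records)}
    return sorted(users - set(allowed_accounts))


def policy_coverage(policy):
    """Report whether an enabled, all-users block policy covers each flow, plus its exceptions."""
    conditions = policy.get("conditions", {})
    methods = conditions.get("authenticationFlows", {}).get("transferMethods", "")
    if isinstance(methods, str):
        methods = {m.strip() for m in methods.split(",") if m.strip()}
    else:
        methods = set(methods)
    enabled = policy.get("state") == "enabled"
    blocks = "block" in policy.get("grantControls", {}).get("builtInControls", [])
    all_users = conditions.get("users", {}).get("includeUsers") == ["All"]
    effective = enabled and blocks and all_users
    return {
        "deviceCodeFlow": effective and "deviceCodeFlow" in methods,
        "authenticationTransfer": effective and "authenticationTransfer" in methods,
        "exceptions": sorted(conditions.get("users", {}).get("excludeUsers", [])),
    }


if __name__ == "__main__":
    print("device code usage by app:", usage_by_app(SIGNINS))
    print("not on allowlist:", unexpected_device_code(SIGNINS, {"boardroom-a@example.com"}))
    print("policy coverage:", policy_coverage(BLOCK_DEVICE_CODE_POLICY))
```

Run it against a real export by replacing `SIGNINS` with the parsed JSON from the Graph sign-ins endpoint and `BLOCK_DEVICE_CODE_POLICY` with each policy from the conditional access endpoint; any account that `unexpected_device_code` returns deserves a look before the block goes live, and a policy that reports `False` for either flow is not doing what the advisory asks.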
A managed IT partner who actively manages your Microsoft 365 environment audits conditional access policies on a scheduled basis, monitors OAuth token grants for anomalies, and spots unusual authentication patterns before they compound. The Kali365 advisory is a good moment to confirm those controls are in place on your tenant.
If you are not sure whether your organization has a conditional access policy blocking device code flow, that is your answer.
Frequently Asked Questions
What is device code phishing?
Device code phishing abuses Microsoft's legitimate device code authentication flow, which was designed for input-limited devices like smart TVs and conference room displays. Attackers generate a device code, send a phishing email with it, and direct victims to the real Microsoft login page to enter it. When the victim does, the attacker captures valid OAuth tokens for the victim's account and gains persistent access without needing a password.
Does Kali365 steal passwords?
No. The attack captures OAuth access and refresh tokens. The attacker never touches your password because they do not need it. They have a token proving Microsoft already authenticated the user, and that token works to access Outlook, Teams, and OneDrive until it is revoked.
Will a hardware security key protect against this?
FIDO2 hardware keys and passkeys are resistant to adversary-in-the-middle attacks because they bind authentication to the legitimate domain. They do not help against device code phishing because no new authentication challenge is issued to the victim; they simply approve a code on a session that is already signed in. Conditional access policy changes are the primary mitigation the FBI recommends for both variants.
How do I know if my Microsoft 365 account was compromised?
Watch for unfamiliar devices or sessions in your Microsoft 365 security dashboard, inbox rules you did not create (especially ones filtering emails containing words like "spam," "security," or "click"), and access from unexpected locations in OneDrive or Teams. Report suspected compromises at ic3.gov.
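The inbox-rule indicator in this answer, and the post-compromise behaviour described under "How It Bypasses MFA" (rules created within minutes that bury security notifications), can be hunted in the Exchange audit log. The example below is added here and is not part of the original post or any vendor's detection content: it scores constructed `New-InboxRule` and `Set-InboxRule` audit events on the traits the page names (filtering on words like "spam," "security," or "click"; moving or deleting matches; marking them read; a blank or punctuation-only rule name). The record layout and the list of folders commonly used to hide mail are assumptions; extend both to match your own exports.

```python
"""Score inbox-rule audit events for the traits of a post-compromise hiding rule.

Added example. The audit records are constructed for illustration, in the
shape of Exchange Online unified audit log entries as assumed here.
"""
import json
import re

# Keywords from the page; extend with your own security-notification wording.
SUSPICIOUS_WORDS = {"spam", "security", "click"}
# Folders where hidden rules commonly park mail (assumed starting list).
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "archive", "junk email", "deleted items"}

# Constructed audit records (Operation / Parameters layout is an assumption).
AUDIT_RECORDS = [
    {"CreationTime": "2026-04-14T09:16:30", "Operation": "New-InboxRule",
     "UserId": "j.doe@example.com", "ClientIP": "198.51.100.77",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectOrBodyContainsWords", "Value": "security;spam;click"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"CreationTime": "2026-04-14T13:02:00", "Operation": "New-InboxRule",
     "UserId": "a.smith@example.com", "ClientIP": "192.0.2.5",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "From", "Value": "news@vendor.example"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"CreationTime": "2026-04-14T14:30:12", "Operation": "Set-InboxRule",
     "UserId": "a.smith@example.com", "ClientIP": "192.0.2.5",
     "Parameters": [{"Name": "Identity", "Value": "Newsletters"},
                    {"Name": "SubjectContainsWords", "Value": "Security alert"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
]


def params(record):
    """Flatten the Name/Value parameter list of one audit event into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def rule_indicators(record):
    """Return the list of suspicious traits an inbox-rule event shows (empty if none)."""
    if record.get("Operation") not in {"New-InboxRule", "Set-InboxRule"}:
        return []
    p = params(record)
    traits = []

    # Keyword filters aimed at security notifications ("security;spam;click").
    phrases = []
    for key in ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords"):
        phrases += [w.strip().lower() for w in re.split(r"[;,]", p.get(key, "")) if w.strip()]
    hits = sorted(s for s in SUSPICIOUS_WORDS if any(s in ph for ph in phrases))
    if hits:
        traits.append("filters on " + ", ".join(hits))

    # Actions that keep the user from seeing the matched mail.
    if p.get("DeleteMessage", "False").lower() == "true":
        traits.append("deletes matching mail")
    if p.get("MarkAsRead", "False").lower() == "true":
        traits.append("marks matching mail as read")
    folder = p.get("MoveToFolder")
    if folder and folder.lower() in HIDING_FOLDERS:
        traits.append(f"moves mail to {folder}")

    # Attackers often give the rule a throwaway name such as "." or a single space.
    name = p.get("Name")
    if name is not None and name.strip(" .") == "":
        traits.append("rule name is blank or punctuation only")
    return traits


def suspicious_rules(records, min_traits=2):
    """Events showing at least min_traits hiding traits, with who/when/where for triage."""
    flagged = []
    for r in records:
        traits = rule_indicators(r)
        if len(traits) >= min_traits:
            flagged.append({"user": r["UserId"], "when": r["CreationTime"],
                            "ip": r.get("ClientIP"), "traits": traits})
    return flagged


if __name__ == "__main__":
    print(json.dumps(suspicious_rules(AUDIT_RECORDS), indent=2))
```

Two traits is a deliberately low bar; a rule that both filters on "security" and deletes the match is worth a human look even when it was created by the account owner. Pairing the flagged `when` and `ip` with the sign-in log for the same account shows whether the rule appeared minutes after an unfamiliar session, which is the pattern the advisory describes.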
Is MFA still worth enabling?
Yes. MFA blocks the large majority of automated credential-stuffing and password spray attacks. The point of the Kali365 advisory is not that MFA is useless. It is that MFA configured to default standards is no longer sufficient against a determined attacker using current tooling. Layered controls, conditional access policies, and active monitoring are what close the remaining gap.
Unsure whether your Microsoft 365 tenant is configured to block device code flow? We review conditional access policies and authentication settings as part of ongoing managed IT relationships. Get in touch.