FBI Warns of New Microsoft 365 Phishing Attack Targeting Small Businesses (Kali365)

By Nieto Technology

Kali365: The Microsoft 365 Phishing Attack the FBI Is Warning Businesses About

A new Microsoft 365 phishing attack known as the Kali365 phishing kit is targeting businesses by abusing legitimate Microsoft authentication processes. The FBI has issued a public service warning about the threat, and cybersecurity researchers at Malwarebytes have been tracking its spread across organizations and individual users.

This one, the Kali365 phishing kit, is dangerous not because it is complex but because of how clean it looks to the person receiving it.

How the Kali365 Microsoft 365 Phishing Attack Works

Most people have been trained to spot phishing: fake login pages, weird URLs, emails from suspicious senders. Kali365 doesn’t use any of those tell-tale signs. Instead, here’s what actually happens:

  • Step 1: Your employee receives an email that looks like a normal document-sharing notification or Microsoft Teams invite — the kind of thing they’d expect to get at work every day. The email includes a short “device code” and instructions like: “Go to Microsoft’s verification page and enter this code to view the document.”
  • Step 2: The link takes them to a real Microsoft website — not a fake one. It looks exactly like the standard Microsoft sign-in and consent screens they see all the time. No typos. No odd URLs. Maybe it even shows their own company’s branding because it uses a legitimate Microsoft authentication flow.
  • Step 3: They enter the code they were given. That single step approves the attacker's pending sign-in request, and just like that, without ever typing a password into a suspicious form or visiting a fake page, they’ve handed over full access to their account.

The attackers get long-lasting “refresh tokens” that let them stay in the account indefinitely until someone notices — and by then, there’s often nothing left to notice.

The Business Risks of a Microsoft 365 Account Takeover

Once inside a Microsoft 365 account, this isn’t just about reading emails. It’s about becoming your employee from the inside:

  • Reading sensitive information: customer data, contracts, financial records sitting in OneDrive or shared documents
  • Sending emails from their address: people who trust that person now receive messages that genuinely come from their account, so they’re even more likely to believe them
  • Accessing calendars: learning about meetings, deadlines, and business operations
  • Reaching contacts: using the trusted relationship to send phishing messages to everyone in their address book

In short, the attacker doesn’t just get into one account. They get a key to your entire network of trust.

Why the Kali365 Phishing Attack Bypasses Traditional Security Measures

The scary part about Kali365 is that it sidesteps everything you’ve been told to watch for. There’s no fake login page with misspelled domains. No suspicious sender address (the email can come from a compromised account). No malware attached to download. It exploits trust in the Microsoft ecosystem itself.

And because it uses real Microsoft authentication infrastructure, even multi-factor authentication tools built into Microsoft 365 won’t stop it — the user is genuinely completing a Microsoft-authorized process. They’re doing exactly what they’re supposed to do. They just don’t realize that “supposed to” includes the attacker in the chain.

How to Protect Your Business from the Kali365 Microsoft 365 Phishing Attack

The good news is you don’t need advanced technology to defend against this. Here are practical steps:

  1. Talk to your team about “device codes.” If someone receives a message telling them to go to a Microsoft verification page and enter a code they didn’t request, that’s the red flag. Nobody needs to do that unless they initiated it — like when they’re setting up their own device.
  2. Verify unexpected links before clicking. When an email says “click here to view a document,” hover over the link (or touch and hold on mobile) to see where it actually goes. If something feels off, ask your IT person or call the sender directly.
  3. Review active sessions periodically. Your Microsoft 365 admin can check which devices are currently connected to employee accounts. Unusual devices or locations are a sign someone’s in without permission.
  4. Use app passwords or conditional access policies if you don’t already. These add layers of verification that make stolen tokens much harder to use.
  5. Know what to do if someone clicks. If an employee thinks they may have entered a code on one of these messages, tell them not to log out themselves — contact your IT support immediately so the attacker’s session can be blocked before they move laterally into other accounts.
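An added example, not code from the post, the FBI or Malwarebytes, tying the session review in step 3 back to the attack chain above: a small Python triage script over constructed Entra ID sign-in records that flags every device code flow sign-in (the attacker's session from step 3 of the attack appears as exactly this protocol) and rates it high when it comes from a country the user has not otherwise signed in from. Field names are assumed to follow the Microsoft Graph signIn resource (`authenticationProtocol`, `location.countryOrRegion`); the records themselves are constructed.

```python
import json
from collections import defaultdict

# Constructed Entra ID sign-in records, one JSON object per line. Field names follow
# the Microsoft Graph signIn resource as assumed here; all values are made up.
SAMPLE_SIGNINS = """
{"createdDateTime": "2025-06-02T08:01:00Z", "userPrincipalName": "ana@example.com", "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"}, "authenticationProtocol": "oAuth2", "appDisplayName": "Outlook"}
{"createdDateTime": "2025-06-02T08:15:00Z", "userPrincipalName": "ana@example.com", "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "NL"}, "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office"}
{"createdDateTime": "2025-06-02T09:00:00Z", "userPrincipalName": "bob@example.com", "ipAddress": "203.0.113.22", "location": {"countryOrRegion": "US"}, "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Azure CLI"}
{"createdDateTime": "2025-06-02T09:05:00Z", "userPrincipalName": "bob@example.com", "ipAddress": "203.0.113.22", "location": {"countryOrRegion": "US"}, "authenticationProtocol": "oAuth2", "appDisplayName": "Microsoft Teams"}
"""


def parse_signins(text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def device_code_alerts(records):
    """One alert per device code flow sign-in. Severity is 'high' when the country
    differs from every other sign-in by that user in the batch (the phished user is
    usually at their desk while the attacker's device is elsewhere), else 'medium':
    device code sign-ins are rare enough in most small businesses to review anyway."""
    by_user = defaultdict(list)
    for rec in records:
        by_user[rec["userPrincipalName"]].append(rec)

    alerts = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        user = rec["userPrincipalName"]
        country = rec.get("location", {}).get("countryOrRegion", "unknown")
        usual = {other.get("location", {}).get("countryOrRegion", "unknown")
                 for other in by_user[user] if other is not rec}
        severity = "high" if usual and country not in usual else "medium"
        alerts.append({"user": user, "time": rec["createdDateTime"],
                       "ip": rec.get("ipAddress"), "country": country,
                       "app": rec.get("appDisplayName"), "severity": severity})
    return alerts


if __name__ == "__main__":
    for a in device_code_alerts(parse_signins(SAMPLE_SIGNINS)):
        print(f'{a["severity"]:6} {a["time"]} {a["user"]} from {a["ip"]} '
              f'({a["country"]}) via {a["app"]}')
```

Exporting real sign-in logs as JSON lines and feeding them to parse_signins turns the periodic review in step 3 into a routine check, and any high-severity hit is the cue for the response in step 5.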

Key Takeaways About the Kali365 Phishing Threat

The Kali365 attack isn’t some sci-fi cyber threat. It’s a clever twist on old-school phishing that works because it plays on trust rather than fear. Your team is smart, your software is up to date, and you’ve probably bought every security tool on the market — but no amount of technology helps if the person holding the mouse doesn’t know what to watch for.

The best defense is awareness. Share this with anyone who uses email at your business. If you’d like us to walk your team through what to look for, give us a call. We’d rather be the boring ones who prevented a problem than the ones who fixed one after the fact.

Got questions about Microsoft 365 security? Contact Nieto Technology. We’ll walk through what this threat means for your business, review your current security, and recommend practical steps to better protect your business.