- Key insight: Device-code phishing bypasses multifactor authentication by stealing the session token a user receives after passing the multifactor check. The second factor is satisfied, then sidestepped.
- What's at stake: Banks run their employees' email on Microsoft 365, and a quietly hijacked staff mailbox is the groundwork for wire fraud and business email compromise.
- Supporting data: Arctic Wolf says Kali365 rents for $250 for 30 days or $2,000 for a year, paid in non-KYC cryptocurrency, and lists financial services among its targeted sectors.
Overview bullets generated by AI with editorial review.
A new phishing kit lets criminals hijack Microsoft 365 accounts without stealing any passwords, allowing bad actors to subvert multifactor authentication on software that many bankers use.
The FBI's Internet Crime Complaint Center described the kit, called Kali365, in a
The criminals behind phishing-as-a-service products rent them to other criminals on a subscription basis. In this case, Kali365's operators sell it on
Kali365, which surfaced in April, works by stealing the access token Microsoft issues when someone successfully logs in.
Whoever holds this access token can reach Outlook, Teams and OneDrive "without needing a password or completing any additional multifactor authentication challenges," the FBI said.
Federal regulators have spent years pushing banks to guard their systems with more than just passwords. In
That guidance governs how banks authenticate everyone who reaches their systems, including employees.
Kali365 works around this guidance, and financial services sit squarely on its target list. Arctic Wolf, a security firm that
Steal the token, skip the password
Kali365 relies on a technique called device-code phishing, which abuses a legitimate Microsoft feature.
Microsoft's device-code sign-in exists to enable signing in on gadgets that are awkward to type on, like smart TVs and printers. Microsoft issues a short code displayed on the gadget, and the user types that code into a browser on another device.
Kali365 exploits this convenience feature.
The codes are genuine ones from Microsoft. The attacker first starts a device-code login of its own, the same request a printer or smart TV would make, and Microsoft issues a valid code in response. The attacker then puts that code in the lure.
The FBI lays out four steps from there: The attacker emails a lure dressed up as a document-sharing service, carrying the code; the victim enters it on the real Microsoft login page, unknowingly authorizing the attacker's device; the attacker captures the access tokens that result; and the attacker is in.
Crucially, this login flow includes the multifactor check. After the user has entered the device code and their password, they complete the multifactor check (entering a texted code or clicking a prompt in a Microsoft app).
From Microsoft's side, the login appears as a user logging into Microsoft 365 from one of these awkward-to-type-on devices.
In reality, this authentication step has enabled Kali365 to grab the session token Microsoft hands out on a successful login. The second factor does its job, and the attacker walks in behind it.
The result, Arctic Wolf wrote in an April report, is "a threat actor-controlled session that is indistinguishable from legitimate user activity."
Why a $250 phishing kit is a bank problem
Kali365's makers rent the phishing kit for $250 a month, or $2,000 a year, paid in hard-to-trace cryptocurrency, according to Arctic Wolf. The firm describes a tiered operation of authors, resellers and affiliates.
Device-code phishing started as nation-state tradecraft. Microsoft
The same method now sells by subscription, and the skill barrier has collapsed.
It is not the only such kit. Microsoft
The FBI says Kali365 likewise ships with AI-generated lures and campaign templates.
The accounts at risk include those of bank employees; Kali365 hijacks the corporate Microsoft 365 mailboxes that bank staff use for work, not the logins customers use for online banking.
Cloud-based software such as email and office productivity is the most widely used kind of cloud service among financial firms, the
Microsoft 365 is the leading suite of that kind, according to
Microsoft's device-code sign-in is also smoother for
Once inside a mailbox, Arctic Wolf found, Kali365 operators create inbox rules that automatically file away and mark as read any message mentioning words such as "phish," hiding the break-in.
In some cases, the firm found, they register their own devices as trusted to keep a foothold.
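The inbox-rule behaviour Arctic Wolf describes is something a mailbox administrator can hunt for directly. The following is an added example, not code from the article, the FBI or Arctic Wolf: it triages an export of inbox rules for the "hide the break-in" pattern (a rule that matches security-related words and then marks, moves or deletes the message). It assumes the rules were exported to JSON with property names like those the Exchange Online Get-InboxRule cmdlet returns (Name, MailboxOwnerId, SubjectOrBodyContainsWords, BodyContainsWords, SubjectContainsWords, MarkAsRead, MoveToFolder, DeleteMessage); the sample rules and mailbox names are constructed.

```python
import json

# Words a compromised-mailbox rule typically filters on (assumed watch-list, extend as needed).
SUSPICIOUS_WORDS = {"phish", "hacked", "compromise", "suspicious", "security", "password", "mfa"}
# Folders where a filed-away message is unlikely to be noticed (assumed list).
QUIET_FOLDERS = ("rss", "junk", "deleted", "archive", "conversation history")

# Constructed sample export (not real rules); field names mirror Get-InboxRule properties.
SAMPLE_RULES = json.loads("""[
  {"MailboxOwnerId": "j.doe@bank.example", "Name": ".",
   "SubjectOrBodyContainsWords": ["phish", "hacked", "suspicious sign-in"],
   "MarkAsRead": true, "MoveToFolder": "\\\\RSS Feeds", "DeleteMessage": false},
  {"MailboxOwnerId": "a.smith@bank.example", "Name": "Newsletters",
   "SubjectContainsWords": ["newsletter"],
   "MarkAsRead": false, "MoveToFolder": "\\\\Newsletters", "DeleteMessage": false},
  {"MailboxOwnerId": "j.doe@bank.example", "Name": "Team mail",
   "BodyContainsWords": null,
   "MarkAsRead": true, "MoveToFolder": "\\\\Team", "DeleteMessage": false},
  {"MailboxOwnerId": "m.lee@bank.example", "Name": "a",
   "BodyContainsWords": ["password reset", "MFA"],
   "MarkAsRead": false, "MoveToFolder": null, "DeleteMessage": true}
]""")


def keyword_terms(rule):
    """Collect every keyword condition on the rule, lower-cased."""
    terms = []
    for field in ("SubjectOrBodyContainsWords", "BodyContainsWords", "SubjectContainsWords"):
        terms.extend(rule.get(field) or [])
    return [t.lower() for t in terms]


def security_keywords(rule):
    """Keyword conditions that overlap with the suspicious watch-list."""
    return [t for t in keyword_terms(rule) if any(w in t for w in SUSPICIOUS_WORDS)]


def hides_messages(rule):
    """True if the rule's actions would keep a matching message out of the user's sight."""
    if rule.get("DeleteMessage"):
        return True
    folder = (rule.get("MoveToFolder") or "").lower()
    if rule.get("MarkAsRead") and folder:
        return True
    return any(q in folder for q in QUIET_FOLDERS)


def triage(rules):
    """Return flagged rules: security keywords combined with a hiding action.

    Each finding is (mailbox, rule name, reasons). A one-character rule name is
    recorded as an extra reason because it is easy to overlook in a long list,
    but it never triggers a finding on its own.
    """
    findings = []
    for rule in rules:
        matched = security_keywords(rule)
        if not (matched and hides_messages(rule)):
            continue
        reasons = [f"filters on {matched}"]
        if rule.get("DeleteMessage"):
            reasons.append("deletes message")
        if rule.get("MarkAsRead"):
            reasons.append("marks as read")
        if rule.get("MoveToFolder"):
            reasons.append(f"moves to {rule['MoveToFolder']}")
        if len(rule.get("Name", "")) <= 1:
            reasons.append("near-empty rule name")
        findings.append((rule["MailboxOwnerId"], rule["Name"], reasons))
    return findings


if __name__ == "__main__":
    for mailbox, name, reasons in triage(SAMPLE_RULES):
        print(f"{mailbox}: rule {name!r}: " + "; ".join(reasons))
```

Run against a real export, the rules that match both tests are the ones to review with the mailbox owner and cross-check against recent sign-ins, since a legitimate user rarely has a reason to auto-hide mail about phishing or password resets.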
That kind of quiet, lasting access to an inbox is the setup for wire fraud and
Defenses exist. Better MFA is one of them.
The FBI's recommended defenses against Kali365 start with configuration changes.
The bureau urges companies to use conditional access policies, the rules that govern how users sign in, to block the device-code flow for all but a few business-critical accounts.
Audit existing use first, it says, and exempt emergency accounts so administrators don't lock themselves out.
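The sequence the FBI recommends (audit who uses the device-code flow, exempt business-critical and emergency accounts, block it for everyone else) and the sign-in pattern described earlier (a successful, MFA-satisfied login via the device-code flow) can both be worked through on sign-in log data. The following is an added example, not code from the article or from the FBI, Microsoft or Arctic Wolf. It assumes sign-in records exported as one JSON object per line using Microsoft Graph signIn field names (userPrincipalName, authenticationProtocol, where the device-code flow is reported as "deviceCode", ipAddress, appDisplayName, authenticationRequirement, conditionalAccessStatus); the sample records, accounts and addresses are constructed.

```python
import json
from collections import Counter

# Microsoft Graph signIn.authenticationProtocol value for the device-code flow (assumed field).
DEVICE_CODE = "deviceCode"
MFA = "multiFactorAuthentication"

# Constructed sample sign-in export, one JSON record per line (not real log data).
SAMPLE_SIGNINS = """\
{"userPrincipalName": "printer-svc@bank.example", "authenticationProtocol": "deviceCode", "ipAddress": "192.0.2.10", "appDisplayName": "Microsoft Office", "authenticationRequirement": "multiFactorAuthentication", "conditionalAccessStatus": "success"}
{"userPrincipalName": "j.doe@bank.example", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.23", "appDisplayName": "Microsoft Office", "authenticationRequirement": "multiFactorAuthentication", "conditionalAccessStatus": "success"}
{"userPrincipalName": "j.doe@bank.example", "authenticationProtocol": "none", "ipAddress": "203.0.113.5", "appDisplayName": "Outlook", "authenticationRequirement": "multiFactorAuthentication", "conditionalAccessStatus": "success"}
{"userPrincipalName": "a.smith@bank.example", "authenticationProtocol": "none", "ipAddress": "203.0.113.9", "appDisplayName": "Teams", "authenticationRequirement": "singleFactorAuthentication", "conditionalAccessStatus": "success"}
{"userPrincipalName": "breakglass@bank.example", "authenticationProtocol": "deviceCode", "ipAddress": "192.0.2.44", "appDisplayName": "Azure Portal", "authenticationRequirement": "multiFactorAuthentication", "conditionalAccessStatus": "success"}
"""


def parse_signins(text):
    """Parse a newline-delimited JSON export into a list of records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def device_code_signins(records):
    """Only the sign-ins that went through the device-code flow."""
    return [r for r in records if r.get("authenticationProtocol") == DEVICE_CODE]


def audit_device_code_use(records):
    """Step 1: count device-code sign-ins per account before blocking anything."""
    return dict(Counter(r["userPrincipalName"] for r in device_code_signins(records)))


def plan_block_policy(records, business_critical, emergency_accounts):
    """Step 2: exempt business-critical and emergency accounts, block the rest.

    Returns the exemption list for the conditional access policy and the
    accounts whose current use would be cut off, so owners can be consulted.
    """
    exempt = set(business_critical) | set(emergency_accounts)
    seen = set(audit_device_code_use(records))
    return {"exempt": sorted(exempt), "users_affected": sorted(seen - exempt)}


def flag_suspicious(records, business_critical, emergency_accounts):
    """Device-code sign-ins by accounts with no business reason to use the flow.

    Note that MFA and conditional access both report success: the login itself
    is genuine, which is exactly why the protocol, not the outcome, is the signal.
    """
    exempt = set(business_critical) | set(emergency_accounts)
    return [
        {"user": r["userPrincipalName"], "ip": r.get("ipAddress"),
         "app": r.get("appDisplayName"),
         "mfa_satisfied": r.get("authenticationRequirement") == MFA}
        for r in device_code_signins(records)
        if r["userPrincipalName"] not in exempt
    ]


if __name__ == "__main__":
    records = parse_signins(SAMPLE_SIGNINS)
    critical = ["printer-svc@bank.example"]
    emergency = ["breakglass@bank.example"]
    print("device-code use:", audit_device_code_use(records))
    print("policy:", plan_block_policy(records, critical, emergency))
    for f in flag_suspicious(records, critical, emergency):
        print("review:", f)
```

The same filter, run continuously over live sign-in data, is the detection counterpart of the block: once the policy is in place, any device-code sign-in outside the exemption list is a policy failure worth an alert in its own right.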
The Cybersecurity and Infrastructure Security Agency, or CISA,
Attackers can phish most second factors, including push notifications and texted codes, the agency says.
The ones they can't are
Those tie the login to the genuine website, so a stolen token is worthless. CISA calls this "phishing-resistant" authentication.
The regulatory bar is already moving that way. The
In its section on multifactor authentication, the FFIEC pointed banks toward cryptographic tools to guard against the "modification, replay, or bypass" of an authentication factor by a malicious actor.
Kali365 is a prime example. And it only costs criminals $250 a month.