A new hacking kit, called Kali365, targets Microsoft 365 users. This criminal tool can take control of an Outlook, Teams or OneDrive account without stealing a single password, and it renders two-factor authentication completely useless.
Since April 2026, a hacking platform called Kali365 has been gaining popularity in the cybercrime world. Promoted on Telegram channels, the platform is sold by subscription, starting at $250 per month or $2,000 per year. The tool is part of the PhaaS (Phishing-as-a-Service) trend: turnkey phishing kits that make life easier for cybercriminals.
Hundreds of attacks in a few weeks
With a subscription, any cybercriminal, even one without the slightest technical skill, can launch formidable phishing attacks designed to take control of Microsoft 365 accounts. The Kali365 toolbox includes phishing emails generated by artificial intelligence, automated campaign templates, real-time dashboards and, above all, a system for capturing sign-in tokens.
According to the warning issued by the FBI, hundreds of attacks have already been documented since April 2026. The targets include many organizations in North America and Europe that use Microsoft 365 in their operations. As Malwarebytes researchers, who relay the FBI’s warning, point out, the kit is mainly designed to compromise businesses, but it also represents a serious threat to “individual Microsoft 365 users”.
An official mechanism exploited by hackers
The attack begins with a fraudulent email. The email is disguised as a notification from a cloud service, such as a Teams document share, a OneDrive alert or a meeting invitation. The email contains a one-time code. The message asks the user to go to “microsoft.com/devicelogin” and enter the code. This is indeed an official Microsoft domain, without the slightest spelling error in the URL. This is where Kali365 proves particularly formidable and vicious. The kit does not use fake copies of the official Microsoft website. Instead, the hacking platform exploits an official and legitimate mechanism of the company.
When the user enters the code on the real Microsoft page, they are not signing in to their own account. Without realizing it, they are authorizing the attacker’s device to sign in to their Microsoft account. The trick relies on the device code authentication flow. It is a system Microsoft uses to connect devices that have no keyboard, such as a smart TV or a networked printer, to an online account. The device displays a code, the user enters it on their phone or PC, and the connection is established.
In this case, the attackers obtain such a code themselves and send it to the user by email, slipped into a fake notification. For its part, Microsoft sees nothing abnormal in the sign-in. In the eyes of the company’s servers, the operation is perfectly legitimate and simply shows that a user has connected a device to their Microsoft 365 account. Using the tools built into Kali365, the attacker then obtains an OAuth token, that is, a session access token, which opens the doors to Outlook, Teams and OneDrive. All the cloud applications connected to the account potentially end up in the hands of cybercriminals. The attacker can take advantage of this to “send phishing emails to colleagues, clients, friends or relatives from the victim’s account”, which widens the scope of the attack, warns Malwarebytes.
Two-factor authentication rendered useless
Against this type of cyberattack, a multi-factor authentication system is of no use at all. That protection is designed to prevent an attacker from signing in to your account in your place. But in Microsoft’s eyes, it is you yourself who granted the device access to your Microsoft 365 account. On paper, there is therefore no reason for Microsoft to request an additional sign-in code. Additional codes or authenticator apps “are no longer useful once the token has been compromised”, explains Malwarebytes.
How to protect yourself against Kali365?
In their warning last month, FBI agents recommended that Microsoft 365 users take strong measures to protect themselves against Kali365. The FBI advises blocking the device code authentication flow in the Microsoft admin center, via the conditional access policies in the Entra ID section. This option lets you disable or restrict the mechanism Kali365 uses to orchestrate its attacks.
For their part, Malwarebytes researchers advise never entering a “code on a Microsoft login page just because an email or message prompts you to do so”. If an email or message asks you to enter one when you have not initiated anything yourself, it is most likely a hacking attempt. Before confirming anything, always read each instruction carefully. It is also recommended to regularly check the devices connected to your account at “account.microsoft.com/devices”. If a device or session is unknown to you, remove it immediately and change the account password without delay.
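The two defender-side steps described above (the FBI's advice to block the device code flow through a conditional access policy, and reviewing which sign-ins actually used that flow) as an added example, not code from the article, the FBI or Malwarebytes. It assumes the Microsoft Graph conditional access schema with an authenticationFlows/transferMethods condition and the authenticationProtocol field of Entra sign-in log records; the log records themselves are constructed for illustration.

```python
"""Added example: a conditional access policy body that blocks the device
code flow, plus a scan of sign-in log records for device code sign-ins."""

# Assumed Graph schema: a policy POSTed to /identity/conditionalAccess/policies
# whose authenticationFlows condition matches the device code flow and whose
# grant control is "block". Exclusions (e.g. a break-glass group) are optional.
def block_device_code_policy(exclude_group_ids=()):
    return {
        "displayName": "Block device code flow",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"],
                      "excludeGroups": list(exclude_group_ids)},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }

# Constructed sample of Entra sign-in log records (subset of the real fields).
# A non-zero errorCode marks a failed sign-in; the code value is made up.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2",
     "appDisplayName": "Microsoft Teams", "ipAddress": "203.0.113.10",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "ipAddress": "198.51.100.7",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@example.com", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "ipAddress": "198.51.100.8",
     "status": {"errorCode": 50126}},
]

def device_code_signins(records, successful_only=True):
    """Return the sign-ins that used the device code flow. These are the
    events to review (which user, from which IP, into which app); once the
    blocking policy is enabled, new ones should no longer succeed."""
    hits = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        if successful_only and r.get("status", {}).get("errorCode", 0) != 0:
            continue
        hits.append(r)
    return hits

if __name__ == "__main__":
    for hit in device_code_signins(SAMPLE_SIGNINS):
        print("device code sign-in:", hit["userPrincipalName"], hit["ipAddress"])
```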