The Microsoft Phishing Scam That Gets Past Your 2FA
It's 9:47am on a Tuesday. You get an email that looks like it's from Microsoft — clean design, no typos, the right logo in the right place. It says you have a pending device verification and includes a code to enter at microsoft.com/devicelogin. So you go there. You complete your normal two-factor authentication. Microsoft says everything's fine.
You are not fine.
That code wasn't connecting a new device of yours. It was connecting a scammer's device. You just handed them persistent access to your Outlook, OneDrive, and Teams — without clicking a fake link, without entering your password on a phishing page, without doing anything that would have tripped your usual instincts.
On May 21, 2026, the FBI's Internet Crime Complaint Center issued a formal public service announcement warning about a phishing kit called Kali365 that makes exactly this attack available to anyone with $250 and a Telegram account. Security firms Arctic Wolf and Proofpoint documented hundreds of confirmed attacks in April alone, before most people had even heard of it.
What Kali365 Actually Is
Kali365 is a criminal subscription service — what the security industry calls Phishing-as-a-Service (PhaaS). You pay $250 for 30 days, and you get a full toolkit: AI-generated phishing emails that don't look like they were translated from Russian, campaign management dashboards, real-time tracking of who clicked what, and — the part that matters — automated OAuth token capture.
That last piece is what defeats two-factor authentication. Not by intercepting your verification code or stealing your password, and not by tricking Microsoft's servers either: they do exactly what the protocol says and issue the tokens to the client that requested the device code. The trick is that the client is the scammer's, and you are the one who approves it.
The people selling Kali365 specifically designed it for less-technical scammers. You don't need to understand how OAuth works to run a successful campaign with it. You just need to follow the template and wait.
It's sold on Telegram. Not the dark web. Regular Telegram.
Not sure if your message is real? Paste it into Cautellus and get a risk score before you reply.
Scan it free → Or get the Chrome extension to scan pages without leaving your browser.
How Device Code Phishing Actually Works
The attack exploits a legitimate Microsoft feature: the OAuth 2.0 device code flow, standardized as the device authorization grant in RFC 8628. Here's what that means in plain English:
When you log into Microsoft 365 from something without a normal keyboard or browser, such as an Xbox, a smart TV, a printer, or a command-line tool, Microsoft displays a short code and tells you to go to microsoft.com/devicelogin on a separate device to enter it. This is a real Microsoft feature, built for real purposes.
Kali365 weaponizes it. Here's the step-by-step:
Step 1: The scammer requests a device code from Microsoft using their own device. Microsoft answers with two values: a long device_code, which stays on the requesting device and is never shown to a person, and a short user_code meant to be typed by a human. Both are genuine, generated by Microsoft's servers; nothing about them is forged.
Step 2: They send you a phishing email that looks like a Microsoft security alert, a shared document notification, or a Teams message. The email includes that device code and instructions to visit microsoft.com/devicelogin to verify your account.
Step 3: You go to the real Microsoft website — there's nothing fake about the URL. You enter the code. You complete your MFA challenge. Microsoft's servers confirm the authentication.
Step 4: Microsoft's token endpoint hands the access token and a refresh token to whichever client presents the matching device_code. That client has been polling for them the whole time, and it is the scammer's, not yours. The protocol never asks whether the person who typed the user_code is the same person who requested it.
You did everything right. Your two-factor authentication worked exactly as designed. The scammer now has access to your Microsoft account with no password and no MFA prompt. Two timings matter here. The user_code itself is only valid for a short window (about 15 minutes by default in Microsoft's flow), which is why the lure pushes you to act at once. And while the access token expires in about an hour, the refresh token issued with it can be exchanged for fresh ones until it expires or is revoked, so the access can last far longer than a few days unless you cut it off.
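The four steps above, played out against a mock authorization server. This is an added example, not code from the article or from the Kali365 kit; the server class stands in for login.microsoftonline.com, runs entirely offline, and the lifetimes, the user_code format and the scope string are stated assumptions. What it shows is the structural point of step 4: the token endpoint answers whoever holds the device_code, and nothing in the protocol ties that party to the person who typed the user_code.

```python
"""Mock of the OAuth 2.0 device authorization grant (RFC 8628) as used by Microsoft's
/devicelogin flow. Everything runs offline; MockAuthServer stands in for
login.microsoftonline.com and the lifetimes below are stated assumptions."""
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

DEVICE_CODE_LIFETIME = 900     # seconds a user_code stays valid; 15 min is Entra ID's default (assumption)
ACCESS_TOKEN_LIFETIME = 3600   # illustrative access-token lifetime in seconds
VERIFICATION_URI = "https://microsoft.com/devicelogin"


@dataclass
class PendingAuth:
    device_code: str            # long secret, never shown to a human; kept by the requesting client
    user_code: str              # short code a human types at VERIFICATION_URI
    client_id: str
    created_at: float
    approved_by: Optional[str] = None
    redeemed: bool = False


class MockAuthServer:
    """Stand-in for the authorization server. The clock is injectable so expiry can be tested."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock
        self._by_device: Dict[str, PendingAuth] = {}
        self._by_user: Dict[str, str] = {}

    def device_authorization(self, client_id: str, scope: str) -> dict:
        """Step 1: the requesting client asks for a code pair (user_code format is illustrative)."""
        pa = PendingAuth(
            device_code=secrets.token_urlsafe(32),
            user_code=f"{secrets.token_hex(2).upper()}-{secrets.token_hex(2).upper()}",
            client_id=client_id,
            created_at=self.clock(),
        )
        self._by_device[pa.device_code] = pa
        self._by_user[pa.user_code] = pa.device_code
        return {"device_code": pa.device_code, "user_code": pa.user_code, "scope": scope,
                "verification_uri": VERIFICATION_URI, "expires_in": DEVICE_CODE_LIFETIME, "interval": 5}

    def _expired(self, pa: PendingAuth) -> bool:
        return self.clock() - pa.created_at > DEVICE_CODE_LIFETIME

    def approve(self, user_code: str, username: str, mfa_ok: bool) -> str:
        """Step 3: a person types the user_code at the real site and completes login + MFA.
        Note what is NOT checked: whether this person is the one who requested the code."""
        device_code = self._by_user.get(user_code.strip().upper())
        if device_code is None:
            return "unknown_code"
        pa = self._by_device[device_code]
        if self._expired(pa):
            return "expired_code"
        if not mfa_ok:
            return "mfa_failed"
        pa.approved_by = username
        return "approved"

    def token(self, device_code: str) -> dict:
        """Step 4: the token endpoint, polled by whoever holds the device_code."""
        pa = self._by_device.get(device_code)
        if pa is None or pa.redeemed:
            return {"error": "invalid_grant"}
        if self._expired(pa):
            return {"error": "expired_token"}
        if pa.approved_by is None:
            return {"error": "authorization_pending"}   # RFC 8628: keep polling every `interval` seconds
        pa.redeemed = True
        return {"token_type": "Bearer", "expires_in": ACCESS_TOKEN_LIFETIME,
                "access_token": secrets.token_urlsafe(24), "refresh_token": secrets.token_urlsafe(24),
                "subject": pa.approved_by, "client_id": pa.client_id}


def walkthrough() -> dict:
    """Plays the four steps with two different parties: the client that requested the code
    and the person who entered it. Returns the facts the article's step 4 rests on."""
    server = MockAuthServer()
    grant = server.device_authorization(client_id="initiating-client", scope="openid offline_access Mail.Read")
    # Step 2: only these two values need to reach the person being lured; device_code never leaves the requester.
    lure = {"user_code": grant["user_code"], "verification_uri": grant["verification_uri"]}
    before = server.token(grant["device_code"])          # polling before anyone has approved
    status = server.approve(lure["user_code"], username="victim@example.com", mfa_ok=True)
    tokens = server.token(grant["device_code"])          # same caller, now holding the victim's tokens
    return {"pending_error": before["error"], "approval": status,
            "token_subject": tokens["subject"], "token_client_id": tokens["client_id"],
            "has_refresh_token": "refresh_token" in tokens}


def expired_code_walkthrough() -> str:
    """Same flow, but the code is entered after DEVICE_CODE_LIFETIME: the window the lure's urgency works against."""
    fake_now = [0.0]
    server = MockAuthServer(clock=lambda: fake_now[0])
    grant = server.device_authorization(client_id="initiating-client", scope="openid")
    fake_now[0] = DEVICE_CODE_LIFETIME + 1
    return server.approve(grant["user_code"], username="victim@example.com", mfa_ok=True)


if __name__ == "__main__":
    print(walkthrough())
    print(expired_code_walkthrough())
```

Run it and the token response names the victim as subject but the requesting client as holder; `expired_code_walkthrough()` shows that a code entered too late is simply refused, which is why the lures lean so hard on "now".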
Why This One Is Harder to Spot Than Regular Phishing
I'll be honest: this attack is specifically designed to be invisible to the safety habits you've already built. The whole reason it works is that there's nothing standard advice will catch.
You check the URL — microsoft.com/devicelogin. It's real.
You look for typos — Kali365 uses AI-generated lures. They're cleaner than most.
You complete your MFA challenge — that's the step that harms you.
Compare this to the fake invitation email scam that spread in May: that one at least required you to enter credentials on a fraudulent page. Standard phishing gets you to give something to a fake site. Kali365 gets you to authorize something on a genuine Microsoft page — a completely different threat model.
The only thing to catch is in the email that starts the whole chain. And that's where you need to focus.
The Red Flags Hiding in Plain Sight
The attack has tells — they're just earlier in the process than most people look.
You didn't ask for a device code. This is the big one. Device codes come from device screens, not from email. If you weren't in the middle of connecting a new device to your Microsoft account, any email telling you to enter a device code is a scam — regardless of how legitimate the rest looks.
The sender domain isn't exactly right. Real Microsoft mail comes from microsoft.com or a subdomain of it; account security alerts, for example, come from account-security-noreply@accountprotection.microsoft.com. Scammers use lookalikes such as microsoft-security.com, account-microsoft.co, or microsft.com, and sometimes a domain that merely begins with microsoft.com (microsoft.com.some-other-site.net is not Microsoft). Check the actual from address, not the display name, which the sender can set to anything.
There's urgency language. "Action required." "Your account will be suspended." "Verify immediately to avoid losing access." Microsoft's legitimate system notifications don't typically threaten account loss out of nowhere. That urgency is the scammer trying to get you to act before you think, and there is a mechanical reason for it too: a device code is only valid for a short window (about 15 minutes by default in Microsoft's flow), so the lure has to get you to the site at once.
The email tells you where to enter the code. Legitimate device codes appear on the screen of the device you're setting up. If the instructions came via email, the code came from a scammer.
You don't recognize the context. You weren't setting up a new device. You haven't added any new apps. Nothing should have triggered a verification request. An out-of-nowhere "security verification" email is always worth a pause.
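The tells above, turned into a small triage script. This is an added example, not Cautellus code and not from the article; the two sample messages are constructed, the urgency phrase list is illustrative, and the DMARC check simply looks for `dmarc=pass` in whatever Authentication-Results header your mail provider stamped on the message (if there is none, that check is skipped). The domain check deliberately matches the suffix rather than looking for the substring "microsoft.com", which is how lookalikes such as microsoft.com.some-other-site.net get caught.

```python
"""Triage a suspected Microsoft device code lure against the red flags in the article.
Added example; the sample messages at the bottom are constructed, not real captures."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Real Microsoft mail comes from microsoft.com or one of its subdomains
# (account alerts use accountprotection.microsoft.com). Match the suffix, never a substring.
MICROSOFT_DOMAIN = "microsoft.com"

URGENCY_PHRASES = ("action required", "will be suspended", "verify immediately",
                   "avoid losing access", "within 24 hours")   # illustrative list; extend as needed


def sender_domain(from_header: str) -> str:
    """Domain of the real address, ignoring the display name (which the sender controls)."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower().rstrip(".")


def sender_is_microsoft(from_header: str) -> bool:
    d = sender_domain(from_header)
    # rejects microsoft-security.com, microsft.com and microsoft.com.<anything-else>
    return d == MICROSOFT_DOMAIN or d.endswith("." + MICROSOFT_DOMAIN)


def _plain_text(msg: Message) -> str:
    """Collect the text/plain parts; HTML-only mail yields an empty body here."""
    if msg.is_multipart():
        return "\n".join(_plain_text(part) for part in msg.get_payload())
    if msg.get_content_type() != "text/plain":
        return ""
    raw = msg.get_payload(decode=True) or b""
    return raw.decode(msg.get_content_charset() or "utf-8", errors="replace")


def triage(raw_email: str) -> dict:
    msg = message_from_string(raw_email)
    flags = []
    from_header = msg.get("From", "")
    if not sender_is_microsoft(from_header):
        flags.append(f"sender domain is {sender_domain(from_header) or '(none)'}, not microsoft.com")
    auth = msg.get("Authentication-Results", "")
    if auth and not re.search(r"\bdmarc=pass\b", auth, re.I):
        flags.append("message did not pass DMARC for its From domain")
    text = (msg.get("Subject", "") + "\n" + _plain_text(msg)).lower()
    emailed_code = bool(re.search(r"devicelogin|device\s+code", text))
    if emailed_code:
        flags.append("asks you to enter a device code; real codes appear on a device screen, never in mail")
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        flags.append("urgency language: " + ", ".join(hits))
    if emailed_code:            # the article's rule: an emailed device code is a scam on its own
        verdict = "scam"
    elif flags:
        verdict = "suspicious"
    else:
        verdict = "no red flags (still go to account.microsoft.com yourself rather than via the mail)"
    return {"verdict": verdict, "flags": flags}


# Constructed sample: a lure in the shape the article describes.
LURE = """From: "Microsoft Security" <no-reply@microsoft-security.com>
To: you@example.com
Subject: Action required: pending device verification
Authentication-Results: mx.example.com; spf=pass; dkim=none; dmarc=fail
Content-Type: text/plain; charset=utf-8

A new device is waiting to be verified. Enter this code at
https://microsoft.com/devicelogin within 15 minutes or your account will be suspended.

Your code: ABCD-EFGH
"""

# Constructed sample: a routine notice from a real Microsoft subdomain that asks nothing of you.
BENIGN = """From: Microsoft account team <account-security-noreply@accountprotection.microsoft.com>
To: you@example.com
Subject: Your monthly sign-in activity summary
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain; charset=utf-8

Here is a summary of recent sign-in activity on your account.
"""

if __name__ == "__main__":
    for name, sample in (("lure", LURE), ("benign", BENIGN)):
        print(name, triage(sample))
```

Paste a saved .eml into `triage()` and read the flags; a "scam" verdict comes from the device code ask alone, exactly as the first red flag above says it should, and the domain and DMARC checks are there to catch lures that never mention a code.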
If you're not sure whether a Microsoft email is legitimate, the fastest check is to scan it before clicking anything — sender domain analysis and urgency flagging are exactly the kind of signals Cautellus surfaces.
If This Already Happened to You
Look — if you entered a device code from an email, you didn't do something stupid. This was designed to fool people who pay attention. Here's what to do now, in order:
1. Sign into your Microsoft account directly. Type account.microsoft.com into your browser yourself — don't use any link from any email. Go to Security → Sign-in activity.
2. Terminate active sessions. Use the "Sign out everywhere" option on that page. This is what cuts off the scammer's tokens, but Microsoft warns it can take up to 24 hours to reach every device, so do the remaining steps too. If this is a work or school account, a plain sign-out is not enough on its own: ask your admin to revoke your sessions in Microsoft Entra, which invalidates the refresh tokens the scammer holds.
3. Change your Microsoft password. Even though the scammer didn't steal your password, a full reset is the right move here.
4. Check your Sent folder and Deleted Items. Scammers with Outlook access often immediately forward the attack to your contacts, then delete the sent copies to hide it. If they did, warn your contacts now.
5. Review email forwarding rules. A common post-compromise move is setting up a rule that silently forwards your incoming email to a scammer-controlled address. In Outlook on the web, check Settings → Mail → Rules and, separately, Settings → Mail → Forwarding, and delete anything you didn't create.
6. Audit connected apps and devices. For a personal account this lives under Privacy → "Apps and services that can access your data" and under Devices; revoke access for any app or device you don't recognize.
7. File a report with the FBI. The IC3 is actively collecting Kali365 reports at ic3.gov. Include the phishing email headers, the device code you received, and any suspicious login timestamps from your sign-in activity log.
For the full post-compromise checklist, the account takeover recovery guide covers what to do when your email has been turned against your contacts.
How to Not Be the Next Victim
Two-factor authentication is still worth having. This attack doesn't invalidate all MFA everywhere — it exploits one specific Microsoft authentication flow. Here's how to protect your account against this particular threat:
Treat any emailed device code as a scam. Device codes come from device screens. Full stop. This one rule catches Kali365 completely.
Consider switching to passkeys or a hardware security key, but know what they do and don't stop. FIDO2 hardware keys (like YubiKey) and Microsoft passkeys are cryptographically bound to the real domain, so a lookalike site can never collect a usable credential from you; that kills most ordinary phishing. They do not stop device code phishing, because here the sign-in happens on the genuine Microsoft site, and a passkey approval authorizes the scammer's code just as a six-digit code would. Against this flow the control is not a stronger factor but never entering an emailed code. (Organizations running Microsoft 365 can go further: Microsoft Entra Conditional Access has an authentication flows condition that can block the device code flow for users who have no business using it.) Microsoft supports passkeys on personal accounts now; it's about two minutes to set up in your account security settings.
Do a quarterly account audit. Every few months, open your Microsoft account security page and look at what devices and apps have access. Two minutes of review can catch unauthorized sessions before they become a months-long problem.
Be skeptical of Microsoft emails that ask you to act. That's not paranoia — it's just how the threat works right now. If an email from "Microsoft" wants you to enter a code, click a link, or verify something, navigate directly to Microsoft's website yourself rather than following the email's path.
If you get a suspicious Microsoft email and you're not sure, check it for phishing signs before you do anything with it. Cautellus checks sender domains against 10,000+ confirmed scam entities and flags manipulation patterns — urgency, impersonation, known malicious infrastructure — in under 30 seconds.
Scammers get smarter. So should we.
Got something like this in your inbox? Drop it into the scanner — it takes 5 seconds and could save you thousands.
Check it now → Already been scammed? See where and how to report it.
FAQ
Q: Does this attack only target businesses, or can personal Microsoft accounts be hit? The FBI documented attacks on organizations — manufacturing, education, government, financial services, healthcare — but the Kali365 technique works on any Microsoft account, including personal Outlook.com, Hotmail, and Microsoft 365 personal and family subscriptions. If you have a Microsoft account, this attack can reach you.
Q: My two-factor authentication is supposed to protect me. Why didn't it work? It did work, just for the wrong person. Kali365 exploits a legitimate Microsoft authentication flow in which you complete MFA on Microsoft's real website, and the resulting tokens go to the client that requested the code from Microsoft, not to the person who typed it in. Since the scammer's device requested it, the scammer got the tokens. The fix isn't turning off 2FA; it's knowing that device codes should only come from device screens, never from emails.
Q: What does the scammer actually get access to once they have my tokens? Whatever the tokens' permissions cover, which for a kit like this means the things connected to your Microsoft account: Outlook email, OneDrive files, Teams conversations, and Microsoft 365 apps. The access token itself lasts only about an hour, but it comes with a refresh token that can be exchanged for new ones without a fresh login or MFA prompt until it expires or is revoked. That is why signing out everywhere matters more than waiting the tokens out.
Q: How can I tell if my account was already compromised?
Go to account.microsoft.com → Security → Sign-in activity. Look for unfamiliar devices, apps, or login locations. Also check your Sent folder for emails you didn't write and your inbox rules for any forwarding rules you didn't create.
Q: Is $250 really all it costs for scammers to run this? Per the FBI and documented Telegram listings, yes — $250 for 30 days of Kali365 access. That includes AI-generated phishing templates, campaign management, and the token capture infrastructure. This is why the FBI flagged it: it puts a technically sophisticated attack in reach of scammers who couldn't have pulled it off before.
Q: What's the single most important thing I can do to protect my Microsoft account? Never enter a Microsoft device code that arrived in an email. Device codes appear on device screens, period. That one rule blocks Kali365 completely. Passkeys and FIDO2 hardware keys are still worth switching to because they stop lookalike-site phishing outright, but they do not stop this particular flow, since it completes on the real Microsoft site; the rule above is the control here.
Sources: FBI IC3 PSA260521 — Kali365 Phishing-as-a-Service Kit Hijacks Microsoft 365 Access Tokens (May 21, 2026); Arctic Wolf; Proofpoint
Think you've been targeted? Paste any text, link, email, or screenshot into Cautellus for instant AI analysis.
Scan something free → Want unlimited scans + the Chrome extension? See pricing.
Courtney
Founder, Cautellus · 20+ years in financial services
Two decades in financial compliance, digital security, and fraud prevention. Built Cautellus because the scam detection tools that exist were made for IT departments, not for real people getting weird texts.