Kali365

How Kali365 Works Around MFA and Grants Attackers Microsoft 365 Access

The FBI has reported a new phishing-as-a-service kit that’s making the rounds, and this one is a doozy. Known as Kali365, this tool lets hackers bypass multi-factor authentication (MFA) in Microsoft 365 without ever needing to steal passwords.

MFA is one of the most effective and widely recommended ways to secure online accounts, stopping up to 99% of account-based attacks. So when an attack has a workaround for this critical security feature, it’s worth paying attention to.

Here’s what you need to know:

Convenient Logins Manipulated

Have you ever linked one of your accounts, such as Google or YouTube, to a Smart TV, but instead of typing a password, you just entered a short code or approved a prompt?

This is called device-code login. It’s a quick and easy way to connect your device without repeatedly entering your password or MFA prompts, especially when you don’t have access to a computer or keyboard. When used correctly, it’s convenient and secure.

However, attackers have learned how to exploit this process to trick users into approving logins they didn’t intend to grant.

It’s this exact technology that Kali365 takes advantage of.

Kali365 In Action

You receive an email. Someone is trying to share a document with you through DocuSign. All you need to do is follow the verification steps included in the email.

What you don’t realize is that this is a phishing email, and right now a hacker is actively trying to get access to your Microsoft account.

On the attacker’s side, they’ve started a real Microsoft device-code login process. Microsoft generates a temporary 8-digit code tied to that login attempt and tells them:

“Enter this code on a Microsoft sign-in page to continue.”

That code is what links their session to the pending sign-in – similar to when you sign into an app on your smart TV using a code instead of a password.

The hacker then takes that real code and disguises it in the fake DocuSign email.

To you, it just looks like a normal verification step. You click “Open,” and you’re taken to a legitimate Microsoft verification page. It looks official because it is a real Microsoft website. But instead of verifying a document, you’re actually completing the hacker’s login request for them.

You type in the code, hit submit, and boom – you just granted a hacker access to your account.

On Microsoft’s side, nothing looks wrong. The request appears legitimate, so it approves the login as if it were you. No password was stolen, and MFA was considered successful. You simply approved a session without knowing it.

Even worse, once access is granted, the hacker can maintain persistent access to your account. They won’t need to log in again as long as that access remains active.

And that’s exactly what makes this so dangerous.

Why Kali365 Makes Things Worse

What makes this attack especially dangerous is how easy it is for attackers to use.

Tools like Kali365 are part of what’s called phishing-as-a-service – subscription-based hacking tools. Instead of needing advanced skills, attackers can pay for access and get premade, ready-to-go phishing kits.

These platforms can include:

  • Pre-built phishing pages that look like legitimate login screens.
  • Automated campaign tools to send out phishing emails with fake login links.
  • Dashboards that track who clicked and who entered codes.
  • AI-generated messages designed to trick users into clicking.

In the past, these types of attacks required technical expertise and years of experience. Now, they can be run by almost anyone willing to pay for them.

How to Stay Safe

Kali365 is a powerful phishing kit, but there are a few ways you can keep your business safe:

  • Work with your IT team to limit unnecessary device-code logins and tighten account security settings.
  • Be cautious with unexpected sign-in prompts, even if they look like they’re from Microsoft.
  • Never copy or enter verification codes unless you are certain the request is legitimate.
  • When in doubt, verify through a separate channel by going directly to official websites.
  • Report any phishing email or suspicious login attempts to your IT team or file a complaint with the Internet Crime Complaint Center (IC3).

Moral of the Story

Kali365 is dangerous because it uses legitimate Microsoft login requests to trick users into handing over account access.

The safest defense is to slow down, question verification prompts, and never grant sign-in access to anything you aren’t 100% confident about.

At The 20 MSP, we help organizations stay secure by handling the backend engineering – like blocking unauthorized device-code flow entirely – while also training your team to recognize and avoid these threats before they succeed.

If you’re looking for a security partner, let’s talk. Working together is the most effective way to stay ahead of modern phishing attacks.

FAQ

What is device-code authentication?

It’s a login method commonly used for devices like smart TVs, streaming devices, and apps that make typing passwords difficult. Users enter a code on another device and complete the login process more easily.

How does Kali365 get around MFA?

Kali365 abuses device-code authentication by disguising this login code in a phishing email, specifically as if it were part of a normal verification step. The user thinks they are verifying a document, but they are actually granting the attacker access to their account by entering the device code.

How can I protect my business from attacks like this?

The best defense is to limit unnecessary device-code authentication, implement stronger access policies, train employees to recognize phishing attempts, and monitor for suspicious sign-in activity.
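One way to act on the "monitor for suspicious sign-in activity" advice above (and the earlier point about limiting device-code logins) is to hunt exported sign-in logs for completed device-code authentications by accounts that have no business using that flow. This is an added example, not code from the original post or from The 20 MSP; it assumes the field names of the Microsoft Entra sign-in log schema (userPrincipalName, appDisplayName, ipAddress, authenticationProtocol), and the log records below are constructed sample data.

```python
"""Hunt for device-code sign-ins in an exported Entra ID sign-in log.

Added example, not code from the original post. Field names follow the
Entra sign-in log schema as assumed here; the records are constructed."""
import json

# Constructed JSON-lines export: one normal login, one device-code login
# approved by an ordinary user, one by an expected device account, one failure.
SAMPLE_SIGNIN_LOG = """
{"createdDateTime":"2024-05-01T13:02:11Z","userPrincipalName":"jsmith@example.com","appDisplayName":"Microsoft Office","ipAddress":"203.0.113.10","authenticationProtocol":"oAuth2","status":{"errorCode":0}}
{"createdDateTime":"2024-05-01T13:05:40Z","userPrincipalName":"jsmith@example.com","appDisplayName":"Microsoft Authentication Broker","ipAddress":"198.51.100.23","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
{"createdDateTime":"2024-05-01T13:09:02Z","userPrincipalName":"meetingroom-4b@example.com","appDisplayName":"Microsoft Teams Rooms","ipAddress":"203.0.113.44","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
{"createdDateTime":"2024-05-01T13:12:55Z","userPrincipalName":"adoe@example.com","appDisplayName":"Microsoft Office","ipAddress":"203.0.113.10","authenticationProtocol":"deviceCode","status":{"errorCode":50126}}
"""

# Accounts expected to use the device-code flow (e.g. conference-room devices).
EXPECTED_DEVICE_CODE_USERS = {"meetingroom-4b@example.com"}


def parse_signins(text):
    """Parse a JSON-lines export into a list of sign-in records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_suspicious_device_code_signins(records, expected_users=EXPECTED_DEVICE_CODE_USERS):
    """Return successful device-code sign-ins by accounts not expected to use the flow.

    A successful device-code login by an ordinary user is what the Kali365 lure
    produces: the victim entered the attacker's code, so the attacker's session
    was authorized. Failed attempts (non-zero errorCode) are skipped; they are not
    a compromise, though a burst of them can indicate a campaign in progress.
    """
    hits = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        if r.get("status", {}).get("errorCode", 0) != 0:
            continue
        if r.get("userPrincipalName", "").lower() in expected_users:
            continue
        hits.append({"time": r["createdDateTime"], "user": r["userPrincipalName"],
                     "app": r["appDisplayName"], "ip": r["ipAddress"]})
    return hits


if __name__ == "__main__":
    for h in find_suspicious_device_code_signins(parse_signins(SAMPLE_SIGNIN_LOG)):
        print(f"{h['time']} {h['user']} via {h['app']} from {h['ip']}: review, revoke sessions")
```

Each hit is a session that should be reviewed and, if the user did not knowingly sign in a device, revoked; the allowlist keeps legitimate device accounts out of the alert stream.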

About The 20 MSP

As a leading provider of managed IT services, The 20 MSP serves thousands of businesses nationwide, providing each one with white-glove service, secure and streamlined IT infrastructure, and 24/7/365 support. We believe in building lasting relationships with clients founded on trust, communication, and the delivery of high-value services for a fair and predictable price. Our clients’ success is our success, and we are committed to helping each and every organization we serve leverage technology to secure a competitive advantage and achieve new growth.