Kali365: The Phishing Kit That Walks Past Your MFA
Published June 17, 2026
In April 2026, security researchers and the FBI started tracking a new criminal service called Kali365. It is sold as a subscription on Telegram, and it does something that should worry every business owner who runs on Microsoft 365: it takes over accounts without stealing anyone's password and without breaking through multi-factor authentication.
If your reaction is "we're fine, we have MFA turned on" — that is exactly the assumption this attack is built to exploit.
The short version
Kali365 is "phishing-as-a-service." For a monthly fee, a criminal with almost no technical skill gets AI-written phishing emails, ready-made templates, a live dashboard tracking their victims, and the tooling to hijack Microsoft 365 sessions. It lowers the bar so far that you no longer need a sophisticated attacker to be a target — you just need an employee with an inbox.
The reason it slips past MFA is that the victim does the authorising themselves, on a genuine Microsoft page.
How the scam actually works
The clever, and frankly nasty, part is that there is no fake login page to spot.
- The lure. An employee gets an email that looks like a normal file-sharing or document notification. It contains a short code and asks them to go to a real Microsoft verification page and enter it.
- The "verification." They visit the genuine microsoft.com page — the real one, correct address, valid certificate, everything — and type in the code.
- The hand-over. That code doesn't verify them. It authorises the attacker's device to sign in as them. The employee has just handed over the keys without realising it.
- Persistent access. The attacker now has a valid session token for Outlook, Teams, and OneDrive. No password needed. No further MFA prompt. They can read mail, download files, and impersonate the person — and they keep that access until someone actively revokes it.
The usual advice we all give staff — "check the web address is really Microsoft before you log in" — does not catch this, because the page genuinely is Microsoft.
Why "we have MFA" isn't the answer here
MFA is still essential, and you should absolutely keep it on. But MFA protects you when someone tries to log in as you. This attack never does that. It tricks your employee into approving a sign-in that's already happening on the criminal's machine.
It's the difference between someone trying to pick your front-door lock and someone calling you up, sounding official, and persuading you to read out the code that opens it. The lock works perfectly. It just wasn't the thing being attacked.
That's why the only durable defence is a combination of a configuration change in Microsoft 365 and people who recognise the trick.
What to do this week
Three things, in plain terms:
- Tell your team about device codes — today. The rule is simple: if you didn't just start signing in to something on a new device, never enter a code that arrives by email or message. A code you didn't ask for is a red flag, full stop.
- Ask your IT supplier to lock down "device code sign-in." This is the single most effective fix and most businesses don't need this feature at all. Details for them are below.
- Check who's actually signed in. Have someone review active sessions and registered devices on key accounts (finance, leadership, anyone with broad access) and sign out anything unfamiliar.
For your IT supplier
Pass this section to whoever administers your Microsoft 365 tenant:
- Create a Conditional Access policy that blocks device code flow for all users, with narrow, documented exceptions only where a real business process depends on it.
- Audit current device code flow usage first so you don't break a legitimate workflow when you turn it off.
- Block authentication transfer to stop sign-ins being moved from a computer to a mobile device.
- Exclude break-glass / emergency access accounts from the block so an over-tight policy can't lock you out of your own tenant.
None of this requires new software — it's configuration you already own.
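For the administrator doing the work, the list above (audit first, block device code flow and authentication transfer, keep break-glass accounts out of the policy) and the "check who's actually signed in" step from the previous section can be carried out with the Microsoft Graph PowerShell SDK. The script below is an added example for this post; it is not ExposureIndex tooling and not something the original article shipped. It assumes the Microsoft.Graph modules are installed, that the signed-in administrator can consent to the listed permission scopes, and that $BreakGlassUserIds is replaced with the object IDs of your own emergency access accounts (the value shown is a placeholder). Property and parameter names follow the Graph conditionalAccessPolicy and signIn resources; check them against the SDK version you have installed before running it against production.

```powershell
# Added example (not the original post's or ExposureIndex's code).
# Assumptions: Microsoft.Graph modules installed; admin can consent to the scopes below;
# $BreakGlassUserIds replaced with real break-glass account object IDs.
param(
    [string[]]$BreakGlassUserIds = @("<break-glass-account-object-id>"),  # placeholder
    [int]$LookbackDays = 30
)

Connect-MgGraph -Scopes @(
    "Policy.Read.All",
    "Policy.ReadWrite.ConditionalAccess",
    "AuditLog.Read.All",
    "Directory.Read.All",
    "User.RevokeSessions.All"
)

# Step 1: audit. Find every sign-in that used the device code protocol so you know
# which users, apps and source IPs depend on it before the block goes live.
# Filtering is done client-side to avoid relying on server-side $filter support
# for authenticationProtocol; narrow -Days if your tenant's sign-in volume is large.
function Get-DeviceCodeSignIns {
    param([int]$Days)
    $since = (Get-Date).AddDays(-$Days).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
    Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
        Where-Object { $_.AuthenticationProtocol -eq "deviceCode" } |
        Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName, IpAddress,
                      @{ n = "Country"; e = { $_.Location.CountryOrRegion } },
                      @{ n = "ErrorCode"; e = { $_.Status.ErrorCode } }
}

# Step 2: create the Conditional Access policy in report-only mode. It is evaluated
# and logged against real sign-ins but blocks nothing yet, so a forgotten workflow
# shows up in the logs instead of as an outage.
function New-DeviceCodeBlockPolicy {
    param([string[]]$ExcludeUserIds)
    $body = @{
        displayName   = "Block device code flow and authentication transfer"
        state         = "enabledForReportingButNotEnforced"
        conditions    = @{
            users = @{
                includeUsers = @("All")
                excludeUsers = $ExcludeUserIds      # break-glass accounts stay outside the block
            }
            applications   = @{ includeApplications = @("All") }
            clientAppTypes = @("all")
            # Flags value covering both transfer methods named in the post.
            authenticationFlows = @{ transferMethods = "deviceCodeFlow,authenticationTransfer" }
        }
        grantControls = @{
            operator        = "OR"
            builtInControls = @("block")
        }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# Step 3: enforce, once the report-only results show no legitimate device code use
# outside the documented exceptions.
function Enable-DeviceCodeBlockPolicy {
    param([string]$PolicyId)
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $PolicyId `
        -BodyParameter @{ state = "enabled" }
}

# Step 4: review a key account. List its registered devices for a human to eyeball,
# then revoke its sign-in sessions so any token the attacker holds can no longer be
# refreshed. The user will be prompted to sign in again on every device.
function Invoke-SuspectAccountReview {
    param([string]$UserPrincipalName)
    Get-MgUserRegisteredDevice -UserId $UserPrincipalName |
        Select-Object @{ n = "Device"; e = { $_.AdditionalProperties.displayName } },
                      @{ n = "OS";     e = { $_.AdditionalProperties.operatingSystem } } |
        Format-Table -AutoSize
    Revoke-MgUserSignInSession -UserId $UserPrincipalName
}

# Usage: audit, then create the policy in report-only mode.
Get-DeviceCodeSignIns -Days $LookbackDays | Format-Table -AutoSize
$policy = New-DeviceCodeBlockPolicy -ExcludeUserIds $BreakGlassUserIds
Write-Host "Created policy $($policy.Id) in report-only mode."
Write-Host "After checking the report-only results, run: Enable-DeviceCodeBlockPolicy -PolicyId $($policy.Id)"
Write-Host "For a suspect account, run: Invoke-SuspectAccountReview -UserPrincipalName user@yourdomain.example"
```

The order matters: run the audit and the report-only policy for a week or two, read the report-only sign-in results, and only then call Enable-DeviceCodeBlockPolicy. Revoking sessions is the one step that is safe to do immediately for any account you are worried about, since it costs the user nothing more than signing in again.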
Where ExposureIndex fits
To be straight with you: this is a token-theft attack, not a password theft. So leaked-password monitoring won't catch it, and there's no scanner that "blocks" it for you. The two things that actually move the needle are the M365 setting above and your people's instincts — and the second one is where we help.
- Phishing simulation. We can run a realistic device-code lure against your own team and show you, with names and numbers, who would have entered the code. It turns "we trained everyone" into evidence.
- Security awareness training. Short, plain-language training that builds the one reflex this attack relies on people not having.
- Pro advisory. If you're on the Pro plan, you get two hours a month with us — a sensible place to sit down with your IT supplier and confirm the Conditional Access change is done right.
The honest summary: the configuration fix closes the door, and testing your people keeps it closed.
Bottom line
Kali365 makes a serious account takeover available to unskilled criminals on a subscription, and it's designed specifically to make "we have MFA" a false comfort. The fix is cheap and quick: one configuration change in Microsoft 365, and a team that knows never to type in a code they didn't ask for.
If you'd like to know whether your staff would fall for this — before someone with bad intentions finds out for you — that's exactly the kind of thing ExposureIndex is built to test.