The $250 Phishing Kit That Renders Your Password — and Your MFA — Useless
On May 21, 2026, the FBI's Internet Crime Complaint Center published a public service announcement about a phishing-as-a-service platform called Kali365 that has been hijacking Microsoft 365 access tokens since April [1]. The warning arrived weeks after security firms Arctic Wolf and Proofpoint documented hundreds of compromises across manufacturing, education, government, insurance, financial services, and healthcare in North America and Europe [2][3].
What makes Kali365 different from the credential-harvesting kits that preceded it is not sophistication — it is accessibility. For $250 a month, anyone with a Telegram account can run a phishing campaign that bypasses multi-factor authentication entirely, without ever stealing a password [4].
How Device Code Phishing Works
Traditional phishing tricks a victim into entering credentials on a fake login page. Kali365 does not do this. Instead, it exploits a legitimate Microsoft authentication feature called the OAuth 2.0 Device Authorization Grant (RFC 8628), designed for devices like smart TVs that lack a full browser for interactive logins [5].
The attack works in four steps. First, the attacker uses Kali365 to generate a device code through Microsoft's authentication servers. Second, the victim receives a phishing email — impersonating Adobe, DocuSign, or SharePoint — containing that code and instructions to visit Microsoft's real verification page at microsoft.com/devicelogin [3]. Third, the victim enters the code and completes their normal login, including any MFA challenge. Fourth, Microsoft issues OAuth access and refresh tokens to the attacker's device, granting persistent access to the victim's Outlook, Teams, and OneDrive [1][4].
The victim has authenticated legitimately. From Microsoft's perspective, the login succeeded exactly as designed. The attacker never touched a password. MFA was completed by the victim themselves, on the attacker's behalf [5].
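The four steps above map directly onto the message exchange defined in RFC 8628. The following in-memory simulation of that grant is an added example written for this page, not Microsoft's implementation and not part of the original article; the hostnames, client name and user name are constructed. It models both sides (client requesting codes, user approving at the verification URI, client polling the token endpoint) and makes the defender-relevant property explicit: the server binds the approval to the device_code and hands the tokens to whoever holds that code, while nothing in the protocol tells it whether the person who typed the user_code is the party that requested it.

```python
"""In-memory simulation of the OAuth 2.0 Device Authorization Grant (RFC 8628).
Added example, not Microsoft's implementation: it shows both sides of the
exchange and the property that makes the flow phishable, namely that tokens go
to whichever client holds the device_code, while the server never learns whether
the person typing the user_code is the party that requested it."""

import secrets

# RFC 8628 section 6.1 recommends an alphabet without easily confused characters.
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"


class DeviceAuthServer:
    """Authorization-server side of the grant, single tenant, no persistence."""

    def __init__(self, lifetime_s=900, interval_s=5):
        self.lifetime_s = lifetime_s      # expires_in
        self.interval_s = interval_s      # minimum polling interval
        self._by_device = {}              # device_code -> pending record
        self._by_user = {}                # user_code   -> device_code

    def device_authorization(self, client_id, scope, now):
        """Section 3.1-3.2: the *client* starts the flow and receives both codes."""
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))
        self._by_device[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "expires_at": now + self.lifetime_s, "last_poll": None,
            "approved_by": None, "consumed": False,
        }
        self._by_user[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example.test/devicelogin",
                "expires_in": self.lifetime_s, "interval": self.interval_s}

    def user_approves(self, user_code, username, mfa_passed, now):
        """Section 3.3: at verification_uri the user signs in (MFA included) and
        types the code. The approval is bound to the device_code only; nothing
        here ties it to the browser session or proves who requested the code."""
        rec = self._by_device.get(self._by_user.get(user_code, ""))
        if rec is None or now > rec["expires_at"] or not mfa_passed:
            return False
        rec["approved_by"] = username
        return True

    def token(self, device_code, now):
        """Section 3.4-3.5: the client polls the token endpoint with device_code."""
        rec = self._by_device.get(device_code)
        if rec is None:
            return {"error": "invalid_grant"}
        if now > rec["expires_at"]:
            return {"error": "expired_token"}
        if rec["last_poll"] is not None and now - rec["last_poll"] < self.interval_s:
            rec["last_poll"] = now
            return {"error": "slow_down"}       # client must back off
        rec["last_poll"] = now
        if rec["approved_by"] is None:
            return {"error": "authorization_pending"}
        if rec["consumed"]:
            return {"error": "invalid_grant"}   # a device_code is single use
        rec["consumed"] = True
        # Tokens are issued to the device_code holder, on behalf of whoever approved.
        return {"token_type": "Bearer", "scope": rec["scope"],
                "access_token": secrets.token_urlsafe(24),
                "refresh_token": secrets.token_urlsafe(24),
                "issued_to_client": rec["client_id"],
                "on_behalf_of": rec["approved_by"]}


def demo_flow():
    """Walk the exchange with a fixed clock and return every step's outcome."""
    srv = DeviceAuthServer()
    t0 = 1_000_000
    start = srv.device_authorization("desktop-app", "Mail.Read offline_access", now=t0)
    pending = srv.token(start["device_code"], now=t0 + 5)       # user has not acted yet
    too_fast = srv.token(start["device_code"], now=t0 + 6)      # polled inside interval
    approved = srv.user_approves(start["user_code"], "alice@example.test",
                                 mfa_passed=True, now=t0 + 60)
    issued = srv.token(start["device_code"], now=t0 + 65)       # tokens land at the client
    replay = srv.token(start["device_code"], now=t0 + 70)       # second redemption fails
    stale = srv.device_authorization("desktop-app", "Mail.Read", now=t0)
    expired = srv.token(stale["device_code"], now=t0 + 901)     # past expires_in
    return {"pending": pending, "too_fast": too_fast, "approved": approved,
            "issued": issued, "replay": replay, "expired": expired}


if __name__ == "__main__":
    for step, outcome in demo_flow().items():
        print(f"{step:>9}: {outcome}")
```

The `issued_to_client` and `on_behalf_of` fields in the final response are the whole story: the client that called `device_authorization` receives a refresh token for the account that approved the code, and the server's only protections are the short `expires_in`, the polling interval and single-use redemption, none of which depend on who typed the code.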
"The captured tokens prove to Microsoft's servers that a user has authenticated successfully — without containing a password and without triggering an MFA challenge," Arctic Wolf's technical analysis noted [3]. The refresh tokens persist even after a password reset, giving attackers continued access until the tokens are explicitly revoked [5].
The Kali365 Business Model
Arctic Wolf's investigation revealed a three-tier commercial structure: an admin tier for the kit's developers, an agent tier for resellers, and a client tier for paying criminal affiliates [3]. The platform charges $250 for 30 days or $2,000 for a full year of access [1][4].
For that subscription, affiliates receive AI-generated phishing lures in dozens of languages, automated campaign templates, real-time tracking dashboards showing which victims have authenticated, and a downloadable desktop application [2][3]. The kit produces branded HTML phishing pages mimicking common enterprise services and can be operated by individuals with minimal technical skill [4].
The FBI has not publicly estimated total revenue generated by Kali365's operators. The platform's pricing and distribution model — sold openly on Telegram — mirrors that of its predecessors. LabHost, which operated from November 2021 to April 2024, charged $179 to $300 per month and attracted approximately 10,000 paying cybercriminals worldwide [6][7].
Scale of Compromise
The FBI's PSA states that Kali365 has targeted "hundreds of organizations" since April, with security firms reporting hundreds of compromises occurring daily across affected environments [1][2]. The sectors hit include manufacturing, education, government, insurance, financial services, and healthcare — a cross-section that tracks with Microsoft 365's dominance in enterprise productivity [3].
Kali365 is not operating in isolation. In February 2026, a related PhaaS platform called EvilTokens emerged on Telegram using the same device code phishing technique. By mid-March, Huntress and Microsoft had confirmed that EvilTokens had compromised more than 340 organizations across the United States, Canada, Australia, New Zealand, and Germany [5][8]. Affected sectors included construction, nonprofits, real estate, legal services, and local government [8].
The combined picture: two device-code-phishing platforms, active for a combined five months, have compromised well over 500 organizations across at least seven countries. By comparison, the Lapsus$ group's 2022 campaign — which relied on SIM-swapping and social engineering rather than PhaaS tools — targeted a smaller number of high-profile companies including Microsoft, Nvidia, and Okta [9]. The distinction is scale versus selectivity: Lapsus$ and Scattered Spider targeted specific high-value organizations, while Kali365 and EvilTokens enable mass-market credential theft [9].
Why MFA Is Not Enough
Microsoft 365 has approximately 450 million commercial paid seats globally as of January 2026, and 75% of Fortune 500 companies use it as their primary productivity suite [10]. The platform's security defaults — enabled for all new tenants since October 2019 — require MFA for all users [11]. Yet device code phishing renders standard MFA irrelevant because the victim completes the MFA challenge themselves.
The countermeasure that would stop Kali365 is phishing-resistant authentication using FIDO2 passkeys or hardware security keys. These bind the authentication credential to a specific domain, so even if a victim is tricked into visiting a phishing page, the key will not release credentials to an unauthorized party [12]. Microsoft Entra ID natively supports FIDO2 passkeys, and as of April 2026, Microsoft Registration Campaigns actively prompt users to enroll [12].
Adoption numbers tell a more complicated story. According to the FIDO Alliance's 2025 State of Authentication survey, 87% of enterprises report they are "deploying or piloting" passkeys [13]. But the cross-industry average for active passkey usage among eligible users stands at roughly 33–38% in 2026, with wide variation: fintech leads at approximately 60%, while media and entertainment trails at 18% [14]. B2B SaaS — the category most relevant to Microsoft 365 enterprise tenants — sits at 28% [14].
The gap between "piloting" and "enforcing" is where Kali365 operates. Organizations that have enabled FIDO2 but have not created Conditional Access policies requiring it for all users remain vulnerable. Microsoft's own documentation notes that security defaults "aren't designed for enterprise environments" because they "enforce blanket policies that can't be tailored to business needs" [11]. Enterprises need Conditional Access policies — available only with Microsoft Entra ID P1 licensing or higher — to mandate phishing-resistant authentication [11].
The Financial Exposure
Once an attacker holds a valid OAuth token for a Microsoft 365 account, the downstream damage extends well beyond email access. Arctic Wolf documented a post-compromise workflow that includes mailbox access, contact harvesting, lateral phishing to other employees and business partners, keyword monitoring for financial terms like "invoice" and "wire transfer," and the creation of malicious inbox rules to suppress security notifications [3][4].
This workflow feeds directly into business email compromise (BEC), which the FBI's 2025 IC3 Annual Report identified as a $3.05 billion problem — up from $2.94 billion in 2023 — with an average loss of $122,000 per complaint [15]. The per-complaint average understates the enterprise risk: a single compromised account at a managed service provider (MSP) managing multiple Microsoft 365 tenants can provide access to every downstream client [4].
BEC losses account for only the direct financial fraud. When factoring in ransomware staging — attackers using compromised M365 accounts to move laterally into on-premises infrastructure — and data exfiltration costs, the exposure per enterprise compromise rises substantially. The FBI's 2025 report recorded $20.9 billion in total cybercrime losses, with phishing as the most frequently reported complaint category at over 193,000 complaints [15].
The Disclosure Timing Question
The FBI's decision to publish a public service announcement about Kali365 while the platform remains operational raises a question that recurs in cybercrime enforcement: does warning the public tip off the operators?
Federal law enforcement has historically favored building cases quietly before executing takedowns. The LabHost operation — coordinated by Europol across 19 countries — resulted in 70 searches and 37 arrests in April 2024, including the platform's lead developer, Zak Coyne, who was sentenced to 8.5 years in a Manchester court in April 2025 [6][7]. That operation ran for a year before the public learned about it.
The Kali365 PSA represents a different calculus. The FBI issued the warning approximately six weeks after the platform's first observed campaigns, before any arrests have been announced [1]. The SEC's cybersecurity disclosure rules — which require public companies to report material incidents within four business days — have compressed the timeline for when breach information becomes public regardless of law enforcement preferences [16]. The FBI may have concluded that with security firms already publishing technical analyses of Kali365, operational secrecy was no longer viable.
The DOJ's own guidance acknowledges this tension. Attorney General disclosure delay orders can extend the reporting window up to 120 days in cases involving national security, but PhaaS investigations rarely meet that threshold [16]. The practical effect is that the FBI's public warning serves a defensive function — alerting potential victims — even if it also alerts operators to investigative interest.
Prosecution Track Record and Jurisdictional Limits
The LabHost case offers the most direct precedent. Coyne's 8.5-year sentence was the longest handed down for a PhaaS operator to date, and U.K. prosecutors noted that LabHost had facilitated phishing against more than 200 legitimate organizations through 42,000 domains [6][7]. The FBI subsequently released the full list of those domains to help organizations assess their exposure [7].
But LabHost's operators were based in the United Kingdom, a jurisdiction with strong extradition arrangements and a cooperative National Crime Agency. Many PhaaS platforms operate from jurisdictions with no extradition treaty with the United States, making arrest and prosecution considerably more difficult [6]. The FBI's PSA for Kali365 does not identify where the platform's operators are based — a detail that may itself signal the complexity of the investigative picture [1].
Since 2021, international law enforcement has taken down or disrupted several PhaaS platforms, including LabHost, BulletProofLink, and 16shop. The pattern has been consistent: disruption of the platform, arrest of operators who can be reached, and release of domain lists and indicators of compromise for defensive purposes [6]. Whether this deters future operators is an open question — the rapid emergence of EvilTokens and Kali365 within months of each other suggests the market rebuilds quickly.
Microsoft's Role and Responsibility
The device code flow that Kali365 exploits is a Microsoft feature, implemented to the OAuth 2.0 specification [5]. Microsoft has not disabled it because it serves legitimate purposes for devices without browsers. The company's recommended mitigation is to use Conditional Access policies to block device code authentication flows for users and applications that do not require them [12].
This places the defensive burden on individual tenant administrators. Organizations using Microsoft 365 Business Basic or Business Standard — which do not include Microsoft Entra ID P1 — cannot create Conditional Access policies and must rely on security defaults, which do not block device code flows [11]. The result is a tiered security model where protection against known attack techniques requires a higher-priced license.
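The mitigation Microsoft recommends above is a Conditional Access policy that blocks the device code flow except where it is needed. The helper below is an added example, not Microsoft's or the FBI's code: it builds that policy body for the Microsoft Graph Conditional Access API and audits an exported policy list to distinguish an enforced block from a report-only or narrowly scoped one, which is the "enabled but not enforced" gap the article describes. Property names follow the Graph `conditionalAccessPolicy` resource as I understand it (`conditions.authenticationFlows.transferMethods`, `grantControls.builtInControls`) and should be checked against current documentation; the group and user ids are placeholders and the sample tenant snapshot is constructed.

```python
"""Conditional Access helper, added here as an example (not Microsoft's code or the
FBI's). It builds the policy body that blocks the OAuth device code flow for all
users except an exception group, and audits an exported policy list to tell an
enforced block from a report-only or partial one. Property names follow the
Microsoft Graph conditionalAccessPolicy resource as I understand it
(conditions.authenticationFlows.transferMethods, grantControls.builtInControls);
verify against the current Graph documentation before use."""

import json

# Where the policy body would be POSTed (Graph v1.0); no request is made here.
GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

POLICY_NAME = "Block device code flow (all users, exceptions via group)"


def build_block_device_code_policy(exclude_group_ids, report_only=True):
    """Policy that blocks device code sign-ins for everyone not in exclude_group_ids.
    Deploy in report-only mode first: the sign-in log then shows who would have been
    blocked, which surfaces the kiosks, shared devices and CLI users needing an exception."""
    return {
        "displayName": POLICY_NAME,
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "clientAppTypes": ["all"],
            "applications": {"includeApplications": ["All"]},
            "users": {"includeUsers": ["All"], "excludeGroups": list(exclude_group_ids)},
            # Flag-style string; "deviceCodeFlow,authenticationTransfer" covers both flows.
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def _transfer_methods(policy):
    """Normalise transferMethods (comma string or list) to a set of flow names."""
    raw = ((policy.get("conditions") or {}).get("authenticationFlows") or {}).get("transferMethods", "")
    parts = raw.split(",") if isinstance(raw, str) else raw
    return {p.strip() for p in parts if p and p.strip()}


def audit_device_code_block(policies):
    """Group exported policies by how well they block the device code flow.
    'gap' is True unless at least one enabled policy blocks it for all users and apps."""
    report = {"enforced": [], "report_only": [], "partial": []}
    for p in policies:
        if "deviceCodeFlow" not in _transfer_methods(p):
            continue
        if "block" not in ((p.get("grantControls") or {}).get("builtInControls") or []):
            continue
        cond = p.get("conditions") or {}
        all_users = "All" in (cond.get("users") or {}).get("includeUsers", [])
        all_apps = "All" in (cond.get("applications") or {}).get("includeApplications", [])
        if not (all_users and all_apps):
            report["partial"].append(p.get("displayName"))
        elif p.get("state") == "enabled":
            report["enforced"].append(p.get("displayName"))
        else:
            report["report_only"].append(p.get("displayName"))
    report["gap"] = not report["enforced"]
    return report


# Constructed snapshot of a tenant that "has a policy" but is still exposed:
# one report-only policy and one enforced pilot scoped to a single user id.
EXCEPTION_GROUP_ID = "00000000-0000-0000-0000-000000000000"  # placeholder object id
SAMPLE_TENANT_POLICIES = [
    build_block_device_code_policy([EXCEPTION_GROUP_ID], report_only=True),
    {
        "displayName": "Pilot: block device code (IT only)",
        "state": "enabled",
        "conditions": {
            "clientAppTypes": ["all"],
            "applications": {"includeApplications": ["All"]},
            "users": {"includeUsers": ["11111111-1111-1111-1111-111111111111"]},  # placeholder
            "authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
]


if __name__ == "__main__":
    print(json.dumps(audit_device_code_block(SAMPLE_TENANT_POLICIES), indent=2))
    print(f"POST {GRAPH_CA_POLICIES}")
    print(json.dumps(build_block_device_code_policy([EXCEPTION_GROUP_ID], report_only=False), indent=2))
```

Run against a real export (the JSON array returned by `GET` on the same endpoint), the audit answers the question the article raises: whether the tenant merely has a device code policy or actually enforces one for all users. Creating the policy requires the Entra ID P1 licensing the article notes; the audit itself only needs read access to the existing policies.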
No enterprise customers or insurers have publicly filed litigation challenging Microsoft's authentication defaults in the context of device code phishing. However, the cyber insurance market has been tightening MFA requirements for policy renewals since 2023, and several insurers now specifically ask whether organizations have implemented phishing-resistant authentication — not just standard MFA [15]. The distinction between "MFA enabled" and "phishing-resistant MFA enforced" is becoming a material factor in underwriting decisions.
Microsoft's Threat Intelligence team first documented device code phishing campaigns targeting M365 in early 2025, attributed to a threat actor tracked as Storm-2372 [8]. The technique predates both EvilTokens and Kali365, but the PhaaS model has dramatically lowered the barrier to executing it.
What Organizations Should Do Now
The FBI's PSA recommends several immediate actions: revoke and rotate OAuth tokens for any accounts suspected of compromise, enable Conditional Access policies to restrict device code authentication, deploy phishing-resistant FIDO2 security keys or passkeys, and monitor sign-in logs for unusual device code authentication events [1].
For organizations running Microsoft 365 tenants, the most effective single action is creating a Conditional Access policy that blocks the device code authentication flow entirely for all users except those with a documented need [3][12]. This requires at minimum a Microsoft Entra ID P1 license.
For managed service providers, the risk is multiplied. A single compromised MSP account can provide access to dozens or hundreds of client tenants. The FBI specifically noted that MSPs should audit delegated access permissions and ensure that administrative accounts use phishing-resistant authentication [1].
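One of the FBI's recommended actions is to monitor sign-in logs for unusual device code authentication events. The triage script below is an added example written for this page, not code from the FBI PSA or any vendor. It parses a JSON-lines export of Entra sign-in events, raises an alert for every successful device code sign-in by an account without a documented need, and escalates when the same user also signed in interactively from a different country, which matches the pattern the article describes (victim at their desk, token redeemed elsewhere). The field names (`authenticationProtocol` with value `deviceCode`, `status.errorCode`, `location.countryOrRegion`) follow the Microsoft Graph `signIn` resource as I understand it and should be confirmed against your own export; the log lines and the approved-accounts list are constructed.

```python
"""Sign-in log triage for device code authentications, added as an example (not
from the FBI PSA or any vendor). Field names follow the Microsoft Graph signIn
resource as I understand it (authenticationProtocol == "deviceCode",
status.errorCode, location.countryOrRegion); confirm against your tenant's
export before relying on it."""

import json
from collections import defaultdict

# Constructed sample export, one JSON object per line; addresses are documentation ranges.
SAMPLE_SIGNIN_LOG = r"""
{"createdDateTime":"2026-05-20T08:02:11Z","userPrincipalName":"alice@example.test","appDisplayName":"Microsoft Office","ipAddress":"203.0.113.10","location":{"countryOrRegion":"US"},"authenticationProtocol":"none","status":{"errorCode":0}}
{"createdDateTime":"2026-05-20T09:15:40Z","userPrincipalName":"alice@example.test","appDisplayName":"Microsoft Office","ipAddress":"198.51.100.77","location":{"countryOrRegion":"NL"},"authenticationProtocol":"deviceCode","status":{"errorCode":0}}
{"createdDateTime":"2026-05-20T09:20:05Z","userPrincipalName":"bob@example.test","appDisplayName":"Microsoft Teams","ipAddress":"203.0.113.22","location":{"countryOrRegion":"US"},"authenticationProtocol":"deviceCode","status":{"errorCode":50126}}
{"createdDateTime":"2026-05-20T10:01:00Z","userPrincipalName":"kiosk-tv@example.test","appDisplayName":"Microsoft Teams","ipAddress":"203.0.113.5","location":{"countryOrRegion":"US"},"authenticationProtocol":"deviceCode","status":{"errorCode":0}}
{"createdDateTime":"2026-05-20T10:30:00Z","userPrincipalName":"carol@example.test","appDisplayName":"Microsoft Office","ipAddress":"203.0.113.31","location":{"countryOrRegion":"US"},"authenticationProtocol":"deviceCode","status":{"errorCode":0}}
"""

# Accounts with a documented need for the device code flow (constructed placeholder).
APPROVED_DEVICE_CODE_ACCOUNTS = {"kiosk-tv@example.test"}


def parse_signins(text):
    """Parse a JSON-lines export; skip blank or malformed lines rather than abort."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return sorted(events, key=lambda e: e.get("createdDateTime", ""))


def _country(event):
    return (event.get("location") or {}).get("countryOrRegion", "?")


def _succeeded(event):
    return (event.get("status") or {}).get("errorCode") == 0


def detect_device_code_signins(events, approved=frozenset()):
    """Return one alert per successful device code sign-in by a non-approved user.
    Severity is 'high' when the same user also signed in without the device code
    flow from a different country in the batch, otherwise 'medium'."""
    interactive_countries = defaultdict(set)
    for e in events:
        if _succeeded(e) and e.get("authenticationProtocol") != "deviceCode":
            interactive_countries[e.get("userPrincipalName")].add(_country(e))

    alerts = []
    for e in events:
        if e.get("authenticationProtocol") != "deviceCode" or not _succeeded(e):
            continue
        upn = e.get("userPrincipalName")
        if upn in approved:
            continue
        others = interactive_countries.get(upn, set())
        mismatch = bool(others) and _country(e) not in others
        alerts.append({
            "upn": upn,
            "time": e.get("createdDateTime"),
            "ip": e.get("ipAddress"),
            "country": _country(e),
            "app": e.get("appDisplayName"),
            "severity": "high" if mismatch else "medium",
            "reason": ("device code sign-in from a country not seen in the user's "
                       "other sign-ins" if mismatch else
                       "device code sign-in by an account with no documented need"),
        })
    return alerts


if __name__ == "__main__":
    for a in detect_device_code_signins(parse_signins(SAMPLE_SIGNIN_LOG),
                                        APPROVED_DEVICE_CODE_ACCOUNTS):
        print(f"[{a['severity']:>6}] {a['time']} {a['upn']} from {a['ip']} ({a['country']}) "
              f"via {a['app']}: {a['reason']}")
```

On the sample data this yields two alerts: a high-severity one for the user whose device code sign-in came from a different country than her interactive session, and a medium one for a user with no documented need. A failed device code attempt is deliberately not alerted here, and the kiosk account is suppressed by the allow-list; in a tenant where the Conditional Access block above is enforced, any successful device code sign-in outside that list is by itself worth an investigation, including revoking the account's refresh tokens as the PSA advises.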
The broader pattern is clear: the PhaaS market is accelerating, device code phishing has been fully commoditized, and traditional MFA — once considered a strong defense — is no longer sufficient against this class of attack. The question for organizations is not whether to adopt phishing-resistant authentication, but how quickly they can enforce it before the next $250 kit arrives on Telegram.
Sources (16)
- [1] Kali365 Phishing-as-a-Service Kit Hijacks Microsoft 365 Access Tokens (ic3.gov)
  FBI Public Service Announcement warning about Kali365 PhaaS platform targeting Microsoft 365 OAuth access tokens through device code phishing.
- [2] Microsoft 365 users targeted by new phishing threat that bypasses MFA (helpnetsecurity.com)
  Coverage of Kali365 phishing campaigns hitting manufacturing, education, government, insurance, financial services, and healthcare sectors.
- [3] Token Bingo: Don't Let Your Code be the Winner (arcticwolf.com)
  Arctic Wolf's technical analysis of Kali365 revealing three-tier commercial structure and post-compromise workflows including mailbox access and lateral phishing.
- [4] FBI warns about fast-growing phishing kit targeting Microsoft 365 users (cyberscoop.com)
  CyberScoop reporting on Kali365 pricing model ($250/30 days, $2,000/year), AI-generated lures, and OAuth token capture capabilities.
- [5] Device Code Phishing Hits 340+ Microsoft 365 Orgs Across Five Countries via OAuth Abuse (thehackernews.com)
  Reporting on EvilTokens PhaaS campaign compromising 340+ organizations across US, Canada, Australia, New Zealand, and Germany using device code phishing.
- [6] FBI shares massive list of 42,000 LabHost phishing domains (bleepingcomputer.com)
  Coverage of LabHost PhaaS takedown, 42,000 phishing domains, and lead developer Zak Coyne's arrest and sentencing to 8.5 years.
- [7] 42,000 Phishing Domains Linked to the LabHost PhaaS Service Disclosed by FBI (cybersecuritynews.com)
  Details on LabHost operation from November 2021 to April 2024, serving approximately 10,000 cybercriminals with subscriptions from $179 to $300/month.
- [8] OAuth Device Code Phishing Hits 340+ Microsoft 365 Organizations (labs.cloudsecurityalliance.org)
  Cloud Security Alliance research note on device code phishing campaigns, Microsoft's attribution to Storm-2372, and EvilTokens platform analysis.
- [9] Trinity of Chaos: The LAPSUS$, ShinyHunters, and Scattered Spider Alliance (resecurity.com)
  Analysis of Lapsus$, Scattered Spider, and ShinyHunters threat actor groups and their targeted approach to high-value enterprise compromises.
- [10] Microsoft 365 Statistics 2026: Market Share, Adoption & Pricing Data (medhacloud.com)
  Microsoft 365 has approximately 450 million commercial paid seats globally as of January 2026, with 75% of Fortune 500 companies using it as primary productivity suite.
- [11] Configure Security Defaults for Microsoft Entra ID (learn.microsoft.com)
  Microsoft documentation on security defaults for new tenants, MFA requirements, and limitations of blanket policies for enterprise environments.
- [12] Plan a phishing-resistant passwordless authentication deployment in Microsoft Entra ID (learn.microsoft.com)
  Microsoft's guidance on deploying FIDO2 passkeys and phishing-resistant authentication through Conditional Access policies.
- [13] 8 Reasons 87% of Enterprises Are Deploying Passkeys in 2026 (securityboulevard.com)
  FIDO Alliance 2025 survey finding 87% of enterprises deploying or piloting passkeys, up from 53% two years prior.
- [14] Passkey Adoption Rates by Industry in 2026 (mojoauth.com)
  Cross-industry passkey adoption data: fintech at 60%, ecommerce at 35%, B2B SaaS at 28%, media at 18%, with cross-industry average of 33-38%.
- [15] FBI IC3 Report 2025: $20.9B in Cybercrime Losses (spycloud.com)
  FBI IC3 2025 annual report showing $3.05 billion in BEC losses, $20.9 billion total cybercrime losses, and over 193,000 phishing complaints.
- [16] Cyber Incident Reporting Guidance: DOJ Explains Disclosure Delay Determination (wiley.law)
  DOJ/FBI guidance on SEC cybersecurity disclosure timing, including Attorney General delay orders up to 120 days for national security risks.