The FBI's Kali365 warning is really about the day MFA stopped being enough

John Zammit · 17 June 2026 · 10 min read

[Image: a dark room lit by monitors running code, evoking the attacker dashboard behind Kali365, which tracks targets in real time while they sign in to the real Microsoft login page. Credit: Tima Miroshnichenko via Pexels]

For five years the standard advice from every MSP, including this one, has been some version of "turn on MFA and you've closed off most of the risk." It was good advice. It still catches the overwhelming majority of credential attacks. So it's worth sitting with the detail in the FBI's May warning about a phishing kit called Kali365: the victims it describes had MFA switched on, entered their code correctly, and got compromised anyway. Nothing failed. The attacker simply waited until after the MFA prompt to do their work.

That's the part worth understanding, because the surface coverage has mostly stopped at "FBI warns, no password needed, scary." The interesting question is how an attack walks past a control that's working exactly as designed.

The kit itself is the boring part of the story. Kali365 is Phishing-as-a-Service: a subscription product, around US$250 a month, sold through Telegram, bundling AI-generated lures, campaign templates, and a live dashboard for tracking targets. It's the same commoditisation we've watched happen to ransomware. The skill required to run a credential-harvesting campaign has dropped to roughly the skill required to run a Mailchimp campaign. That lowers the barrier and raises the volume, but it isn't the novel bit. The novel bit is the authentication flow it abuses.

How an attack walks past a control that's working

Microsoft supports something called device code flow. It exists for devices that can't easily show a login form — think a smart TV or a command-line tool — where you'd rather type a short code on your phone than a password on a remote. You start the sign-in on the constrained device, it gives you a code, you go to a genuine Microsoft page on a second device, enter the code, and authenticate normally. The token then flows back to the first device. It's a legitimate, useful mechanism. The problem is that nothing in it requires the two devices to belong to the same person.
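To make the flow described above concrete, here is a toy authorization server that walks through the four messages of the OAuth 2.0 device authorization grant (RFC 8628). It is an added example, not Microsoft's implementation and not code from the article: the endpoint names, code formats, lifetimes and the client id are assumptions. What it shows is exactly what the server does bind (the user code to the identity that signs in on the second device) and what it has no way to check (whether the device that requested the code belongs to that identity).

```python
import secrets
import time


class DeviceCodeServer:
    """Toy authorization server for the OAuth 2.0 device authorization grant (RFC 8628).

    Constructed for illustration only; not Microsoft's implementation. Endpoint
    names, code formats and lifetimes are assumptions.
    """

    def __init__(self):
        self.pending = {}  # device_code -> pending authorization record

    def device_authorization(self, client_id):
        """Step 1: the constrained device (or any client) asks for a code pair."""
        device_code = secrets.token_urlsafe(32)  # secret, kept by the requesting client
        user_code = "-".join(secrets.token_hex(2).upper() for _ in range(2))  # short, typed by a person
        self.pending[device_code] = {
            "client_id": client_id,
            "user_code": user_code,
            "approved_by": None,
            "expires_at": time.time() + 900,
        }
        return {
            "device_code": device_code,
            "user_code": user_code,
            "verification_uri": "https://login.example/device",  # assumed URL
            "expires_in": 900,
            "interval": 5,
        }

    def verify_user_code(self, user_code, authenticated_user, mfa_passed):
        """Steps 2 and 3: on a second device the user opens the genuine verification
        page, enters the user code and completes a normal, MFA-protected sign-in.

        The server binds the code to the signed-in identity. Nothing here compares
        that identity with the party that requested the code in step 1.
        """
        for record in self.pending.values():
            if record["user_code"] == user_code and record["expires_at"] > time.time():
                if mfa_passed:
                    record["approved_by"] = authenticated_user
                return mfa_passed
        return False

    def token(self, device_code):
        """Step 4: the requesting client polls the token endpoint with its device_code."""
        record = self.pending.get(device_code)
        if record is None or record["expires_at"] < time.time():
            return {"error": "expired_token" if record else "invalid_grant"}
        if record["approved_by"] is None:
            return {"error": "authorization_pending"}
        self.pending.pop(device_code)
        # Tokens are issued to whoever holds device_code, scoped to the approver's
        # identity. The approver's own device never sees them.
        return {
            "token_type": "Bearer",
            "subject": record["approved_by"],
            "access_token": secrets.token_urlsafe(16),
            "refresh_token": secrets.token_urlsafe(16),
            "expires_in": 3600,
        }


def walkthrough():
    """Run the four messages end to end and return the requesting client's token response."""
    server = DeviceCodeServer()
    start = server.device_authorization(client_id="smart-tv-app")  # constructed client id
    # Before anyone approves, polling only yields authorization_pending.
    assert server.token(start["device_code"]) == {"error": "authorization_pending"}
    # A user signs in on a second device and enters the code.
    server.verify_user_code(start["user_code"], "alice@example.com", mfa_passed=True)
    return server.token(start["device_code"])


if __name__ == "__main__":
    print(walkthrough())
```

The point of the walkthrough is the `subject` field of the final response: it is whoever approved the user code, and the tokens go to whichever client holds the matching device code. A defender cannot change that property of the protocol, which is why the article's fix is to switch the flow off rather than to harden it.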

So here is what Kali365 actually does. The attacker initiates a device code login against your Microsoft 365 tenant. Microsoft hands back a real code. The attacker drops that code into a phishing email dressed up as a document share and asks you to "verify" by entering it at microsoft.com. You do. The page is real. The address bar is right. The certificate is valid. You complete MFA because it's genuinely you signing in. And at the end of it, the token Microsoft issues flows back to the attacker's device, not yours. They now hold a live session that has already cleared MFA, because you cleared it for them. Huntress, which pulled the kit apart, clocked the gap between the victim entering the code and the attacker holding persistent access at as little as 42 seconds.

[Figure: How Kali365 device-code phishing works. A five-step sequence between the attacker, Microsoft 365 and the victim:
1. Attacker starts a device-code login.
2. Microsoft issues a real code.
3. Phishing email: "enter this code at microsoft.com".
4. You sign in and pass MFA, genuinely.
5. Live session token lands on the attacker.]
How a Kali365 attack runs: every step uses Microsoft's genuine infrastructure. The only thing that ends up in the wrong place is the session token at step five.

This is why it's so effective and so hard to teach people to spot. Every phishing red flag we've trained users on for a decade assumes a fake. Check the URL. Look at the sender. Hover the link. None of it helps here, because there's nothing fake to catch. The user is interacting with Microsoft's own infrastructure the entire time. The theft happens at the token layer, one level below where human attention operates. What's stolen isn't your password, which means rotating it does nothing, and it isn't a second factor you can re-challenge, because the session already counts as fully authenticated.


Where the theft actually happens

What the attacker actually walks away with

It helps to be precise about what gets stolen, because there are two kinds of token and they behave differently. The access token is the short-lived key — good for an hour or so of API calls before it expires. The refresh token is the one that matters: long-lived, and able to quietly mint fresh access tokens without anyone signing in again. Capture the refresh token and you have standing access that survives the access token expiring, survives the user closing their laptop, and survives a password reset, because none of those touch it. That's what "persistent" means here, and it's why the usual incident response — reset the password, re-challenge MFA — doesn't end the intrusion.

The disguise runs further down than the login page, too. Kali365 requests its tokens under Microsoft's own first-party Office application ID, the same identifier that rides along with millions of legitimate Office sign-ins every day. Huntress is blunt that this ID on its own is useless as an indicator, because your real users generate it constantly. The kit then converts the stolen token into an ordinary browser session cookie, so the activity that follows reads, in the logs, as if a real person is sitting at the keyboard. There's nothing fake at the login screen and very little that looks fake afterwards.

What follows is the part that should worry a business owner more than the mechanics. Once inside, the kit doesn't wait for a human operator to get around to you. Huntress found it uses AI to read the compromised mailbox, surface the wire-transfer, invoice and payroll threads, and draft contextual replies designed to redirect a payment — then deletes the MFA prompts, sign-in alerts and password-change notices from the victim's own inbox so nobody notices. Business email compromise used to be a patient, manual con. This productises it end to end.

MFA was never the finish line

The reframe for anyone running an SMB environment is straightforward and a little uncomfortable. MFA was never the finish line. It was one control, and we let it carry more weight in our heads than it was built to hold. Authentication is a chain, and the token issued at the end of that chain is now the thing worth stealing.

If you needed proof that the technique outlives any one product, the kit provided it. Within seconds of the FBI's notice going public, the Kali365 operators announced they were shutting down — and researchers found the shutdown was theatre, the same infrastructure and customer base resurfacing under the name Octopus. The brand is disposable. The device code flow it abused is still sitting in your tenant, switched on by default.

The fix is concrete and cheap

The good news is the specific fix is concrete and cheap. Almost no small business uses device code flow for anything, which means you can block it outright with a Conditional Access policy and lose nothing. That single change closes this exact attack — and it's the same control the FBI's own advisory recommends. Past that, the direction of travel is binding sessions to identity rather than relying on a one-time check: phishing-resistant MFA, token protection that ties a session to a compliant device, and Conditional Access that refuses a token presented from an unmanaged machine in another country.
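For anyone who wants to see what "block it with a Conditional Access policy" looks like in practice, here is an added example, not the article's or Microsoft's code, that builds the policy body for the Microsoft Graph conditionalAccessPolicy resource and checks whether an exported set of policies already contains an enforced block. The resource field names (`conditions.authenticationFlows.transferMethods`, `grantControls.builtInControls`) and the Graph endpoint are Microsoft's; the display name, the helper function names and the sample policies are my own assumptions.

```python
import json
import urllib.request

# Microsoft Graph endpoint for Conditional Access policies.
GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"


def build_block_device_code_policy(display_name="Block device code flow",
                                   state="enabled", exclude_users=()):
    """Policy body: all users, all cloud apps, device code flow only, grant control = block.

    exclude_users is the place for the rare account that genuinely needs the flow
    (a break-glass account should be excluded from every block policy anyway).
    """
    return {
        "displayName": display_name,
        "state": state,  # "enabled" or "enabledForReportingButNotEnforced" for a report-only trial
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(exclude_users)},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def policy_blocks_device_code(policy):
    """True if this single policy is enforced, scoped to all users, targets device
    code flow and blocks. A report-only policy does not count as a fix."""
    if policy.get("state") != "enabled":
        return False
    conditions = policy.get("conditions") or {}
    flows = (conditions.get("authenticationFlows") or {}).get("transferMethods") or ""
    methods = {m.strip() for m in flows.split(",")}  # Graph stores a comma-separated string
    if "deviceCodeFlow" not in methods:
        return False
    if "All" not in ((conditions.get("users") or {}).get("includeUsers") or []):
        return False
    controls = (policy.get("grantControls") or {}).get("builtInControls") or []
    return "block" in controls


def tenant_blocks_device_code(policies):
    """Run the check over a list of policies as returned by GET .../conditionalAccess/policies."""
    return any(policy_blocks_device_code(p) for p in policies)


def create_policy(access_token, policy):
    """POST the policy to Graph. Needs a token with Policy.ReadWrite.ConditionalAccess."""
    req = urllib.request.Request(
        GRAPH_CA_POLICIES,
        data=json.dumps(policy).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Offline demo: a tenant with only a report-only copy of the policy is not yet protected.
    trial = build_block_device_code_policy(state="enabledForReportingButNotEnforced")
    print("protected:", tenant_blocks_device_code([trial]))                 # False
    print("protected:", tenant_blocks_device_code([trial, build_block_device_code_policy()]))  # True
```

A sensible sequence is to create the policy in report-only mode first, watch the sign-in log for a week to confirm nothing legitimate would have been blocked, then flip `state` to `enabled`. The check function deliberately ignores report-only policies so that a half-finished rollout does not show up as "done".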

Blocking device code flow closes this specific door, but prevention is never complete. New flows get abused, policies have gaps, and the token at the end of a legitimate login is now the asset attackers want. That's the argument for watching the identity layer itself. The signal isn't the login — that part is genuine. It's a refresh-token grant with no interactive sign-in, arriving from infrastructure the account has never used, which a human skimming sign-in logs won't catch but a baseline will. This isn't theoretical: the vendors running managed identity detection caught this same pattern across hundreds of tenants earlier this year and shut it down before most businesses noticed. Prevention and detection are different jobs, and identity now needs both.
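The two signals this paragraph describes can be expressed as a small detector over sign-in events. What follows is an added example, not code from the article or from any detection vendor: the event fields loosely follow the Entra ID sign-in log schema (`authenticationProtocol`, `incomingTokenType`) but are simplified, and the sample events are constructed, using documentation IP ranges. The detector builds a per-user baseline of IPs seen in ordinary interactive, MFA-passed sign-ins, then flags any device-code sign-in and any non-interactive refresh-token grant from an IP outside that baseline.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class SignIn:
    """One sign-in event. Field names loosely follow the Entra ID sign-in log
    (authenticationProtocol, incomingTokenType), simplified for the example."""
    time: datetime
    user: str
    ip: str
    interactive: bool   # interactive sign-in log vs. non-interactive (token redemption) log
    token_type: str     # "none" or "refreshToken"
    protocol: str       # "none" or "deviceCode"
    mfa: bool


# Constructed sample events, not a real tenant's logs.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
EVENTS = [
    SignIn(datetime(2026, 6, 1, 8, 55), "alice@example.com", "203.0.113.10", True, "none", "none", True),
    SignIn(datetime(2026, 6, 2, 9, 2), "alice@example.com", "203.0.113.10", True, "none", "none", True),
    SignIn(datetime(2026, 6, 2, 9, 30), "bob@example.com", "203.0.113.22", True, "none", "none", True),
    SignIn(datetime(2026, 6, 3, 10, 1), "bob@example.com", "203.0.113.22", False, "refreshToken", "none", False),
    # Day of the phish: Alice enters the code on the genuine page from her usual office IP and passes MFA.
    SignIn(datetime(2026, 6, 4, 11, 14, 0), "alice@example.com", "203.0.113.10", True, "none", "deviceCode", True),
    # Shortly after, a refresh token is redeemed from infrastructure Alice has never signed in from.
    SignIn(datetime(2026, 6, 4, 11, 14, 42), "alice@example.com", "198.51.100.77", False, "refreshToken", "none", False),
    # Bob's own client silently refreshing from his usual IP: normal, must not fire.
    SignIn(datetime(2026, 6, 4, 12, 0), "bob@example.com", "203.0.113.22", False, "refreshToken", "none", False),
]


def build_baseline(events, cutoff):
    """IPs each user has completed an ordinary interactive, MFA-passed sign-in from before the cutoff."""
    seen = defaultdict(set)
    for e in events:
        if e.time < cutoff and e.interactive and e.mfa and e.protocol != "deviceCode":
            seen[e.user].add(e.ip)
    return seen


def detect(events, baseline):
    """Two signals: a device-code sign-in at all (rare in a tenant with no use for the
    flow), and a non-interactive refresh-token grant from an IP outside the baseline.
    Note that the victim's own interactive sign-in looks entirely normal by location."""
    findings = []
    for e in events:
        if e.protocol == "deviceCode":
            findings.append((e.time.isoformat(), e.user, "device-code sign-in", e.ip))
        if (not e.interactive and e.token_type == "refreshToken"
                and e.ip not in baseline.get(e.user, set())):
            findings.append((e.time.isoformat(), e.user, "refresh-token grant from unseen IP", e.ip))
    return findings


def analyse(events=EVENTS, cutoff=datetime(2026, 6, 4)):
    """Build the baseline from events before the cutoff and run detection over everything."""
    return detect(events, build_baseline(events, cutoff))


if __name__ == "__main__":
    for finding in analyse():
        print(*finding)
```

On the constructed sample only Alice fires, twice: once for the device-code sign-in itself and once for the refresh-token grant from 198.51.100.77. Bob's silent token refresh from his usual IP is the everyday noise the baseline is there to suppress. In a real tenant the baseline would be keyed on more than a bare IP (ASN, country, device id), but the shape of the logic is the same.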

Communicat configures the Conditional Access side and runs managed identity threat detection for businesses across Victoria, but the first move costs nothing and you can check it today: find out whether device code flow is enabled in your tenant, and if you can't think of a reason it should be, turn it off.

Frequently asked questions

Does MFA stop Kali365 device code phishing?

No. Kali365 doesn't break or bypass MFA in the way the phrase implies. The victim genuinely completes MFA on Microsoft's real login page, and the attacker captures the session token issued at the end. Because the login is legitimate, MFA passing is part of the attack, not a defence against it.

What is device code flow and why is it risky?

Device code flow is a legitimate Microsoft authentication method for devices that can't easily show a login form, such as a smart TV or a command-line tool. You enter a short code on a second device and authenticate there. The risk is that nothing in the flow requires the two devices to belong to the same person, so an attacker can start the sign-in and have you complete it for them.

How do I block device code phishing in Microsoft 365?

Block device code flow with a Conditional Access policy. Almost no small business uses it, so you can disable it outright with limited exceptions and lose nothing, while closing this exact attack. The FBI's own guidance recommends the same control. Past that, move toward phishing-resistant MFA and token protection that binds a session to a managed device.

Did the Kali365 phishing kit shut down after the FBI warning?

The operators announced they were closing within seconds of the FBI's public notice, but researchers found the shutdown was performative — the same infrastructure and customer base reappeared under the name Octopus. The kit closing changes nothing about the underlying technique, which any successor can run.


Written by

John Zammit

Managing Director

John Zammit is Managing Director at Communicat IT, a Melbourne MSP serving Victorian SMBs since 1987. He writes about cloud economics, infrastructure strategy, and the gap between sales narratives and operational reality.
