Most small businesses treat multi-factor authentication as the finish line for security. A phishing kit now making the rounds, called Kali365, is built specifically to get past it.
What is happening
Security researchers and an FBI advisory (published May 21, 2026) describe Kali365 as a "phishing-as-a-service" kit: a ready-made tool, sold to criminals, that lets even unskilled attackers hijack Microsoft 365 accounts. The important twist is that it does not steal your password. It steals the access tokens Microsoft uses to remember that you have already signed in, which means your second factor never comes into play.
How the trick works
The trick is dangerous because nothing looks fake. You receive a message, often posing as a cloud service, asking you to enter a short "device code" on a real Microsoft sign-in page. You go through the normal Microsoft screens and approve, believing it is routine. Behind the scenes, that approval hands the attacker the tokens that grant ongoing access to your email, files, and Teams; once the tokens are issued, no password or MFA prompt is needed again. Because the page really is Microsoft's, the usual "check the URL" advice does not catch it.
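One defensive check that follows from the flow above is to watch for a device-code sign-in that is immediately followed by activity for the same account from a different address, which is what it looks like when the approval happens on the victim's machine but the tokens are then used from the attacker's. The script below is an added illustration, not code from the article or from any Microsoft or FBI material; it works over a constructed, simplified log and the field names (user, time, ip, protocol, app) are assumptions, so the accessors need to be adapted to whatever export your tenant's sign-in logs actually produce.

```python
"""Flag device-code sign-ins followed by token use from a different address.

Assumed, simplified record schema (hypothetical, not Microsoft's real
sign-in log format): each record is a dict with keys
  'user', 'time' (ISO 8601), 'ip', 'protocol' ('deviceCode' or 'oAuth2'), 'app'.
"""
from datetime import datetime, timedelta

# Constructed sample records for demonstration only (not real log data).
SAMPLE_LOG = [
    {"user": "ana@example.com", "time": "2026-05-20T09:01:00",
     "ip": "203.0.113.10", "protocol": "oAuth2", "app": "Outlook"},
    # The user approves a device code from their usual address ...
    {"user": "ana@example.com", "time": "2026-05-20T09:45:00",
     "ip": "203.0.113.10", "protocol": "deviceCode", "app": "Microsoft Office"},
    # ... and two minutes later the same account is active from elsewhere.
    {"user": "ana@example.com", "time": "2026-05-20T09:47:00",
     "ip": "198.51.100.77", "protocol": "oAuth2", "app": "Microsoft Office"},
    {"user": "ben@example.com", "time": "2026-05-20T10:00:00",
     "ip": "203.0.113.22", "protocol": "oAuth2", "app": "Teams"},
    # Outside the correlation window, so not attributed to the approval below.
    {"user": "ana@example.com", "time": "2026-05-20T15:00:00",
     "ip": "198.51.100.77", "protocol": "oAuth2", "app": "OneDrive"},
]


def parse_time(stamp):
    """Parse the record's ISO 8601 timestamp."""
    return datetime.fromisoformat(stamp)


def device_code_signins(records):
    """Every sign-in completed through the device-code protocol.

    On its own this list is worth reviewing: many small tenants never
    legitimately use device-code sign-in at all.
    """
    return [r for r in records if r["protocol"] == "deviceCode"]


def suspicious_device_code_events(records, window=timedelta(hours=1)):
    """Device-code approvals followed within `window` by sign-ins for the
    same user from a different IP address.

    Returns one alert per approval, listing the addresses that used the
    account afterwards.
    """
    by_user = {}
    for rec in sorted(records, key=lambda r: parse_time(r["time"])):
        by_user.setdefault(rec["user"], []).append(rec)

    alerts = []
    for user, events in by_user.items():
        for idx, approval in enumerate(events):
            if approval["protocol"] != "deviceCode":
                continue
            approved_at = parse_time(approval["time"])
            followers = [
                f for f in events[idx + 1:]
                if parse_time(f["time"]) - approved_at <= window
                and f["ip"] != approval["ip"]
            ]
            if followers:
                alerts.append({
                    "user": user,
                    "approved_at": approval["time"],
                    "approved_from": approval["ip"],
                    "used_from": sorted({f["ip"] for f in followers}),
                })
    return alerts


if __name__ == "__main__":
    for alert in suspicious_device_code_events(SAMPLE_LOG):
        print(f"{alert['user']}: device code approved from {alert['approved_from']} "
              f"at {alert['approved_at']}, account then used from {alert['used_from']}")
```

The one-hour window is a tunable assumption; the useful signal is the combination of the device-code protocol and a change of address shortly afterwards, not either fact alone.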
Why it matters for you
Almost every small business runs on Microsoft 365, and most owners assume MFA closes the door. This shows MFA is essential but not a force field. And because the kit is rented and automated, it is pointed at everyone, not just large companies. The reporting notes the same technique works against individual users too, so anyone with Outlook, OneDrive, or a Microsoft 365 subscription is in scope.