WatchPoint Blocked the Attack Behind Kali365 on April 16, Before It Made National News

On May 21, the FBI warned the country about a phishing kit that hijacks Microsoft 365 accounts without ever stealing a password. WatchPoint had already shut that door for every client it protects, five weeks earlier.

TL;DR

Most security stories are about what went wrong. This one is about something that went right, before it ever became a headline.

On Thursday, May 21, 2026, the FBI's Internet Crime Complaint Center issued a public service announcement about a new criminal toolkit called Kali365. It hijacks Microsoft 365 accounts (Outlook, Teams, OneDrive, all of it) without stealing a single password and without tripping multifactor authentication. By the time it reached national coverage, it was already being rented to anyone with a Telegram account and a couple hundred dollars.

WatchPoint clients were protected from its primary attack method on April 16, more than a month before that warning. Here's what the attack is, why it's so dangerous, and what WatchPoint did about it.

1. First, what “device authentication” actually is

You've used device authentication without knowing its name. When you sign a smart TV into a streaming app by typing a short code at a website on your phone, that's device authentication. Microsoft built the same capability into Microsoft 365. It's called device code flow, part of an open standard called OAuth 2.0, and it exists for hardware that can't easily show a login screen or accept a typed password: conference room systems, printers, IoT devices, and the command line tools that IT teams use.

The flow is simple by design. A device asks Microsoft for a short code. A person goes to the real Microsoft page, microsoft.com/devicelogin, enters the code, signs in normally, and Microsoft trusts that device from then on. Nothing about this is malicious. It's a convenience feature working exactly as intended.

That convenience is exactly what attackers learned to take advantage of.

2. What Kali365 is, and why it's different

Kali365 is what the industry calls phishing as a service. The developers build and maintain the toolkit while less skilled criminals rent access and run the actual attacks. Security firm Arctic Wolf documented it in April 2026. It rents for roughly $250 a month or $2,000 a year, paid in untraceable cryptocurrency, and ships with lure emails written by AI, prebuilt campaign templates, and a live dashboard for tracking victims in real time.

The attack itself is deceptively clean. The criminal starts the device code flow and emails you the code, disguised as a shared document or an IT notification. You enter it at the legitimate Microsoft page, because the page is real. You sign in. You even pass MFA. But the device you just authorized isn't yours. It belongs to the attacker. The moment you finish, Microsoft hands over the keys.

Here's what makes this attack so dangerous: there's no fake website to spot, no malicious link to block, no malware to catch. The attacker walks in on a genuine Microsoft login, behind a successful MFA prompt. Everything your traditional defenses are trained to flag simply isn't there.

3. Why “just turn on MFA” doesn't save you

This is the most important point, and the most misunderstood. Kali365 doesn't steal your password. It steals your session token, the digital credential Microsoft issues after you've already logged in and cleared MFA.

Microsoft issues two tokens. One expires quickly. The other, the refresh token, can keep a session alive for weeks. Kali365 grabs both. A stolen refresh token is a master key to your mailbox and files that needs no password and no MFA prompt, and it keeps working until someone explicitly revokes it. Here's the detail that catches most organizations off guard: resetting the victim's password does not lock the attacker out. The session is already theirs.

That's why the FBI framed Kali365 as a problem of stolen sessions, not stolen passwords, and why the standard advice (“turn on MFA, change your password”) isn't enough on its own. The attack lives a layer above all of that.

A hijacked mailbox is rarely the goal. It's the setup. A quietly compromised email account is the launchpad for the most expensive cybercrime in America right now: business email compromise, the wire fraud that cost U.S. organizations more than $3 billion in 2025 according to the FBI's own figures.

4. What WatchPoint did, and when

Device code phishing didn't appear out of nowhere with Kali365. The technique had been climbing through late 2025 and early 2026. Researchers at Proofpoint and Huntress were tracking campaigns that abused the device code flow months before Kali365 turned it into a product. WatchPoint saw the same signals.

So on April 16, 2026, WatchPoint's Microsoft 365 team deployed a single, decisive control across every client tenant under management: a Conditional Access policy in Microsoft Entra that blocks the device code authentication flow outright.

In plain terms, if anyone tries to sign in using the device code method, whether it is you, an employee, or an attacker holding a phished code, Microsoft refuses before a token is ever created. The exact mechanism Kali365 depends on simply isn't available. The policy covers all users. Emergency access accounts are preserved so a policy change can never lock a client out, and the policy was confirmed live and enforcing, not just logging.

Microsoft Entra · Conditional Access Policy
Policy state: Enabled and enforcing
Assigned users: All users (emergency access accounts excluded)
Target resources: All cloud resources
Condition: Authentication flows → Device code flow
Grant control: BLOCK ACCESS
Effective date: April 16, 2026
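The same policy, expressed as the Microsoft Graph conditionalAccessPolicy object an administrator would read back from the tenant, with a check for each row of the summary above. Three of those rows matter most in practice: the state must be "enabled" rather than report-only (report-only logs the match but still issues the token), the exclusions must be exactly the emergency access accounts, and the grant must be a hard block. This is an added example written for this post, not WatchPoint's own tooling; the policy is a constructed sample and the emergency-account object id is a placeholder, while the property names (state, conditions.authenticationFlows.transferMethods, grantControls.builtInControls) are the real Graph schema.

```python
"""Audit a Microsoft Entra Conditional Access policy for a device code flow block.

Added example for this post, not WatchPoint's own tooling. SAMPLE_POLICY is a
constructed Microsoft Graph conditionalAccessPolicy object shaped like the
control described above; the object ids are placeholders, not tenant values.
"""

# Placeholder object id standing in for a tenant's emergency (break-glass) account.
EMERGENCY_ACCOUNT_ID = "00000000-0000-0000-0000-000000000001"

# Constructed sample of what GET /identity/conditionalAccess/policies/{id} returns
# for a policy matching the summary: all users, all cloud resources,
# authentication flow = device code flow, grant = block, state = enabled.
SAMPLE_POLICY = {
    "displayName": "Block device code flow",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": [EMERGENCY_ACCOUNT_ID]},
        "applications": {"includeApplications": ["All"]},
        "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

# The same policy left in report-only mode: it logs matches but issues tokens anyway.
REPORT_ONLY_POLICY = {**SAMPLE_POLICY, "state": "enabledForReportingButNotEnforced"}


def audit_device_code_block(policy: dict, emergency_accounts: set[str]) -> list[str]:
    """Return a list of findings; an empty list means the policy enforces the block."""
    findings = []
    conditions = policy.get("conditions", {})
    users = conditions.get("users", {})
    apps = conditions.get("applications", {})
    flows = conditions.get("authenticationFlows") or {}
    grant = policy.get("grantControls") or {}

    # 1. Enforcing, not just logging. Report-only still lets the token be issued.
    state = policy.get("state")
    if state == "enabledForReportingButNotEnforced":
        findings.append("policy is report-only, not enforcing")
    elif state != "enabled":
        findings.append(f"policy state is {state!r}, expected 'enabled'")

    # 2. Scope: every user and every cloud resource, or the attacker picks the gap.
    if "All" not in users.get("includeUsers", []):
        findings.append("policy is not assigned to all users")
    if "All" not in apps.get("includeApplications", []):
        findings.append("policy does not target all cloud resources")

    # 3. Exclusions: only the break-glass accounts, and all of them.
    excluded = set(users.get("excludeUsers", []))
    if extra := excluded - emergency_accounts:
        findings.append(f"unexpected user exclusions: {sorted(extra)}")
    if missing := emergency_accounts - excluded:
        findings.append(f"emergency access accounts not excluded: {sorted(missing)}")

    # 4. The condition must include the device code flow. transferMethods is a
    #    comma-separated flags string, e.g. "deviceCodeFlow,authenticationTransfer".
    methods = {m.strip() for m in flows.get("transferMethods", "").split(",") if m.strip()}
    if "deviceCodeFlow" not in methods:
        findings.append("authentication flow condition does not include deviceCodeFlow")

    # 5. The grant control must be a hard block.
    if "block" not in grant.get("builtInControls", []):
        findings.append("grant control is not 'block'")

    return findings


if __name__ == "__main__":
    for name, pol in (("enforcing", SAMPLE_POLICY), ("report-only", REPORT_ONLY_POLICY)):
        result = audit_device_code_block(pol, {EMERGENCY_ACCOUNT_ID})
        print(f"{name}: {'PASS' if not result else 'FAIL: ' + '; '.join(result)}")
```

Run against a real tenant, the input would be the JSON returned by the Graph policies endpoint and the emergency set would be the tenant's actual break-glass object ids; the check logic does not change.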

The Timeline
Late 2025 to early 2026: Device code phishing climbs sharply, and researchers raise the alarm about the technique.
April 16, 2026: WatchPoint blocks the device code flow for every managed client tenant. [WatchPoint]
April 2026: Kali365 first surfaces, sold quietly through Telegram cybercrime channels.
May 21, 2026: The FBI issues its national public service announcement warning organizations about Kali365.
Late May 2026: Kali365 reaches widespread media coverage and broad criminal adoption.

Those five weeks weren't luck. They are the difference between a security provider that reacts to headlines and one that closes doors before they are forced open.

5. See it for yourself

SECURITY POSTURE GATEWAY

No WatchPoint client has to take any of this on faith. Every client gets a Security Posture Gateway (SPG), a live dashboard showing which protections are active and working in their environment. Device Code Flow is a line item on it. Green means your tenant is provably blocking the exact technique the FBI warned about, and it has been since April 16. No slideware, no “trust us,” just verifiable proof on demand.

● Status: Device Code Flow active since April 16, 2026
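A way to confirm the block is enforcing without taking any dashboard's word for it is to read the tenant's own sign-in logs. A device code attempt the policy stopped is recorded with Conditional Access error code 53003 (token not issued); a device code sign-in that completed with error code 0 means the policy is not covering that user or resource, and that session needs to be revoked and examined. The following is an added example written for this post, not part of the original text, the SPG, or any Microsoft tool; the events are constructed JSON lines in the shape of the Microsoft Graph signIn resource (authenticationProtocol, status.errorCode, conditionalAccessStatus), with made-up users, IP addresses and app names.

```python
"""Triage Microsoft Entra sign-in log entries for device code flow activity.

Added example for this post, not WatchPoint's SPG or any Microsoft tool. The
events below are constructed JSON lines in the shape of the Graph signIn
resource; users, IPs and app names are made up.
"""
import json

# AADSTS53003: access blocked by a Conditional Access policy (no token issued).
CA_BLOCKED = 53003

# Constructed sample sign-in events. Line 1 is a normal browser login, line 2 is a
# device code attempt stopped by the policy, line 3 is a device code attempt that
# succeeded, which is what a tenant WITHOUT the block would record.
SAMPLE_SIGNINS = """\
{"createdDateTime":"2026-04-20T14:02:11Z","userPrincipalName":"alice@contoso.example","appDisplayName":"Office 365 Exchange Online","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.10","conditionalAccessStatus":"success","status":{"errorCode":0}}
{"createdDateTime":"2026-04-20T14:05:42Z","userPrincipalName":"bob@contoso.example","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.7","conditionalAccessStatus":"failure","status":{"errorCode":53003,"failureReason":"Access has been blocked by Conditional Access policies."}}
{"createdDateTime":"2026-04-20T14:09:03Z","userPrincipalName":"carol@contoso.example","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.7","conditionalAccessStatus":"notApplied","status":{"errorCode":0}}
"""


def parse_signins(jsonl: str) -> list[dict]:
    """Parse JSON-lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def triage_device_code(events: list[dict]) -> dict[str, list[dict]]:
    """Split device code sign-ins into those the policy blocked and those that got a token.

    A non-empty 'allowed' list means the block is not covering that user or
    resource; every entry there is a live session to revoke and investigate.
    """
    out = {"blocked": [], "allowed": []}
    for ev in events:
        if ev.get("authenticationProtocol") != "deviceCode":
            continue  # browser, ROPC and other flows are out of scope here
        summary = {
            "when": ev.get("createdDateTime"),
            "user": ev.get("userPrincipalName"),
            "app": ev.get("appDisplayName"),
            "ip": ev.get("ipAddress"),
        }
        error = int(ev.get("status", {}).get("errorCode", 0))
        if error == CA_BLOCKED:
            out["blocked"].append(summary)
        elif error == 0:
            out["allowed"].append(summary)
        # Other non-zero codes (expired or mistyped code, etc.) say nothing about the policy.
    return out


if __name__ == "__main__":
    result = triage_device_code(parse_signins(SAMPLE_SIGNINS))
    print(f"device code attempts blocked by policy: {len(result['blocked'])}")
    for s in result["allowed"]:
        print(f"ALERT device code token issued: {s['user']} from {s['ip']} to {s['app']}")
```

In a live tenant the same function runs over records exported from the sign-in logs (the Graph auditLogs/signIns endpoint or a Log Analytics export); a steady count of blocked attempts with zero allowed ones is the evidence that the green status line is telling the truth.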

6. The honest part: what this stops, and what it doesn't

FULL DISCLOSURE

One control closes the main door. It does not close every door.

Better to give the full truth than oversell a single setting. Blocking the device code flow shuts down Kali365's primary attack path completely. But Kali365 has a second, sneakier mode that works differently. It sits invisibly between you and Microsoft, lets you log in normally, and steals the session cookie afterward. That is a different mechanism, and it needs a different answer.

So, the device code block is one layer of several. For the second mode, WatchPoint layers on token protection, Continuous Access Evaluation that can revoke a stolen session the moment risk appears, shorter token lifetimes, and credentials that resist phishing, such as passkeys. Layered security is not a buzzword here. It is the only thing that reliably holds up against an attacker who keeps changing the angle of attack.

7. The takeaway

If your organization runs on Microsoft 365, and nearly every business does, the question isn't whether attackers are coming for your accounts. It's whether the door is locked before they arrive. For WatchPoint clients, on this particular attack, it was locked on April 16.

On August 4, 2025, SonicWall issued a critical security advisory regarding active exploitation attempts against its Gen-7 firewalls' SSL-VPN services. Threat actors are leveraging a possible zero-day vulnerability to bypass authentication and deliver ransomware payloads, even on fully patched systems.

SonicWall Advisory: Gen-7 SonicWall Firewalls SSLVPN Recent Threat Activity

This vulnerability is being actively exploited by ransomware operators, including the notorious Akira ransomware group, as detailed by Huntress Labs and covered by TechCrunch. Attackers are targeting SonicWall’s SSL-VPN features to gain initial access, bypass Multi-Factor Authentication (MFA), and move laterally within networks—impacting businesses of all sizes, including small and mid-sized organizations.


What WatchPoint Has Done Immediately

In response, WatchPoint has proactively disabled VPN access on all SonicWall appliances to prevent potential exploitation. We audited configurations across all client networks to ensure:


Are You at Risk? Here's How to Know

If your organization:

You are vulnerable to this exploitation chain—even if MFA is enabled.

➡️ Contact WatchPoint immediately to schedule a Zero-Day Vulnerability Assessment. We will help you verify exposure, implement immediate containment, and advise on secure remote access alternatives.


Recommended Actions for All SonicWall Users

Even if you're not a WatchPoint client, we strongly recommend the following actions:

1. Disable SSL-VPN Services Temporarily

2. Restrict VPN Access by IP Address

3. Audit All User Accounts

NOTE: Some reports suggest that the activity under investigation bypasses MFA even where MFA is enforced.

4. Enable SonicWall Security Services

5. Increase Log Monitoring and Alerts

6. Consult with a Security Partner

Engage a trusted MSP like WatchPoint for ongoing monitoring, incident response readiness, and compliance-driven risk management.


Why This Matters for SMBs

Ransomware actors increasingly target professional services, healthcare, financial institutions, and other SMBs in regulated sectors. A successful exploit could lead to:


📞 Need Help? We're Standing By 319-535-5350

If you’re unsure whether your SonicWall deployment is at risk or need immediate help with containment and remediation contact WatchPoint today.

We provide rapid assessments, mitigation support, and co-managed IT security services designed to protect small and mid-sized businesses from evolving cyber threats.



In today’s threat landscape, law firms can’t afford to overlook endpoint security basics, and one of the most overlooked vulnerabilities is local administrator access. While it may seem like a small technical detail, allowing staff to operate with elevated privileges is one of the biggest security risks a firm can take.

Let’s break down why removing local admin rights isn’t just an IT best practice; it’s a critical move to protect your clients, reputation, and compliance posture.


What Are Local Admin Rights and Why Do They Matter?

Local administrator rights give a user unrestricted control over their workstation: installing software, changing security settings and modifying system files. It’s essentially handing over the keys to the kingdom.

In a law firm, where attorneys and staff routinely access highly confidential client data, this level of access presents a clear and present danger.


The Risks of Local Admin Access

  1. Malware and Ransomware Infections
    • Most ransomware (e.g., LockBit, BlackCat) exploits local admin privileges to encrypt files, disable protections, and spread laterally.
    • Without admin rights, many of these exploits fail to run or are contained.
  2. Shadow IT and Unvetted Software
    • Users with admin rights often install apps that haven’t been vetted for security or compliance—potentially exposing client data or creating backdoors for attackers.
  3. Privilege Escalation
    • Attackers love finding users with admin access. Once compromised, these accounts let them move laterally, escalate privileges, and exfiltrate sensitive information (a classic technique in MITRE ATT&CK: T1078 – Valid Accounts).
  4. Violation of ABA Model Rules of Professional Conduct
    • Granting users unrestricted local admin rights risks violating ABA Model Rule 1.6(c). Enforcing least privilege is a recognized “reasonable effort” under this rule, helping firms demonstrate due diligence in safeguarding client data.

Real-World Breaches Caused by Excessive Privileges


These breaches underscore a simple truth: when everyone is an admin, no one is secure.


Benefits of Removing Local Admin Rights

Reduces Attack Surface
Prevents Unauthorized Software
Improves Patch and Software Management
Strengthens Compliance with ABA Standards
Enhances Endpoint Monitoring and Control


Common Objections—and How to Overcome Them

Implementation Steps for Law Firms

  1. Audit all workstations for local admin users.
  2. Create role-based access profiles (e.g., Partner, Paralegal, Admin).
  3. Deploy privilege management tools like WatchPoint AutoElevate.
  4. Revoke standing admin rights, replace with request-based elevation.
  5. Document changes in your Acceptable Use Policy and Written Information Security Policy.
  6. Train staff on why these changes reduce risk and support client confidentiality.
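Step 1 above, the audit, is the part most firms never finish because the data lives on each workstation. One way to make it repeatable is to parse the output of `net localgroup Administrators` and compare it against the membership the role profile from step 2 actually grants. This is an added example written for this post, not a WatchPoint or AutoElevate tool; the command output is a constructed sample, and the approved set (the CORP domain, the built-in account plus the domain admins group) is an assumption about a firm's profile.

```python
"""Audit a Windows workstation's local Administrators group against an approved list.

Added example for the implementation steps above, not a WatchPoint or
AutoElevate tool. It parses the output of `net localgroup Administrators`;
SAMPLE_OUTPUT is constructed, and APPROVED (domain name, account names) is an
assumption for a firm that allows only the built-in account and domain admins.
"""
import subprocess

# Constructed output of `net localgroup Administrators` on a domain-joined PC.
SAMPLE_OUTPUT = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
CORP\\jsmith
The command completed successfully.
"""

# Assumed approved membership: the built-in account plus the domain admins group.
APPROVED = {"Administrator", "CORP\\Domain Admins"}


def parse_net_localgroup(output: str) -> list[str]:
    """Return the member names listed below the dashed separator."""
    members, in_members = [], False
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("----"):
            in_members = True  # everything after the rule is a member entry
            continue
        if not in_members or not line:
            continue
        if line.startswith("The command completed"):
            break
        members.append(line)
    return members


def unexpected_admins(members: list[str], approved: set[str]) -> list[str]:
    """Members holding standing admin rights that the role profile does not grant."""
    return sorted(m for m in members if m not in approved)


def audit_local_admins(output: str, approved: set[str] = frozenset(APPROVED)) -> list[str]:
    """Parse one machine's output and return the accounts that need review."""
    return unexpected_admins(parse_net_localgroup(output), set(approved))


def audit_this_machine() -> list[str]:
    """Run the live command on the Windows host this script executes on."""
    proc = subprocess.run(["net", "localgroup", "Administrators"],
                          capture_output=True, text=True, check=True)
    return audit_local_admins(proc.stdout)


if __name__ == "__main__":
    for user in audit_local_admins(SAMPLE_OUTPUT):
        print(f"REVIEW standing local admin not in role profile: {user}")
```

Running audit_this_machine() from an RMM script on every workstation and collecting the non-empty results gives the firm the list that step 4 (revoke standing rights) works from, and re-running it after the change proves the list went to zero.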

Bottom Line

Giving users local admin rights is like leaving the keys hanging in your front door and assuming no one will try to open it.

For law firms, the stakes are too high. Reputation, compliance, and client trust all hang in the balance. Removing local admin rights is one of the easiest, most effective ways to protect your business and keep growth on track.

Would you ever hang a bright neon sign outside your business reading, "Hey burglars, doors unlocked, come on in!"? Of course not. Yet astonishingly, many businesses do just that digitally, leaving their firewall ports wide open and welcoming cybercriminals with open arms. Recently, even the FBI stepped in to issue a stern (and somewhat embarrassing) Open Port Warning about the dangers of leaving these digital doors unlocked. And while cybersecurity is serious business, sometimes the simplicity of the problem borders on comedy, until it’s not funny at all.

The FBI’s "Friendly" Reminder

In a recent cybersecurity advisory (Alert Code: AA25-050A), the FBI and CISA (the Cybersecurity and Infrastructure Security Agency) issued a joint warning about cybercriminals actively targeting networks through open firewall ports. Think of it like leaving your office windows wide open overnight: one forgotten latch and intruders can waltz right in. The FBI is urging businesses to close these vulnerabilities immediately, before open ports become a hacker's personal playground filled with data breaches, ransomware, and other digital nightmares.


An Open Port is an Open Invitation

Let's be honest: leaving your ports open is like tossing your car keys into the front seat and walking away. Sure, your car might be there in the morning, but the odds aren't exactly in your favor. The puzzling thing? Checking for open ports is straightforward, yet countless businesses overlook it, creating massive and entirely unnecessary risks. The potential cost isn't just financial; imagine explaining to your clients that your "secure" network was basically a revolving door for hackers. Ouch.

As with many other cybersecurity topics, business leaders choose to ignore this one even though it has been widely covered. Here are just a few of the articles written about this particular warning.

Forbes: "FBI Says Backup Now—Advisory Warns Of Dangerous Ongoing Attacks"

This article highlights the FBI's warning about the ongoing and dangerous nature of Ghost ransomware attacks, emphasizing the importance of immediate data backups.


WaterISAC: "(TLP:CLEAR) CISA, FBI, and MS-ISAC Release Advisory on Ghost (Cring) Ransomware"

This piece provides an overview of the joint advisory, detailing the indicators of compromise (IOCs), tactics, techniques, and procedures (TTPs) associated with Ghost ransomware.


Security Boulevard: "[CISA AA25-050A] #StopRansomware: Ghost (Cring) Ransomware"

This article discusses the CISA advisory on Ghost ransomware and introduces an attack graph released by AttackIQ to help organizations validate their security controls against this threat.


SafeBreach: "SafeBreach Coverage for US CERT AA25-050A [Ghost (Cring) Ransomware]"

This blog post outlines how SafeBreach has added coverage against attacks by Ghost threat actors targeting organizations across more than 70 countries.


NeptuneWorx: "Summary: Understanding CISA's Cybersecurity Advisory AA25-050A"

This summary provides insights into the CISA advisory, emphasizing the importance of proactive cybersecurity measures and understanding the threat landscape.


How often are these open ports leading to ransomware attacks?

We don’t have the hard statistics yet for 2025, but over the past several weeks at WatchPoint we have been getting more requests than usual for help with ransomware attacks. These were non-WatchPoint clients, of course, and generally referrals from existing clients, but of the last three, two were caused by open ports. There was a dip in ransomware attacks that coincided with the start of the war in Ukraine, but now we appear to be back in the throes of a full-on assault from cyber attackers.

Good News: Checking Ports is a Breeze

Here’s the good news—checking your ports isn't complicated or time-consuming. In fact, it's as quick and painless as checking your smartphone’s battery. With a few clicks, we can run a port scan and immediately see if you are unintentionally offering hackers a warm welcome to your network. Given how simple this task is, there’s really no excuse not to do it unless you enjoy making life easy for cybercriminals.

How WatchPoint IT Makes Life Easier

At WatchPoint IT, our mission is to make cybersecurity feel less like rocket science and more like routine maintenance—easy, stress-free, and efficient. Our free port scanning service quickly identifies which of your digital doors are wide open. Additionally, we won’t leave you hanging. We provide continuous monitoring and alerts to immediately flag any new vulnerabilities, keeping your digital assets safe 24/7.

Here's What You'll Receive from Our Free Scan:

Urgent? Absolutely. Difficult? Not Even a Little.

Cybersecurity can seem daunting, packed with acronyms, jargon, and endless threats. But when it comes to securing your network, think of it as simply locking your front door. With the FBI’s urgent warning fresh in our minds, there’s no better time than now to act.

Don’t wait until you’re already compromised. Connect with WatchPoint IT today, run your free port scan, and let’s lock those digital doors tighter than Fort Knox. Because in cybersecurity, being proactive isn't just smart, it's essential.

Stay smart, stay secure!

Ready to lock things down? Visit WatchPoint IT today and let us know you would like a free port scan. Your future self will thank you.

© 2025 WatchPoint