The MSP Minute ⏱ Friday 29 May 2026
For Managed Service Providers worldwide. Today... a $250 phishing kit is defeating Microsoft 365 MFA... a Secure Boot deadline is now less than four weeks away... and the MSP 501 results are almost here
🔴 FBI warning about a $250 phishing kit that defeats Microsoft 365 MFA completely
Kali365 is a phishing-as-a-service platform sold on Telegram for as little as $250 for 30 days. First seen last month, it’s already been used in hundreds of confirmed attacks across manufacturing, education, government, financial services, and healthcare. Every single victim was using MFA. (Source: Malwarebytes)
The attack doesn’t steal passwords or intercept MFA codes. Instead it abuses Microsoft’s legitimate device code login flow… a real authentication feature designed for devices without keyboards, like smart TVs and printers.
The victim receives a convincing phishing email, is directed to a genuine Microsoft page, and enters a short device code. That single action hands the attacker a persistent OAuth token tied to the victim’s account. From that point, the attacker has ongoing access to Outlook, Teams, and OneDrive without ever needing to log in again… even if the victim changes their password.
The FBI’s IC3 published a formal advisory on May 21. The recommended mitigation: restrict or disable device code flow in your Microsoft 365 tenant unless it’s genuinely needed. For most SMB clients, it isn’t. Conditional Access policies blocking device code authentication are available in Entra ID. (Source: FBI IC3)
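An added example, not taken from the FBI advisory or the sources above: before blocking device code flow for a client, this Python script audits exported sign-in records to show which accounts actually use it, so genuine users (meeting room devices, printers) can be excluded and everything else reviewed. The sample records are constructed, and the field names (authenticationProtocol, userPrincipalName, appDisplayName, ipAddress, status.errorCode) are assumed to match your Entra ID sign-in log export.

```python
from collections import defaultdict

# Constructed sample records; field names are an assumption about the export format.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "kiosk@contoso.example", "appDisplayName": "Microsoft Teams Rooms",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.10", "status": {"errorCode": 0}},
    {"userPrincipalName": "j.smith@contoso.example", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.77", "status": {"errorCode": 0}},
    {"userPrincipalName": "J.Smith@contoso.example", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.78", "status": {"errorCode": 0}},
    {"userPrincipalName": "a.jones@contoso.example", "appDisplayName": "Outlook",
     "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.22", "status": {"errorCode": 0}},
    # Nonzero errorCode = failed sign-in (value is a constructed placeholder).
    {"userPrincipalName": "b.lee@contoso.example", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.90", "status": {"errorCode": 1}},
]

def audit_device_code(signins, approved_accounts=()):
    """Summarise successful device code sign-ins per user.

    Returns (approved, review): accounts on the approved list that you may
    want to exclude from a blocking policy, and accounts whose device code
    use is unexpected and should be investigated.
    """
    allow = {a.lower() for a in approved_accounts}
    per_user = defaultdict(lambda: {"count": 0, "apps": set(), "ips": set()})
    for rec in signins:
        if (rec.get("authenticationProtocol") or "").lower() != "devicecode":
            continue  # some other sign-in flow
        if (rec.get("status") or {}).get("errorCode", 0) != 0:
            continue  # failed attempt: no token was issued
        upn = (rec.get("userPrincipalName") or "unknown").lower()
        entry = per_user[upn]
        entry["count"] += 1
        entry["apps"].add(rec.get("appDisplayName") or "unknown")
        entry["ips"].add(rec.get("ipAddress") or "unknown")
    approved = {u: e for u, e in per_user.items() if u in allow}
    review = {u: e for u, e in per_user.items() if u not in allow}
    return approved, review

if __name__ == "__main__":
    approved, review = audit_device_code(SAMPLE_SIGNINS, ["kiosk@contoso.example"])
    for label, group in (("APPROVED", approved), ("REVIEW", review)):
        for upn, e in sorted(group.items()):
            print(f"{label:8} {upn} count={e['count']} "
                  f"apps={sorted(e['apps'])} ips={sorted(e['ips'])}")
```

An empty REVIEW list over a representative period suggests the flow can be blocked tenant-wide with only the approved accounts excluded.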
🟡 The Secure Boot certificate deadline is now less than four weeks away (and you have to manually update Windows Server)
We featured this a few weeks ago when Patch Tuesday first included the certificate update. It’s worth a reminder today because the deadline hasn’t moved and many estates still haven’t applied it properly.
The original Secure Boot certificates, issued in 2011, expire on June 26. Devices that received the May or June Patch Tuesday updates are covered automatically. Devices that aren’t patched enter a degraded security state after June 26 and cannot receive future boot-level protections. (Source: 4sysops)
Heads up: Windows Server does not apply this update automatically. Unlike desktop Windows, Server estates require manual deployment of the certificate rollout via Group Policy or WSUS.
🟢 The MSP 501 results are coming in June (which is coming on Monday)
The 2026 MSP 501 application window closed three weeks ago. As you read this, the results are being scored and verified, with winners set to be announced in June via a reveal webcast. All 501 winners will then be celebrated at the MSP 501 Awards Gala at MSP Summit in Orlando on September 30. (Source: MSP Summit)
Now in its 19th year, the MSP 501 is the only industry ranking based on actual financial data (managed services revenue, recurring revenue percentage, year-on-year growth) rather than votes or nominations. If you applied this year, the wait is almost over. Hit reply and let us know, would you?
Right, we’re through another week. We’ll be back in your inbox on Monday morning when it will be JUNE. The year’s going so fast 🙁 Have a great weekend.


