FBI Warns of Kali365 Attacking Microsoft 365 Users to Steal Logins and Bypass MFA

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


The FBI has issued a new cybersecurity warning about a rapidly emerging phishing-as-a-service (PhaaS) platform named Kali365, which is actively targeting Microsoft 365 users to steal access tokens and bypass multi-factor authentication (MFA).

Kali365 is being distributed primarily through Telegram channels, where threat actors can subscribe to the service and launch phishing campaigns with minimal technical knowledge.

Unlike traditional credential-harvesting attacks, Kali365 focuses on capturing OAuth tokens, enabling attackers to gain persistent access to Microsoft 365 accounts without requiring usernames, passwords, or MFA codes.

The platform includes several built-in features that lower the barrier to entry for attackers:

  • AI-generated phishing email templates impersonating trusted services.
  • Automated campaign deployment tools.
  • Real-time dashboards to track victims.
  • OAuth token capture mechanisms.

This combination enables even low-skilled attackers to execute sophisticated phishing campaigns at scale.

Kali365 PhaaS Targets Microsoft 365

The Kali365 attack leverages Microsoft’s legitimate device code authentication flow to trick users into authorizing malicious access.

  • Lure: Victims receive phishing emails that appear to be from Microsoft or document-sharing platforms. These emails include a device code and instructions.
  • Authorization: The victim is directed to a legitimate Microsoft verification page and asked to enter the provided code.
  • Token Theft: By entering the code, the user completes the attacker-initiated device code request, so Microsoft issues the OAuth access and refresh tokens to the attacker’s client rather than to the victim.
  • Persistence: Attackers can then access services like Outlook, Teams, and OneDrive without triggering MFA again.

This technique is particularly dangerous because it exploits legitimate authentication workflows, making detection more difficult.

Tracked under Alert Number I-052126-PSA and first observed in April 2026, the platform is gaining traction among cybercriminals due to its ease of use and advanced capabilities.

Once access is gained, attackers can:

  • Read and exfiltrate emails.
  • Access sensitive files stored in OneDrive.
  • Monitor communications via Teams.
  • Maintain long-term persistence using refresh tokens.

Because credentials are not directly stolen, traditional security alerts may not be triggered, thereby increasing dwell time.

Mitigation Recommendations

The FBI and CISA recommend several defensive measures to reduce exposure:

  • Restrict or turn off device code flow authentication where possible.
  • Implement conditional access policies to block unauthorized device code usage.
  • Audit existing device code flow dependencies before applying restrictions.
  • Block authentication transfer between devices.
  • Maintain emergency access accounts to prevent lockouts.
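The Conditional Access measures above map onto a single policy object. The following is an added example (not code from the article, the FBI advisory, or Kali365) that builds the request body for the Microsoft Graph conditionalAccessPolicy resource, targeting both device code flow and authentication transfer, starting in report-only mode so the audit step can run first, and excluding an emergency access account so the policy cannot lock administrators out. The lint function lists the common mistakes that make this control ineffective. The break-glass object id is a placeholder, and the endpoint constant is only recorded for reference; nothing here talks to the network.

```python
"""Build and lint a Conditional Access policy blocking device code flow and
authentication transfer. Added example using the Microsoft Graph
conditionalAccessPolicy schema; break-glass ids below are placeholders."""
import json

# Policies are created with POST to this endpoint (reference only; not called here).
GRAPH_CA_ENDPOINT = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"


def build_block_device_code_policy(break_glass_user_ids, enforce=False,
                                   display_name="Block device code flow and authentication transfer"):
    """Return the JSON body for the policy.

    Starts in report-only mode unless enforce=True, so an organisation can first
    see which apps and users still rely on device code flow before blocking it.
    """
    return {
        "displayName": display_name,
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {
                "includeUsers": ["All"],
                # Emergency access accounts must stay reachable if the policy misfires.
                "excludeUsers": list(break_glass_user_ids),
            },
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {
                # Comma-separated flag string per the Graph schema; both flows are
                # named because the advisory recommends blocking both.
                "transferMethods": "deviceCodeFlow,authenticationTransfer",
            },
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def policy_gaps(policy):
    """Return a list of problems that would make the policy ineffective or risky."""
    gaps = []
    cond = policy.get("conditions", {})
    raw = cond.get("authenticationFlows", {}).get("transferMethods", "")
    methods = {m.strip() for m in raw.split(",") if m.strip()}
    if "deviceCodeFlow" not in methods:
        gaps.append("policy does not target deviceCodeFlow")
    if "authenticationTransfer" not in methods:
        gaps.append("policy does not target authenticationTransfer")
    if "block" not in policy.get("grantControls", {}).get("builtInControls", []):
        gaps.append("grant control is not 'block'")
    if not cond.get("users", {}).get("excludeUsers"):
        gaps.append("no emergency access account excluded; lockout risk")
    if cond.get("applications", {}).get("includeApplications") != ["All"]:
        gaps.append("policy is not scoped to all applications")
    return gaps


# Constructed example of a weak policy: only device code flow, no break-glass exclusion.
WEAK_POLICY = {
    "displayName": "Block device code only",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": []},
        "applications": {"includeApplications": ["All"]},
        "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}


if __name__ == "__main__":
    policy = build_block_device_code_policy(["<break-glass-account-object-id>"])
    print(json.dumps(policy, indent=2))
    print("gaps in hardened policy:", policy_gaps(policy))
    print("gaps in weak policy:", policy_gaps(WEAK_POLICY))
```

Run the policy in report-only mode for a period, review the sign-in log entries it would have blocked, then switch `enforce=True` once any remaining device code dependencies have been migrated.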

Organizations should also monitor for unusual sign-ins and token usage patterns.
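Entra ID sign-in logs record which protocol produced each sign-in, so both the audit step and the monitoring step can be driven from the same export. The following added example (not code from the article or the advisory) reads constructed sign-in records using the Microsoft Graph signIn field names (authenticationProtocol, appDisplayName, userPrincipalName, ipAddress, location, createdDateTime, status), produces an inventory of who legitimately uses device code flow, and flags successful device code or authentication transfer sign-ins that come from an app outside a constructed allowlist or from a country the user has not otherwise signed in from.

```python
"""Audit and flag device code flow sign-ins in an Entra ID sign-in log export.
Added example; the log lines and the allowlist are constructed for illustration."""
import json
from collections import Counter, defaultdict

# Constructed JSON-lines export; field names follow the Graph signIn resource.
SAMPLE_SIGNIN_LOG = r'''
{"createdDateTime":"2026-04-14T08:02:11Z","userPrincipalName":"alice@example.com","appDisplayName":"Microsoft Azure CLI","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.10","location":{"countryOrRegion":"US"},"status":{"errorCode":0}}
{"createdDateTime":"2026-04-14T08:05:40Z","userPrincipalName":"alice@example.com","appDisplayName":"Microsoft Office","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.10","location":{"countryOrRegion":"US"},"status":{"errorCode":0}}
{"createdDateTime":"2026-04-14T09:31:07Z","userPrincipalName":"bob@example.com","appDisplayName":"Microsoft Office","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.22","location":{"countryOrRegion":"US"},"status":{"errorCode":0}}
{"createdDateTime":"2026-04-14T09:44:52Z","userPrincipalName":"bob@example.com","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.77","location":{"countryOrRegion":"NL"},"status":{"errorCode":0}}
{"createdDateTime":"2026-04-14T10:12:30Z","userPrincipalName":"carol@example.com","appDisplayName":"Microsoft Teams","authenticationProtocol":"authenticationTransfer","ipAddress":"198.51.100.9","location":{"countryOrRegion":"BR"},"status":{"errorCode":0}}
{"createdDateTime":"2026-04-14T10:20:00Z","userPrincipalName":"dave@example.com","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.30","location":{"countryOrRegion":"US"},"status":{"errorCode":50126}}
'''

# Apps the organisation has confirmed as legitimate device code users (constructed;
# build your own list from the inventory before enforcing a block).
KNOWN_DEVICE_CODE_APPS = {"Microsoft Azure CLI"}

FLOWS_OF_INTEREST = {"deviceCode", "authenticationTransfer"}


def parse_signins(text):
    """Parse a JSON-lines export into a list of sign-in records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _succeeded(record):
    return record.get("status", {}).get("errorCode") == 0


def _country(record):
    return record.get("location", {}).get("countryOrRegion")


def device_code_inventory(records):
    """Audit step: count successful device code sign-ins per (app, user) pair."""
    inventory = Counter()
    for r in records:
        if r.get("authenticationProtocol") == "deviceCode" and _succeeded(r):
            inventory[(r["appDisplayName"], r["userPrincipalName"])] += 1
    return inventory


def flag_suspicious(records):
    """Detection step: successful device code or authentication transfer sign-ins
    from a non-allowlisted app or from a country absent from the user's other sign-ins."""
    baseline = defaultdict(set)  # countries seen per user in ordinary sign-ins
    for r in records:
        if r.get("authenticationProtocol") not in FLOWS_OF_INTEREST and _succeeded(r):
            baseline[r["userPrincipalName"]].add(_country(r))

    alerts = []
    for r in records:
        proto = r.get("authenticationProtocol")
        if proto not in FLOWS_OF_INTEREST or not _succeeded(r):
            continue
        reasons = []
        if proto == "deviceCode" and r["appDisplayName"] not in KNOWN_DEVICE_CODE_APPS:
            reasons.append("device code flow from app not in allowlist")
        if proto == "authenticationTransfer":
            reasons.append("authentication transfer sign-in")
        if _country(r) not in baseline[r["userPrincipalName"]]:
            reasons.append(f"country {_country(r)} not seen in user's other sign-ins")
        if reasons:
            alerts.append({
                "time": r["createdDateTime"], "user": r["userPrincipalName"],
                "app": r["appDisplayName"], "ip": r["ipAddress"],
                "protocol": proto, "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    recs = parse_signins(SAMPLE_SIGNIN_LOG)
    for (app, user), n in device_code_inventory(recs).items():
        print(f"inventory: {user} via {app}: {n} device code sign-in(s)")
    for a in flag_suspicious(recs):
        print("ALERT", a)
```

On the constructed data the Azure CLI sign-in is inventoried but not flagged, while the Office device code sign-in from a new country and the authentication transfer sign-in are both reported. Failed attempts (non-zero errorCode) are kept out of the inventory so they do not become false dependencies when deciding what to block.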

Victims of Kali365-related attacks are encouraged to report incidents to the FBI’s Internet Crime Complaint Center (IC3) at www.ic3.gov. Key information to include:

  • Phishing email samples (headers and content).
  • Suspicious login details (IP, time, location).
  • Unauthorized devices or active sessions.

As phishing techniques continue to evolve, the Kali365 platform highlights a growing shift toward token-based attacks that bypass traditional defenses, reinforcing the need for stronger identity and access controls.
