In its latest alert, the Federal Bureau of Investigation (FBI) is warning about a new Phishing-as-a-Service (PaaS) platform called Kali365 that specifically targets Microsoft 365 accounts. The phishing platform was first detected in April 2026 and is offered on Telegram as a monthly subscription, allowing entry-level cybercriminals and crooks to get ready-made hacking tools for a fee.
The FBI’s alert came just days after Hackread.com reported on a similar Telegram kit called EvilTokens that uses fake login pages and Outlook calendar invites to steal Microsoft 365 sessions. Now, the emergence of Kali365 shows that such services are gaining popularity among newbie hackers.
How Kali365 Attack Works
A notable aspect of Kali365 attacks is that hackers do not need the victim’s password, as they use device code phishing to hijack active account sessions.
The attack begins with a phishing email that appears to come from a well-known cloud or document-sharing service but actually contains a device code. It asks the recipient to visit a real Microsoft verification page and type that code, which gives the hacker's device permission to access the recipient's account.
Kali365 then steals digital keys called OAuth access and refresh tokens. These are highly sensitive because they keep a user logged into apps, and if stolen, they let the hackers quickly access Outlook, Teams, and OneDrive accounts.
Also, these keys help them skip multi-factor authentication (MFA) (an extra safety layer that asks for a fingerprint or text code) and stay logged in for a long time. It all leads to the final goal of corporate data theft and Business Email Compromise (BEC).
Although the FBI published its alert this week, cybersecurity firm Arctic Wolf reported on the threat in April 2026. According to the company’s threat research, some of the realistic subject lines observed in the lures included “SharePoint – Document Shared,” “OneDrive – File Shared,” “Microsoft 365 – Voicemail,” “DocuSign – Signature Required,” and “Adobe Acrobat Sign – Agreement.”
How to Stay Safe
In their alert, the FBI and CISA suggest organisations turn off or limit device code authentication flows, and make sure their IT teams check who uses these codes and set up strict conditional access policies.
However, they must keep emergency access accounts open so they don't get locked out. Blocking authentication transfer through policy also stops users from moving login rights from PCs to mobile phones.
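As an added illustration (not code from the FBI, CISA or Arctic Wolf), the Python sketch below checks an exported Conditional Access policy against the recommendations above: the policy is enforced, device code flow and authentication transfer are blocked, and emergency access accounts are excluded. The field names follow Microsoft Graph's conditionalAccessPolicy JSON; the function names, sample policies and account ID are constructed for the example, and it assumes emergency accounts are excluded by user ID rather than by group.

```python
# Added example: lint one Conditional Access policy (Microsoft Graph JSON shape).
# All sample values below are constructed for illustration.
REQUIRED_FLOWS = {"deviceCodeFlow", "authenticationTransfer"}
BREAK_GLASS = ["00000000-0000-0000-0000-0000000000e1"]  # placeholder object ID

def audit_policy(policy, break_glass_ids):
    """Return findings; an empty list means every check passed."""
    findings = []
    cond = policy.get("conditions") or {}
    # Report-only and disabled policies do not stop a device code sign-in.
    if policy.get("state") != "enabled":
        findings.append(f"policy state is {policy.get('state')!r}, not enforced")
    # Graph serialises transferMethods as a comma-separated flag string.
    raw = (cond.get("authenticationFlows") or {}).get("transferMethods") or ""
    covered = {flow.strip() for flow in raw.split(",") if flow.strip()}
    for flow in sorted(REQUIRED_FLOWS - covered):
        findings.append(f"flow not in scope: {flow}")
    # The grant control has to be an outright block.
    controls = (policy.get("grantControls") or {}).get("builtInControls") or []
    if "block" not in controls:
        findings.append("grant control is not 'block'")
    # Assumption: emergency access accounts are excluded by user object ID.
    excluded = set((cond.get("users") or {}).get("excludeUsers") or [])
    for acct in sorted(set(break_glass_ids) - excluded):
        findings.append(f"emergency access account not excluded: {acct}")
    return findings

def make_policy(state, transfer_methods, exclude_users):
    """Build a constructed sample policy in the Graph layout."""
    return {
        "displayName": "Block device code flow (sample)",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": exclude_users},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": transfer_methods},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }

GOOD = make_policy("enabled", "deviceCodeFlow,authenticationTransfer", BREAK_GLASS)
WEAK = make_policy("enabledForReportingButNotEnforced", "deviceCodeFlow", [])

if __name__ == "__main__":
    for name, pol in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(name, audit_policy(pol, BREAK_GLASS) or "no findings")
```

The WEAK sample shows the three gaps that leave device code phishing open: a report-only policy, authentication transfer left out of scope, and no emergency account exclusion.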

