TheCyberExpress

Kali365 Phishing Kit Hijacks Microsoft 365 Access


The FBI has issued a fresh warning about a growing cybercrime service known as Kali365, a Phishing-as-a-Service (PhaaS) platform that enables attackers to hijack Microsoft 365 accounts without ever handling the victim's password. According to the FBI, the Kali365 phishing kit lets even low-skilled cybercriminals obtain sessions that already satisfy multi-factor authentication (MFA) by abusing Microsoft's legitimate device code sign-in flow: the victim signs in, MFA included, on a genuine Microsoft page, and the tokens that result are issued to the attacker's device.

The platform, which surfaced in April 2026, is being distributed primarily through Telegram channels and is already being linked to hundreds of phishing campaigns targeting organizations and individuals worldwide.

Instead of collecting usernames and passwords, attackers walk away with OAuth access and refresh tokens for the victim's Microsoft 365 environment, including Outlook, Teams, and OneDrive. The access token is short-lived and used immediately; the refresh token is what provides long-term access, since it can be exchanged for fresh access tokens until it expires or is revoked.

How the Kali365 Phishing Kit Works

The FBI explained that the platform relies on a deceptive but technically simple attack chain designed to exploit user trust.

The process typically begins with a phishing email impersonating trusted productivity or document-sharing services. The email contains a device authentication code, which the attacker obtained moments earlier by starting a device code sign-in from their own machine, and instructions asking the victim to visit Microsoft's legitimate device login page and enter it.

Because the page itself is genuine (the URL, certificate and branding are all Microsoft's), many users assume the request is safe.


Once the targeted user signs in and enters the provided code, they unknowingly authorize the attacker's device to access their Microsoft 365 account. The attacker's pending request then receives OAuth access and refresh tokens for the victim's identity. The victim's password and MFA were presented to Microsoft, not to the attacker, and the attacker is never challenged for either, so the resulting access looks like an ordinary completed sign-in.

This technique is particularly dangerous because it does not rely on traditional credential theft. Instead, it abuses Microsoft’s authentication framework to gain legitimate session access.

The FBI noted that after successful token capture, attackers can continue accessing services such as Outlook email, Teams communications, and OneDrive files without triggering additional login prompts for as long as the refresh token remains valid and unrevoked.
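The exchange described above, as an added example that is not part of the original article and not code from the Kali365 kit: a miniature OAuth 2.0 Device Authorization Grant (RFC 8628) server in Python, with the attacker and the victim acting in their respective roles. Endpoint names follow the RFC; the verification URI, client id, victim address, token formats and lifetimes are constructed for the example.

```python
"""Miniature OAuth 2.0 device authorization grant (RFC 8628), modelled to show
why the attacker ends up holding the victim's tokens. Constructed example; not
Microsoft's implementation and not the Kali365 kit."""
import secrets
import string
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

USER_CODE_ALPHABET = string.ascii_uppercase + string.digits
CODE_LIFETIME_S = 900           # assumed: how long the user_code/device_code pair stays redeemable
ACCESS_TOKEN_LIFETIME_S = 3600  # assumed: typical access token lifetime; the refresh token outlives it


@dataclass
class PendingAuthorization:
    client_id: str
    scope: str
    user_code: str
    issued_at: float
    approved_by: Optional[str] = None   # set once a signed-in user enters the user_code


@dataclass
class AuthServer:
    """Toy authorization server. Only the device_code identifies the polling client;
    the user entering the user_code is never asked which device it belongs to."""
    pending: Dict[str, PendingAuthorization] = field(default_factory=dict)
    clock: Callable[[], float] = time.time   # injectable so expiry can be tested

    def device_authorization(self, client_id, scope):
        """Step 1: the *attacker's* machine calls this. Nobody has authenticated yet."""
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))
        self.pending[device_code] = PendingAuthorization(client_id, scope, user_code, self.clock())
        return {
            "device_code": device_code,      # stays with the attacker
            "user_code": user_code,          # goes into the phishing email
            "verification_uri": "https://login.example/devicelogin",  # constructed placeholder
            "expires_in": CODE_LIFETIME_S,
            "interval": 5,
        }

    def user_approves(self, user_code, authenticated_user):
        """Step 2: the victim, already signed in (password + MFA) on the legitimate page,
        types the code from the email. Returns False for unknown or expired codes."""
        for pa in self.pending.values():
            if pa.user_code == user_code:
                if self.clock() - pa.issued_at > CODE_LIFETIME_S:
                    return False
                pa.approved_by = authenticated_user
                return True
        return False

    def token(self, device_code):
        """Step 3: the attacker polls. authorization_pending until the victim approves,
        then tokens minted for the *victim's* identity, handed to the *attacker's* device."""
        pa = self.pending.get(device_code)
        if pa is None:
            return {"error": "invalid_grant"}
        if self.clock() - pa.issued_at > CODE_LIFETIME_S:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if pa.approved_by is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]        # a device_code is redeemable once
        return {
            "token_type": "Bearer",
            "scope": pa.scope,
            "expires_in": ACCESS_TOKEN_LIFETIME_S,
            "access_token": f"at.{pa.approved_by}.{secrets.token_hex(8)}",   # constructed format
            "refresh_token": f"rt.{pa.approved_by}.{secrets.token_hex(8)}",  # present because of offline_access
        }


def run_phishing_scenario(server=None):
    """Attacker starts the flow, victim enters the code, attacker collects the tokens.
    Returns (first_poll, approved, tokens) so each side of the exchange can be inspected."""
    if server is None:
        server = AuthServer()
    # Attacker: request a code for mail/file scopes; offline_access asks for a refresh token.
    start = server.device_authorization("attacker-client-id", "Mail.Read Files.Read offline_access")
    first_poll = server.token(start["device_code"])               # nothing yet: pending
    # Victim: follows the email and enters the code on the real verification page.
    approved = server.user_approves(start["user_code"], "victim@contoso.example")
    tokens = server.token(start["device_code"])                   # attacker now holds the tokens
    return first_poll, approved, tokens
```

In the real flow the attacker calls Microsoft's device code endpoint, the victim is sent to https://microsoft.com/devicelogin, and the code is valid for about 15 minutes, which is why the lure pushes the victim to act immediately. The point to take from the model is the binding: the server ties the victim's authenticated session to whichever device_code was issued alongside the user_code, and that device_code never left the attacker's machine.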

Why OAuth Token Theft Is Becoming a Growing Threat

Security researchers say OAuth token theft is becoming increasingly popular among cybercriminals because it allows attackers to bypass many traditional security controls.

Unlike passwords, OAuth tokens are bearer credentials designed to maintain authenticated sessions across services: whoever presents one is accepted, and the MFA requirement they carry has already been satisfied. If stolen, they provide ongoing access until they expire or are revoked. One caveat for responders: revoking a user's sessions invalidates their refresh tokens, but access tokens already issued generally stay valid until they expire, typically about an hour, unless the resource participates in continuous access evaluation.

The FBI warned that Kali365 significantly lowers the barrier to entry for cybercrime operations by offering built-in phishing templates, AI-generated phishing lures, automated campaign tools, and real-time dashboards that track victims and stolen tokens.

This means attackers no longer need advanced technical expertise to launch phishing campaigns against businesses using Microsoft 365 environments.

The platform’s availability on Telegram also makes it easier for threat actors to distribute and monetize phishing infrastructure at scale.

FBI Shares Protection Measures Against Kali365 Attacks

To reduce exposure to these attacks, the FBI advised organizations to restrict or block device code authentication flows wherever possible.

One of the key recommendations is to implement Conditional Access policies that block device code flow (the authentication flows condition) for most users, with narrowly scoped exceptions for essential business operations.

Organizations are also encouraged to audit existing device authentication workflows to identify legitimate dependencies before enforcing restrictions.

The FBI further recommended blocking authentication transfer, the flow that moves a signed-in session from a computer to a mobile device (for example by scanning a QR code shown in a desktop app), since it can likewise be abused during phishing attacks.

For organizations that cannot disable device code flow outright, the agency suggested at minimum excluding emergency access accounts from the restrictions so a misconfigured policy cannot lock administrators out during a crisis.
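The mitigation steps above, as an added example (not from the article or the FBI notice): Python that first scans sign-in records for existing device code and authentication transfer usage (the audit step), flags device code sign-ins from an address the user never otherwise uses, and then builds the Conditional Access policy body that blocks both flows for all users except emergency access accounts. The sign-in records are constructed; their field names follow the Entra ID sign-in log schema (authenticationProtocol, ipAddress, appDisplayName), and the policy shape follows the Microsoft Graph conditionalAccessPolicy resource with its authenticationFlows.transferMethods condition. Account ids, addresses and the display name are placeholders.

```python
"""Audit, detect, then block: the device code flow mitigations on constructed data.
Sign-in records mimic Entra ID sign-in log fields; the policy body mimics the
Microsoft Graph conditionalAccessPolicy resource. Constructed example."""
from collections import defaultdict

# Constructed sign-in records (not real log data). status 0 = success.
SIGNINS = [
    {"userPrincipalName": "kiosk-svc@contoso.example", "appDisplayName": "Azure CLI",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.10", "status": 0},
    {"userPrincipalName": "kiosk-svc@contoso.example", "appDisplayName": "Azure CLI",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.10", "status": 0},
    {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "none", "ipAddress": "198.51.100.7", "status": 0},
    {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "none", "ipAddress": "198.51.100.7", "status": 0},
    # The phish: alice entered an emailed code on the real device login page, so the
    # sign-in is recorded against her account but with the attacker's polling IP.
    {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "ipAddress": "192.0.2.55", "status": 0},
]

# Sign-in log protocol value -> Conditional Access transferMethods name for the same flow.
FLOWS_TO_BLOCK = {"deviceCode": "deviceCodeFlow", "authenticationTransfer": "authenticationTransfer"}


def device_flow_dependencies(signins):
    """Audit step: count successful sign-ins per (user, app, flow) for the flows we
    intend to block. Each entry is either a legitimate dependency that needs a scoped
    exception or an incident to investigate; nothing here should be a surprise."""
    deps = defaultdict(int)
    for s in signins:
        if s["authenticationProtocol"] in FLOWS_TO_BLOCK and s["status"] == 0:
            deps[(s["userPrincipalName"], s["appDisplayName"], s["authenticationProtocol"])] += 1
    return dict(deps)


def suspicious_device_code_signins(signins):
    """Detection step: a device code sign-in from an IP the user has never used for an
    ordinary sign-in. The victim only visited the verification page, so the recorded
    client address is the attacker's. Users with no ordinary-sign-in baseline (pure
    service accounts) are left to the audit list rather than flagged here."""
    baseline = defaultdict(set)
    for s in signins:
        if s["authenticationProtocol"] not in FLOWS_TO_BLOCK:
            baseline[s["userPrincipalName"]].add(s["ipAddress"])
    hits = []
    for s in signins:
        upn = s["userPrincipalName"]
        if (s["authenticationProtocol"] == "deviceCode" and baseline[upn]
                and s["ipAddress"] not in baseline[upn]):
            hits.append((upn, s["ipAddress"], s["appDisplayName"]))
    return hits


def build_block_policy(emergency_access_account_ids, report_only=True):
    """Conditional Access policy body blocking both flows for all users and all apps.
    Emergency access (break-glass) accounts are excluded so a too-broad policy cannot
    lock the tenant out. Start in report-only and enable once the audit is clean."""
    return {
        "displayName": "Block device code flow and authentication transfer",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"],
                      "excludeUsers": list(emergency_access_account_ids)},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": ",".join(FLOWS_TO_BLOCK.values())},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def policy_gaps(policy):
    """Review checklist for a policy body: both flows covered, control is block,
    break-glass accounts excluded, and actually enforced. Returns the list of problems."""
    gaps = []
    covered = policy["conditions"].get("authenticationFlows", {}).get("transferMethods", "").split(",")
    for flow in FLOWS_TO_BLOCK.values():
        if flow not in covered:
            gaps.append(f"does not cover {flow}")
    if "block" not in policy.get("grantControls", {}).get("builtInControls", []):
        gaps.append("grant control is not block")
    if not policy["conditions"].get("users", {}).get("excludeUsers"):
        gaps.append("no emergency access accounts excluded")
    if policy.get("state") != "enabled":
        gaps.append(f"not enforced (state {policy.get('state')})")
    return gaps
```

The policy body is what you would POST to the Graph conditional access policies endpoint (check whether your tenant still needs the beta endpoint for the authenticationFlows condition). Run the audit over a few weeks of real sign-in logs first: every (user, app) pair it returns either gets a deliberately scoped exception or becomes an incident, and only then flip the policy from report-only to enabled.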

FBI Urges Victims to Report Incidents

The FBI is urging anyone impacted by the Kali365 phishing campaign to report incidents through the Internet Crime Complaint Center (IC3).

Victims are encouraged to preserve and submit phishing emails, suspicious login activity, unauthorized devices, IP addresses, and active session information that could assist investigators.

The agency also pointed users toward phishing mitigation guidance published by the Cybersecurity and Infrastructure Security Agency, which outlines defensive measures organizations can take to reduce phishing risks.

The rise of Kali365 Phishing-as-a-Service highlights how cybercriminals are increasingly shifting toward token-based attacks that exploit trusted authentication systems instead of relying solely on password theft.

As phishing platforms continue evolving, security experts warn that organizations using cloud productivity platforms like Microsoft 365 will need stronger identity protection measures and closer monitoring of authentication activity to reduce the risk of account compromise.


