FBI Warns: 'Kali365' Phishing Service Targets Microsoft 365 Accounts
Briefly

Kali365 is a phishing-as-a-service platform that enables attackers to obtain Microsoft 365 access tokens by abusing Microsoft device code authentication. Instead of stealing passwords or MFA codes, attackers capture OAuth access and refresh tokens that can provide access to Outlook, Teams, and OneDrive. The process begins with a phishing email impersonating a trusted cloud productivity or document-sharing service and providing a device code plus instructions to visit a legitimate Microsoft verification page. When the victim enters the code, the victim authorizes the attacker’s device. The attacker then captures tokens and can maintain persistent access to the Microsoft 365 account while bypassing MFA protections. Kali365 is distributed primarily through Telegram and uses AI-generated lures, automated templates, and tracking dashboards.
"The FBI warned that Kali365, a phishing-as-a-service platform first seen in April 2026, can help attackers hijack Microsoft 365 accounts by abusing Microsoft's device code authentication flow. Instead of stealing passwords or MFA codes, attackers capture OAuth tokens that can provide access to services such as Outlook, Teams, and OneDrive. For IT teams, the danger is that the attack can look legitimate at the moment users are most likely to trust it."
"The FBI said in a May 21 public service announcement that Kali365 has been primarily distributed through Telegram and is designed to help cyber threat actors obtain Microsoft 365 access tokens while bypassing MFA protections. "Kali365 lowers the barrier of entry," the FBI said, citing AI-generated phishing lures, automated campaign templates, real-time victim tracking dashboards, and OAuth token capture capabilities."
"The attack starts with a phishing email that impersonates a trusted cloud productivity or document-sharing service. The message includes a device code and instructions to visit Microsoft's legitimate verification page. Once the target enters the code, they unknowingly authorize the attacker's device. The attacker then captures OAuth access and refresh tokens, which can allow persistent access to the victim's Microsoft 365 account."
"The FBI said attackers can access Microsoft 365 services "without needing a password or completing any additional MFA challenges." Device code authentication is a legitimate Microsoft workflow used by devices with limited input options, such as smart TVs, printers, conference room systems, streami"
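The sign-ins this flow produces are visible to defenders. The following is an added example, not code from the FBI announcement or the TechRepublic article: it flags successful device code flow sign-ins in constructed Microsoft Entra ID sign-in records and raises the severity when the source IP is outside a trusted range. The field names, the sample records and the trusted network are assumptions.

```python
"""Flag device code flow sign-ins in constructed Entra ID sign-in log records."""
import ipaddress
import json

# Constructed sample sign-in records (not real logs). Field names are assumed to
# follow the Microsoft Entra ID sign-in log schema; adjust them to your export.
SAMPLE_SIGNINS = json.dumps([
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.7",
     "authenticationProtocol": "authorizationCodeGrant",
     "appDisplayName": "Microsoft Teams", "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@example.com", "ipAddress": "198.51.100.7",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Azure CLI",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "dave@example.com", "ipAddress": "203.0.113.44",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office",
     "status": {"errorCode": 50126}},
])

# Constructed corporate egress range (assumption). A device code sign-in from
# outside it is more suspicious: the device completing the flow should be on-site.
TRUSTED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]


def is_trusted(ip, networks=TRUSTED_NETWORKS):
    """True when the source address falls inside a trusted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def find_device_code_signins(raw_json, networks=TRUSTED_NETWORKS):
    """Return alerts for successful device code flow sign-ins.

    Failed attempts (non-zero errorCode) issued no token and are skipped here.
    Severity is 'high' when the source IP is outside the trusted networks.
    """
    alerts = []
    for rec in json.loads(raw_json):
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        if rec.get("status", {}).get("errorCode", 0) != 0:
            continue
        trusted = is_trusted(rec["ipAddress"], networks)
        alerts.append({"user": rec["userPrincipalName"], "ip": rec["ipAddress"],
                       "app": rec.get("appDisplayName", ""),
                       "severity": "medium" if trusted else "high"})
    return alerts


if __name__ == "__main__":
    for alert in find_device_code_signins(SAMPLE_SIGNINS):
        print(alert)
```

Where the device code flow is not needed at all, a Conditional Access policy that blocks it removes the attack surface outright; the detection above is for tenants that must keep it enabled for some users.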
Read at TechRepublic