FBI Warns of Kali365: A New Phishing-as-a-Service Threat Exploiting Microsoft 365 Authentication
The FBI has issued a significant warning about a rising cybercrime service called Kali365, which represents a new wave of Phishing-as-a-Service (PhaaS). This platform enables attackers to compromise Microsoft 365 accounts without traditional password theft. By utilizing Kali365, even less experienced cybercriminals can circumvent multi-factor authentication (MFA) protections, exploiting Microsoft’s legitimate device authentication processes.
Launched in April 2026, Kali365 has been disseminated primarily through Telegram channels and is already linked to various phishing campaigns targeting organizations and individuals worldwide. Unlike conventional phishing methods that focus on stealing usernames and passwords, attackers using Kali365 aim to capture OAuth access tokens. These tokens provide long-term access to Microsoft 365 environments, including Outlook, Teams, and OneDrive.
How the Kali365 Phishing Kit Works
The FBI has outlined the operational mechanics of the Kali365 platform, which employs a deceptively simple attack chain designed to exploit user trust. The attack typically begins with a phishing email that impersonates trusted productivity or document-sharing services. This email contains a device authentication code and instructs the recipient to visit a legitimate Microsoft verification page.
Since the webpage is genuine, many users mistakenly assume the request is safe. Once the targeted individual enters the provided code, they inadvertently authorize the attacker’s device to access their Microsoft 365 account. The attacker then captures OAuth access and refresh tokens, enabling persistent access without needing the victim’s password or additional MFA verification.
This method is particularly dangerous because it does not depend on traditional credential theft at all. Instead, it exploits Microsoft’s authentication framework to obtain a legitimate session. The FBI has noted that once token capture succeeds, attackers can continue accessing services like Outlook, Teams, and OneDrive without triggering additional login prompts.
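Because the sign-in itself is legitimate, the defender's signal is the authentication protocol recorded for it, not a failed login. The following is an added example (not code from the FBI advisory or from the article) showing detection logic over constructed Microsoft Entra sign-in records: it flags successful device code flow sign-ins, and raises severity when the user is not on an audited allow-list or the request comes from outside the corporate egress range. It assumes the Entra sign-in log schema (`authenticationProtocol`, `userPrincipalName`, `ipAddress`, `status.errorCode`); the sample records, the allow-list and the address range are constructed for illustration.

```python
"""Flag device code flow sign-ins in Microsoft Entra sign-in log records.

Added example, not from the advisory. Assumes the Entra sign-in log field
names named in the lead-in; all sample data below is constructed.
"""
import ipaddress
import json
from dataclasses import dataclass

# Constructed sample records: one ordinary OAuth2 sign-in, one device code
# sign-in by a normal user from an unknown address (the pattern described
# above), one expected device code sign-in by a meeting-room account, and
# one failed attempt (error code 50126 = invalid credentials).
SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-05-20T09:14:02Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.10", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-05-20T09:16:45Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "198.51.100.77", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-05-20T10:02:11Z", "userPrincipalName": "svc-kiosk@example.com",
     "ipAddress": "203.0.113.55", "appDisplayName": "Microsoft Teams Rooms",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-05-20T10:30:00Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "198.51.100.9", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 50126}},
]

# Constructed: accounts with an audited, legitimate need for device code flow
# (shared room devices, for example) and the corporate egress range.
APPROVED_DEVICE_CODE_USERS = {"svc-kiosk@example.com"}
CORPORATE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


@dataclass
class Finding:
    user: str
    ip: str
    when: str
    severity: str
    reason: str


def _from_corporate_range(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_RANGES)


def find_device_code_signins(records):
    """Return a Finding for each successful, unexpected device code sign-in."""
    findings = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        if r.get("status", {}).get("errorCode", 0) != 0:
            continue  # failed sign-in: no tokens were issued
        user, ip = r["userPrincipalName"], r["ipAddress"]
        approved = user in APPROVED_DEVICE_CODE_USERS
        internal = _from_corporate_range(ip)
        if approved and internal:
            continue  # audited dependency behaving as expected
        if not approved and not internal:
            severity, reason = "high", "device code sign-in by unapproved user from external address"
        elif not approved:
            severity, reason = "medium", "device code sign-in by unapproved user"
        else:
            severity, reason = "medium", "approved device code user signing in from external address"
        findings.append(Finding(user, ip, r["createdDateTime"], severity, reason))
    return findings


def scan_jsonl(text: str):
    """Convenience wrapper for exported sign-in logs, one JSON object per line."""
    return find_device_code_signins(json.loads(line) for line in text.splitlines() if line.strip())


if __name__ == "__main__":
    for f in find_device_code_signins(SAMPLE_SIGNINS):
        print(f"[{f.severity}] {f.when} {f.user} from {f.ip}: {f.reason}")
```

A high-severity finding on an ordinary user account is the point at which the advisory's response guidance applies: treat the session as compromised, revoke the issued refresh tokens, and preserve the record for reporting.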
The Growing Threat of OAuth Token Theft
Security experts have observed a rising trend in OAuth token theft among cybercriminals, as it allows them to bypass many conventional security controls. Unlike passwords, OAuth tokens are designed to maintain authenticated sessions across multiple services. If compromised, these tokens can provide attackers with ongoing access until they are revoked or expire.
The FBI has highlighted that Kali365 significantly lowers the barrier to entry for cybercrime operations. It offers built-in phishing templates, AI-generated phishing lures, automated campaign tools, and real-time dashboards that track victims and stolen tokens. This democratization of phishing capabilities means that attackers no longer require advanced technical expertise to launch phishing campaigns against organizations utilizing Microsoft 365.
Furthermore, the platform’s availability on Telegram facilitates the distribution and monetization of phishing infrastructure at scale, making it increasingly accessible to threat actors.
Recommended Protection Measures Against Kali365 Attacks
In response to the escalating threat posed by Kali365, the FBI has advised organizations to restrict or block device code authentication flows wherever feasible. Key recommendations include implementing conditional access policies that block device code flow for most users while allowing limited exceptions for essential business operations.
Organizations are also encouraged to audit existing device authentication workflows to identify legitimate dependencies before enforcing restrictions. Additionally, the FBI recommends blocking authentication transfer policies that permit authentication to move between computers and mobile devices, as these workflows can be exploited during phishing attacks.
For organizations unable to completely disable device code flow, the agency suggests excluding emergency access accounts from restrictions to prevent accidental lockouts during critical situations.
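The three recommendations above (block device code flow and authentication transfer, audit legitimate dependencies first, and exclude emergency access accounts) map onto a single Microsoft Entra conditional access policy. The following is an added example, not from the FBI advisory or the article, that builds such a policy in the JSON shape accepted by the Microsoft Graph `conditionalAccessPolicies` endpoint and checks it against the advisory's conditions before it would be submitted. It assumes the Graph fields `conditions.authenticationFlows.transferMethods` (values `deviceCodeFlow` and `authenticationTransfer`) and the report-only state value `enabledForReportingButNotEnforced`; the account and group identifiers are constructed placeholders.

```python
"""Build and validate a conditional access policy that blocks device code
flow and authentication transfer, following the advisory's recommendations.

Added example, not the advisory's own code. Graph field names are as
documented for conditionalAccessPolicy; identifiers below are placeholders.
"""
import json

# Constructed placeholders (real tenants use object GUIDs).
EMERGENCY_ACCESS_ACCOUNTS = ["<emergency-account-1-object-id>", "<emergency-account-2-object-id>"]
APPROVED_DEVICE_CODE_GROUPS = ["<audited-device-code-users-group-id>"]


def build_block_device_code_policy(emergency_accounts, approved_groups, enforce=False):
    """Return a Graph conditionalAccessPolicy body.

    Starts in report-only mode (enforce=False) so the audit the advisory
    recommends can be done from the sign-in log before anyone is blocked.
    """
    return {
        "displayName": "Block device code flow and authentication transfer",
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {
                "includeUsers": ["All"],
                "excludeUsers": list(emergency_accounts),
                "excludeGroups": list(approved_groups),
            },
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            "authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def validate_policy(policy, emergency_accounts):
    """Return a list of problems; an empty list means the policy matches the guidance."""
    problems = []
    conds = policy.get("conditions", {})
    methods = set(conds.get("authenticationFlows", {}).get("transferMethods", "").split(","))
    if "deviceCodeFlow" not in methods:
        problems.append("policy does not target device code flow")
    if "authenticationTransfer" not in methods:
        problems.append("policy does not target authentication transfer")
    if "block" not in policy.get("grantControls", {}).get("builtInControls", []):
        problems.append("grant control is not 'block'")
    excluded = set(conds.get("users", {}).get("excludeUsers", []))
    missing = [a for a in emergency_accounts if a not in excluded]
    if missing:
        problems.append(f"emergency access accounts not excluded: {missing}")
    if conds.get("users", {}).get("includeUsers") != ["All"]:
        problems.append("policy does not cover all users")
    return problems


if __name__ == "__main__":
    policy = build_block_device_code_policy(EMERGENCY_ACCESS_ACCOUNTS, APPROVED_DEVICE_CODE_GROUPS)
    print(json.dumps(policy, indent=2))
    print("problems:", validate_policy(policy, EMERGENCY_ACCESS_ACCOUNTS) or "none")
```

Deploy in report-only state first, review the resulting sign-in log entries for device code sign-ins that the policy would have blocked, move genuine dependencies into the excluded group, and only then rebuild the policy with `enforce=True`.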
Reporting Incidents and Mitigation Guidance
The FBI urges anyone affected by the Kali365 phishing campaign to report incidents through the Internet Crime Complaint Center (IC3). Victims are encouraged to preserve and submit phishing emails, suspicious login activity, unauthorized devices, IP addresses, and active session information that could assist investigators.
The agency has also directed users to phishing mitigation guidance published by the Cybersecurity and Infrastructure Security Agency (CISA), which outlines defensive measures organizations can adopt to reduce phishing risks.
The emergence of Kali365 Phishing-as-a-Service underscores a significant shift in cybercriminal tactics, moving towards token-based attacks that exploit trusted authentication systems rather than relying solely on password theft. As phishing platforms continue to evolve, security experts caution that organizations utilizing cloud productivity platforms like Microsoft 365 must implement stronger identity protection measures and closely monitor authentication activity to mitigate the risk of account compromise.
As reported by cyberwarriorsmiddleeast.com.
Published on 2026-05-26 01:02:00 • By FAME Delivered News Desk
