How Kali365 Works
The FBI has issued a warning about a new phishing-as-a-service platform called Kali365 that is specifically designed to compromise Microsoft 365 accounts. Unlike conventional phishing attacks that steal passwords, Kali365 focuses on capturing OAuth access tokens. This approach allows attackers to bypass multi-factor authentication entirely by leveraging Microsoft’s legitimate device code authentication flow.
Attackers distribute phishing emails that appear to come from Microsoft or document-sharing services. These emails contain a device code and instructions for the victim. When the user enters this code on a legitimate Microsoft verification page, they unknowingly authorize the attacker’s session. This grants the attacker access to Outlook, Teams, and OneDrive without requiring any further authentication.
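Because the sign-in described above completes on Microsoft's own verification page, the trace a defender has to work with is the sign-in log itself, where device code authentications are recorded as a distinct protocol. The following Python script is an added example, not code from the article or from Microsoft: it parses constructed Entra ID sign-in records (field names follow the Microsoft Graph signIn resource, such as authenticationProtocol = "deviceCode", but every value is invented) and flags device code sign-ins, raising the severity when the source IP is outside an assumed corporate egress range or the application is not one expected to use the device code flow. The trusted network range, the application allowlist, and the sample records are all assumptions.

```python
"""Flag device-code-flow sign-ins in Entra ID sign-in log exports.

Added example: the records below mimic the shape of Microsoft Graph signIn
entries (e.g. the authenticationProtocol field), but the values, the trusted
network range and the application allowlist are constructed for illustration.
"""
import ipaddress
import json

# Assumed corporate egress range (TEST-NET-3, documentation address space).
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Applications where a device code sign-in is expected (headless CLI tooling).
# This allowlist is an assumption; tune it to what your tenant actually uses.
DEVICE_CODE_APPS = {"Microsoft Azure CLI"}

# Constructed newline-delimited JSON sign-in records, not real telemetry.
SAMPLE_LOG = """
{"createdDateTime": "2026-04-02T08:12:05Z", "userPrincipalName": "alice@example.test", "authenticationProtocol": "authorizationCode", "ipAddress": "203.0.113.10", "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}}
{"createdDateTime": "2026-04-02T09:40:11Z", "userPrincipalName": "alice@example.test", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.77", "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}}
{"createdDateTime": "2026-04-02T09:41:30Z", "userPrincipalName": "bob@example.test", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.11", "appDisplayName": "Microsoft Azure CLI", "status": {"errorCode": 0}}
{"createdDateTime": "2026-04-02T09:45:00Z", "userPrincipalName": "carol@example.test", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.78", "appDisplayName": "Microsoft Office", "status": {"errorCode": 50126}}
"""


def parse_sign_ins(text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _is_trusted(ip, networks):
    """True when the source address falls inside one of the trusted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def find_suspicious_device_code_signins(records, trusted_networks, allowed_apps):
    """Return one alert per device code sign-in, ordered as in the log.

    Severity: "high" when a successful device code sign-in came from an
    untrusted network or an unexpected application (the pattern of a user
    redeeming a code on behalf of someone else's session), "medium" for a
    successful sign-in that matches expectations but still deserves review,
    and "low" for a failed attempt.
    """
    alerts = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        base = {
            "time": rec.get("createdDateTime"),
            "user": rec.get("userPrincipalName"),
            "ip": rec.get("ipAddress"),
            "app": rec.get("appDisplayName"),
        }
        succeeded = rec.get("status", {}).get("errorCode", 0) == 0
        if not succeeded:
            alerts.append({**base, "severity": "low",
                           "reasons": ["device code sign-in failed"]})
            continue
        reasons = []
        if not _is_trusted(rec["ipAddress"], trusted_networks):
            reasons.append("source IP outside trusted networks")
        if rec.get("appDisplayName") not in allowed_apps:
            reasons.append("application not expected to use device code flow")
        severity = "high" if reasons else "medium"
        if not reasons:
            reasons.append("successful device code sign-in; review")
        alerts.append({**base, "severity": severity, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_device_code_signins(
            parse_sign_ins(SAMPLE_LOG), TRUSTED_NETWORKS, DEVICE_CODE_APPS):
        print(f"[{alert['severity']}] {alert['user']} from {alert['ip']} "
              f"via {alert['app']}: {'; '.join(alert['reasons'])}")
```

On the constructed records this produces a high-severity alert for the successful device code sign-in from an untrusted address into an application that would normally use the browser flow, a medium one for the CLI sign-in from the corporate range, and a low one for the failed attempt. In practice the same logic runs as a scheduled query over exported sign-in logs or a SIEM, and the strongest mitigation is to block the device code flow with Conditional Access for every user and application that has no legitimate need for it.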
Platform Features and Impact
Kali365 is being distributed through Telegram channels and includes features that make sophisticated attacks accessible to low-skill criminals. The platform provides AI-generated phishing templates, automated campaign deployment tools, real-time tracking dashboards, and built-in OAuth token capture mechanisms. The FBI first observed the platform in April 2026 and notes that it is rapidly gaining traction among cybercriminals.
Once attackers gain access through token theft, they can read emails, exfiltrate files, and maintain persistent access to the compromised account. The danger of this technique lies in its exploitation of legitimate Microsoft authentication workflows, which makes detection significantly more challenging for security teams and victims alike.
Source: Cyber Security News
