FBI Warns of Kali365 Phishing-as-a-Service Platform Targeting Microsoft 365 Users
The FBI has issued a cybersecurity alert about Kali365, a rapidly spreading phishing-as-a-service (PhaaS) platform that enables threat actors to steal OAuth access tokens and bypass multi-factor authentication (MFA) for Microsoft 365 accounts. First observed in April 2026, the platform is distributed via Telegram channels, allowing even low-skilled attackers to launch sophisticated phishing campaigns with minimal effort.
Unlike traditional credential theft, Kali365 exploits Microsoft’s legitimate device code authentication flow to trick users into authorizing malicious access. Attackers send phishing emails, often impersonating Microsoft or document-sharing services, that contain a device code and instructions. When a victim enters the code on a legitimate Microsoft verification page, they unknowingly grant the attacker OAuth tokens, enabling persistent access to Outlook, Teams, OneDrive, and other services without triggering MFA again.
The platform’s built-in features lower the barrier for cybercriminals, including:
- AI-generated phishing email templates
- Automated campaign deployment tools
- Real-time victim tracking dashboards
- OAuth token capture mechanisms
Once an account is compromised, attackers can exfiltrate emails, access sensitive files, monitor Teams communications, and maintain long-term persistence using refresh tokens. Because the attack does not steal credentials directly, traditional credential-theft alerts may fail to detect it, increasing dwell time.
The FBI and CISA recommend restricting device code flow authentication, implementing conditional access policies, and monitoring for unusual sign-in patterns. Organizations are advised to audit existing device code dependencies before applying restrictions and maintain emergency access accounts to prevent lockouts.
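The two recommended steps above, auditing which applications legitimately use device code flow before restricting it and then flagging device code sign-ins that fall outside that audited set, can be run over exported sign-in logs. The following is an added example, not code from the article or from Microsoft; it assumes newline-delimited JSON events shaped like the Microsoft Graph signIn resource (whose authenticationProtocol field is "deviceCode" for this flow), a constructed sample log, and a hypothetical allowlist AUDITED_DEVICE_CODE_APPS that you would populate from your own audit.

```python
import json
from collections import Counter

# Constructed sample of Entra ID sign-in events, one JSON object per line.
# Field names follow the Microsoft Graph signIn resource; all values are made up.
SAMPLE_SIGNIN_LOG = """
{"userPrincipalName": "alice@example.com", "appDisplayName": "Azure CLI", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.4", "status": {"errorCode": 0}}
{"userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Teams", "authenticationProtocol": "authorizationCode", "ipAddress": "198.51.100.7", "status": {"errorCode": 0}}
{"userPrincipalName": "carol@example.com", "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.25", "status": {"errorCode": 0}}
{"userPrincipalName": "dave@example.com", "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.25", "status": {"errorCode": 50126}}
"""

# Hypothetical allowlist: apps the dependency audit found legitimately using
# device code flow (e.g. CLI tools on headless hosts). Replace with your own findings.
AUDITED_DEVICE_CODE_APPS = {"Azure CLI"}


def parse_signins(raw):
    """Parse newline-delimited JSON sign-in events, skipping blank lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def _is_successful_device_code(event):
    return (event.get("authenticationProtocol") == "deviceCode"
            and event.get("status", {}).get("errorCode") == 0)


def device_code_inventory(events):
    """Audit step: count successful device code sign-ins per application so that
    legitimate dependencies surface before the flow is restricted."""
    return Counter(e["appDisplayName"] for e in events if _is_successful_device_code(e))


def suspicious_device_code_signins(events, allowlist):
    """Detection step: successful device code sign-ins by apps outside the audited
    allowlist match the pattern in the alert (a phished code redeemed by the victim
    yields tokens without a second MFA prompt). Failed attempts are not flagged."""
    return [e for e in events
            if _is_successful_device_code(e) and e["appDisplayName"] not in allowlist]


if __name__ == "__main__":
    evs = parse_signins(SAMPLE_SIGNIN_LOG)
    print("device code sign-ins per app:", dict(device_code_inventory(evs)))
    for hit in suspicious_device_code_signins(evs, AUDITED_DEVICE_CODE_APPS):
        print("ALERT unaudited device code sign-in:",
              hit["userPrincipalName"], hit["appDisplayName"], hit["ipAddress"])
```

On the sample log the inventory shows both Azure CLI and Microsoft Office using the flow, and only the Microsoft Office sign-in is flagged because it is not on the audited allowlist.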
Victims are encouraged to report incidents to the FBI’s Internet Crime Complaint Center (IC3), providing details such as phishing email samples, suspicious login activity, and unauthorized devices. The rise of Kali365 underscores a growing shift toward token-based attacks that evade conventional defenses.
Source: https://cybersecuritynews.com/kali365-phaas-microsoft-365/
Microsoft Security cybersecurity rating report: https://www.rankiteo.com/company/microsoft-security
"id": "MIC1779445479",
"linkid": "microsoft-security",
"type": "Cyber Attack",
"date": "4/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'type': 'Organizations'}],
 'attack_vector': 'Phishing emails with device code authentication flow',
 'data_breach': {'data_exfiltration': 'Yes',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High (personally identifiable information, corporate communications, sensitive documents)',
                 'type_of_data_compromised': 'OAuth access tokens, emails, sensitive files, Teams communications'},
 'date_detected': '2026-04',
 'description': 'The FBI has issued a cybersecurity alert about Kali365, a rapidly spreading phishing-as-a-service (PhaaS) platform that enables threat actors to steal OAuth access tokens and bypass multi-factor authentication (MFA) for Microsoft 365 accounts. The platform exploits Microsoft’s legitimate device code authentication flow to trick users into authorizing malicious access, granting attackers persistent access to Outlook, Teams, OneDrive, and other services without triggering MFA again.',
 'impact': {'data_compromised': 'Emails, sensitive files, Teams communications',
            'identity_theft_risk': 'High (OAuth token theft enabling account takeover)',
            'operational_impact': 'Long-term persistence via refresh tokens, unauthorized access to services',
            'systems_affected': 'Microsoft 365 (Outlook, Teams, OneDrive)'},
 'initial_access_broker': {'backdoors_established': 'OAuth tokens for persistent access',
                           'entry_point': 'Phishing emails with device code',
                           'high_value_targets': 'Microsoft 365 accounts (Outlook, Teams, OneDrive)'},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'The rise of Kali365 underscores a growing shift toward token-based attacks that evade conventional defenses. Traditional security alerts may fail to detect such attacks, increasing dwell time.',
 'post_incident_analysis': {'corrective_actions': 'Restricting device code flow authentication, implementing conditional access policies, auditing device code dependencies, and enhancing monitoring for unusual activity.',
                            'root_causes': 'Exploitation of Microsoft’s legitimate device code authentication flow, lack of monitoring for unusual sign-in patterns, and low barrier for attackers using Kali365 PhaaS platform.'},
 'recommendations': 'Restrict device code flow authentication, implement conditional access policies, monitor for unusual sign-in patterns, audit existing device code dependencies, and maintain emergency access accounts.',
 'references': [{'source': 'FBI Cybersecurity Alert'}],
 'response': {'containment_measures': 'Restricting device code flow authentication, implementing conditional access policies, monitoring unusual sign-in patterns',
              'enhanced_monitoring': 'Monitoring for unusual sign-in patterns',
              'law_enforcement_notified': 'FBI and CISA',
              'remediation_measures': 'Auditing existing device code dependencies, maintaining emergency access accounts'},
 'stakeholder_advisories': 'FBI and CISA recommend organizations take preventive measures and report incidents to the FBI’s Internet Crime Complaint Center (IC3).',
 'threat_actor': 'Low-skilled attackers using Kali365 PhaaS platform',
 'title': 'FBI Warns of Kali365 Phishing-as-a-Service Platform Targeting Microsoft 365 Users',
 'type': 'Phishing',
 'vulnerability_exploited': 'Microsoft’s legitimate device code authentication flow'}