The Federal Bureau of Investigation (FBI) has issued a Public Service Announcement (PSA) warning the public about an emerging Phishing-as-a-Service (PhaaS) platform known as Kali365. First observed in April 2026, Kali365 has been primarily distributed through Telegram, enabling cyber threat actors to obtain Microsoft 365 access tokens and bypass multi-factor authentication (MFA) protocols without intercepting user credentials.
According to the FBI warning, cyber threat actors can capture OAuth tokens via the Kali365 platform subscription and gain persistent access to targeted individuals' or entities' Microsoft 365 environments. The FBI stated, "Kali365 lowers the barrier of entry, providing less-technical attackers access to AI-generated phishing lures, automated campaign templates, real-time targeted individual/entity tracking dashboards, and OAuth token capture capabilities."
How the Kali365 Scam Works
As explained by the FBI, attackers using a Kali365 subscription lure victims through the following steps:
- Lure: An attacker sends a phishing email impersonating trusted cloud productivity and document-sharing services. This email contains a device code with instructions to visit a legitimate Microsoft verification page and enter the code.
- Authorization: The targeted individuals or entities navigate to the real Microsoft page and paste in the device code, unknowingly authorizing the attacker's device to access their account.
- Token Theft: The attacker captures OAuth access and refresh tokens, granting them access to the targeted Microsoft 365 account.
- Persistence: The attacker can now access Microsoft 365 services such as Outlook, Teams, and OneDrive without needing a password or completing any additional MFA challenges.
Tips to Protect Yourself
The FBI has also shared a list of security tips to avoid falling for the Kali365 scam:
- Restrict device code flow to limit or block device authentication codes, which can help prevent or limit this style of attack.
- Create a conditional access policy to block device code flow for all users, with limited exceptions for required business processes.
- Audit existing device code flow usage to identify legitimate dependencies before creating a conditional access policy.
- Block authentication transfer policies to prevent users from transferring authentication from computers to mobile devices.
- If you cannot completely restrict device code flow usage, exclude emergency access accounts to prevent lockouts.
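As an added illustration of the audit step in the list above (not part of the FBI announcement), the following Python script groups device code sign-ins by application from an exported sign-in log, so administrators can see which dependencies would need an exception before blocking the flow. The field names (`authenticationProtocol`, `appDisplayName`, `userPrincipalName`, `status.errorCode`) are assumed to follow the Microsoft Graph sign-in log schema, and the application names and records are constructed sample data.

```python
import json
from collections import defaultdict

# Constructed sample records, one JSON object per line (not real tenant data).
# Field names are assumed to match a Microsoft Graph sign-in log export.
SAMPLE_LOG = """\
{"createdDateTime":"2026-05-04T08:12:00Z","userPrincipalName":"kiosk01@example.com","appDisplayName":"Meeting Room Display","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
{"createdDateTime":"2026-05-05T08:10:00Z","userPrincipalName":"Kiosk01@example.com","appDisplayName":"Meeting Room Display","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
{"createdDateTime":"2026-05-05T09:00:00Z","userPrincipalName":"alice@example.com","appDisplayName":"Example Mail Client","authenticationProtocol":"oAuth2","status":{"errorCode":0}}
{"createdDateTime":"2026-05-06T14:30:00Z","userPrincipalName":"bob@example.com","appDisplayName":"Example CLI Tool","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
{"createdDateTime":"2026-05-06T11:02:00Z","userPrincipalName":"carol@example.com","appDisplayName":"Example CLI Tool","authenticationProtocol":"deviceCode","status":{"errorCode":1}}
{"createdDateTime":"2026-05-06T15:0
"""

def audit_device_code(lines):
    """Group device code sign-ins by application so each one can be judged
    as a required business process or a candidate for blocking."""
    apps = defaultdict(lambda: {"users": set(), "success": 0, "failure": 0, "last_seen": ""})
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or malformed export lines
        if not isinstance(rec, dict) or rec.get("authenticationProtocol") != "deviceCode":
            continue  # only the device code flow is in scope for this audit
        entry = apps[rec.get("appDisplayName") or "(unknown app)"]
        entry["users"].add((rec.get("userPrincipalName") or "").lower())
        ok = (rec.get("status") or {}).get("errorCode") == 0  # 0 means success
        entry["success" if ok else "failure"] += 1
        # ISO 8601 UTC timestamps in one format sort correctly as strings
        entry["last_seen"] = max(entry["last_seen"], rec.get("createdDateTime") or "")
    return dict(apps)

def report(apps):
    """One summary line per application, most successful sign-ins first."""
    ordered = sorted(apps.items(), key=lambda kv: (-kv[1]["success"], kv[0]))
    return [f"{name}: {len(e['users'])} user(s), {e['success']} ok, "
            f"{e['failure']} failed, last seen {e['last_seen']}" for name, e in ordered]

if __name__ == "__main__":
    for row in report(audit_device_code(SAMPLE_LOG.splitlines())):
        print(row)
```

Applications that appear here with a known owner are the "limited exceptions" to carry into the conditional access policy; anything else using the flow deserves a closer look before the block is enforced.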
The FBI advised, "If you or someone you know has been impacted by the Kali365 Phishing kit, file a complaint with the Internet Crime Complaint Center (IC3) at www.ic3.gov. Be sure to include any available information, such as: any phishing emails (email header, body), suspicious logins (time, IP address, location), and any unauthorized devices or active sessions added to the account."



