
FBI Warns of Kali365: New Phishing Toolkit Bypasses Microsoft 365 MFA via Telegram


The FBI has issued a warning about Kali365, a new Telegram-based phishing toolkit designed to bypass multi-factor authentication (MFA) in Microsoft 365 accounts. This Phishing-as-a-Service (PhaaS) platform captures OAuth tokens, allowing attackers persistent access even after password changes.

The Federal Bureau of Investigation (FBI) has issued a critical alert regarding Kali365, a newly identified cybercrime platform distributed via Telegram. This sophisticated phishing toolkit is specifically designed to circumvent multi-factor authentication (MFA) protections in Microsoft 365 accounts, posing a significant threat to organizations worldwide.

Understanding Kali365: A Phishing-as-a-Service Platform

Kali365 operates as a “Phishing-as-a-Service” (PhaaS) platform, a model that significantly lowers the barrier to entry for cybercriminals. First detected in April 2026, the toolkit is actively distributed through Telegram channels, offering attackers ready-made tools rather than requiring them to build phishing infrastructure from scratch. Even individuals with limited technical expertise can leverage Kali365 to launch targeted campaigns against Microsoft 365 users. The platform reportedly includes features such as AI-generated phishing emails, pre-built templates, automated campaign management, real-time victim tracking, and systems designed to capture OAuth tokens.

How Kali365 Attacks Microsoft 365 Users

The attack begins with a deceptive phishing email, often appearing to originate from a trusted cloud service or document-sharing platform. Unlike traditional phishing attempts that direct users to fake login pages, Kali365 employs a more insidious method. The email prompts the user to enter a provided device code on a legitimate Microsoft login page. This approach makes the attack particularly difficult to detect, as victims interact with an authentic Microsoft interface, reducing immediate suspicion.

Once the user enters the code and completes the authentication process, they unknowingly authorize the attacker’s device. Kali365 then captures OAuth access and refresh tokens. These tokens grant the attacker access to the victim’s Microsoft 365 account, effectively bypassing the need for a password.

Bypassing Multi-Factor Authentication

Multi-factor authentication is a cornerstone of modern cybersecurity, designed to protect accounts even if passwords are compromised. Kali365 circumvents this protection without stealing passwords at all: the victim completes the sign-in, including any MFA prompt, on Microsoft’s own login page, and the resulting OAuth access and refresh tokens are issued to the attacker’s device. With valid tokens in hand, attackers can access services such as Outlook, Teams, and OneDrive without ever needing the user’s password. A critical implication of this method is that simply changing the account password may not revoke the attacker’s access if the stolen tokens remain valid.
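The point that a password change does not cut off a token holder is the one most often missed during incident response, so here is a small model of it. This is an added example, not code from the article or from Microsoft: it models the server-side check that Entra ID applies to refresh tokens using the user property refreshTokensValidFromDateTime (which the Graph action revokeSignInSessions resets to the current time). The token format, the Account class and the timeline are constructed for illustration; real refresh tokens are opaque to clients, so only the server-side comparison is meaningful here.

```python
import base64
import json
from datetime import datetime, timedelta, timezone


def encode_claims(claims: dict) -> str:
    """Constructed, unsigned JWT-shaped payload (base64url JSON) for the demo."""
    raw = json.dumps(claims, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    padded = token + "=" * (-len(token) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


class Account:
    """Toy model of the per-user state that decides refresh-token validity.

    refresh_tokens_valid_from mirrors the Entra ID user property
    refreshTokensValidFromDateTime: refresh tokens issued before it are rejected.
    """

    def __init__(self, upn: str, now: datetime):
        self.upn = upn
        self.password_changed_at = now
        self.refresh_tokens_valid_from = now

    def change_password(self, now: datetime) -> None:
        # A password change updates the password timestamp only; it does not
        # move refresh_tokens_valid_from, so previously issued tokens survive.
        self.password_changed_at = now

    def revoke_sign_in_sessions(self, now: datetime) -> None:
        # Models revokeSignInSessions: every refresh token issued before `now`
        # is invalidated, including ones captured via device code phishing.
        self.refresh_tokens_valid_from = now


def refresh_token_is_valid(token: str, account: Account, now: datetime) -> bool:
    claims = decode_claims(token)
    issued = datetime.fromtimestamp(claims["iat"], tz=timezone.utc)
    expires = datetime.fromtimestamp(claims["exp"], tz=timezone.utc)
    if claims.get("upn") != account.upn:
        return False
    if now >= expires:
        return False
    # The decisive check: was the token issued after the last revocation?
    return issued >= account.refresh_tokens_valid_from


def walkthrough() -> dict:
    """Replays the incident timeline and returns the validity at each stage."""
    t0 = datetime(2026, 4, 1, 9, 0, tzinfo=timezone.utc)
    acct = Account("victim@example.com", t0)

    # Token issued to the attacker's device one hour later (constructed).
    issued_at = t0 + timedelta(hours=1)
    token = encode_claims({
        "upn": acct.upn,
        "iat": int(issued_at.timestamp()),
        "exp": int((issued_at + timedelta(days=90)).timestamp()),
    })

    results = {}
    results["before_response"] = refresh_token_is_valid(token, acct, t0 + timedelta(days=1))
    acct.change_password(t0 + timedelta(days=2))
    results["after_password_change"] = refresh_token_is_valid(token, acct, t0 + timedelta(days=2, hours=1))
    acct.revoke_sign_in_sessions(t0 + timedelta(days=2, hours=2))
    results["after_revocation"] = refresh_token_is_valid(token, acct, t0 + timedelta(days=2, hours=3))
    return results


if __name__ == "__main__":
    print(walkthrough())
```

The walkthrough returns True, True, False for the three stages: the stolen token still works after the password change and only stops working once sessions are revoked. In practice that means the remediation playbook for a device-code compromise must include revoking refresh tokens (and reviewing any app consents or mailbox rules the attacker created), not just a password reset.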

Implications for Organizations

Compromised Microsoft 365 accounts provide attackers with extensive access to sensitive organizational data, including emails, files, internal chats, and shared documents. This access can be exploited for various malicious activities, such as business email compromise (BEC), data theft, lateral movement within the network, or launching further phishing attacks against employees, clients, and vendors. The FBI emphasizes that Kali365 enables attackers to maintain long-term access to compromised accounts, underscoring the importance of early detection and robust preventive measures.

FBI Recommendations for Protection

To mitigate the threat posed by Kali365, the FBI urges organizations to review and strengthen their Microsoft 365 authentication configurations, particularly concerning device code flow authentication. Security teams are advised to:

  • Restrict or disable device code flow where it is not essential for business operations.
  • Enforce stricter conditional access policies based on user, device, location, and application.
  • Regularly audit whether device-code-based logins are genuinely required for specific business uses.
  • Block authentication transfers between devices to prevent token relay attacks.
  • Implement robust monitoring for unusual login activity or unauthorized session creation.
  • Ensure that emergency access accounts are not inadvertently locked out while applying these security restrictions.
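Two of the recommendations above, blocking device code flow and authentication transfer by policy and monitoring for sign-ins that use them, can be checked against sign-in telemetry. The example below is added here and is not code from the article or from Microsoft. It assumes sign-in records shaped like Microsoft Graph signIn objects (fields such as authenticationProtocol, with values including deviceCode and authenticationTransfer, and status.errorCode, where 53003 denotes a Conditional Access block) and a Conditional Access policy body in the Graph conditionalAccessPolicy shape with an authenticationFlows.transferMethods condition; those field names are my assumptions about the API, and the records themselves are constructed. The allow-list of apps permitted to use device code flow and the emergency access (break-glass) account IDs are placeholders.

```python
# Constructed sample records (not real log data) in the Graph signIn shape.
SAMPLE_SIGNINS = [
    {"id": "s1", "createdDateTime": "2026-04-02T08:15:00Z",
     "userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Office",
     "ipAddress": "203.0.113.10", "authenticationProtocol": "none",
     "status": {"errorCode": 0}},
    {"id": "s2", "createdDateTime": "2026-04-02T08:41:00Z",
     "userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Office",
     "ipAddress": "198.51.100.77", "authenticationProtocol": "deviceCode",
     "status": {"errorCode": 0}},
    {"id": "s3", "createdDateTime": "2026-04-02T09:02:00Z",
     "userPrincipalName": "ops-svc@example.com", "appDisplayName": "Azure CLI",
     "ipAddress": "203.0.113.22", "authenticationProtocol": "deviceCode",
     "status": {"errorCode": 0}},
    {"id": "s4", "createdDateTime": "2026-04-02T09:30:00Z",
     "userPrincipalName": "carol@example.com", "appDisplayName": "Microsoft Office",
     "ipAddress": "198.51.100.78", "authenticationProtocol": "authenticationTransfer",
     "status": {"errorCode": 0}},
    {"id": "s5", "createdDateTime": "2026-04-02T10:05:00Z",
     "userPrincipalName": "dave@example.com", "appDisplayName": "Microsoft Office",
     "ipAddress": "198.51.100.79", "authenticationProtocol": "deviceCode",
     "status": {"errorCode": 53003}},  # blocked by Conditional Access
]

# Placeholder: apps with a reviewed business need for device code flow.
ALLOWED_DEVICE_CODE_APPS = {"Azure CLI"}


def flag_signins(records, allowed_device_code_apps):
    """Return successful sign-ins that used a transfer-style flow without approval.

    Failed attempts (non-zero errorCode) are not findings here; a blocked device
    code attempt is what the policy is supposed to produce, though a spike of
    them is still worth a look.
    """
    findings = []
    for rec in records:
        if rec.get("status", {}).get("errorCode", 0) != 0:
            continue
        proto = rec.get("authenticationProtocol")
        app = rec.get("appDisplayName", "")
        if proto == "deviceCode" and app not in allowed_device_code_apps:
            findings.append({"id": rec["id"], "user": rec["userPrincipalName"],
                             "ip": rec["ipAddress"], "reason": f"device code sign-in via non-approved app '{app}'"})
        elif proto == "authenticationTransfer":
            findings.append({"id": rec["id"], "user": rec["userPrincipalName"],
                             "ip": rec["ipAddress"], "reason": "authentication transfer between devices"})
    return findings


def build_block_policy(break_glass_user_ids, report_only=True):
    """Policy body blocking device code flow and authentication transfer.

    Starts in report-only mode so the impact can be measured before enforcing,
    and excludes the emergency access accounts so they cannot be locked out.
    """
    return {
        "displayName": "Block device code flow and authentication transfer",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass_user_ids)},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def policy_excludes_break_glass(policy, break_glass_user_ids):
    """Guardrail: every emergency access account must be excluded from a block policy."""
    excluded = set(policy["conditions"]["users"].get("excludeUsers", []))
    return set(break_glass_user_ids).issubset(excluded)


if __name__ == "__main__":
    for f in flag_signins(SAMPLE_SIGNINS, ALLOWED_DEVICE_CODE_APPS):
        print(f)
    policy = build_block_policy(["<BREAK_GLASS_OBJECT_ID_PLACEHOLDER>"])
    print("break-glass excluded:", policy_excludes_break_glass(policy, ["<BREAK_GLASS_OBJECT_ID_PLACEHOLDER>"]))
```

Run against the sample, only s2 (device code from an app not on the allow-list) and s4 (authentication transfer) are reported; s3 is an approved CLI use and s5 was already blocked. The allow-list is the audit artifact the third recommendation asks for: any app on it should have a documented owner and reason, and the finding rate after enforcement should trend to zero.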
