FBI Issues Warning on Kali365 Phishing Kit Targeting Microsoft 365 Users
Severity: High (Score: 71.0)
Sources: Cybersecuritynews, Theregister, www.ic3.gov, www.itsecuritynews.info, Feeds2.Feedburner
Keywords: kali365, microsoft, phaas, platform, users, steal, targeted
Severity indicators: pla
Summary
The FBI has issued a public service announcement regarding Kali365, a new phishing-as-a-service (PhaaS) platform that is actively stealing Microsoft OAuth tokens. First identified in April 2026, Kali365 allows attackers to bypass multi-factor authentication (MFA) without needing user credentials. The platform is primarily distributed via Telegram and offers features like AI-generated phishing lures and automated campaign templates. Attackers can trick users into entering device codes on a legitimate Microsoft page, granting them access to Microsoft 365 accounts. The FBI emphasizes the potential for significant impacts, including corporate espionage and data theft. Organizations are advised to restrict device code flows to mitigate these attacks. The FBI's warning highlights the growing sophistication of phishing techniques that leverage OAuth token theft.
Key Points:
- Kali365 is a new PhaaS platform enabling OAuth token theft from Microsoft 365 accounts.
- The platform bypasses MFA by tricking users into entering device codes on a legitimate Microsoft page.
- Organizations are urged to implement restrictions on device code flows to prevent such attacks.
Detailed Analysis
**Impact** Microsoft 365 users across multiple sectors are targeted by Kali365, a phishing-as-a-service platform active since April 2026. The platform enables attackers to steal OAuth tokens, bypassing multi-factor authentication (MFA) and granting persistent access to emails, Teams, and other corporate resources. Hundreds of organizations are compromised daily, with attacks distributed at scale and affecting global users due to multi-language support. Data at risk includes sensitive corporate communications, intellectual property, and potentially ransomware deployment vectors.
**Technical Details** Kali365 uses device code phishing and adversary-in-the-middle (AitM) techniques to capture Microsoft OAuth tokens without intercepting user credentials. Attackers send phishing emails impersonating trusted services like Adobe Acrobat Sign and SharePoint, containing device codes or cookie-based lures that proxy victims’ browsers through attacker infrastructure. Session cookies and tokens are harvested and replayed to gain unauthorized access, bypassing MFA. The platform operates on a tiered subscription model, distributed primarily via Telegram, and supports multiple languages. No CVEs or specific malware are mentioned.
**Recommended Response** Organizations should immediately implement conditional access policies to restrict or block Microsoft device code flow where unnecessary. Monitoring for suspicious OAuth token activity and phishing emails impersonating trusted cloud services is critical. Defenders should consult CISA phishing guidance and report incidents to IC3 with relevant details. No patches are specified; focus should be on access control hardening, user awareness, and blocking Kali365-related infrastructure where possible.
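
One way to act on the monitoring recommendation above, as an added example that is not taken from the FBI PSA or the source articles: a Python check that flags device code sign-ins by accounts with no approved need for that flow. The records, the allowlist and the `contoso.example` names are constructed, and the field names are assumed to follow the Microsoft Graph signIn resource.

```python
# Constructed sample sign-in records. Field names are assumed to follow the
# Microsoft Graph signIn resource; "deviceCode" marks the OAuth device code flow.
SIGN_INS = [
    {"createdDateTime": "2026-05-22T09:01:12Z", "userPrincipalName": "alice@contoso.example",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "oAuth2",
     "ipAddress": "192.0.2.10", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-05-22T09:14:40Z", "userPrincipalName": "Alice@contoso.example",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.77", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-05-22T09:20:03Z", "userPrincipalName": "room-display@contoso.example",
     "appDisplayName": "Meeting Room Client", "authenticationProtocol": "deviceCode",
     "ipAddress": "192.0.2.44", "status": {"errorCode": 0}},
    # errorCode 53003: sign-in blocked by a Conditional Access policy.
    {"createdDateTime": "2026-05-22T09:05:51Z", "userPrincipalName": "bob@contoso.example",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.23", "status": {"errorCode": 53003}},
]

# Assumption: accounts with a documented need for device code flow
# (for example input-constrained shared devices).
ALLOWED_DEVICE_CODE_USERS = {"room-display@contoso.example"}


def device_code_findings(sign_ins, allowed_users):
    """Return device code sign-ins by accounts not approved for the flow."""
    allowed = {u.lower() for u in allowed_users}
    findings = []
    for rec in sign_ins:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        user = rec.get("userPrincipalName", "").lower()
        if user in allowed:
            continue
        succeeded = rec.get("status", {}).get("errorCode") == 0
        findings.append({
            "time": rec["createdDateTime"], "user": user,
            "app": rec.get("appDisplayName"), "ip": rec.get("ipAddress"),
            # Success means tokens were issued: revoke sessions and investigate.
            "severity": "high" if succeeded else "info",
        })
    # Successful (high) findings first, then oldest first.
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["time"]))


if __name__ == "__main__":
    for finding in device_code_findings(SIGN_INS, ALLOWED_DEVICE_CODE_USERS):
        print(finding)
```

A blocked attempt (`info`) still shows that a user followed a device code lure, so it is worth matching against reported phishing emails.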
Source articles (7)
- FBI Warns of Kali365 PhaaS Platform Attacking Microsoft 365 Users to Steal Logins and Bypass MFA — Cybersecuritynews · 2026-05-22
  The FBI has issued a new cybersecurity warning about a rapidly emerging phishing-as-a-service (PhaaS) platform named Kali365, which is actively targeting Microsoft 365 users to steal access tokens and bypas…
- Microsoft 365 Users Targeted by New Phishing Threat that Bypasses MFA — Ground.News · 2026-05-22
  The FBI has issued a public service announcement warning about a new phishing kit that's stealing Microsoft OAuth tokens at an alarming rate. OAuth token theft is a serious headache for organizations becaus…
- FBI Warns Kali365 PhaaS Platform Targets Microsoft 365 Users to Steal Logins — www.itsecuritynews.info · 2026-05-22
- Microsoft 365 users targeted by new phishing threat that bypasses MFA — www.helpnetsecurity.com · 2026-05-22
- Microsoft 365 users targeted by new phishing threat that bypasses MFA — Feeds2.Feedburner · 2026-05-22
  Microsoft 365 access tokens are being targeted by an emerging Phishing-as-a-Service (PhaaS) platform called Kali365, the FBI is warning. First observed in April 2026, Kali365 has been distributed thro…
- PSA260521 — www.ic3.gov · 2026-05-22
  The Federal Bureau of Investigation (FBI) is issuing this Public Service Announcement (PSA) to warn the public about an emerging Phishing-as-a-Service (PhaaS) platform called Kali365, first seen…
- FBI warns Kali365 phishing kit is stealing Microsoft OAuth tokens at scale — Theregister · 2026-05-22
  MFA? No problem, says crimeware that tricks users into handing attackers the keys to M365. The FBI has issued a public service announcement warning about a new phishing kit that's stealing Microsoft OAuth to…
Timeline
- 2026-04-01 — Kali365 first identified: Cybersecurity experts first observed the Kali365 phishing kit being distributed via Telegram.
- 2026-05-22 — FBI issues public service announcement: The FBI warns the public about the risks associated with the Kali365 phishing kit targeting Microsoft 365 users.
- 2026-05-22 — Kali365 phishing kit features detailed: The FBI describes Kali365's capabilities, including AI-generated phishing lures and OAuth token capture.
- 2026-05-22 — Mitigation recommendations provided: The FBI advises organizations to restrict device code flows to limit the effectiveness of Kali365 attacks.
Related entities
- Phishing (Attack Type)
- CWE-287 - Improper Authentication (Cwe)
- at.be (Domain)
- Kali365 (Tool)
- Docusign (Tool)
- EvilTokens (Tool)
- T1566.002 - Spearphishing Link (Mitre Attack)
- T1566 - Phishing (Mitre Attack)
- Adobe Acrobat Sign (Platform)
- Microsoft 365 (Platform)
- Microsoft Login Page (Platform)
- SharePoint (Platform)
- Telegram (Platform)