The FBI issued a warning about a phishing-as-a-service platform called Kali365 that allows cybercriminals to capture Microsoft 365 authentication tokens and bypass multi-factor authentication without stealing user passwords.
First seen in April 2026, Kali365 is sold and distributed through Telegram. According to the FBI, the platform is designed to lower barriers to entry, equipping even novice criminals with tools such as AI-generated phishing lures, automated campaign templates, dashboards for tracking targets in real time, and the ability to capture OAuth tokens.
The attack works by sending a phishing email that impersonates a trusted cloud productivity or document-sharing service. Embedded in the email is a device code, along with directions that steer the recipient toward an authentic Microsoft verification page where they are told to input it. When the user complies, they unknowingly authorize the attacker's device to access their Microsoft 365 account. The resulting OAuth tokens hand the attacker standing access to services including Outlook, Teams, and OneDrive, with no password entry or MFA prompt required at any point, the FBI said.
Cybersecurity firm Arctic Wolf, which investigated a widespread Kali365 campaign in April, found that after gaining mailbox access, attackers created malicious inbox rules to conceal their activity. Attackers went further in certain incidents, enrolling additional devices inside the compromised Microsoft environments to deepen their foothold, according to BleepingComputer. Arctic Wolf also gained access to the Kali365 system itself, finding that the platform offers three subscription tiers ranging from $250 for 30 days to $2,000 for 365 days, according to The Record.
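Defenders can hunt for the sequence described above: a device-code sign-in followed by inbox-rule creation or device enrollment on the same account. The following Python example is added here and is not code from the FBI, Arctic Wolf, or Microsoft; the event records are constructed, and the field names and operation strings (deviceCode, New-InboxRule, Set-InboxRule, Add device) are assumptions that must be mapped onto the tenant's actual sign-in and audit log schema.

```python
from datetime import datetime, timedelta

# Constructed sample events. The flat schema is an assumption for illustration,
# loosely modeled on sign-in and audit log exports; it is not an exact format.
SAMPLE_EVENTS = [
    {"time": "2026-04-14T09:02:11", "user": "alice@example.com", "type": "signin",
     "protocol": "deviceCode", "ip": "203.0.113.45"},
    {"time": "2026-04-14T09:06:40", "user": "alice@example.com", "type": "audit",
     "operation": "New-InboxRule", "ip": "203.0.113.45"},
    {"time": "2026-04-14T09:30:02", "user": "alice@example.com", "type": "audit",
     "operation": "Add device", "ip": "203.0.113.45"},
    {"time": "2026-04-14T10:15:00", "user": "bob@example.com", "type": "signin",
     "protocol": "deviceCode", "ip": "198.51.100.7"},   # device-code sign-in, no follow-up
    {"time": "2026-04-14T11:00:00", "user": "carol@example.com", "type": "audit",
     "operation": "New-InboxRule", "ip": "192.0.2.10"},  # rule with no device-code sign-in
]

# Post-compromise activity named in the article: inbox rules and device enrollment.
FOLLOW_UP_OPS = {"New-InboxRule", "Set-InboxRule", "Add device"}
WINDOW = timedelta(hours=24)

def correlate(events, window=WINDOW):
    """Flag users whose device-code sign-in is followed by follow-up activity within window."""
    last_device_code = {}   # user -> (time, ip) of most recent device-code sign-in
    findings = {}
    for e in sorted(events, key=lambda ev: ev["time"]):
        t = datetime.fromisoformat(e["time"])
        if e["type"] == "signin" and e.get("protocol") == "deviceCode":
            last_device_code[e["user"]] = (t, e["ip"])
        elif e["type"] == "audit" and e.get("operation") in FOLLOW_UP_OPS:
            seen = last_device_code.get(e["user"])
            if seen and t - seen[0] <= window:
                f = findings.setdefault(e["user"], {
                    "signin_time": seen[0].isoformat(),
                    "signin_ip": seen[1],
                    "operations": []})
                f["operations"].append(e["operation"])
    return findings

if __name__ == "__main__":
    for user, f in correlate(SAMPLE_EVENTS).items():
        print(user, f["signin_time"], f["signin_ip"], f["operations"])
```

A device-code sign-in on its own is left unflagged because some input-constrained devices use the flow legitimately; the correlation with follow-up activity is what raises priority for review.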









