
FBI Warns of Kali365 Attacking Microsoft 365 Users to Steal Logins and Bypass MFA

Source: Cybersecurity News. Archived May 22, 2026.



By Abinaya, May 22, 2026

The FBI has issued a new cybersecurity warning about a rapidly emerging phishing-as-a-service (PhaaS) platform named Kali365, which is actively targeting Microsoft 365 users to steal access tokens and bypass multi-factor authentication (MFA).

Kali365 is being distributed primarily through Telegram channels, where threat actors can subscribe to the service and launch phishing campaigns with minimal technical knowledge. Unlike traditional credential-harvesting attacks, Kali365 focuses on capturing OAuth tokens, enabling attackers to gain persistent access to Microsoft 365 accounts without requiring usernames, passwords, or MFA codes.

The platform includes several built-in features that lower the barrier to entry for attackers:

- AI-generated phishing email templates impersonating trusted services.
- Automated campaign deployment tools.
- Real-time dashboards to track victims.
- OAuth token capture mechanisms.

This combination enables even low-skilled attackers to execute sophisticated phishing campaigns at scale.

Kali365 PhaaS Targets Microsoft 365

The Kali365 attack leverages Microsoft's legitimate device code authentication flow to trick users into authorizing malicious access.

- Lure: Victims receive phishing emails that appear to be from Microsoft or document-sharing platforms. These emails include a device code and instructions.
- Authorization: The victim is directed to a legitimate Microsoft verification page and asked to enter the provided code.
- Token Theft: By entering the code, the user unknowingly authorizes the attacker's session, allowing them to capture OAuth access and refresh tokens.
- Persistence: Attackers can then access services like Outlook, Teams, and OneDrive without triggering MFA again.

This technique is particularly dangerous because it exploits legitimate authentication workflows, making detection more difficult.
"Today the FBI released a #PSA warning the public about Kali365—an emerging phishing-as-a-service (PhaaS) platform. Kali365, first seen in April 2026, enables cyber threat actors to obtain Microsoft 365 access tokens and bypass multi-factor authentication (MFA) protocols without… pic.twitter.com/AALCKPLVHG" — FBI Cyber Division (@FBICyberDiv) May 21, 2026

Tracked under Alert Number I-052126-PSA and first observed in April 2026, the platform is gaining traction among cybercriminals due to its ease of use and advanced capabilities.

Once access is gained, attackers can:

- Read and exfiltrate emails.
- Access sensitive files stored in OneDrive.
- Monitor communications via Teams.
- Maintain long-term persistence using refresh tokens.

Because credentials are not directly stolen, traditional security alerts may not be triggered, thereby increasing dwell time.

Mitigation Recommendations

The FBI and CISA recommend several defensive measures to reduce exposure:

- Restrict or turn off device code flow authentication where possible.
- Implement conditional access policies to block unauthorized device code usage.
- Audit existing device code flow dependencies before applying restrictions.
- Block authentication transfer between devices.
- Maintain emergency access accounts to prevent lockouts.

Organizations should also monitor for unusual sign-ins and token usage patterns.

Victims of Kali365-related attacks are encouraged to report incidents to the FBI's Internet Crime Complaint Center (IC3) at www.ic3.gov. Key information to include:

- Phishing email samples (headers and content).
- Suspicious login details (IP, time, location).
- Unauthorized devices or active sessions.

As phishing techniques continue to evolve, the Kali365 platform highlights a growing shift toward token-based attacks that bypass traditional defenses, reinforcing the need for stronger identity and access controls.
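One way to act on the "audit existing device code flow dependencies" and "monitor for unusual sign-ins" recommendations above, as an added example that is not from the FBI advisory or the original article: a triage pass over exported sign-in records that separates known device code dependencies from sign-ins needing review. The record shape (including `authenticationProtocol` set to `deviceCode`) is assumed from the Microsoft Graph signIn resource; the sample rows, account names and allowlist are constructed.

```python
import json
from collections import defaultdict

def rec(ts, upn, app, ip, proto, err=0):
    """Build one constructed sign-in record (shape assumed from Graph signIn)."""
    return {"createdDateTime": ts, "userPrincipalName": upn, "appDisplayName": app,
            "ipAddress": ip, "authenticationProtocol": proto,
            "status": {"errorCode": err}}  # 0 = success

# Constructed sample data: documentation IP ranges and a placeholder tenant.
SAMPLE = [
    rec("2026-05-18T07:58:00Z", "room-display@contoso.example", "Room Display", "198.51.100.10", "deviceCode"),
    rec("2026-05-18T09:02:00Z", "a.lee@contoso.example", "Outlook", "198.51.100.22", "oAuth2"),
    rec("2026-05-18T09:05:00Z", "b.cho@contoso.example", "Outlook", "198.51.100.23", "oAuth2"),
    rec("2026-05-19T14:31:00Z", "a.lee@contoso.example", "Microsoft Office", "203.0.113.77", "deviceCode"),
    rec("2026-05-19T14:40:00Z", "b.cho@contoso.example", "Microsoft Office", "198.51.100.23", "deviceCode", err=99999),
]

# Hypothetical allowlist: accounts the dependency audit confirmed need device code flow.
KNOWN_DEPENDENCIES = {"room-display@contoso.example"}

def audit_device_code(records, allowlist):
    """Classify each device code sign-in; other rows only build the per-user IP baseline."""
    baseline = defaultdict(set)
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            baseline[r["userPrincipalName"]].add(r["ipAddress"])
    findings = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        upn = r["userPrincipalName"]
        succeeded = r.get("status", {}).get("errorCode") == 0
        if upn in allowlist:
            verdict = "expected"        # needs an exclusion before a block policy is enforced
        elif succeeded:
            verdict = "investigate"     # sign-in completed: review the session and its tokens
        else:
            verdict = "failed-attempt"  # sign-in did not complete; still worth a look
        findings.append({"time": r["createdDateTime"], "user": upn,
                         "app": r["appDisplayName"], "ip": r["ipAddress"],
                         "verdict": verdict,
                         "new_ip": r["ipAddress"] not in baseline[upn]})
    return findings

if __name__ == "__main__":
    for f in audit_device_code(SAMPLE, KNOWN_DEPENDENCIES):
        print(json.dumps(f))
```

Accounts that come back as "expected" are the ones to scope around when a blocking policy is rolled out; "investigate" rows with `new_ip` set are the first to review.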