Industry News & Leadership · May 25, 2026

FBI Warns 'Kali365' Phishing Kit Hijacks Microsoft 365 OAuth Tokens

Infosecurity Magazine · Archived May 25, 2026

The Kali365 phishing-as-a-service platform lowers the barrier of entry for cybercriminals, said the FBI



A new phishing-as-a-service (PhaaS) platform called Kali365 is being distributed in the wild, primarily via Telegram, the FBI has warned.

First detected in April 2026, Kali365 gives cyber threat actors access to AI-generated phishing lures, automated campaign templates, and real-time dashboards for tracking targeted individuals and entities. It also enables individuals with little technical skill to capture OAuth tokens (Microsoft 365 access tokens) and bypass multifactor authentication (MFA) without intercepting the user's credentials. Through a Kali365 subscription, cyber threat actors can gain persistent access to targeted individuals' and entities' Microsoft 365 environments.

Kali365 Attack Chain

In a typical attack chain, detailed by the FBI in an advisory published on May 21, the attacker initiates the scam by sending a phishing email that impersonates trusted cloud productivity and document-sharing services. The email contains a device code along with instructions to visit a legitimate Microsoft verification page and enter it. Victims navigate to the real Microsoft page and paste in the device code, unknowingly authorizing the attacker's device to access their account.

The attacker then captures OAuth access and refresh tokens, which grant access to the targeted individual's or entity's Microsoft 365 account. With these tokens in hand, the attacker can access Microsoft 365 services such as Outlook, Teams and OneDrive without needing a password or completing any additional MFA challenge, establishing persistence in the compromised account.
Mitigating Kali365-Like Threats

To mitigate the threat of being targeted by Kali365-enabled cybercriminals, the FBI recommended the following measures:

- Restrict device code flow to limit or block device authentication codes
- Create a conditional access policy to block device code flow for all users, with limited exceptions for required business processes
- Block authentication transfer policies to prevent users from transferring authentication from computers to mobile devices
- Exclude emergency access accounts to prevent lockouts

Image credit: Ed Hardie / Unsplash
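As an added illustration of the four FBI recommendations above (not code from the article or the advisory), the following Python composes a Conditional Access policy body that blocks device code flow and authentication transfer for all users while exempting break-glass accounts, checks it before deployment, and flags device code sign-ins in exported sign-in records. It assumes the Microsoft Graph conditionalAccessPolicy shape (authenticationFlows.transferMethods) and the Graph signIn shape (authenticationProtocol); the emergency account ID, group name and sign-in records are constructed placeholders.

```python
# Added example: Conditional Access policy body (assumed Microsoft Graph
# conditionalAccessPolicy shape) plus a device code sign-in check over records
# in the assumed Graph signIn shape. All values below are constructed.

# Placeholder break-glass account object ID (hypothetical, not a tenant value).
EMERGENCY_ACCOUNTS = ["00000000-0000-0000-0000-000000000001"]

def build_block_device_code_policy(emergency_accounts, allowed_groups=()):
    """Block device code flow and authentication transfer for all users and
    apps, exempting emergency accounts and groups with an approved need."""
    return {
        "displayName": "Block device code flow and authentication transfer",
        "state": "enabled",
        "conditions": {
            "users": {
                "includeUsers": ["All"],
                "excludeUsers": list(emergency_accounts),
                "excludeGroups": list(allowed_groups),
            },
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {
                "transferMethods": "deviceCodeFlow,authenticationTransfer"
            },
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }

def policy_is_safe(policy):
    """Pre-deployment check: enabled, scoped to all users, blocks device code
    flow, and exempts at least one emergency account to avoid lockout."""
    c = policy["conditions"]
    return (
        policy["state"] == "enabled"
        and c["users"]["includeUsers"] == ["All"]
        and len(c["users"]["excludeUsers"]) > 0
        and "deviceCodeFlow" in c["authenticationFlows"]["transferMethods"]
        and "block" in policy["grantControls"]["builtInControls"]
    )

# Constructed sample sign-in records, not real telemetry.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.7"},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "oAuth2",
     "appDisplayName": "Microsoft Teams", "ipAddress": "198.51.100.2"},
]

def device_code_signins(signins):
    """Sign-ins completed via device code flow: the trail left when a user
    enters a mailed code on the real Microsoft page, so each one needs review."""
    return [s for s in signins if s.get("authenticationProtocol") == "deviceCode"]
```

Run `policy_is_safe` on the generated body before submitting it to the tenant, and feed `device_code_signins` the sign-in export to surface accounts whose tokens may have been issued to an unfamiliar device.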