FBI warns of 'Kali365' phishing attack on Microsoft users
What's the story
The Federal Bureau of Investigation (FBI) has issued a warning about a new cybercrime platform called Kali365. The "Phishing-as-a-Service" (PhaaS) toolkit targets Microsoft 365 users by circumventing multi-factor authentication (MFA) protections. First detected in April 2026, the platform is being actively distributed through Telegram channels and allows even low-skilled attackers to conduct sophisticated phishing campaigns.
Platform details
What is Kali365?
Kali365 is a subscription-based cybercrime platform that lets attackers launch automated phishing campaigns against cloud services, especially Microsoft 365 accounts. The FBI has described it as an emerging PhaaS platform that allows "cyber threat actors to obtain Microsoft 365 access tokens and bypass multi-factor authentication (MFA) protocols without intercepting the user's credentials."
Attack strategy
How Kali365 works
The FBI has detailed a multi-stage attack process using Kali365. It starts with phishing lures: victims receive emails impersonating trusted cloud services or document-sharing platforms. These emails contain a device code and instructions to visit a legitimate Microsoft login page. When the victim enters the code on this page, they unknowingly authorize the attacker's device, which leads to token theft and persistent access for the attacker.
Attack impact
Bypassing MFA protections
Kali365's approach differs from traditional phishing because it exploits OAuth token-based authentication. Passwords aren't directly stolen, MFA protections can be bypassed, and access can persist even after password changes. These factors make detection and recovery much more difficult for victims and IT teams. The FBI has recommended that organizations tighten security controls around Microsoft 365 authentication systems to mitigate this threat.
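The device code approval described above is still recorded as a sign-in event, so those events can be reviewed. The following is an added example, not taken from the FBI advisory or this article: it filters constructed sign-in records for successful device code authentications and marks those from a country the user has not otherwise signed in from. Field names follow the Microsoft Graph signIn resource (assumed export shape), and the new-country heuristic and function names are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed, simplified sign-in records (assumed Microsoft Graph signIn shape).
# IP addresses are from documentation ranges; users are placeholders.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-04-14T08:02:11Z", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "none", "ipAddress": "192.0.2.10",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2026-04-14T09:40:52Z", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.77",
     "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2026-04-14T10:05:00Z", "userPrincipalName": "bob@example.com",
     "authenticationProtocol": "none", "ipAddress": "198.51.100.4",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2026-04-14T10:06:30Z", "userPrincipalName": "bob@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.4",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2026-04-14T11:15:09Z", "userPrincipalName": "carol@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.78",
     "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 1}},  # constructed failure
]

def succeeded(rec):
    """errorCode 0 means the sign-in completed and tokens were issued."""
    return rec["status"]["errorCode"] == 0

def flag_device_code_signins(records):
    """Return each successful device code sign-in, with new_country=True when the
    country never appears in the same user's other successful sign-ins."""
    baseline = defaultdict(set)  # user -> countries seen outside the device code flow
    for rec in records:
        if succeeded(rec) and rec["authenticationProtocol"] != "deviceCode":
            baseline[rec["userPrincipalName"]].add(rec["location"]["countryOrRegion"])
    findings = []
    for rec in records:
        if succeeded(rec) and rec["authenticationProtocol"] == "deviceCode":
            user = rec["userPrincipalName"]
            country = rec["location"]["countryOrRegion"]
            # A user with no baseline at all is treated as new_country=True.
            findings.append({"time": rec["createdDateTime"], "user": user,
                             "ip": rec["ipAddress"], "country": country,
                             "new_country": country not in baseline[user]})
    return findings

if __name__ == "__main__":
    for f in flag_device_code_signins(SAMPLE_SIGNINS):
        label = "REVIEW" if f["new_country"] else "known location"
        print(f'{f["time"]} {f["user"]} {f["ip"]} {f["country"]} -> {label}')
```

Failed device code attempts are skipped here because no token was issued. The successful ones are the records that map to the "suspicious login data" and "unauthorized device or session activity" the FBI asks victims to include in a report.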
Reporting incidents
Rise of PhaaS platforms
The FBI has urged victims and organizations affected by Kali365-related attacks to report incidents to the Internet Crime Complaint Center (IC3). Reports should include full phishing email details, suspicious login data, and unauthorized device or session activity. The emergence of Kali365 highlights a wider trend in cybercrime: the rise of Phishing-as-a-Service platforms that bundle sophisticated hacking tools into easy-to-use subscription models.