Technologyphishing
Summary (tl;dr)
The FBI has issued an urgent warning about Kali365, a new "Phishing-as-a-Service" platform that allows cybercriminals to bypass multi-factor authentication (MFA) and gain persistent, unauthorized access to Microsoft 365 accounts without needing to steal passwords.
Essential Background
Phishing is a deceptive cyberattack where malicious actors attempt to trick individuals into revealing sensitive information, such as login credentials, often by impersonating legitimate entities through emails or messages. To combat these threats, multi-factor authentication (MFA) was widely adopted, adding a crucial layer of security that requires users to provide two or more verification factors to access an account, even if their password is compromised.
The Full Story
On May 21, 2026, the Federal Bureau of Investigation (FBI) released a Public Service Announcement warning about Kali365, an advanced Phishing-as-a-Service (PhaaS) platform that is being actively distributed via Telegram. This platform enables cybercriminals to launch sophisticated phishing campaigns that target Microsoft 365 users, a significant concern given its ability to bypass multi-factor authentication (MFA). Instead of stealing passwords, Kali365 exploits a legitimate Microsoft feature called "device code flow" to acquire OAuth access tokens, granting attackers persistent access to services like Outlook, Teams, and OneDrive without requiring the victim's password or triggering additional MFA prompts. The Kali365 toolkit is readily available for subscription and includes features such as AI-generated phishing lures and automated campaign templates, significantly lowering the technical expertise required for attackers. Hundreds of Kali365 attacks were documented in April alone, impacting a wide range of organizations across various sectors, including manufacturing, education, insurance, financial services, healthcare, and government, spanning North America, Europe, and other global regions.
Why It Matters
The emergence of Kali365 is a critical development because it circumvents established cybersecurity defenses, particularly multi-factor authentication, which many organizations and individuals rely on for robust account protection. This accessible and potent platform broadens the pool of potential cybercriminals, increasing the risk of widespread compromise of Microsoft 365 accounts, leading to data theft, financial fraud, and business email compromise (BEC). The persistence offered by stolen OAuth tokens means attackers can maintain covert access to compromised accounts for extended periods, making detection and remediation challenging. To mitigate this threat, organizations are advised to implement conditional access policies to restrict device code flow and regularly audit existing device authentication usage.
Geographic Location
- Washington, D.C., District of Columbia, United States (FBI issued a Public Service Announcement regarding Kali365)
- North America (Kali365 attacks documented against organizations)
- Europe (Kali365 attacks documented against organizations)
- Middle East (Kali365 attacks documented against organizations)
- Africa (Kali365 attacks documented against organizations)
- Australia (Kali365 attacks documented against organizations)
- India (Kali365 attacks documented against organizations)
- Canada (Kali365 attacks documented against organizations)
- APAC (Kali365 attacks documented against organizations)