May 23 / Latest News

FBI Flags New “Kali365” Phishing Service Targeting Microsoft 365 Users

A new FBI alert warns that a phishing‑as‑a‑service platform called Kali365 is helping low‑level cybercriminals hijack Microsoft 365 accounts using device‑code phishing and stolen OAuth tokens, enabling long‑term access and corporate data theft.

The FBI is sounding the alarm over a newly discovered phishing‑as‑a‑service operation known as Kali365, a subscription‑based platform sold on Telegram that gives inexperienced cybercriminals turnkey tools to break into Microsoft 365 accounts. First spotted in April 2026, the service mirrors a growing trend of low‑skill attackers buying ready‑made kits instead of building their own infrastructure.

The warning follows recent reporting on another Telegram‑based kit, EvilTokens, which used fake Microsoft login pages and spoofed Outlook calendar invites to steal session data. Kali365’s arrival suggests that these services are rapidly multiplying and becoming more accessible to newcomers in the cybercrime ecosystem.

What makes Kali365 particularly dangerous is that attackers don’t need a victim’s password. Instead, they rely on device‑code phishing, a technique that tricks users into entering a code on a legitimate Microsoft verification page. The email lure appears to come from a trusted cloud or document‑sharing service, but the moment the user types in the provided code, the attacker’s device is granted access to the account.

Once inside, Kali365 harvests OAuth access and refresh tokens—digital keys that keep users logged into apps like Outlook, Teams, and OneDrive. With these tokens, attackers can bypass multi‑factor authentication and maintain long‑term access, paving the way for data theft and business email compromise schemes.

Although the FBI issued its alert this week, Arctic Wolf researchers documented the threat earlier in the year. Their analysis showed that the phishing emails used convincing subject lines such as “SharePoint – Document Shared,” “OneDrive – File Shared,” “Microsoft 365 – Voicemail,” “DocuSign – Signature Required,” and “Adobe Acrobat Sign – Agreement,” all designed to blend seamlessly into a corporate inbox.

To counter the threat, the FBI and CISA are urging organizations to restrict or disable device‑code authentication flows, closely monitor their use, and enforce strict conditional access rules. They also recommend keeping emergency access accounts available to avoid accidental lockouts, and blocking authentication transfer, the flow that allows login rights to move between devices.
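One way to act on the "closely monitor" recommendation, shown as an added example that is not code from the FBI, CISA or Arctic Wolf: a triage pass over exported sign-in records that separates device‑code sign‑ins that issued a token from those a policy blocked. It assumes records shaped like the Microsoft Graph `signIn` resource (`userPrincipalName`, `authenticationProtocol`, `status.errorCode`); the function names, the approved‑user allowlist and the sample data are hypothetical and constructed.

```python
from collections import Counter

DEVICE_CODE = "deviceCode"  # authenticationProtocol value for the device-code flow
CA_BLOCKED = 53003          # Entra ID error code: blocked by Conditional Access

def rec(user, proto, code):
    """Build one constructed sign-in record in the assumed export shape."""
    return {"userPrincipalName": user, "authenticationProtocol": proto,
            "status": {"errorCode": code}}

# Constructed sample data, not real logs. Users and outcomes are invented.
SAMPLE_SIGNINS = [
    rec("alice@example.com", "none", 0),            # ordinary browser sign-in
    rec("bob@example.com", DEVICE_CODE, 0),         # device code, token issued
    rec("kiosk01@example.com", DEVICE_CODE, 0),     # approved shared device
    rec("carol@example.com", DEVICE_CODE, CA_BLOCKED),
    rec("dave@example.com", DEVICE_CODE, 50126),    # failed for another reason
]

def triage_device_code(signins, approved_users=()):
    """Return one finding per device-code sign-in that needs review."""
    approved = {u.lower() for u in approved_users}
    findings = []
    for r in signins:
        if r.get("authenticationProtocol") != DEVICE_CODE:
            continue
        user = r.get("userPrincipalName", "").lower()
        code = r.get("status", {}).get("errorCode")
        if code == 0 and user in approved:
            continue  # expected use by an account allowed to use the flow
        if code == 0:
            verdict = "token-issued"       # revoke sessions, review the account
        elif code == CA_BLOCKED:
            verdict = "blocked-by-policy"  # policy held, but a flow was attempted
        else:
            verdict = "failed"
        findings.append({"user": user, "verdict": verdict, "errorCode": code})
    return findings

def summarize(findings):
    """Count findings per verdict for a daily report."""
    return Counter(f["verdict"] for f in findings)

if __name__ == "__main__":
    for f in triage_device_code(SAMPLE_SIGNINS, {"kiosk01@example.com"}):
        print(f)
```

A "blocked-by-policy" finding is still worth a follow‑up with the user, since it shows a device‑code sign‑in was attempted against their account.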

Kali365’s emergence underscores how quickly phishing‑as‑a‑service platforms are evolving—and how easily they can put corporate data at risk.