The FBI has issued a warning about a rapidly growing phishing-as-a-service platform called Kali365 that is being used to compromise Microsoft 365 accounts while bypassing multi-factor authentication protections.

According to a new FBI Public Service Announcement published through the Internet Crime Complaint Center (IC3), Kali365 first appeared in April 2026 and is primarily distributed through Telegram channels used by cybercriminals. The platform enables attackers to steal Microsoft 365 OAuth access tokens without directly capturing passwords or MFA codes.

The FBI said Kali365 lowers the barrier for less-skilled cybercriminals by providing ready-made phishing infrastructure, AI-generated phishing lures, automated campaign templates, victim tracking dashboards, and token capture tools.

Unlike traditional phishing attacks that rely on fake login pages, Kali365 abuses Microsoft’s legitimate device authentication process. In a typical attack, victims receive emails impersonating trusted cloud or document-sharing services. The messages contain instructions directing users to Microsoft’s real verification page and prompting them to enter a supplied device code.

Once the code is entered, victims unknowingly authorize the attacker’s device to access their Microsoft 365 environment. Attackers then capture OAuth access and refresh tokens, allowing persistent access to services including Outlook, Teams, and OneDrive without triggering additional MFA prompts.

Security researchers describe the technique as “device code phishing,” a growing attack method targeting cloud authentication systems. Because the login occurs through legitimate Microsoft infrastructure, traditional phishing detection tools often struggle to identify the activity as malicious.

Researchers at Arctic Wolf previously linked Kali365 to large-scale campaigns impacting organizations across manufacturing, healthcare, finance, government, and education sectors in North America and Europe. The company said attackers used realistic phishing lures combined with Microsoft’s legitimate device login flow to obtain persistent access tokens.

Cybersecurity experts warn that the stolen tokens can provide long-term access to corporate environments and may be used for business email compromise, internal reconnaissance, data theft, financial fraud, and ransomware deployment.

The FBI recommended that organizations restrict or disable device code authentication flows where possible and implement conditional access policies that block risky login attempts. The agency also advised companies to monitor OAuth application permissions, review suspicious authentication events, and revoke unauthorized tokens immediately after detecting compromise activity.
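One way to act on these recommendations, as an added example that is not from the FBI announcement or from any vendor tool: a Python script that triages an exported Entra sign-in log for completed device code sign-ins to apps the organization has not approved for that flow, groups the hits per user so each one maps to a review-and-revoke action, and builds a report-only Conditional Access policy body that blocks the flow. It assumes the Microsoft Graph signIn schema reports the flow in `authenticationProtocol` as `deviceCode`, and that the Conditional Access `conditions.authenticationFlows.transferMethods` condition is available; the sample records, users, IP addresses, timestamps and the allowlisted app are all constructed.

```python
import json
from collections import defaultdict

# Constructed sample export of Entra sign-in records as JSON lines. Every
# value (users, IPs, timestamps, apps) is invented for this example.
SAMPLE_SIGNIN_LOG = """\
{"createdDateTime": "2026-05-02T08:14:03Z", "userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.10", "status": {"errorCode": 0}}
{"createdDateTime": "2026-05-02T08:16:41Z", "userPrincipalName": "alice@example.com", "appDisplayName": "Office 365 Exchange Online", "authenticationProtocol": "none", "ipAddress": "192.0.2.25", "status": {"errorCode": 0}}
{"createdDateTime": "2026-05-02T09:02:10Z", "userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.10", "status": {"errorCode": 50126}}
{"createdDateTime": "2026-05-02T09:30:55Z", "userPrincipalName": "carol@example.com", "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7", "status": {"errorCode": 0}}
{"createdDateTime": "2026-05-02T10:05:12Z", "userPrincipalName": "dave@example.com", "appDisplayName": "Microsoft Azure CLI", "authenticationProtocol": "deviceCode", "ipAddress": "192.0.2.40", "status": {"errorCode": 0}}
"""

# Assumption: the organisation has decided that administrators may still use
# the device code flow with this CLI tool; any other app using it is unexpected.
ALLOWED_DEVICE_CODE_APPS = frozenset({"Microsoft Azure CLI"})


def parse_signins(text):
    """Parse a JSON-lines sign-in export into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def device_code_signins(records, allowed_apps=ALLOWED_DEVICE_CODE_APPS, successful_only=True):
    """Return sign-ins that used the device code flow for a non-allowlisted app.

    By default only successful sign-ins (errorCode 0) are returned, because
    those are the ones that produced access and refresh tokens to revoke.
    """
    flagged = []
    for rec in records:
        # Assumed Graph field/value: authenticationProtocol == "deviceCode"
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        if rec.get("appDisplayName") in allowed_apps:
            continue
        succeeded = rec.get("status", {}).get("errorCode", 0) == 0
        if successful_only and not succeeded:
            continue
        flagged.append(rec)
    return flagged


def summarize_by_user(flagged):
    """Group flagged sign-ins per user so each hit maps to a concrete review/revoke action."""
    by_user = defaultdict(list)
    for rec in flagged:
        by_user[rec["userPrincipalName"]].append(
            {"time": rec["createdDateTime"], "ip": rec.get("ipAddress"), "app": rec.get("appDisplayName")}
        )
    return dict(by_user)


def device_code_block_policy(excluded_group_ids=()):
    """Build a report-only Conditional Access policy body that blocks the device code flow.

    Assumption: the Graph conditionalAccessPolicy schema with the
    conditions.authenticationFlows.transferMethods condition. Check the
    current Microsoft documentation before creating the policy; the group
    ids passed in are placeholders for a break-glass or admin exclusion.
    """
    return {
        "displayName": "Block device code flow (example policy)",
        # Start in report-only mode; switch to "enabled" once the report-only
        # results show no legitimate use would be blocked.
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": list(excluded_group_ids)},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    records = parse_signins(SAMPLE_SIGNIN_LOG)
    hits = device_code_signins(records)
    for user, events in summarize_by_user(hits).items():
        print(f"{user}: {len(events)} device code sign-in(s) to review; revoke sessions if unexpected")
        for ev in events:
            print(f"    {ev['time']}  app={ev['app']}  ip={ev['ip']}")
    print(json.dumps(device_code_block_policy(), indent=2))
```

Run against the constructed sample, the script flags alice and carol (successful device code sign-ins to an unapproved app), ignores bob's failed attempt under the default filter, and leaves dave alone because his app is on the allowlist; the failed attempt from the same IP as alice's success is still worth a look, so `successful_only=False` is available for that pass. The policy body is deliberately emitted in report-only state so that legitimate device code use (headless devices, CLI tooling) surfaces in the sign-in log before anyone is blocked.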

The agency additionally warned users to remain cautious of unsolicited emails requesting authentication actions, even when links point to legitimate Microsoft domains.

Kali365 joins a growing ecosystem of phishing-as-a-service operations that package advanced attack techniques into subscription-based platforms sold through Telegram and underground cybercrime communities. Researchers say these services are making sophisticated account takeover attacks increasingly accessible to inexperienced threat actors.
