What is Kali365? FBI warns Telegram-based phishing service targeting Microsoft 365 users
The Federal Bureau of Investigation (FBI) has issued a public warning about a newly identified cybercrime platform called Kali365, a “Phishing-as-a-Service” (PhaaS) toolkit that is being used to target Microsoft 365 users by bypassing multi-factor authentication (MFA) protections.
The platform, first detected in April 2026, is being actively distributed through Telegram channels and is designed to help even low-skilled attackers conduct sophisticated phishing campaigns.
What is Kali365?
Kali365 is a cybercrime subscription service that allows threat actors to carry out automated phishing attacks against cloud-based accounts, particularly Microsoft 365 environments.
According to the FBI, the platform provides attackers with ready-made tools including:
- AI-generated phishing emails and templates
- Automated campaign management systems
- Real-time victim tracking dashboards
- OAuth token capture capabilities
This effectively lowers the technical barrier for cybercriminals, enabling more widespread and scalable attacks.
How the attack works
The FBI outlined a multi-stage process used by attackers leveraging Kali365:
1. Phishing email
Victims receive emails impersonating trusted cloud services or document-sharing platforms. These emails contain a device code and instructions to visit a legitimate Microsoft login page.
2. User authentication trick
The victim enters the device code on the official Microsoft page, unknowingly authorizing the attacker’s device.
3. Token capture
The Kali365 platform captures the OAuth access and refresh tokens issued for that device, giving attackers authenticated access to the victim’s account.
4. Account access
Attackers can then access services such as Outlook, Teams, and OneDrive without needing passwords or triggering MFA again.
The FBI warned that this allows attackers to maintain long-term access to compromised accounts.
Why this attack is dangerous
Unlike traditional phishing, Kali365 exploits OAuth token-based authentication, which means:
- Passwords are not directly stolen
- MFA protections can be bypassed
- Access can persist even after password changes
This makes detection and recovery significantly more difficult for victims and IT teams.
FBI recommendations
The FBI has urged organizations to tighten security controls around Microsoft 365 authentication systems, including:
- Restricting or disabling device code flow authentication
- Implementing strict conditional access policies
- Auditing device code usage for legitimate business needs
- Blocking authentication transfer between devices
- Excluding emergency access accounts from restrictions to prevent lockouts
The agency also advised organizations to proactively monitor login activity and unauthorized session creation.
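The auditing and monitoring advice above can be turned into a simple triage rule over sign-in records. The following is an added example written for this article, not code from the FBI alert or from Microsoft; it assumes sign-in records shaped like the Microsoft Graph signIn resource (fields authenticationProtocol, userPrincipalName, ipAddress, appDisplayName, createdDateTime), and the allow-list and sample records are constructed for illustration.

```python
"""Triage sign-in records for device code flow usage and its follow-on activity.

Assumption: records use Microsoft Graph signIn field names; the sample data
and the allow-list of accounts with a reviewed business need are constructed.
"""
from collections import defaultdict

# Constructed: accounts audited as legitimately needing device code flow
DEVICE_CODE_ALLOWLIST = {"kiosk-svc@example.com"}

# Constructed sample sign-in records (ISO-8601 timestamps sort lexically)
SAMPLE_SIGNINS = [
    {"userPrincipalName": "kiosk-svc@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.10", "appDisplayName": "Microsoft Azure CLI",
     "createdDateTime": "2026-04-02T08:00:00Z"},
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2",
     "ipAddress": "198.51.100.7", "appDisplayName": "Office 365 Exchange Online",
     "createdDateTime": "2026-04-02T09:00:00Z"},
    # alice enters a device code in her own browser (same IP as her normal sign-ins)
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "appDisplayName": "Microsoft Office",
     "createdDateTime": "2026-04-02T09:05:00Z"},
    # minutes later the account is used from an IP never seen for alice
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2",
     "ipAddress": "192.0.2.44", "appDisplayName": "Microsoft Office",
     "createdDateTime": "2026-04-02T09:06:00Z"},
]


def triage(signins, allowlist=DEVICE_CODE_ALLOWLIST):
    """Return (severity, upn, reason) findings in chronological order.

    medium: device code sign-in by an account without an approved need.
    high:   a later sign-in for that account from an IP not seen before
            the device code event, consistent with a token redeemed elsewhere.
    """
    findings = []
    seen_ips = defaultdict(set)   # upn -> IPs observed so far
    flagged = set()               # users with an unapproved device code sign-in
    for rec in sorted(signins, key=lambda r: r["createdDateTime"]):
        upn, ip, when = rec["userPrincipalName"], rec["ipAddress"], rec["createdDateTime"]
        if rec.get("authenticationProtocol") == "deviceCode" and upn not in allowlist:
            findings.append(("medium", upn, f"device code sign-in to {rec['appDisplayName']} at {when}"))
            flagged.add(upn)
        elif upn in flagged and ip not in seen_ips[upn]:
            findings.append(("high", upn, f"post-device-code sign-in from new IP {ip} at {when}"))
        seen_ips[upn].add(ip)
    return findings


if __name__ == "__main__":
    for severity, upn, reason in triage(SAMPLE_SIGNINS):
        print(f"[{severity}] {upn}: {reason}")
```

Feed it exported sign-in records and review every medium finding against the allow-list; high findings are candidates for session revocation.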
Reporting cyber incidents
The FBI has asked victims and organizations impacted by Kali365-related attacks to report incidents to the Internet Crime Complaint Center (IC3) at www.ic3.gov. Reports should include:
- Full phishing email details (headers and content)
- Suspicious login data (IP addresses, timestamps, locations)
- Unauthorized device or session activity
Growing threat of Phishing-as-a-Service
The emergence of Kali365 highlights a broader trend in cybercrime: the rise of Phishing-as-a-Service platforms, which package advanced hacking tools into easy-to-use subscription models.
Security experts say this trend is accelerating cyberattacks globally, particularly against cloud-first workplaces that rely heavily on services like Microsoft 365.
The FBI’s warning underscores the need for stronger authentication safeguards and continuous monitoring as attackers increasingly exploit identity-based security weaknesses rather than traditional password theft.