2026-05-22 The Record

FBI Warns of Kali365 Phishing Service Targeting Microsoft 365

Phishing, Cloud Security, Authentication

The FBI has issued a critical advisory regarding Kali365, a Telegram-based Phishing-as-a-Service (PhaaS) platform that enables cybercriminals to compromise Microsoft 365 accounts by bypassing multi-factor authentication (MFA) through OAuth token capture. First observed in April 2026, the service lowers the barrier for less-technical attackers by providing AI-generated phishing lures, automated campaign templates, real-time tracking dashboards, and OAuth token capture capabilities. The platform is distributed exclusively through Telegram and offers three subscription tiers ranging from $250 for 30 days to $2,000 for 365 days, according to the FBI advisory published Thursday.

Cybersecurity firms Proofpoint, IBM, Huntress, and Arctic Wolf all reported observing hundreds of attacks leveraging Kali365 throughout April. The attack methodology is sophisticated but simple in execution: hackers send phishing emails impersonating trusted cloud productivity services like Adobe, DocuSign, and SharePoint, containing verification codes that redirect victims to legitimate Microsoft login pages. When users enter the code, they unknowingly authorize the attacker's device to access their account, granting OAuth access and refresh tokens that provide persistent access to Outlook, Teams, and OneDrive without requiring passwords. Arctic Wolf's incident responders analyzed a large campaign where threat actors established malicious inbox rules to suppress security notifications, extending dwell time and reducing user awareness of the compromise.

Organizations using Microsoft 365 should immediately audit their OAuth application permissions and implement conditional access policies to restrict authorization requests. Users are encouraged to regularly check their account activity, use an email breach checker to determine if their credentials have been exposed, and employ strong, unique passwords combined with hardware security keys for critical accounts. For those concerned about exposure, conducting a privacy checkup and reviewing connected applications can help identify unauthorized access. The emergence of Kali365 and similar PhaaS platforms underscores the evolving threat landscape where commodity attack tools are becoming increasingly accessible to threat actors of all skill levels.
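The inbox rules Arctic Wolf describes, created to suppress security notifications, can be hunted for directly. The following is an added example, not code from the FBI advisory or The Record: it scans inbox rules exported as JSON and flags enabled rules that delete or hide mail selected by security-related conditions. The field names follow Exchange Online's `Get-InboxRule` output; the export shape, keyword list, folder list and sample records are assumptions constructed for illustration.

```python
import json

# Assumed export shape: Get-InboxRule output converted to JSON and reduced to the
# fields used here. All records below are constructed sample data.
SAMPLE_RULES = json.loads("""[
  {"Name": "Sync", "Enabled": true, "DeleteMessage": true, "MarkAsRead": false,
   "MoveToFolder": null, "From": [],
   "SubjectOrBodyContainsWords": ["security alert", "unusual sign-in"]},
  {"Name": "Newsletters", "Enabled": true, "DeleteMessage": false, "MarkAsRead": false,
   "MoveToFolder": "Reading", "SubjectContainsWords": ["weekly digest"], "From": []},
  {"Name": "Cleanup", "Enabled": true, "DeleteMessage": false, "MarkAsRead": true,
   "MoveToFolder": "RSS Feeds", "From": ["security-noreply@example.com"]},
  {"Name": "old", "Enabled": false, "DeleteMessage": true, "MarkAsRead": false,
   "MoveToFolder": null, "SubjectContainsWords": ["password"], "From": []}
]""")

# Assumed watch lists; tune to the notification senders and wording your tenant uses.
SECURITY_TERMS = ("security", "sign-in", "password", "verification", "mfa", "suspicious")
HIDING_FOLDERS = {"rss feeds", "deleted items", "junk email", "conversation history", "archive"}
CONDITION_FIELDS = ("SubjectContainsWords", "BodyContainsWords",
                    "SubjectOrBodyContainsWords", "From")

def hides_mail(rule):
    """True if the rule's action keeps matching mail out of the user's view."""
    folder = (rule.get("MoveToFolder") or "").lower()
    return bool(rule.get("DeleteMessage")) or folder in HIDING_FOLDERS

def security_matches(rule):
    """Return the rule's condition values that mention a security-related term."""
    values = [v for f in CONDITION_FIELDS for v in (rule.get(f) or [])]
    return [v for v in values if any(t in v.lower() for t in SECURITY_TERMS)]

def suspicious_rules(rules):
    """Flag enabled rules that hide mail selected by security-related conditions."""
    findings = []
    for rule in rules:
        if not rule.get("Enabled"):
            continue  # disabled rules do nothing now; review them separately
        hits = security_matches(rule)
        if hides_mail(rule) and hits:
            action = "delete" if rule.get("DeleteMessage") else "move:" + rule["MoveToFolder"]
            findings.append({"rule": rule["Name"], "matched": hits, "action": action})
    return findings

if __name__ == "__main__":
    for finding in suspicious_rules(SAMPLE_RULES):
        print(finding)
```

A flagged rule is a lead for review, not proof of compromise; confirm it against the mailbox owner and the account's sign-in and audit history.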

Source: The Record
