Overview
The FBI has published a formal advisory warning organizations about Kali365, a sophisticated phishing-as-a-service (PhaaS) platform operating through Telegram that enables cybercriminals to steal legitimate OAuth tokens and gain persistent, unauthorized access to Microsoft 365 environments.
Unlike traditional credential-phishing kits that steal usernames and passwords, Kali365 targets the OAuth authorization flow itself — capturing tokens that grant access regardless of whether the victim has multi-factor authentication enabled. The FBI advisory follows a wave of Kali365-enabled compromises observed in April 2026.
What Is Kali365?
Kali365 is a Telegram-based phishing-as-a-service offering that lowers the technical bar for launching Microsoft 365 account takeover attacks. Cybercriminals subscribe to the service via Telegram and receive ready-made attack infrastructure, including phishing pages and token-capture backends.
| Attribute | Detail |
|---|---|
| Platform | Telegram-based subscription service |
| Target | Microsoft 365 accounts |
| Attack method | OAuth token capture (not password theft) |
| MFA bypass | Yes — OAuth tokens bypass MFA entirely |
| Operation noticed | April 2026 attacks |
| FBI advisory | May 2026 |
How the Attack Works
Kali365 abuses the OAuth device authorization flow (the technique is known as "device code phishing") together with related OAuth redirect techniques to capture the tokens that Microsoft 365 issues to trusted applications. Once a token is captured, the attacker can act as the victim user without ever needing the password or an MFA code.
Attack Chain
1. Attacker (via Kali365) sends victim a phishing lure (email, Teams message, SMS)
2. Victim is directed to a convincing Microsoft login page controlled by Kali365
3. Victim authenticates normally — including completing MFA
4. Kali365 infrastructure intercepts and captures the resulting OAuth access token
5. Attacker receives the OAuth token through the Telegram bot interface
6. Attacker uses the token to access victim's M365 — email, Teams, OneDrive, SharePoint
7. Token can persist for days or weeks without re-authentication
Why OAuth Tokens Are Dangerous
OAuth tokens:
- Bypass MFA — they represent a completed authentication, so MFA is never re-prompted
- Persist for extended periods — M365 tokens can remain valid for hours to days; refresh tokens can last weeks
- Grant broad access — a single token may cover email, calendar, files, Teams, and connected applications
- Are difficult to detect — token-based access looks identical to legitimate user activity in most audit logs
Kali365 as a Service
The Telegram-based delivery model reflects the broader democratization of cybercrime tooling. Kali365 operators maintain the phishing infrastructure — hosting, SSL certificates, token capture backends, and evasion techniques — while subscriber-criminals focus on targeting and social engineering.
This model means that even technically unsophisticated threat actors can run effective Microsoft 365 account takeover campaigns with minimal setup. The FBI advisory notes that this type of service significantly expands the pool of actors capable of targeting enterprise Microsoft 365 environments.
Affected Organizations
Any organization using Microsoft 365 is a potential target. Higher-risk environments include:
- Financial services firms — high-value email access for business email compromise (BEC)
- Legal and accounting firms — sensitive client data and wire transfer authority
- Healthcare organizations — PHI accessible via M365 integrations
- Government agencies — sensitive communications and SharePoint data
- Technology companies — source code repositories and credential stores accessible via M365
Indicators and Detection
Organizations should monitor Microsoft 365 audit logs for:
- Sign-ins from unexpected geographic locations immediately after a user completes MFA
- Token issuance to unfamiliar application IDs — Kali365 may register malicious OAuth apps
- Bulk email access or forwarding rule creation shortly after a successful authentication event
- Impossible travel — authentication events from two geographically distant locations within a short timeframe
- Device code authentication requests that users did not initiate
Microsoft Sentinel, Defender for Cloud Apps, and similar SIEM platforms can alert on these patterns.
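The three sign-in-side indicators above (impossible travel, token issuance to an unfamiliar application ID, and device code sign-ins the user did not initiate) can be checked with a few lines of code over exported sign-in records. The script below is an added example written for this page; it is not code from the FBI advisory, The Record, or Microsoft. The records, the application IDs, the `example.com` users and the field names are all constructed (they are modelled loosely on Entra ID sign-in log exports, with `protocol` standing in for the `authenticationProtocol` field), and the 900 km/h speed threshold is an illustrative choice.

```python
"""Added example: flag Kali365-style token-abuse patterns in M365 sign-in records.

Constructed sample data with assumed field names (modelled loosely on Entra ID
sign-in log exports); the thresholds are illustrative, not from the advisory.
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Hypothetical allowlist of application IDs the tenant expects tokens to be
# issued to (constructed GUIDs, not real Microsoft application IDs).
KNOWN_APP_IDS = {
    "11111111-1111-1111-1111-111111111111",  # e.g. the tenant's mail client
    "22222222-2222-2222-2222-222222222222",  # e.g. the tenant's Teams client
}
MAX_PLAUSIBLE_SPEED_KMH = 900   # faster than this between two sign-ins = impossible travel
MIN_TRAVEL_KM = 50              # ignore geo-IP jitter inside one metro area

# Constructed sign-in records; "deviceCode" marks a device-authorization-flow sign-in.
SAMPLE_SIGN_INS = [
    {"time": "2026-04-14T09:00:00+00:00", "user": "alice@example.com",
     "app_id": "11111111-1111-1111-1111-111111111111", "protocol": "oAuth2",
     "mfa": "success", "city": "London", "lat": 51.5074, "lon": -0.1278},
    {"time": "2026-04-14T09:20:00+00:00", "user": "alice@example.com",
     "app_id": "deadbeef-0000-0000-0000-000000000000", "protocol": "deviceCode",
     "mfa": "success", "city": "Lagos", "lat": 6.5244, "lon": 3.3792},
    {"time": "2026-04-14T09:00:00+00:00", "user": "bob@example.com",
     "app_id": "22222222-2222-2222-2222-222222222222", "protocol": "oAuth2",
     "mfa": "success", "city": "London", "lat": 51.5074, "lon": -0.1278},
    {"time": "2026-04-14T12:00:00+00:00", "user": "bob@example.com",
     "app_id": "11111111-1111-1111-1111-111111111111", "protocol": "oAuth2",
     "mfa": "success", "city": "Manchester", "lat": 53.4808, "lon": -2.2426},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def detect(sign_ins, known_app_ids=KNOWN_APP_IDS):
    """Return a list of findings, each a (rule, user, detail) tuple."""
    findings = []
    by_user = {}
    for rec in sign_ins:
        rec = dict(rec, time=datetime.fromisoformat(rec["time"]))
        by_user.setdefault(rec["user"], []).append(rec)

    for user, events in by_user.items():
        events.sort(key=lambda r: r["time"])
        # Impossible travel: compare each sign-in with the previous one for the same user.
        for prev, cur in zip(events, events[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (cur["time"] - prev["time"]).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")
            if km > MIN_TRAVEL_KM and speed > MAX_PLAUSIBLE_SPEED_KMH:
                findings.append(("impossible_travel", user,
                                 f"{prev['city']} -> {cur['city']}: {km:.0f} km in {hours * 60:.0f} min"))
        for ev in events:
            # A token issued to an application the tenant has never vetted.
            if ev["app_id"] not in known_app_ids:
                findings.append(("unfamiliar_app", user, f"token issued to app {ev['app_id']}"))
            # Device code sign-ins are rare for ordinary users and worth a ticket on their own.
            if ev["protocol"] == "deviceCode":
                findings.append(("device_code_signin", user,
                                 f"device code flow from {ev['city']} at {ev['time'].isoformat()}"))
    return findings


def run_detection():
    """Run the checks over the constructed sample records."""
    return detect(SAMPLE_SIGN_INS)


if __name__ == "__main__":
    for rule, user, detail in run_detection():
        print(f"[{rule}] {user}: {detail}")
```

Against the sample data, Alice's second sign-in trips all three rules (about 5,000 km in 20 minutes, an unknown app ID, and a device code flow) while Bob's London-to-Manchester trip over three hours stays quiet. In a real tenant the same logic would run over a scheduled export of sign-in logs, with the allowlist populated from the applications already approved in the admin consent workflow.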
Remediation and Defense
Immediate Steps
- Enable Conditional Access policies requiring compliant or managed devices for M365 access — this blocks many token-replay scenarios
- Restrict OAuth application consent — use admin consent workflows to prevent users from granting OAuth access to unvetted applications
- Enable Continuous Access Evaluation (CAE) — Microsoft's CAE feature revokes tokens in near-real-time when risk is detected
- Review existing OAuth applications — audit all applications with delegated or application permissions in your tenant
Phishing Resistance
- Deploy phishing-resistant MFA such as FIDO2 hardware keys or Windows Hello for Business — these are immune to token-interception phishing
- Enable Microsoft Authenticator number matching — reduces susceptibility to MFA fatigue attacks used alongside Kali365 lures
- Train users to recognize unexpected authentication prompts and report them to IT
For Incident Response
If a Kali365 compromise is suspected:
- Revoke all active refresh tokens for the affected user via Microsoft Entra ID (formerly Azure AD)
- Review audit logs for the past 30 days for suspicious access patterns
- Check for inbox rules, forwarding rules, and delegated access grants created by the attacker
- Scan for registered OAuth applications the attacker may have added to persist access
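The last three response steps (inbox and forwarding rules, delegated access grants, and OAuth applications added for persistence) amount to sweeping a mailbox for artifacts a token holder could have left behind. The script below is an added example for this page, not code from the advisory or from Microsoft. Its records, users, client IDs and field names are constructed (modelled loosely on the Graph `messageRule`, `oauth2PermissionGrant` and mailbox-permission objects), and the risky-scope list and incident window are illustrative assumptions. The first step, revoking refresh tokens, is an Entra ID action (in Microsoft Graph, `POST /users/{id}/revokeSignInSessions`) and is deliberately outside this triage script.

```python
"""Added example: triage persistence artifacts for a suspected Kali365 compromise.

Constructed records with assumed field names, loosely modelled on the Graph
messageRule, oauth2PermissionGrant and mailbox-permission objects; the scope
list and incident window are illustrative choices, not from the advisory.
"""
from datetime import datetime

TENANT_DOMAINS = {"example.com"}                      # constructed tenant domains
TRUSTED_CLIENT_IDS = {"11111111-1111-1111-1111-111111111111"}  # hypothetical vetted apps
# Delegated scopes that let a stolen grant keep reading or sending mail, touch
# files, or obtain refresh tokens (offline_access) after the incident.
RISKY_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "offline_access",
                "Files.ReadWrite.All", "MailboxSettings.ReadWrite"}
INCIDENT_START = datetime.fromisoformat("2026-04-14T09:00:00+00:00")  # constructed

# Constructed inbox rules: the second one is the classic BEC pattern (external
# forward, message deleted so the owner never sees it, near-empty name).
INBOX_RULES = [
    {"user": "alice@example.com", "name": "Invoices to finance", "created": "2026-03-02T10:00:00+00:00",
     "forward_to": ["finance@example.com"], "delete_message": False},
    {"user": "alice@example.com", "name": ".", "created": "2026-04-14T09:35:00+00:00",
     "forward_to": ["archive@mail.example.net"], "delete_message": True},
]
# Constructed OAuth consent grants; "deadbeef-..." is a placeholder for an unvetted app.
OAUTH_GRANTS = [
    {"user": "alice@example.com", "client_id": "11111111-1111-1111-1111-111111111111",
     "scope": "User.Read", "granted": "2025-11-01T08:00:00+00:00"},
    {"user": "alice@example.com", "client_id": "deadbeef-0000-0000-0000-000000000000",
     "scope": "Mail.ReadWrite offline_access", "granted": "2026-04-14T09:22:00+00:00"},
]
# Constructed mailbox delegates.
DELEGATES = [
    {"mailbox": "alice@example.com", "delegate": "contractor@example.com",
     "rights": "FullAccess", "granted": "2026-04-14T09:40:00+00:00"},
]


def is_external(address):
    """True when the address's domain is not one of the tenant's own domains."""
    return address.rsplit("@", 1)[-1].lower() not in TENANT_DOMAINS


def _ts(value):
    return datetime.fromisoformat(value)


def triage_user(user, rules=INBOX_RULES, grants=OAUTH_GRANTS, delegates=DELEGATES,
                since=INCIDENT_START):
    """Return findings for one mailbox, highest severity first.

    Anything created inside the incident window is 'high'; suspicious objects
    that predate it are 'medium' and still worth a human look.
    """
    findings = []

    for rule in rules:
        if rule["user"] != user:
            continue
        reasons = []
        if any(is_external(a) for a in rule["forward_to"]):
            reasons.append("forwards to an external address")
        if rule["delete_message"]:
            reasons.append("deletes the message after forwarding")
        if len(rule["name"].strip()) <= 1:
            reasons.append("near-empty rule name")
        if reasons:
            findings.append({"severity": "high" if _ts(rule["created"]) >= since else "medium",
                             "category": "suspicious_inbox_rule", "object": rule["name"],
                             "detail": "; ".join(reasons)})

    for grant in grants:
        if grant["user"] != user or grant["client_id"] in TRUSTED_CLIENT_IDS:
            continue
        risky = sorted(set(grant["scope"].split()) & RISKY_SCOPES)
        if risky:
            findings.append({"severity": "high" if _ts(grant["granted"]) >= since else "medium",
                             "category": "risky_oauth_grant", "object": grant["client_id"],
                             "detail": "unvetted app holds " + ", ".join(risky)})

    for d in delegates:
        if d["mailbox"] == user and _ts(d["granted"]) >= since:
            findings.append({"severity": "high", "category": "delegate_added_in_window",
                             "object": d["delegate"], "detail": f"{d['rights']} granted {d['granted']}"})

    order = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda f: order[f["severity"]])


if __name__ == "__main__":
    for f in triage_user("alice@example.com"):
        print(f"{f['severity'].upper():6} {f['category']:28} {f['object']}: {f['detail']}")
```

For Alice the script surfaces the external, self-deleting inbox rule, the unvetted application that was granted `Mail.ReadWrite` plus `offline_access` minutes after the suspicious sign-in, and the FullAccess delegate added in the same window; each of those is something a revoked refresh token does not remove, which is why the advisory lists them as separate steps.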
Context: OAuth Phishing Trend
Kali365 is part of a broader trend of OAuth-focused phishing attacks that have grown significantly in 2025–2026. Similar services include Tycoon2FA (which targets Microsoft and Google accounts), EvilProxy, and various device code phishing kits. The FBI's advisory signals that law enforcement has elevated concerns about this attack category given its effectiveness against MFA-protected environments.
Sources
- The Record — FBI warns of Kali365 phishing-as-a-service after April Microsoft 365 attacks