Breaking
JP速報:山本太郎代表がスピード違反で辞任表明、皇室典範改正案は10日採決へ、米軍はイランに追加攻撃CN台风“巴威”将至 浙江将迎强降雨和强风考验CN巴拿馬運河港口特許權爭議引發中美貿易緊張ARالأنظار تتجه نحو مواجهة المغرب وفرنسا في ربع نهائي كأس العالمJP小学校教諭、女児に卑わいな言動で逮捕INTLDRC Opposition Postpones Protests Amid AU MediationRUВСУ заявили о поражении более 25 российских судов в Азовском море. Что известноESGuardia Civil vincula al expresidente de Correos con la trama de Leire DíezRUПожар на промышленном предприятии под Ставрополем локализован после атаки БПЛАRUРоспотребнадзор: ареалы обитания клещей могут расширяться из-за изменения климатаJP速報:山本太郎代表がスピード違反で辞任表明、皇室典範改正案は10日採決へ、米軍はイランに追加攻撃CN台风“巴威”将至 浙江将迎强降雨和强风考验CN巴拿馬運河港口特許權爭議引發中美貿易緊張ARالأنظار تتجه نحو مواجهة المغرب وفرنسا في ربع نهائي كأس العالمJP小学校教諭、女児に卑わいな言動で逮捕INTLDRC Opposition Postpones Protests Amid AU MediationRUВСУ заявили о поражении более 25 российских судов в Азовском море. Что известноESGuardia Civil vincula al expresidente de Correos con la trama de Leire DíezRUПожар на промышленном предприятии под Ставрополем локализован после атаки БПЛАRUРоспотребнадзор: ареалы обитания клещей могут расширяться из-за изменения климата
Newsgather
BackFBI Warns of Kali365 Phishing-as-a-Service Targeting Microsoft 365
FBI Warns of Kali365 Phishing-as-a-Service Targeting Microsoft 365
Urgent
Times of India6/16/2026Tech3 min readIndia

FBI Warns of Kali365 Phishing-as-a-Service Targeting Microsoft 365

Quick Look

  • The FBI has issued a warning about Kali365, a Phishing-as-a-Service platform distributed via Telegram.
  • It enables cybercriminals to steal Microsoft 365 OAuth tokens, bypassing MFA and gaining persistent access to accounts.

AI-generated summary

Why It Matters

Kali365 is a Phishing-as-a-Service platform that emerged in April 2026, primarily distributed via Telegram. It allows cyber threat actors to steal Microsoft 365 OAuth tokens and bypass multi-factor authentication.

Font size

The Federal Bureau of Investigation (FBI) issued a Public Service Announcement (PSA), warning the public about an emerging Phishing1-as-a-Service2 (PhaaS) platform called Kali365.

First seen in April 2026, Kali365 has primarily been distributed via Telegram, enabling cyber threat actors to obtain Microsoft 365 access tokens and bypass multi-factor authentication (MFA) protocols without intercepting the user's credentials.

As stated in the FBI warning, cyber threat actors can capture "OAuth" tokens through the Kali365 platform subscription and gain persistent access to targeted individuals/entities' Microsoft 365 environments.

“Kali365 lowers the barrier of entry, providing less-technical attackers access to AI-generated phishing lures, automated campaign templates, real-time targeted individual/entity tracking dashboards, and OAuth token capture capabilities,” it said.

How the Kali365 scam works

As explained by FBI, cyber attackers deploy following tactics to lure citizens through the Kali365 subscription:

Lure: An attacker sends a phishing email impersonating trusted cloud productivity and document-sharing services. This phishing email contains a device code with instructions to visit a legitimate Microsoft verification page and enter the code.

Authorization: The targeted individuals/entities navigate to the real Microsoft page and pastes in the device code, unknowingly authorizing the attacker's device to access their account.

Token Theft: The attacker captures OAuth access and refresh tokens, granting them access to the targeted individuals/entities' Microsoft 365 account.

Persistence: The attacker can now access Microsoft 365 services such as Outlook, Teams, and OneDrive without needing a password or completing any additional MFA challenges.

Tips to protect yourself

FBI has also shared a list of security tips that one can take to avoid falling for the Kali365 scam. These are:

Restricting device code flow to limit or block device authentication codes can help prevent or limit this style of attack.

Create a conditional access policy to block device code flow for all users, with limited exceptions for required business processes.

Audit existing device code flow usage to identify legitimate dependencies before creating a conditional access policy.

Block authentication transfer policies to prevent users from transferring authentication from computers to mobile devices.

If you cannot completely restrict device code flow usage, exclude emergency access accounts to prevent lockouts.

“If you or someone you know has been impacted by the Kali365 Phishing kit, file a complaint with the Internet Crime Complaint Center (IC3) at www.ic3.gov. Be sure to include any available information, such as:

Any phishing emails (email header, body)

Suspicious logins (time, IP address, location)

Any unauthorized devices or active sessions added to the account,” the FBI said.

Open Questions

  • How many users have been affected by Kali365?
  • What is the origin of the Kali365 platform?
  • Will Microsoft release specific patches for this threat?

Related Topics

This article was originally published by Times of India.

Related Stories

More on this topicFBI