FBI ISSUES WARNING ABOUT DANGEROUS NEW MICROSOFT ACCOUNT BYPASS METHOD
The FBI has issued a Public Service Announcement warning about Kali365, an emerging Phishing-as-a-Service (PhaaS) platform first observed in April 2026. Distributed primarily through Telegram, Kali365 lets cybercriminals, even those with limited technical skills, obtain Microsoft 365 OAuth access and refresh tokens and sidestep multi-factor authentication (MFA) without ever handling the victim's password: the victim signs in and completes MFA themselves, and the tokens are issued to the attacker.
Subscribers gain access to AI-generated phishing lures, automated campaign templates, real-time tracking dashboards, and tools for capturing OAuth tokens, which grant persistent access to victims’ Microsoft 365 environments (including Outlook, Teams, and OneDrive).
The attack works as follows. The threat actor starts a device code authorization flow from their own machine, which causes Microsoft to mint a short user code, then sends a phishing email impersonating a trusted cloud service. The email carries that code and directs the recipient to a legitimate Microsoft verification page to enter it. When the user complies and signs in, including any MFA prompt, they are approving the attacker's pending sign-in, and Microsoft's token endpoint issues OAuth access and refresh tokens directly to the attacker's waiting client. The refresh token provides ongoing account access without the victim's password or further MFA prompts, and it survives a password reset, so incident response has to revoke the victim's sessions rather than only change the password. Two details shape the lure: the code is tied to the attacker's session, not to the victim's device, and it expires after a short window (about 15 minutes for Microsoft Entra), which is why these emails press for immediate action.
To protect against this threat, organizations should block the device code authentication flow with a Conditional Access policy that uses the "Authentication flows" condition, allowing only narrowly scoped exceptions for business processes that genuinely need it (headless devices and some command-line tooling are the usual cases). Before enforcing, audit existing usage in the Entra sign-in logs, filtered on the authentication protocol, so legitimate users and apps can be identified and excepted; a policy in report-only mode is a low-risk way to do this against live traffic. The same condition should block authentication transfer, the flow that moves a signed-in session from one device to another, since it offers a similar route to tokens on an attacker-controlled device. Emergency access (break-glass) accounts should be excluded from this policy, as from any policy that blocks sign-in, so that a misconfiguration cannot lock administrators out.
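The audit-then-block sequence above as an added example (not code from the FBI announcement or from Microsoft). The sign-in records are constructed to mirror the fields of the Microsoft Graph `signIn` resource, in particular its `authenticationProtocol` value; the policy body follows the Graph `conditionalAccessPolicy` schema as I understand it (the `authenticationFlows.transferMethods` condition), and the field names should be checked against the current API reference before it is posted. The exclusion list holds the object ids of the emergency access accounts, shown here as placeholders.

```python
"""Audit device code / authentication transfer usage, then build the Conditional Access
policy that blocks both. Sample records and ids are constructed, not real tenant data."""
import json
from collections import defaultdict

# Constructed sample: a subset of fields from GET /auditLogs/signIns (not real log data)
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7",
     "location": {"countryOrRegion": "NL"}, "createdDateTime": "2026-05-02T10:14:09Z"},
    {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Microsoft Teams",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "US"}, "createdDateTime": "2026-05-02T08:01:44Z"},
    {"userPrincipalName": "svc-kiosk@contoso.example", "appDisplayName": "Azure CLI",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.22",
     "location": {"countryOrRegion": "US"}, "createdDateTime": "2026-05-01T06:30:00Z"},
    {"userPrincipalName": "bob@contoso.example", "appDisplayName": "Microsoft Authenticator",
     "authenticationProtocol": "authenticationTransfer", "ipAddress": "203.0.113.31",
     "location": {"countryOrRegion": "US"}, "createdDateTime": "2026-05-03T12:00:00Z"},
    {"userPrincipalName": "bob@contoso.example", "appDisplayName": "Outlook",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.31",
     "location": {"countryOrRegion": "US"}, "createdDateTime": "2026-05-03T12:05:00Z"},
]

# The two flows the Conditional Access policy below blocks
RESTRICTED_FLOWS = {"deviceCode", "authenticationTransfer"}


def audit_authentication_flows(signins: list[dict]) -> dict:
    """Summarise who still uses the flows about to be blocked, keyed by (user, app, flow),
    so that business exceptions can be scoped before enforcement. Each entry also notes
    whether the sign-in came from a country never seen in that user's ordinary
    (non-restricted) sign-ins; that is a triage heuristic, not proof of compromise."""
    usual_countries = defaultdict(set)
    for s in signins:
        if s["authenticationProtocol"] not in RESTRICTED_FLOWS:
            usual_countries[s["userPrincipalName"]].add(s["location"]["countryOrRegion"])

    summary = {}
    for s in signins:
        flow = s["authenticationProtocol"]
        if flow not in RESTRICTED_FLOWS:
            continue
        user = s["userPrincipalName"]
        key = (user, s["appDisplayName"], flow)
        entry = summary.setdefault(key, {"count": 0, "ips": set(), "unfamiliar_country": False})
        entry["count"] += 1
        entry["ips"].add(s["ipAddress"])
        # Only flag when we have a baseline for this user and the country is not in it
        known = usual_countries.get(user, set())
        if known and s["location"]["countryOrRegion"] not in known:
            entry["unfamiliar_country"] = True
    return summary


def build_block_policy(display_name: str, exclude_user_ids: list[str],
                       report_only: bool = True) -> dict:
    """Body for POST https://graph.microsoft.com/beta/identity/conditionalAccess/policies.
    Field names follow the Graph conditionalAccessPolicy schema as understood here
    (assumption: verify against the current reference). Report-only first, then 'enabled'."""
    if not exclude_user_ids:
        # Never ship a blocking policy without at least one break-glass exclusion
        raise ValueError("exclude at least one emergency access account")
    return {
        "displayName": display_name,
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(exclude_user_ids)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            "authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    for (user, app, flow), info in audit_authentication_flows(SAMPLE_SIGNINS).items():
        flag = "  <-- unfamiliar country" if info["unfamiliar_country"] else ""
        print(f"{user:28} {app:24} {flow:22} n={info['count']} ips={sorted(info['ips'])}{flag}")
    # Placeholder object id for the break-glass account; substitute the real one
    print(json.dumps(build_block_policy("Block device code and authentication transfer",
                                        ["00000000-0000-0000-0000-00000000b1a5"]), indent=2))
```

In the sample, `svc-kiosk` shows up as a legitimate device code consumer to exempt (or migrate), `bob` uses authentication transfer from his usual location, and `alice`'s device code sign-in from a country she never otherwise signs in from is the one to investigate before the policy is switched from report-only to enabled.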
The FBI encourages anyone impacted by Kali365 or similar phishing kits to report the incident to the Internet Crime Complaint Center (IC3) at www.ic3.gov, including phishing emails, suspicious login details, and unauthorized sessions. Additional guidance is available in CISA’s Phishing Guidance: Stopping the Attack Cycle at Phase One.
