The FBI has issued an urgent warning about a rapidly spreading cybercrime platform known as Kali365, a “phishing-as-a-service” toolkit that enables criminals to hijack Microsoft 365 accounts while bypassing multi-factor authentication protections. Unlike traditional phishing attacks that focus on stealing passwords, Kali365 exploits Microsoft’s legitimate OAuth device-code authentication process, tricking users into authorizing an attacker’s device through a real Microsoft login page. Once victims enter a code supplied in a phishing email, hackers can obtain access tokens that grant persistent access to Outlook, Teams, OneDrive, and other Microsoft services without ever knowing the user’s password. Federal authorities say the platform lowers the technical barrier for cybercriminals by providing AI-generated phishing lures, automated campaign tools, and real-time monitoring dashboards, making advanced attacks accessible even to relatively inexperienced bad actors. The warning underscores the continuing evolution of cyber threats, demonstrating that convenience features and trusted authentication systems can become powerful attack vectors when exploited through social engineering.
Sources
- https://nypost.com/2026/05/28/business/fbi-sounds-alarm-on-phishing-tool-that-steals-microsoft-365-accounts
- https://www.ic3.gov/PSA/2026/PSA260521
- https://www.techradar.com/pro/security/fbi-warns-of-kali-phishing-scam-hitting-microsoft-oauth-tokens-warns-kali365-lowers-the-barrier-of-entry-providing-less-technical-attackers-access-to-ai-generated-phishing-lures
- https://www.itpro.com/security/fbi-warns-microsoft-365-users-about-another-phishing-as-a-service-attack-heres-how-to-avoid-it
Key Takeaways
- The Kali365 platform allows attackers to bypass multi-factor authentication by stealing OAuth access tokens rather than passwords.
- The service is being marketed through Telegram and provides automated phishing tools, AI-generated lures, and victim-tracking dashboards that make sophisticated cyberattacks available to low-skill criminals.
- The threat highlights a growing reality in cybersecurity: even strong authentication measures can be undermined when users are manipulated into voluntarily authorizing access through legitimate systems.
In-Depth
The FBI’s warning about Kali365 should serve as a reminder that cybersecurity threats are evolving faster than many organizations are prepared to handle. For years, businesses and government agencies have pushed users toward multi-factor authentication as a critical defense against account compromise. That strategy remains important, but Kali365 demonstrates that determined criminals are increasingly targeting the human element rather than the technology itself.
The attack exploits Microsoft’s legitimate device-code authentication system, a feature designed to help users sign in on devices that lack full keyboards or traditional login interfaces. Rather than cracking passwords or breaching security systems, attackers simply convince victims to participate in the compromise themselves. By persuading users to enter a supplied code on a legitimate Microsoft page, criminals receive access tokens that provide ongoing access to accounts and cloud resources.
What makes this development particularly troubling is the democratization of sophisticated cybercrime. In the past, launching advanced phishing campaigns required substantial technical expertise. Kali365 packages those capabilities into a subscription service complete with automated templates, AI-generated content, and management dashboards. The result is a dramatically expanded pool of potential attackers.
From a policy perspective, the rise of platforms like Kali365 exposes a broader challenge facing modern digital infrastructure. Security systems have become increasingly dependent on user behavior and trust. While technology providers continue adding layers of protection, criminals are adapting by exploiting legitimate workflows and authentication mechanisms rather than attacking the underlying software itself.
For businesses, the lesson is clear: cybersecurity can no longer rely solely on passwords and multi-factor authentication. Employee education, strict access controls, continuous monitoring, and rapid incident response capabilities are becoming equally important. As cybercriminals industrialize their operations and leverage artificial intelligence to improve effectiveness, organizations that fail to adapt risk finding that yesterday’s best practices are no longer sufficient to stop tomorrow’s attacks.
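As an added example (not taken from the FBI advisory or the source articles), here is one way the continuous monitoring mentioned above could flag sign-ins completed through the device-code flow. The record layout is a simplified assumption modeled on Microsoft Entra sign-in log fields, and the function name, the `allowed_users` parameter and all sample records are hypothetical.

```python
import json
from collections import defaultdict

# Constructed sample sign-in records (not real telemetry). Field names are modeled
# on Microsoft Entra sign-in logs; the flat "country" and "errorCode" keys are a
# simplification, with errorCode 0 meaning success and any other value a failure.
SAMPLE_LOG = """
{"createdDateTime":"2026-05-20T08:01:00Z","userPrincipalName":"alice@example.com","authenticationProtocol":"oAuth2","ipAddress":"198.51.100.10","country":"US","errorCode":0}
{"createdDateTime":"2026-05-20T08:05:00Z","userPrincipalName":"bob@example.com","authenticationProtocol":"oAuth2","ipAddress":"198.51.100.11","country":"US","errorCode":0}
{"createdDateTime":"2026-05-21T09:00:00Z","userPrincipalName":"bob@example.com","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.11","country":"US","errorCode":0}
{"createdDateTime":"2026-05-22T14:30:00Z","userPrincipalName":"alice@example.com","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.77","country":"NL","errorCode":0}
{"createdDateTime":"2026-05-22T15:00:00Z","userPrincipalName":"carol@example.com","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.78","country":"NL","errorCode":1}
{"createdDateTime":"2026-05-23T03:10:00Z","userPrincipalName":"bob@example.com","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.90","country":"BR","errorCode":0}
"""

def find_suspicious_device_code_signins(log_text, allowed_users=frozenset()):
    """Flag successful device-code sign-ins that break policy or a user's baseline.

    allowed_users (hypothetical parameter): accounts with an approved need for
    the device-code flow, such as shared-room or kiosk devices.
    """
    events = sorted((json.loads(line) for line in log_text.splitlines() if line.strip()),
                    key=lambda e: e["createdDateTime"])  # ISO 8601 sorts as text
    seen_countries = defaultdict(set)  # per-user baseline from unflagged sign-ins
    alerts = []
    for e in events:
        if e["errorCode"] != 0:
            continue  # a failed sign-in issued no tokens
        user, country, reasons = e["userPrincipalName"], e["country"], []
        if e["authenticationProtocol"] == "deviceCode":
            if user not in allowed_users:
                reasons.append("device-code flow used by non-approved user")
            # With no prior history for the user, the country check is skipped.
            if seen_countries[user] and country not in seen_countries[user]:
                reasons.append("country not seen before for user")
        if reasons:
            # Flagged events stay out of the baseline until an analyst clears them.
            alerts.append({"time": e["createdDateTime"], "user": user,
                           "ip": e["ipAddress"], "reasons": reasons})
        else:
            seen_countries[user].add(country)
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_device_code_signins(SAMPLE_LOG, {"bob@example.com"}):
        print(alert)
```

An alert from this check is a prompt to review the account and revoke its active sessions and tokens, since resetting the password alone does not invalidate tokens that were already issued.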

