A new phishing‑as‑a‑service platform called Kali365 lets attackers hijack Microsoft 365 accounts, steal OAuth tokens and bypass multi‑factor authentication, the FBI warned in a public service announcement [1]. The scheme gives low‑skill hackers AI‑generated lures and live‑tracking tools, expanding the pool of actors able to access Outlook, Teams and OneDrive without a password.
| At a glance | |
|---|---|
| Threat name | Kali365 phishing‑as‑a‑service |
| First seen | April 2026 (distributed via Telegram) |
| Core capability | Capture OAuth tokens to bypass MFA |
| FBI recommendation | Block device‑code sign‑ins and auth transfers |
Kali365 operates on a subscription model that provides ready‑made phishing templates, AI‑crafted emails and a dashboard that tracks successful credential grabs [4]. The attack starts with a spoofed email that appears to come from a trusted cloud or document‑sharing service and includes a device code. Victims are directed to a legitimate Microsoft verification page, where entering the code unknowingly authorizes the attacker’s device. The attacker then captures the OAuth token—essentially a digital key that keeps the user logged into Microsoft services—allowing persistent access without triggering additional MFA prompts [1][4].
The FBI advises organizations to limit or block the use of device authentication codes, which the scam exploits, and to prevent authentication transfers between computers and mobile devices [1]. If disabling the feature entirely would lock out emergency accounts, the agency suggests creating exceptions only for essential users and ensuring a backup account can restore access if needed. Reports of suspected attacks should be filed with the Internet Crime Complaint Center, including phishing emails, login timestamps and IP addresses [1].
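One way to prepare that change, as an added example that is not from the FBI alert or the outlets cited here: build a Conditional Access policy body that blocks device code flow and authentication transfer with an exception list, then check exported sign-in records to see which users it would affect and collect the timestamps and IP addresses a report would need. The field names are assumed from Microsoft Graph's conditional access and sign-in log schemas, and the account IDs and log rows are constructed placeholders.

```python
import json

# Sign-in log protocol value -> Conditional Access transfer method. Field
# names are assumed from Microsoft Graph's signIn and conditionalAccessPolicy
# resources; check them against your tenant's export.
FLOW_BY_PROTOCOL = {"deviceCode": "deviceCodeFlow",
                    "authenticationTransfer": "authenticationTransfer"}
TRANSFER_METHODS = "deviceCodeFlow,authenticationTransfer"

def build_block_policy(exempt_user_ids, report_only=True):
    """Policy body blocking both flows for everyone except exempt IDs."""
    return {
        "displayName": "Block device code flow and authentication transfer",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"],
                      "excludeUsers": sorted(exempt_user_ids)},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": TRANSFER_METHODS},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }

def affected_signins(records, policy):
    """Sign-ins the policy would block, as (time, user, ip, flow) tuples."""
    cond = policy["conditions"]
    exempt = set(cond["users"]["excludeUsers"])
    blocked = set(cond["authenticationFlows"]["transferMethods"].split(","))
    hits = []
    for r in records:
        flow = FLOW_BY_PROTOCOL.get(r.get("authenticationProtocol"))
        if flow in blocked and r.get("userId") not in exempt:
            hits.append((r["createdDateTime"], r["userPrincipalName"],
                         r["ipAddress"], flow))
    return sorted(hits)

# Constructed sample records (not real log data); all IDs are placeholders.
BACKUP_ID = "00000000-0000-0000-0000-00000000000a"  # hypothetical exempt account
FIELDS = ("createdDateTime", "userId", "userPrincipalName", "ipAddress",
          "authenticationProtocol")
SAMPLE = [dict(zip(FIELDS, row)) for row in [
    ("2026-06-01T09:14:02Z", "u-1", "alice@example.com", "203.0.113.7", "deviceCode"),
    ("2026-06-01T09:20:41Z", BACKUP_ID, "backup@example.com", "198.51.100.4", "deviceCode"),
    ("2026-06-01T10:02:13Z", "u-2", "bob@example.com", "192.0.2.55", "oAuth2"),
]]

if __name__ == "__main__":
    policy = build_block_policy([BACKUP_ID])
    print(json.dumps(policy, indent=2))
    for hit in affected_signins(SAMPLE, policy):
        print(*hit)
```

The policy defaults to report-only so the affected sign-ins can be reviewed before the block is enforced.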
By packaging sophisticated token‑stealing tools into a low‑cost subscription, Kali365 lowers the barrier to entry for cybercrime, potentially increasing the volume of Microsoft 365 account takeovers [4]. Enterprises that rely heavily on Microsoft 365 for collaboration may face higher exposure to data exfiltration and operational disruption, especially if they continue to allow device‑code sign‑ins. The FBI’s alert underscores a broader trend of “phishing‑as‑a‑service” platforms that automate social engineering, a shift that could pressure cloud providers to tighten token‑issuance controls.
The FBI’s warning highlights a growing vulnerability in the OAuth token model that underpins Microsoft 365’s convenience features. Whether Microsoft can adapt its authentication flow quickly enough to blunt this threat will shape the security landscape for cloud‑based productivity suites.
AI-assisted synthesis by the TrendWatcher Editorial Desk · sourced from 4 outlets · Jun 28, 2026 · How we report
The FBI reported that Kali365 was first seen in April 2026.
Kali365 tricks users into approving a device‑code request on a legitimate Microsoft verification page, allowing attackers to capture OAuth tokens without needing the password or additional MFA prompts.
Microsoft advises following FBI recommendations, keeping MFA enabled, reviewing account activity, revoking suspicious sessions, and possibly restricting the device‑code flow via conditional access policies.