
FBI warns of Kali365 phishing-as-a-service after April Microsoft 365 attacks

Cybercriminals are using a new, easy-to-use service to trick people into giving them access to their Microsoft 365 accounts, according to the FBI.

The law enforcement agency published an advisory on Thursday about Kali365 — a Telegram-based service for cybercriminals that allows them to capture legitimate "OAuth" tokens enabling widespread access to Microsoft 365 environments. 

Multiple cybersecurity companies warned last month that they were seeing hundreds of attacks enabled by Kali365. The tool, which the FBI referred to as a Phishing-as-a-Service platform, “lowers the barrier of entry, providing less-technical attackers access to AI-generated phishing lures, automated campaign templates, real-time targeted individual/entity tracking dashboards, and OAuth token capture capabilities.”

“First seen in April 2026, Kali365 has primarily been distributed via Telegram, enabling cyber threat actors to obtain Microsoft 365 access tokens and bypass multi-factor authentication (MFA) protocols without intercepting the user's credentials,” the FBI said. 

The phishing emails impersonate trusted cloud productivity and document-sharing services and contain a short code along with instructions to visit a legitimate Microsoft verification page. This is Microsoft's device login flow, the OAuth 2.0 device authorization grant designed for input-constrained devices: a client requests a code, and whoever enters that code on the verification page while signed in authorizes that client.

When the person goes to the page and enters the code, they unknowingly authorize the attacker's device to access their account, the FBI explained. Because the victim signs in, including any MFA prompt, on Microsoft's own page, nothing is intercepted and no fake login page is needed. With the resulting OAuth access and refresh tokens, the hackers can then access Microsoft 365 services like Outlook, Teams and OneDrive without needing a password or additional verification, for as long as the refresh token remains valid. 
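The exchange described above, simulated end to end against a mock identity provider, is given here as an added example; it is not Kali365 code, and the endpoints, client ID and victim identity are placeholders. The mock follows the OAuth 2.0 device authorization grant (RFC 8628), which is the same protocol behind Microsoft's flow (in Microsoft's case the user-facing page is https://microsoft.com/devicelogin and the client polls the tenant's token endpoint). The point it demonstrates is that the only party that ever authenticates is the victim, on the legitimate page, while the tokens are delivered to whoever started the flow.

```python
"""Offline simulation of the OAuth 2.0 device authorization grant (RFC 8628)
being redirected to an attacker. Added example with a mock identity provider;
not Kali365 code and not Microsoft's endpoints."""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"  # consonants only, as many real IdPs do


@dataclass
class DeviceAuth:
    device_code: str          # long secret held by the *client*, used for polling
    user_code: str            # short code the *user* types on the verification page
    client_id: str
    scope: str
    expires_at: float
    approved_by: Optional[str] = None


class MockAuthorizationServer:
    """Stand-in for the identity provider; real servers behave the same at this level."""

    def __init__(self, lifetime_s: int = 900):
        self.lifetime_s = lifetime_s
        self.by_device_code: Dict[str, DeviceAuth] = {}
        self.by_user_code: Dict[str, DeviceAuth] = {}

    def device_authorization(self, client_id: str, scope: str) -> dict:
        """POST /devicecode. Anyone who knows a public client_id can start a flow;
        no user credential is involved at this step."""
        auth = DeviceAuth(
            device_code=secrets.token_urlsafe(32),
            user_code="".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(9)),
            client_id=client_id, scope=scope,
            expires_at=time.time() + self.lifetime_s)
        self.by_device_code[auth.device_code] = auth
        self.by_user_code[auth.user_code] = auth
        return {"device_code": auth.device_code, "user_code": auth.user_code,
                "verification_uri": "https://idp.example/devicelogin",  # mock URL
                "expires_in": self.lifetime_s, "interval": 5}

    def verification_page(self, user_code: str, authenticated_user: str) -> str:
        """The legitimate sign-in page. The user authenticates (password + MFA) and
        types the code; the page has no way to show who requested that code."""
        auth = self.by_user_code.get(user_code)
        if auth is None or time.time() > auth.expires_at:
            return "invalid_or_expired_code"
        auth.approved_by = authenticated_user
        return "approved"

    def token(self, client_id: str, device_code: str) -> dict:
        """POST /token with grant_type=urn:ietf:params:oauth:grant-type:device_code."""
        auth = self.by_device_code.get(device_code)
        if auth is None or auth.client_id != client_id:
            return {"error": "invalid_grant"}
        if time.time() > auth.expires_at:
            return {"error": "expired_token"}
        if auth.approved_by is None:
            return {"error": "authorization_pending"}
        del self.by_device_code[device_code]       # device codes are single use
        del self.by_user_code[auth.user_code]
        tag = secrets.token_hex(8)
        return {"token_type": "Bearer", "scope": auth.scope,
                "access_token": f"at.{auth.approved_by}.{tag}",
                "refresh_token": f"rt.{auth.approved_by}.{tag}"}


def run_device_code_phish(server: MockAuthorizationServer,
                          victim: str = "alice@contoso.example") -> dict:
    """Walk attacker, lure and victim through the flow and return every artefact."""
    client_id = "00000000-mock-public-client"  # placeholder, not a real app id
    # 1. The attacker's own machine starts the flow and receives a user_code.
    start = server.device_authorization(client_id, "Mail.ReadWrite offline_access")
    # 2. The attacker polls; nothing has been approved yet.
    first_poll = server.token(client_id, start["device_code"])
    # 3. The lure carries only the genuine verification URL and the code.
    lure = (f"Your shared document is ready. Open {start['verification_uri']} "
            f"and enter code {start['user_code']} to view it.")
    # 4. The victim does exactly what the lure says, on the real IdP page, with MFA.
    page_result = server.verification_page(start["user_code"], victim)
    # 5. The attacker's next poll receives tokens minted for the victim's identity.
    tokens = server.token(client_id, start["device_code"])
    # 6. Replaying the device code fails; the refresh token is what gives persistence.
    replay = server.token(client_id, start["device_code"])
    return {"lure": lure, "first_poll": first_poll, "page_result": page_result,
            "tokens": tokens, "replay": replay}
```

Note that the lure contains nothing a URL filter can object to: the link is the identity provider's own, and the code is a legitimate code. The defensive hooks are therefore elsewhere, in whether the device code grant is allowed for that user and app at all, and in what happens with the tokens afterwards.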

Throughout April, cybersecurity firms released warnings about hundreds of attacks involving hackers using Kali365 and other phishing-as-a-service platforms that enabled the same type of campaigns.

Cybersecurity firms Proofpoint, IBM and Huntress all noted in their own reports that there are multiple services akin to Kali365 that offer similar capabilities. 

Incident responders at Arctic Wolf said they dealt with a large campaign of attacks enabled by Kali365 in April. Instead of stealing credentials, cybercriminals simply initiated device login requests and tricked victims into completing the authorization on their behalf, Arctic Wolf said. 

“The campaign relied on high‑fidelity lures directing victims to Microsoft’s legitimate device login flow, where users unknowingly authorized threat actor‑initiated sessions,” Arctic Wolf said. 

“Captured OAuth access and refresh tokens enabled immediate mailbox access and post‑compromise activity. In select cases, threat actors established malicious inbox rules to suppress security notifications, extending dwell time and reducing user awareness.”
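The two artefacts Arctic Wolf describes, a sign-in completed through the device code grant and an inbox rule that hides security mail, both leave records a defender can hunt for. The following is an added example of that hunting logic, not Arctic Wolf's or Microsoft's code; it runs over constructed records shaped like Entra ID sign-in log entries (which expose an authenticationProtocol field) and Exchange Online unified audit log entries for New-InboxRule, and correlates the two per user within a time window.

```python
"""Hunt for device-code sign-ins followed by notification-suppressing inbox
rules. Added example over constructed records; field names mirror Entra ID
sign-in logs and the Exchange Online unified audit log, values are made up."""
import json
from datetime import datetime, timedelta

# Constructed sample data (not real telemetry).
SIGNIN_LOGS = [
    {"createdDateTime": "2026-04-14T09:02:11Z", "userPrincipalName": "alice@contoso.example",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office",
     "ipAddress": "203.0.113.77", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-04-14T09:05:40Z", "userPrincipalName": "bob@contoso.example",
     "authenticationProtocol": "authorizationCode", "appDisplayName": "Microsoft Teams",
     "ipAddress": "198.51.100.20", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-04-14T09:07:03Z", "userPrincipalName": "carol@contoso.example",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office",
     "ipAddress": "203.0.113.78", "status": {"errorCode": 50058}},  # failed, excluded
]
AUDIT_LOGS = [
    {"CreationTime": "2026-04-14T09:09:30Z", "Operation": "New-InboxRule",
     "UserId": "alice@contoso.example", "ClientIP": "203.0.113.77",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectOrBodyContainsWords",
                     "Value": "security alert;unusual sign-in;password"},
                    {"Name": "MoveToFolder", "Value": "RSS Feeds"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"CreationTime": "2026-04-14T11:30:00Z", "Operation": "New-InboxRule",
     "UserId": "bob@contoso.example", "ClientIP": "198.51.100.20",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "FromAddressContainsWords", "Value": "news@vendor.example"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
]

SECURITY_KEYWORDS = ("security", "sign-in", "signin", "password", "mfa",
                     "suspicious", "alert", "hacked", "phish")
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "archive", "junk email", "deleted items", "notes"}
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def device_code_signins(records):
    """Successful sign-ins that used the device code grant. These are rare in most
    tenants, so each one is worth checking against the user's expected devices."""
    return [r for r in records
            if r.get("authenticationProtocol") == "deviceCode"
            and r.get("status", {}).get("errorCode") == 0]


def suspicious_inbox_rules(records):
    """Rules that would hide mail, and either target security wording or carry a
    throwaway name (a single character is a common attacker habit)."""
    flagged = []
    for r in records:
        if r.get("Operation") not in RULE_OPS:
            continue
        params = {p["Name"]: str(p["Value"]) for p in r.get("Parameters", [])}
        hides = (params.get("DeleteMessage", "").lower() == "true"
                 or params.get("MarkAsRead", "").lower() == "true"
                 or params.get("MoveToFolder", "").lower() in HIDING_FOLDERS)
        text = " ".join(v.lower() for k, v in params.items() if "ContainsWords" in k)
        targets_security = any(kw in text for kw in SECURITY_KEYWORDS)
        if hides and (targets_security or len(params.get("Name", "")) <= 2):
            flagged.append(r)
    return flagged


def correlate(signins, rules, window=timedelta(hours=24)):
    """Users with a device-code sign-in followed within `window` by a suspicious rule."""
    hits = []
    for s in device_code_signins(signins):
        for rule in suspicious_inbox_rules(rules):
            if rule["UserId"].lower() != s["userPrincipalName"].lower():
                continue
            gap = _ts(rule["CreationTime"]) - _ts(s["createdDateTime"])
            if timedelta(0) <= gap <= window:
                hits.append({"user": s["userPrincipalName"], "signin_ip": s["ipAddress"],
                             "rule_ip": rule["ClientIP"],
                             "minutes_after_signin": gap.total_seconds() / 60,
                             "same_ip": s["ipAddress"] == rule["ClientIP"]})
    return hits


if __name__ == "__main__":
    for h in correlate(SIGNIN_LOGS, AUDIT_LOGS):
        print(json.dumps(h))
```

In a real tenant the same logic maps onto the SigninLogs table's AuthenticationProtocol column and the audit log's New-InboxRule operations. Two caveats a responder should keep in mind: a device-code sign-in alone is not proof of compromise (some legitimate clients use the grant), and because the access comes from refresh tokens rather than the password, a password reset alone does not end it; the user's sessions have to be revoked so the refresh tokens stop working, and, where the grant is not needed, Conditional Access can block the device code flow for the tenant or for selected users.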

The company gained access to the Kali365 system, finding that it offered three tiers and ranged in cost from $250 for 30 days to $2,000 for 365 days.

The platform allows cybercriminals to generate branded phishing lures using well-known services like Adobe, DocuSign and SharePoint. It offers lures in dozens of languages, layouts and design themes.

The platform generates the HTML phishing pages as well as the phishing emails that deliver them. Kali365 even offers users a downloadable desktop version. 

Once victims are tricked, the OAuth access and refresh tokens are captured and stored by the Kali365 platform. They can be shared with others and reused. 

“These tokens provide immediate and persistent access to Microsoft 365 services and enable a full post‑compromise workflow, including mailbox access, contact harvesting, lateral phishing, keyword monitoring for business email compromise, and administrative actions if the captured token corresponds to a Microsoft 365 account with sufficient privileges,” Arctic Wolf explained. 

Cybersecurity experts said Kali365 is another example of how the cybercriminal ecosystem is professionalizing and dispersing as less skilled actors get involved. On Tuesday, Microsoft disrupted another “as-a-service” cybercriminal tool that abused legitimate services to enable the delivery of malware. 

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.