The recently discovered cybercrime platform, Kali365, is being utilized by attackers to access Microsoft services including Outlook, Teams, and OneDrive.
What is Kali365?
Kali365 is a subscription-based cybercrime platform that helps attackers launch automated phishing campaigns against cloud services, particularly Microsoft 365 accounts.
In a public advisory, the FBI explained that Kali365 is an emerging ‘Phishing-as-a-Service’ (PhaaS) platform that enables “cyber threat actors to acquire Microsoft 365 access tokens and bypass multi-factor authentication (MFA) protocols without intercepting user credentials.”
This platform was first detected in April 2026 and is reportedly being disseminated via Telegram.
The FBI noted that Kali365 allows cybercriminals to capture OAuth access tokens, providing persistent access to Microsoft 365 accounts. The scam generally begins with a phishing email that mimics a document-sharing service.
“Kali365 lowers the entry barrier, giving less-technical attackers access to AI-generated phishing lures, automated campaign templates, real-time targeted individual/entity tracking dashboards, and OAuth token capture capabilities,” the FBI stated in the Public Service Announcement (PSA).
A report from The Hill indicates that the platform costs scammers a monthly fee of $250. Microsoft has urged users to comply with the FBI’s recommendations. In a discussion with The Hill, a Microsoft spokesperson said, “More broadly, Microsoft actively works to disrupt the cybercriminal ecosystems behind phishing-as-a-service and account takeover activities to safeguard our customers.”
How the Kali365 scam works
Phishing email: Attackers begin by sending phishing emails that appear to originate from trusted cloud productivity or document-sharing services. These emails contain a device authentication code and instructions guiding users to a legitimate Microsoft verification page.
Users unknowingly grant access: Victims are prompted to enter the provided code on the authentic Microsoft page. By doing this, they inadvertently authorize the attacker’s device to access their Microsoft 365 account.
Access tokens are stolen: Once authorization is granted, attackers capture OAuth access and refresh tokens, allowing them to take control of the targeted account.
Continued access without passwords: Cybercriminals can access Microsoft services such as Outlook, Teams, and OneDrive without needing the user’s password or completing any additional multi-factor authentication (MFA) checks.
How users can protect themselves
The FBI recommended that users and organizations limit or block the use of device authentication codes to mitigate the risk of such attacks. It also advised organizations to disable device code authentication for the majority of users wherever feasible, while allowing exceptions for critical business operations.
The agency further suggested reviewing current use of device authentication codes, restricting the transfer of authentication between devices, and ensuring that emergency access accounts remain exempt from restrictions to prevent lockouts.
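One way to carry out the review of device code usage recommended above, as an added example (not code from the FBI advisory or from Microsoft): it sorts accounts in exported sign-in records into those that can be blocked, approved exceptions, emergency accounts, and unapproved uses to investigate. The field names assume an export shaped like the Microsoft Graph sign-in log; the accounts, IP addresses and allow-lists are constructed.

```python
import json
from collections import defaultdict

# Constructed sample records. Field names are an assumption based on the
# Microsoft Graph sign-in log; adjust them to match your own export.
SAMPLE_SIGNINS = json.loads("""[
 {"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.10"},
 {"userPrincipalName": "bob@example.com", "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.7"},
 {"userPrincipalName": "roomdisplay@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.20"},
 {"userPrincipalName": "breakglass@example.com", "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.7"},
 {"userPrincipalName": "carol@example.com", "authenticationProtocol": "authenticationTransfer", "ipAddress": "203.0.113.44"},
 {"userPrincipalName": "Alice@example.com", "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.7"}
]""")

# Flows the advisory asks organizations to restrict.
FLAGGED_FLOWS = {"deviceCode", "authenticationTransfer"}
# Hypothetical allow-lists: approved business exceptions and emergency access accounts.
APPROVED = {"roomdisplay@example.com"}
EMERGENCY = {"breakglass@example.com"}


def review_flows(signins, approved, emergency):
    """Return (report, evidence): a treatment per account plus the flagged records."""
    evidence = defaultdict(list)
    users = set()
    for rec in signins:
        upn = rec["userPrincipalName"].lower()  # UPNs are case-insensitive
        users.add(upn)
        if rec.get("authenticationProtocol") in FLAGGED_FLOWS:
            evidence[upn].append(rec)
    report = {"exempt": [], "exception": [], "investigate": [], "block": []}
    for upn in sorted(users):
        if upn in emergency:
            report["exempt"].append(upn)       # never restrict, to avoid lockout
        elif upn not in evidence:
            report["block"].append(upn)        # no observed use: safe to block the flow
        elif upn in approved:
            report["exception"].append(upn)    # documented business need
        else:
            report["investigate"].append(upn)  # unapproved use: review, then block
    return report, dict(evidence)


if __name__ == "__main__":
    report, evidence = review_flows(SAMPLE_SIGNINS, APPROVED, EMERGENCY)
    for treatment, accounts in report.items():
        print(f"{treatment}: {', '.join(accounts) or '-'}")
    for upn in report["investigate"]:
        for rec in evidence[upn]:
            print(f"  {upn} {rec['authenticationProtocol']} from {rec['ipAddress']}")
```

Accounts listed under "investigate" are the ones to check against the report details named below (time, IP address, location) before the flow is blocked for them.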
What to do if you are targeted
Anyone impacted by the Kali365 phishing kit should report their experience to the FBI’s Internet Crime Complaint Center (IC3). Users are encouraged to include relevant information, such as phishing emails, suspicious login attempts (time, IP address, location), and any unauthorized devices or active sessions linked to their accounts.