Categories: Cyber Security News

FBI Warns of Kali365 Attacks Targeting Microsoft 365 Users to Steal Logins

The FBI and multiple security sources warn that the new Kali365 Phishing-as-a-Service (PhaaS) kit is enabling large-scale token-theft attacks against Microsoft 365 users.

According to the FBI’s Internet Crime Complaint Center (IC3), Kali365 was first observed in April 2026 and is being distributed primarily via Telegram channels favored by cybercriminals.

The platform is designed to steal Microsoft 365 OAuth access and refresh tokens, enabling attackers to access Outlook, Teams, OneDrive, and other services without needing user passwords or additional MFA prompts.

Kali365 operates on a subscription-based PhaaS model, mirroring earlier kits such as Raccoon0365 that sold turnkey phishing infrastructure to low-skilled attackers targeting Microsoft 365 tenants worldwide.

This “phishing kit economy” significantly lowers the barrier to entry by abstracting away infrastructure, templates, and token handling for customers.

The FBI notes that Kali365 campaigns typically start with phishing emails impersonating trusted cloud productivity or document-sharing services and include a “device code” with instructions directing users to a legitimate Microsoft verification page.

Victims then navigate to the real Microsoft site and paste in the provided code, unknowingly authorizing the attacker’s device via the OAuth device code flow.

Once the authorization completes, the attacker captures OAuth access and refresh tokens, granting persistent access to the victim’s Microsoft 365 tenant.

Similar to other token-focused kits described by commercial security researchers, Kali365’s approach effectively decouples account takeover from credential theft, allowing attackers to reuse authenticated sessions even when MFA is enforced.

IC3 reporting and social media posts from the FBI Cyber Division highlight that Kali365 includes AI-generated phishing lures, automated campaign templates, real-time tracking dashboards, and integrated token capture logic.

These features let non-technical actors orchestrate coordinated campaigns with professional-looking emails and centralized victim monitoring.

Security vendors tracking related phishing ecosystems note that PhaaS offerings such as Kali365 and Raccoon0365 provide continuous updates to evasion techniques, including improved brand impersonation and anti-analysis measures.

The FBI urges organizations to restrict or block the OAuth device code flow where possible by implementing Conditional Access policies in Microsoft Entra ID, while auditing existing usage to avoid disrupting legitimate workflows.

Administrators are further advised to block authentication transfer policies, limit session transfer between devices, and exclude designated break-glass accounts from blanket restrictions to prevent lockouts.
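The audit-then-block sequence described above can be sketched as follows. This is an added example, not code from the FBI advisory or from Microsoft: the sign-in records are constructed, their field names assume the Microsoft Graph beta sign-in log schema, and the allow-list and break-glass ID are hypothetical placeholders.

```python
from collections import Counter

# Constructed sign-in records. Field names follow the Microsoft Graph beta
# signIn resource; the flat-list export shape is an assumption.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Microsoft Azure CLI",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"userPrincipalName": "Alice@contoso.example", "appDisplayName": "Microsoft Azure CLI",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"userPrincipalName": "room1@contoso.example", "appDisplayName": "Microsoft Teams",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso.example", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso.example", "appDisplayName": "Office 365 Exchange Online",
     "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@contoso.example", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 1}},  # failed attempt
]

def device_code_usage(signins):
    """Count successful device code sign-ins per (user, app) pair."""
    usage = Counter()
    for rec in signins:
        ok = (rec.get("status") or {}).get("errorCode") == 0
        if rec.get("authenticationProtocol") == "deviceCode" and ok:
            usage[(rec["userPrincipalName"].lower(), rec["appDisplayName"])] += 1
    return usage

def unexpected_usage(usage, approved):
    """Pairs seen using the flow that are not documented legitimate workflows."""
    return sorted(pair for pair in usage if pair not in approved)

def block_policy(break_glass_ids, report_only=True):
    """Conditional Access policy body blocking device code flow and auth transfer."""
    return {
        "displayName": "Block device code flow and authentication transfer",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass_ids)},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }

if __name__ == "__main__":
    approved = {("alice@contoso.example", "Microsoft Azure CLI")}  # hypothetical allow-list
    print(unexpected_usage(device_code_usage(SAMPLE_SIGNINS), approved))
    print(block_policy(["<break-glass-object-id>"]))
```

Starting the policy in report-only state lets the audit output be compared against what the policy would have blocked before it is enforced.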

CISA’s phishing guidance recommends reinforcing user awareness of device-code and OAuth consent scams, deploying advanced anti-phishing controls in Microsoft Defender for Office 365, and enabling token protection to bind tokens to specific devices.

Victims of Kali365 or similar phishing incidents are encouraged to report to IC3 at ic3.gov with email artifacts, suspicious login data, and details of unauthorized devices or sessions to support law enforcement investigations.

The post FBI Warns of Kali365 Attacks Targeting Microsoft 365 Users to Steal Logins appeared first on Cyber Security News.

rssfeeds-admin
