Skip to main content
Emerging ThreatsMalware & Ransomware

FBI Warns of Kali365 Phishing Kit's OAuth Token Heist

Modern office setting with laptop and smartphone on a tidy desk, hinting at a cyber threat.

First detected in April 2026, Kali365 is a new phishing-as-a-service platform that lets even low-skilled attackers capture Microsoft 365 OAuth tokens and bypass multifactor authentication, the FBI warned in an advisory published on May 21.

What Kali365 offers to criminals

The FBI describes Kali365 as a subscription-based PhaaS platform distributed primarily via Telegram. According to the advisory, Kali365 supplies threat actors with AI-generated phishing lures, automated campaign templates and real-time targeted individual and entity tracking dashboards. Through the platform, actors can capture OAuth access and refresh tokens for Microsoft 365 accounts and, the FBI says, gain persistent access to targeted individuals’ or entities’ Microsoft 365 environments.

The attack chain the FBI laid out

The advisory sets out a straightforward social-engineering sequence. An attacker sends a phishing email impersonating trusted cloud productivity and document-sharing services. The email contains a device code and instructs the recipient to visit a legitimate Microsoft verification page and enter the code. Victims who follow those instructions paste the device code into the real Microsoft page, unknowingly authorizing the attacker’s device to access their account. The attacker then captures OAuth access and refresh tokens and uses them to access Microsoft 365 services such as Outlook, Teams and OneDrive.

How token capture defeats MFA without stealing passwords

Crucially, the FBI’s advisory notes that Kali365-enabled actors can bypass multifactor authentication without intercepting the user’s credentials. By capturing OAuth access and refresh tokens, an attacker can access Microsoft 365 services without a password and without completing any additional MFA challenges, allowing them to establish persistence in the compromised account.

FBI-recommended mitigations

To blunt Kali365-style campaigns, the FBI recommends technical and policy controls that focus on the device code flow and authentication transfer behavior. The advisory’s specific recommendations are:

  • Restrict device code flow to limit or block device authentication codes
  • Create a conditional access policy to block device code flow for all users, with limited exceptions for required business processes
  • Block authentication transfer policies to prevent users from transferring authentication from computers to mobile devices
  • Exclude emergency access accounts to prevent lockouts

How technologists, enterprises, and end users are affected

Technologists and security teams will need to consider the controls the FBI lists: restricting the device code flow and implementing conditional access policies that block that flow for most users. Those actions are presented in the advisory as direct countermeasures to the mechanism Kali365 exploits.

Affected enterprises and procurement leaders should note the advisory’s assessment that Kali365 is a subscription PhaaS distributed mainly via Telegram and that it supplies automated templates and tracking dashboards; the implication in the advisory is that relatively unsophisticated actors can run persistent campaigns. That dynamic bears on decisions about vendor controls, account configuration and emergency-access account handling.

End users and the general public are called out indirectly by the advisory’s description of the social-engineering step: victims are asked to paste a device code into a legitimate Microsoft verification page. The FBI’s account makes clear that following those instructions is the critical moment that grants the attacker token-based access.

The FBI’s advisory frames Kali365 not as a high-skill bespoke tool but as a service that couples automated phishing content with a practical route to bypass MFA through OAuth token capture. The recommended defensive steps focus tightly on the device-code mechanism and authentication transfer behavior—the specific controls that, according to the advisory, block the technique Kali365 exploits.

Original story