FBI Warns ‘Kali365’ Phishing Kit Hijacks Microsoft 365 OAuth Tokens

FBI Warns ‘Kali365’ Phishing Kit Hijacks Microsoft 365 OAuth Tokens

By Kevin Poireault
Publication Date: 2026-05-25 09:30:00

A new phishing-as-a-service (PhaaS) platform called Kali365 is being distributed in the wild, primarily via Telegram, the FBI has warned.

First detected in April 2026, Kali365 provides cyber threat actors access to AI-generated phishing lures, automated campaign templates real-time targeted individual and entity tracking dashboards.

It also enables technically low-level individuals to capture OAuth tokens – Microsoft 365 access tokens – and bypass multifactor authentication (MFA) protocols without intercepting the user’s credentials.

Through the Kali365 platform subscription, cyber threat actors can gain persistent access to targeted individuals/entities’ Microsoft 365 environments.

Kali365 Attack Chain

In a typical attack chain, detailed by the FBI in an advisory published on May 21, an attacker initiates the scam by sending a phishing email that impersonates trusted cloud productivity and document-sharing services.

This email contains a device code along with…