
What Is Kali365? FBI Warns Of Telegram-Based Phishing Service Targeting Microsoft 365 Users

Washington: Beware if you are using the Microsoft 365 suite! The Federal Bureau of Investigation (FBI) has issued a warning about a newly discovered cybercrime platform known as Kali365, a phishing-as-a-service (PhaaS) tool that is being used to compromise Microsoft 365 accounts while bypassing multi-factor authentication (MFA). The platform, first identified in April 2026, is reportedly being distributed through Telegram channels and is designed to make sophisticated phishing attacks accessible even to less experienced cybercriminals.

What Is Kali365?

Kali365 operates as a subscription-based cybercrime service that enables threat actors to launch automated phishing campaigns aimed primarily at Microsoft 365 users. According to the FBI, the platform offers a range of ready-made tools, including AI-generated phishing messages, campaign automation features, real-time monitoring dashboards, and capabilities to capture OAuth access tokens. These tools significantly reduce the technical expertise required to conduct large-scale phishing operations. 

How Does the Attack Work?

The FBI has outlined a multi-step process used by attackers leveraging Kali365.

The attack begins with a phishing email that appears to come from a trusted cloud service or document-sharing platform. The message includes a device code and instructions directing the recipient to a legitimate Microsoft login page. 

Once the user enters the device code, they unknowingly authorize an attacker-controlled device. Instead of stealing passwords, the attackers capture OAuth access and refresh tokens, which provide authenticated access to the victim’s Microsoft 365 account. 

Using these tokens, cybercriminals can access services such as Outlook, Teams, and OneDrive without needing passwords or additional MFA verification, allowing them to maintain access for extended periods. 

Security Experts Are Concerned

Unlike conventional phishing attacks that focus on stealing passwords, Kali365 exploits Microsoft’s device code authentication process and OAuth token system. As a result, attackers can bypass MFA protections and retain access even if a victim later changes their password. This makes both detection and remediation more challenging for users and IT teams. 

Security researchers note that the rise of phishing-as-a-service platforms reflects a broader trend in cybercrime, where advanced hacking tools are increasingly packaged into easy-to-use subscription services. 

FBI’s Recommended Safeguards

To reduce exposure to the threat, the FBI has advised organizations to strengthen Microsoft 365 security controls. Recommended measures include restricting or disabling device-code authentication where possible, implementing stricter conditional access policies, reviewing device-code usage, and preventing unauthorized authentication transfers between devices. Organizations are also encouraged to continuously monitor login activity and suspicious account sessions. 
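One way to carry out the "reviewing device-code usage" step, as an added example that is not taken from the FBI advisory or from Microsoft: the script summarises device-code sign-ins per user from exported sign-in records so that unexpected accounts stand out. The field names (`authenticationProtocol`, `originalTransferMethod`, `status.errorCode`) are assumed to match a Microsoft Graph sign-in log export, the records are constructed, and the function names and approved-account list are hypothetical.

```python
import json
from collections import defaultdict

# Constructed sample records, not real log data. Field names are assumed to
# follow a Microsoft Graph sign-in log export; adjust them to your own export.
SAMPLE_SIGNINS = json.loads("""[
 {"createdDateTime": "2026-05-04T09:12:00Z", "userPrincipalName": "alice@example.com",
  "appDisplayName": "Microsoft Office", "ipAddress": "198.51.100.20",
  "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
 {"createdDateTime": "2026-05-04T09:30:00Z", "userPrincipalName": "alice@example.com",
  "appDisplayName": "Office 365 Exchange Online", "ipAddress": "203.0.113.7",
  "authenticationProtocol": "none", "status": {"errorCode": 0}},
 {"createdDateTime": "2026-05-04T10:01:00Z", "userPrincipalName": "kiosk-tv@example.com",
  "appDisplayName": "Microsoft Teams Rooms", "ipAddress": "203.0.113.50",
  "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
 {"createdDateTime": "2026-05-04T11:45:00Z", "userPrincipalName": "Bob@example.com",
  "appDisplayName": "Microsoft Office", "ipAddress": "198.51.100.21",
  "authenticationProtocol": "deviceCode", "status": {"errorCode": 1}}
]""")

def is_device_code(event):
    """True when the sign-in used, or originated from, the device-code flow."""
    return (event.get("authenticationProtocol") == "deviceCode"
            or event.get("originalTransferMethod") == "deviceCodeFlow")

def review_device_code_usage(signins, approved_users=()):
    """Summarise device-code sign-ins per user, skipping approved accounts."""
    approved = {u.lower() for u in approved_users}
    report = defaultdict(lambda: {"succeeded": 0, "failed": 0, "ips": set(),
                                  "apps": set(), "first_seen": None})
    for event in sorted(signins, key=lambda e: e["createdDateTime"]):
        user = event["userPrincipalName"].lower()
        if not is_device_code(event) or user in approved:
            continue
        entry = report[user]
        ok = event.get("status", {}).get("errorCode") == 0  # 0 = success
        entry["succeeded" if ok else "failed"] += 1
        entry["ips"].add(event["ipAddress"])
        entry["apps"].add(event["appDisplayName"])
        entry["first_seen"] = entry["first_seen"] or event["createdDateTime"]
    return dict(report)

if __name__ == "__main__":
    found = review_device_code_usage(SAMPLE_SIGNINS, ["kiosk-tv@example.com"])
    for user, e in found.items():
        print(user, e["succeeded"], e["failed"], sorted(e["ips"]), e["first_seen"])
```

Accounts that legitimately sign in from input-constrained devices go in the approved list; any other user with a successful device-code sign-in is a candidate for session revocation and follow-up.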

Reporting Suspected Incidents

The FBI has requested that individuals and organizations affected by Kali365-related attacks report incidents to the Internet Crime Complaint Center (IC3) through its website, www.ic3.gov. Reports should include phishing email details, suspicious login information, IP addresses, timestamps, and any evidence of unauthorized device or session activity.
