FBI warns Kali365 Microsoft 365 phishing steals OAuth tokens and can bypass MFA


The FBI is warning that Kali365 Microsoft 365 phishing attacks are making it easier for criminals to break into business accounts without stealing a password in the usual way. The threat centers on a phishing kit called Kali365, sold on Telegram, that targets Microsoft 365 OAuth tokens and can bypass multi-factor authentication.

That matters because the scheme leans on something users are trained to trust: legitimate Microsoft pages. Instead of pushing victims to a fake login screen, attackers trick them into entering a device code on a real Microsoft verification page. In that moment, the victim may think they are confirming access for themselves. In reality, they are authorizing the attacker.

Once that happens, the fallout can spread across the tools many companies use every day. The FBI said attackers can gain access to Microsoft 365 services including Outlook, Teams, and OneDrive, turning a single successful phishing attempt into broader account access.

What the FBI is warning about

The core alert is straightforward: the FBI warned of a phishing kit called Kali365.

According to the warning, Kali365 is sold on Telegram and is designed to steal Microsoft 365 OAuth tokens. The FBI also said the kit lowers the barrier to entry, meaning less-technical attackers can use it to carry out account compromise campaigns that once required more skill.

That is a notable shift. When phishing tools become packaged, sold, and easy to use, the threat no longer depends only on advanced operators. It becomes more scalable. A wider pool of attackers can run the same playbook against employees, contractors, and organizations that rely on Microsoft 365 every day.

This is one reason the Kali365 Microsoft 365 phishing threat stands out. It is not just about one tool circulating online. It is about the industrialization of phishing tactics around cloud identity and session access.

How Kali365 tricks Microsoft 365 users

Kali365 is built to steal Microsoft 365 OAuth tokens and bypass MFA, according to the FBI warning. That makes it different from older phishing setups that focused mainly on harvesting usernames, passwords, and one-time codes.

Instead, the attackers abuse device code flow. Victims are lured into entering device codes on legitimate Microsoft pages. Because the page is real, the interaction can feel routine and safe, which is exactly what makes the technique dangerous.

After the code is entered, the victim unknowingly authorizes attacker access to their Microsoft 365 environment. The FBI said that can give the attacker access to services such as:

  • Outlook
  • Teams
  • OneDrive

In practice, that means a successful attack can move quickly from a single user action to persistent access through OAuth access tokens and OAuth refresh tokens. For defenders, this is a reminder that MFA alone does not stop every account takeover path if attackers can trick users into granting access through approved workflows.

That is the deeper issue behind Kali365 Microsoft 365 phishing campaigns. They exploit trust in legitimate authentication steps, not just fear or urgency in a fake email. For security teams, that changes the response. Training users to avoid suspicious links still matters, but identity controls and policy settings become just as important.

How to reduce exposure

The FBI warning points to several mitigation steps, with two standing out as especially important: restricting device code flow and enforcing conditional access policies.

Those controls matter because the attack depends on a victim being able to complete that device authorization process. Tightening how device code flow is used can reduce the number of opportunities attackers have to abuse it. Conditional access policies can add guardrails around who gets access and under what conditions.

Additional steps cited in the warning include auditing existing device code flow usage and blocking authentication transfer by policy.
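One way to carry out the auditing step above, as an added example that is not part of the FBI alert or this article: scan an export of Entra ID sign-in records, keep the successful device code flow sign-ins, count them per user, and flag any that came from an application not on an allowlist. The field names are assumed to follow the Microsoft Graph `signIn` resource, and the sample records are constructed.

```python
"""Audit sign-in records for device code flow use (added example).

Field names (authenticationProtocol, originalTransferMethod, status.errorCode)
are assumed from the Microsoft Graph signIn schema; check them against your
tenant's export. All records below are constructed for the example.
"""
import json
from collections import Counter

# Constructed sample export of sign-in records (JSON text, as from an export).
SAMPLE_SIGNINS = json.dumps([
    {"id": "1", "userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Azure CLI",
     "authenticationProtocol": "oAuth2", "originalTransferMethod": "none",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"id": "2", "userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "originalTransferMethod": "deviceCodeFlow",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},
    {"id": "3", "userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "originalTransferMethod": "deviceCodeFlow",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}},  # non-zero = failed sign-in
    {"id": "4", "userPrincipalName": "carol@example.com", "appDisplayName": "Microsoft Azure CLI",
     "authenticationProtocol": "deviceCode", "originalTransferMethod": "deviceCodeFlow",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
])

# Applications whose device code sign-ins are expected in this (hypothetical) tenant.
EXPECTED_DEVICE_CODE_APPS = {"Microsoft Azure CLI"}


def is_device_code(rec):
    """True if the record was a device code flow sign-in (either field suffices)."""
    return (rec.get("authenticationProtocol") == "deviceCode"
            or rec.get("originalTransferMethod") == "deviceCodeFlow")


def audit_device_code(signins_json, expected_apps=EXPECTED_DEVICE_CODE_APPS):
    """Count successful device code sign-ins per user and flag unexpected apps."""
    by_user = Counter()
    findings = []
    for rec in json.loads(signins_json):
        if not is_device_code(rec):
            continue
        if rec.get("status", {}).get("errorCode", 0) != 0:
            continue  # failed attempt: a token was never issued, so no session to review
        by_user[rec["userPrincipalName"]] += 1
        if rec.get("appDisplayName") not in expected_apps:
            findings.append({"id": rec["id"], "user": rec["userPrincipalName"],
                             "app": rec.get("appDisplayName"), "ip": rec.get("ipAddress")})
    return {"device_code_success_by_user": dict(by_user), "findings": findings}
```

Each finding is a granted device code session from an app the tenant does not expect to use that flow; the review of that session and its tokens is then a manual step.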

For organizations using Microsoft 365, the message is clear: identity security now has to account for token theft and consent-based abuse, not just password theft. The Kali365 Microsoft 365 phishing threat shows how modern phishing keeps evolving around the tools people already trust, and why administrators who treat device code flow as a niche feature may need to look at it much more closely.
