Cybersecurity risks tied to Microsoft 365 accounts have escalated sharply after the FBI issued a new warning about a rapidly spreading phishing platform known as Kali365, which is being used to hijack Outlook, Teams, and OneDrive accounts by bypassing multi-factor authentication (MFA).
The warning, detailed in an FBI Internet Crime Complaint Center advisory, highlights how attackers are no longer relying on stolen passwords alone. Instead, they are exploiting legitimate Microsoft login processes to gain long-term access to corporate and personal accounts.
New Phishing-as-a-Service Tool Lowers Barrier for Cybercriminals
According to the FBI, Kali365 is a Phishing-as-a-Service (PhaaS) platform that has been circulating through Telegram-based underground channels since April 2026. It allows even low-skilled attackers to launch advanced phishing campaigns using ready-made tools, automated templates, and AI-generated lures.

The FBI has warned that this shift represents a broader trend in cybercrime where subscription-based attack kits are making sophisticated intrusions widely accessible.
How Kali365 Bypasses MFA Protections
Unlike traditional phishing scams that trick users into entering passwords on fake websites, Kali365 uses a more advanced method based on Microsoft’s OAuth 2.0 device code authentication flow. The attack abuses legitimate authentication mechanisms rather than exploiting software vulnerabilities, a tactic increasingly discussed in Microsoft security guidance on the OAuth device code flow.
In these attacks, victims receive messages impersonating trusted services such as Teams or SharePoint. They are instructed to visit a legitimate Microsoft login page and enter a short device code.
Once the victim completes this action, the attacker is granted OAuth access and refresh tokens. These tokens allow persistent access to the victim’s Microsoft 365 account without needing a password or triggering repeated MFA prompts. Security researchers have increasingly categorized such techniques as sophisticated OAuth phishing attack methods that exploit trust in legitimate authentication systems.
The FBI warns that this method can result in long-term account compromise until the stolen tokens are revoked manually or expire.
Outlook, Teams, and OneDrive at Risk
Once attackers gain access, they can move laterally across Microsoft services including:
- Outlook email inboxes
- Microsoft Teams conversations and file sharing
- OneDrive and SharePoint cloud storage
This enables cybercriminals to not only steal sensitive data but also use compromised accounts to launch further phishing attacks inside organizations. Recent Microsoft Exchange zero-day attacks have further highlighted the growing risks facing organizations that depend heavily on Microsoft’s communications ecosystem.
Security experts say the most dangerous aspect of the campaign is persistence, since attackers can maintain access even after password resets if tokens remain valid.
FBI and Security Experts Issue Mitigation Advice
The FBI has urged both individuals and organizations to take immediate steps to reduce exposure. Recommended measures include restricting device code authentication, implementing conditional access policies, and auditing OAuth token activity.
Cybersecurity analysts also recommend deploying Security Information and Event Management (SIEM) systems capable of detecting abnormal authentication behavior tied to token theft. Organizations seeking stronger Microsoft Entra identity protection controls are being encouraged to review authentication policies and token management practices.
Experts further warn that enterprises using Microsoft 365 should treat OAuth token security as seriously as password protection, given the rise of MFA-bypassing techniques. The broader landscape of Microsoft cybersecurity news continues to show attackers shifting toward identity-focused attacks rather than conventional malware campaigns.
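One way to act on the auditing and detection advice above, as an added example that is not from the FBI advisory or from Microsoft: the Python below flags successful device code sign-ins by accounts that are not expected to use that flow, and raises the severity when the same account is then used from a different IP address. The flat record layout, the allowlist and the 24-hour window are assumptions, and the sample records are constructed; map the fields to your own sign-in log export.

```python
from datetime import datetime, timedelta

# Constructed sample records. The flat layout is an assumption; in Entra
# sign-in logs the flow appears as authenticationProtocol "deviceCode"
# and a status error code of 0 means the sign-in succeeded.
SIGNINS = [
    {"time": "2026-05-04T09:12:00", "user": "alice@example.com",
     "ip": "203.0.113.10", "protocol": "deviceCode", "error": 0},
    {"time": "2026-05-04T09:20:00", "user": "alice@example.com",
     "ip": "198.51.100.77", "protocol": "none", "error": 0},
    {"time": "2026-05-04T10:00:00", "user": "kiosk01@example.com",
     "ip": "203.0.113.50", "protocol": "deviceCode", "error": 0},
    {"time": "2026-05-04T11:00:00", "user": "bob@example.com",
     "ip": "203.0.113.11", "protocol": "deviceCode", "error": 99999},
    {"time": "2026-05-04T11:30:00", "user": "carol@example.com",
     "ip": "203.0.113.12", "protocol": "none", "error": 0},
]

def detect(signins, allowlist, window=timedelta(hours=24)):
    """Return alerts for successful device code sign-ins outside the allowlist."""
    events = sorted(signins, key=lambda e: datetime.fromisoformat(e["time"]))
    alerts = []
    for i, ev in enumerate(events):
        if ev["protocol"] != "deviceCode" or ev["error"] != 0:
            continue  # other flows and failed attempts are out of scope here
        if ev["user"] in allowlist:
            continue  # accounts documented as needing the flow (hypothetical list)
        start = datetime.fromisoformat(ev["time"])
        # Later successful activity by the same user from a different address
        # suggests the issued tokens are being used somewhere else.
        new_ips = sorted({
            later["ip"] for later in events[i + 1:]
            if later["user"] == ev["user"] and later["error"] == 0
            and later["ip"] != ev["ip"]
            and datetime.fromisoformat(later["time"]) - start <= window
        })
        alerts.append({"user": ev["user"], "time": ev["time"], "ip": ev["ip"],
                       "new_ips": new_ips,
                       "severity": "high" if new_ips else "medium"})
    return alerts

if __name__ == "__main__":
    for alert in detect(SIGNINS, allowlist={"kiosk01@example.com"}):
        print(alert)
```

A "medium" alert still deserves review, because a successful device code sign-in by an ordinary user account is unusual on its own.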
A Growing Phishing Economy on Telegram
Kali365 is part of a broader underground ecosystem where phishing tools are sold as subscriptions. These platforms often include dashboards for tracking victims, automated phishing templates, and real-time credential harvesting tools.
Researchers say this model has transformed phishing from a manual scam into a scalable cybercrime industry, with tools becoming increasingly affordable and easy to deploy. Similar trends have been tracked through the Microsoft security blog, which has documented the evolution of identity-based attacks targeting cloud services.
The FBI has emphasized that this trend represents a major escalation in cyber threats targeting cloud-based productivity platforms used globally across businesses and government agencies. Ongoing cybercrime investigations continue to reveal how phishing-as-a-service operations are becoming one of the fastest-growing segments of the underground economy.
Why This Attack Matters
Microsoft 365 remains one of the most widely used enterprise productivity suites in the world, making it a high-value target for attackers.
With organizations increasingly dependent on cloud collaboration tools, successful account compromise can lead to data theft, financial fraud, and large-scale business email compromise attacks. The FBI and security experts warn that organizations should treat identity security as a frontline defense layer as attackers increasingly focus on exploiting trusted authentication workflows instead of breaking into systems through traditional methods.
Authorities continue to monitor the spread of Kali365 and similar phishing platforms as part of broader efforts to disrupt cybercriminal infrastructure targeting organizations around the world.

