{"id":13071,"date":"2026-05-22T10:03:40","date_gmt":"2026-05-22T10:03:40","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/05\/22\/fbi-warns-of-kali365-attacking-microsoft-365-users-to-steal-logins-and-bypass-mfa\/"},"modified":"2026-05-22T10:03:40","modified_gmt":"2026-05-22T10:03:40","slug":"fbi-warns-of-kali365-attacking-microsoft-365-users-to-steal-logins-and-bypass-mfa","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/05\/22\/fbi-warns-of-kali365-attacking-microsoft-365-users-to-steal-logins-and-bypass-mfa\/","title":{"rendered":"FBI Warns of Kali365 Attacking Microsoft 365 Users to Steal Logins and Bypass MFA"},"content":{"rendered":"<p>    FBI Warns of Kali365 Attacking Microsoft 365 Users to Steal Logins and Bypass MFA<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n    <!-- no image --><br \/>\n \t<BR><br \/>\n<BR><\/BR><\/p>\n<div>\n<p class=\"wp-block-paragraph\">The FBI has issued a new cybersecurity warning about a rapidly emerging <a href=\"https:\/\/cybersecuritynews.com\/phishing-as-a-service-the-rise-of-subscription-based-cybercrime\/\" target=\"_blank\" rel=\"noreferrer noopener\">phishing-as-a-service (PhaaS)<\/a> platform named Kali365, which is actively targeting Microsoft 365 users to steal access tokens and bypass multi-factor authentication (MFA).<\/p>\n<p class=\"wp-block-paragraph\">Kali365 is being distributed primarily through Telegram channels, where threat actors can subscribe to the service and launch phishing campaigns with minimal technical knowledge.<\/p>\n<p class=\"wp-block-paragraph\">Unlike traditional credential-harvesting attacks, Kali365 focuses on capturing OAuth tokens, enabling attackers to gain <a href=\"https:\/\/cybersecuritynews.com\/oauth-device-code-phishing-attack\/\" target=\"_blank\" rel=\"noreferrer noopener\">persistent access to Microsoft 365 accounts<\/a> without requiring usernames, passwords, or MFA codes.<\/p>\n<p class=\"wp-block-paragraph\">The platform includes several built-in features that lower the barrier to entry for attackers:<\/p>\n<ul class=\"wp-block-list\">\n<li>AI-generated phishing email templates impersonating trusted services.<\/li>\n<li>Automated campaign deployment tools.<\/li>\n<li>Real-time dashboards to track victims.<\/li>\n<li>\n<a href=\"https:\/\/cybersecuritynews.com\/ongoing-campaign-targets-microsoft-365\/\" target=\"_blank\" rel=\"noreferrer noopener\">OAuth token<\/a> capture mechanisms.<\/li>\n<\/ul>\n<p class=\"wp-block-paragraph\">This combination enables even low-skilled attackers to execute sophisticated phishing campaigns at scale.<\/p>\n<h2 id=\"h-kali365-phaas-targets-microsoft-365\" class=\"wp-block-heading\">\n<strong>Kali365 PhaaS<\/strong> <strong>Targets Microsoft 365<\/strong><br \/>\n<\/h2>\n<p class=\"wp-block-paragraph\">The Kali365 attack leverages Microsoft\u2019s legitimate device code authentication flow to trick users into authorizing malicious access.<\/p>\n<ul class=\"wp-block-list\">\n<li>\n<strong>Lure:<\/strong> Victims receive phishing emails that appear to be from Microsoft or document-sharing platforms. These emails include a device code and instructions.\n<\/li>\n<li>\n<strong>Authorization:<\/strong> The victim is directed to a legitimate Microsoft verification page and asked to enter the provided code.\n<\/li>\n<li>\n<strong>Token Theft:<\/strong> By entering the code, the user unknowingly authorizes the attacker\u2019s session, allowing them to capture OAuth access and refresh tokens.\n<\/li>\n<li>\n<strong>Persistence:<\/strong> Attackers can then <a href=\"https:\/\/cybersecuritynews.com\/microsoft-365-services-and-copilot-outage\/\" target=\"_blank\" rel=\"noreferrer noopener\">access services like Outlook, Teams, and OneDrive<\/a> without triggering MFA again.<\/li>\n<\/ul>\n<p class=\"wp-block-paragraph\">This technique is particularly dangerous because it exploits legitimate authentication workflows, making detection more difficult.<\/p>\n<figure class=\"wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter\">\n<div class=\"wp-block-embed__wrapper\">\n<div class=\"embed-twitter\">\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Today the FBI released a <a href=\"https:\/\/twitter.com\/hashtag\/PSA?src=hash&amp;ref_src=twsrc%5Etfw\">#PSA<\/a> warning the public about Kali365\u2014an emerging Phishing-as-a-Service (PhaaS) platform. Kali365, first seen in April 2026, enables cyber threat actors to obtain Microsoft 365 access tokens and bypass multi-factor authentication (MFA) protocols without\u2026 <a href=\"https:\/\/t.co\/AalckpLVHG\">pic.twitter.com\/AalckpLVHG<\/a><\/p>\n<p>\u2014 FBI Cyber Division (@FBICyberDiv) <a href=\"https:\/\/twitter.com\/FBICyberDiv\/status\/2057567340401705090?ref_src=twsrc%5Etfw\">May 21, 2026<\/a>\n<\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script>\n<\/div>\n<\/div>\n<\/figure>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.ic3.gov\/PSA\/2026\/PSA260521\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Tracked under Alert Number I-052126-PSA <\/a>and first observed in April 2026, the platform is gaining traction among cybercriminals due to its ease of use and advanced capabilities.<\/p>\n<p class=\"wp-block-paragraph\">Once access is gained, attackers can:<\/p>\n<ul class=\"wp-block-list\">\n<li>Read and exfiltrate emails.<\/li>\n<li>Access sensitive files stored in OneDrive.<\/li>\n<li>Monitor communications via Teams.<\/li>\n<li>Maintain long-term persistence using refresh tokens.<\/li>\n<\/ul>\n<p class=\"wp-block-paragraph\">Because credentials are not directly stolen, traditional security alerts may not be triggered, thereby increasing dwell time.<\/p>\n<h2 id=\"h-mitigation-recommendations\" class=\"wp-block-heading\"><strong>Mitigation Recommendations<\/strong><\/h2>\n<p class=\"wp-block-paragraph\">The FBI and CISA recommend several defensive measures to reduce exposure:<\/p>\n<ul class=\"wp-block-list\">\n<li>Restrict or turn off device code flow authentication where possible.<\/li>\n<li>Implement conditional access policies to block unauthorized device code usage.<\/li>\n<li>Audit existing device code flow dependencies before applying restrictions.<\/li>\n<li>Block authentication transfer between devices.<\/li>\n<li>Maintain emergency access accounts to prevent lockouts.<\/li>\n<\/ul>\n<p class=\"wp-block-paragraph\">Organizations should also monitor for unusual sign-ins and token usage patterns.<\/p>\n<p class=\"wp-block-paragraph\">Victims of Kali365-related attacks are encouraged to report incidents to the FBI\u2019s Internet Crime Complaint Center (IC3) at www.ic3.gov. Key information to include:<\/p>\n<ul class=\"wp-block-list\">\n<li>Phishing email samples (headers and content).<\/li>\n<li>Suspicious login details (IP, time, location).<\/li>\n<li>Unauthorized devices or active sessions.<\/li>\n<\/ul>\n<p class=\"wp-block-paragraph\">As phishing techniques continue to evolve, the Kali365 platform highlights a growing shift toward<a href=\"https:\/\/cybersecuritynews.com\/cloud-api-security\/\" target=\"_blank\" rel=\"noreferrer noopener\"> token-based attacks<\/a> that bypass traditional defenses, reinforcing the need for stronger identity and access controls.<\/p>\n<p class=\"has-text-align-center has-background wp-block-paragraph\" style=\"background:linear-gradient(180deg,rgb(238,238,238) 91%,rgb(169,184,195) 100%)\"><strong>Follow us on\u00a0<a href=\"https:\/\/news.google.com\/publications\/CAAqMggKIixDQklTR3dnTWFoY0tGV041WW1WeWMyVmpkWEpwZEhsdVpYZHpMbU52YlNnQVAB?hl=en-IN&amp;gl=IN&amp;ceid=IN:en\" target=\"_blank\" rel=\"noreferrer noopener\">Google News<\/a>,\u00a0<a href=\"https:\/\/www.linkedin.com\/company\/cybersecurity-news\/\" target=\"_blank\" rel=\"noreferrer noopener\">LinkedIn<\/a>,\u00a0and\u00a0<a href=\"https:\/\/x.com\/cyber_press_org\" target=\"_blank\" rel=\"noreferrer noopener\">X<\/a>\u00a0to Get More Instant Updates.<\/strong><\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/kali365-phaas-microsoft-365\/\">FBI Warns of Kali365 Attacking Microsoft 365 Users to Steal Logins and Bypass MFA<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p> \t<BR><br \/>\n <BR><\/BR><br \/>\n    Abinaya<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/kali365-phaas-microsoft-365\/\">Go to cyber-security-news<\/a><br \/>\n \t<BR><br \/>\n <BR><\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"<p>FBI Warns of Kali365 Attacking Microsoft 365 Users to Steal Logins and Bypass MFA The FBI has issued a new cybersecurity warning about a rapidly emerging phishing-as-a-service (PhaaS) platform named Kali365, which is actively targeting Microsoft 365 users to steal access tokens and bypass multi-factor authentication (MFA). Kali365 is being distributed primarily through Telegram channels, [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,158,124],"tags":[130],"class_list":["post-13071","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-microsoft","category-phishing","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/13071"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=13071"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/13071\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=13071"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=13071"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=13071"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}