VYPR
researchPublished May 22, 2026· Updated Jun 4, 2026· 7 sources

FBI Warns of Kali365 PhaaS Platform Targeting Microsoft 365 Access Tokens to Bypass MFA

The FBI warns of Kali365, a PhaaS platform that steals Microsoft 365 access tokens via device code phishing, bypassing MFA without requiring credentials.

The FBI has issued a warning about a new Phishing-as-a-Service (PhaaS) platform called Kali365, which targets Microsoft 365 access tokens to bypass multi-factor authentication (MFA). First observed in April 2026, Kali365 is distributed through Telegram and provides cybercriminals with AI-generated phishing lures, automated campaign templates, and OAuth token capture capabilities. According to the FBI, Kali365 lowers the barrier for less-technical attackers to compromise Microsoft 365 accounts without stealing user credentials.

The attack leverages device code phishing, a technique where victims are tricked into logging into their accounts through a legitimate authentication flow. The attack begins with a phishing email that impersonates trusted cloud or document-sharing services and includes a device code with instructions to visit a legitimate Microsoft verification page. After the victim enters the code, they unknowingly authorize the attacker's device. The attacker then captures OAuth access and refresh tokens, allowing continued access to Microsoft 365 services such as Outlook, Teams, and OneDrive without requiring a password or additional MFA prompts.

Kali365 is part of a growing trend of PhaaS platforms sold via Telegram. Researchers recently identified EvilTokens, another PhaaS platform that compromised over 340 Microsoft 365 organizations in five weeks by abusing OAuth device code authentication. EvilTokens also provides ready-made tools for phishing campaigns, including fake login pages, Microsoft API automation, and AI-generated emails. The rise of such platforms highlights the increasing commoditization of phishing tools, enabling even low-skill attackers to launch sophisticated campaigns.

The FBI has outlined several tips for organizations to protect against device code phishing attacks. These include educating users about the risks of entering device codes from unsolicited emails, implementing conditional access policies to block device code authentication from untrusted locations, and monitoring for unusual OAuth consent grants. Additionally, organizations should enforce MFA where possible and use token binding to tie tokens to specific devices.

According to Barracuda Networks, the most common phishing themes in 2025 pushed users toward clicking links, scanning QR codes, opening attachments, or handing over personal information. The emergence of Kali365 and similar platforms underscores the need for continuous vigilance and advanced threat detection to combat evolving phishing tactics.

The FBI advisory, published Thursday, details how Kali365 operates as a Telegram-distributed PhaaS platform that captures OAuth tokens via device code phishing, enabling attackers to bypass MFA without intercepting credentials. Arctic Wolf's incident response team confirmed a large campaign in April, noting that threat actors used high-fidelity lures directing victims to Microsoft's legitimate device login flow, then established malicious inbox rules to suppress security notifications and extend dwell time. The platform offers three subscription tiers ranging from $250 for 30 days to $2,000 for 365 days, and generates branded phishing lures in dozens of languages using services like Adobe, DocuSign, and SharePoint.

The FBI's public service announcement, issued Thursday, details that Kali365 is distributed primarily on Telegram and charges affiliates $250 per month or $2,000 per year. Proofpoint researchers observed an explosion in device-code phishing activity starting in February, with seven nearly identical tools spotted in a 10-day period last month. Arctic Wolf Labs noted that captured OAuth tokens can be shared and reused by other cybercriminals who did not participate in the initial phishing lure, enabling persistent access across Microsoft services without additional authentication.

The Infosecurity Magazine report adds granular technical details on the Kali365 attack chain, specifying that the phishing emails contain a device code and direct victims to the legitimate Microsoft verification page, where entering the code authorizes the attacker's device. It also names the specific cloud services attackers can then access—Outlook, Teams, and OneDrive—once OAuth tokens are captured. Additionally, the article provides a more detailed list of FBI-recommended mitigations, including restricting device code flow, creating conditional access policies, and blocking authentication transfer policies to prevent the technique.

The BleepingComputer report adds new operational details, revealing that Kali365 emerged in April 2026 and is distributed via Telegram, offering two attack modes: device code phishing and an adversary-in-the-middle mode called 'Cookie Link' that captures authenticated browser sessions. Arctic Wolf researchers observed a widespread campaign targeting organizations worldwide, where attackers created malicious inbox rules and registered new devices in victims' Microsoft environments. The article also notes that device code phishing has seen widespread adoption in 2026, with other platforms like EvilTokens and Tycoon2FA now using similar techniques.

Malwarebytes Labs expands on the FBI's warning with practical guidance for individual Microsoft 365 users, emphasizing that the device-code phishing technique works against anyone with an Outlook or OneDrive account, not just enterprise targets. The article details how attackers use stolen refresh tokens to maintain long-term access to email, files, and Teams, and recommends users review connected devices at account.microsoft.com/devices/ and never enter unsolicited codes at Microsoft login pages.

The Kali365 phishing-as-a-service (PhaaS) operation has significantly expanded its scope beyond Microsoft 365, now targeting Okta SSO and MAX Messenger. Researchers have identified a live C2 panel and 126 phishing hosts, with a new campaign specifically leveraging MAX Messenger to distribute lures for a "prize claim" scam, which then uses compromised accounts to spread further. This evolution demonstrates Kali365's growing versatility and reach, moving from a single-vendor focus to a multi-brand phishing platform.

Synthesized by Vypr AI
FBI Warns of Kali365 PhaaS Platform Targeting Microsoft 365 Access Tokens to Bypass MFA · VYPR