VYPR
Research · Published May 22, 2026 · 1 source

FBI Warns of Kali365 PhaaS Platform Targeting Microsoft 365 Access Tokens to Bypass MFA

The FBI warns of Kali365, a PhaaS platform that steals Microsoft 365 access tokens via device code phishing, bypassing MFA without requiring credentials.

The FBI has issued a warning about a new Phishing-as-a-Service (PhaaS) platform called Kali365, which targets Microsoft 365 access tokens to bypass multi-factor authentication (MFA). First observed in April 2026, Kali365 is distributed through Telegram and provides cybercriminals with AI-generated phishing lures, automated campaign templates, and OAuth token capture capabilities. According to the FBI, Kali365 lowers the barrier for less-technical attackers to compromise Microsoft 365 accounts without stealing user credentials.

The attack leverages device code phishing, a technique where victims are tricked into logging into their accounts through a legitimate authentication flow. The attack begins with a phishing email that impersonates trusted cloud or document-sharing services and includes a device code with instructions to visit a legitimate Microsoft verification page. After the victim enters the code, they unknowingly authorize the attacker's device. The attacker then captures OAuth access and refresh tokens, allowing continued access to Microsoft 365 services such as Outlook, Teams, and OneDrive without requiring a password or additional MFA prompts.

Kali365 is part of a growing trend of PhaaS platforms sold via Telegram. Researchers recently identified EvilTokens, another PhaaS platform that compromised over 340 Microsoft 365 organizations in five weeks by abusing OAuth device code authentication. EvilTokens also provides ready-made tools for phishing campaigns, including fake login pages, Microsoft API automation, and AI-generated emails. The rise of such platforms highlights the increasing commoditization of phishing tools, enabling even low-skill attackers to launch sophisticated campaigns.

The FBI has outlined several tips for organizations to protect against device code phishing attacks. These include educating users about the risks of entering device codes from unsolicited emails, implementing conditional access policies to block device code authentication from untrusted locations, and monitoring for unusual OAuth consent grants. Additionally, organizations should enforce MFA where possible and use token binding to tie tokens to specific devices.
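As an added example (not from the FBI advisory or this article), the monitoring tip above can be sketched as a filter over exported sign-in records that flags completed device code sign-ins from outside trusted networks. The field names assume the Microsoft Entra sign-in log JSON shape; the trusted range and the sample records are constructed.

```python
import ipaddress
import json

# Assumption: trusted corporate egress range (a documentation prefix as placeholder).
TRUSTED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample records, one JSON object per line; not real log data.
SAMPLE_LOG = """\
{"createdDateTime":"2026-05-20T09:01:12Z","userPrincipalName":"alice@example.com","authenticationProtocol":"deviceCode","ipAddress":"192.0.2.15","status":{"errorCode":0}}
{"createdDateTime":"2026-05-20T09:14:40Z","userPrincipalName":"bob@example.com","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.77","status":{"errorCode":0}}
{"createdDateTime":"2026-05-20T09:20:03Z","userPrincipalName":"carol@example.com","authenticationProtocol":"oAuth2","ipAddress":"198.51.100.9","status":{"errorCode":0}}
{"createdDateTime":"2026-05-20T09:31:55Z","userPrincipalName":"dave@example.com","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.23","status":{"errorCode":70016}}
not-json
"""


def is_trusted(ip_text):
    """Return True only if ip_text parses and falls inside a trusted network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # missing or unparseable address counts as untrusted
    return any(ip in net for net in TRUSTED_NETWORKS)


def find_untrusted_device_code_signins(log_text):
    """Flag completed device code sign-ins that came from outside trusted networks."""
    findings = []
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or malformed lines
        if not isinstance(event, dict):
            continue
        if event.get("authenticationProtocol") != "deviceCode":
            continue  # other protocols are out of scope for this check
        if (event.get("status") or {}).get("errorCode") != 0:
            continue  # only a completed authorization yields tokens
        if is_trusted(event.get("ipAddress", "")):
            continue
        findings.append((event.get("createdDateTime"),
                         event.get("userPrincipalName"), event.get("ipAddress")))
    return findings


if __name__ == "__main__":
    for when, user, ip in find_untrusted_device_code_signins(SAMPLE_LOG):
        print(f"REVIEW device code sign-in: {user} from {ip} at {when}")
```

Each finding is a candidate for review rather than a verdict; tenants with legitimate device code use (shared displays, CLI tooling) would extend the trusted ranges accordingly.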

According to Barracuda Networks, the most common phishing themes in 2025 pushed users toward clicking links, scanning QR codes, opening attachments, or handing over personal information. The emergence of Kali365 and similar platforms underscores the need for continuous vigilance and advanced threat detection to combat evolving phishing tactics.

Synthesized by Vypr AI