What is Kali365? Following the FBI's warning, these users are at risk of fraud.
- by Sherya
- 16 Jun, 2026
What is Kali365? A new and serious cybersecurity warning has emerged. The US FBI has issued an alert regarding a new cybercrime platform called Kali365. It's a Phishing-as-a-Service (PhaaS) toolkit that's being used to target Microsoft 365 accounts. Most worryingly, this platform can bypass security layers like Multi-Factor Authentication (MFA).
According to the FBI, this platform, which first appeared in April 2026, is being spread through Telegram channels, allowing even attackers with little technical knowledge to carry out large-scale cyber attacks.
What is Kali365?
Kali365 is a subscription-based cybercrime service that allows hackers to run automated phishing attacks on cloud-based accounts, specifically Microsoft 365 environments.
According to the FBI, the platform offers several advanced features, such as AI-generated phishing emails and templates, an automated campaign management system, a real-time victim tracking dashboard, and the ability to steal OAuth tokens. These features allow cybercriminals to conduct attacks at scale with less technical expertise.
How does this attack work?
Attacks carried out through Kali365 are completed in several stages.
Fake email scam
First, the victim is sent an email that appears to be from a trusted cloud service or document sharing platform. The email contains a device code and instructions to visit an official Microsoft login page.
Confusing the user
When the user enters the device code on the genuine Microsoft login page, they unknowingly grant the attacker's device access to their account.
Theft of OAuth tokens
The system then captures the user's OAuth access and refresh tokens, which allow the attacker to gain access to the account.
Long-term account control
Once they have the token, attackers can access services like Outlook, Teams, and OneDrive without requiring a password or MFA re-entry. The FBI says this method could allow attackers to maintain control of accounts for a long period of time.
Why is this attack so dangerous?
Older phishing attacks usually try to steal passwords, but Kali365 works differently.
Because of this:
- Passwords are not stolen directly.
- MFA protection can be bypassed.
- The attacker may still have access even after the password is changed.
This makes detecting and recovering from such attacks more difficult for IT teams and victims.
What precautions did the FBI recommend?
The FBI has advised organizations and companies to strengthen the security of Microsoft 365. The agency has suggested several measures:
- Limit or disable Device Code Flow authentication
- Enforce strict Conditional Access policies
- Regularly check the use of device codes
- Prevent authentication transfer between different devices
- Keep emergency access accounts under special security arrangements
Apart from this, organizations are also advised to continuously monitor for suspicious login activity and unusual sessions.
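One way to carry out the regular review of device code usage over exported sign-in records is sketched below; it is an added example, not code from the FBI alert or from Microsoft. It assumes the records use Microsoft Graph signIn field names (`authenticationProtocol` set to `deviceCode`, `status.errorCode` of 0 for success); the allow-list and the sample records are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample records (assumed export format: Microsoft Graph signIn field names).
SAMPLE_SIGNINS = json.loads("""[
 {"createdDateTime":"2026-06-10T08:01:00Z","userPrincipalName":"ana@example.com","appDisplayName":"Outlook","ipAddress":"198.51.100.7","authenticationProtocol":"none","status":{"errorCode":0}},
 {"createdDateTime":"2026-06-10T08:05:00Z","userPrincipalName":"ana@example.com","appDisplayName":"Microsoft Office","ipAddress":"203.0.113.50","authenticationProtocol":"deviceCode","status":{"errorCode":0}},
 {"createdDateTime":"2026-06-10T09:00:00Z","userPrincipalName":"room-display@example.com","appDisplayName":"Microsoft Teams","ipAddress":"198.51.100.20","authenticationProtocol":"deviceCode","status":{"errorCode":0}},
 {"createdDateTime":"2026-06-11T10:00:00Z","userPrincipalName":"ben@example.com","appDisplayName":"OneDrive","ipAddress":"198.51.100.9","authenticationProtocol":"none","status":{"errorCode":0}},
 {"createdDateTime":"2026-06-11T10:10:00Z","userPrincipalName":"ben@example.com","appDisplayName":"Microsoft Office","ipAddress":"198.51.100.9","authenticationProtocol":"deviceCode","status":{"errorCode":1}},
 {"createdDateTime":"2026-06-11T10:12:00Z","userPrincipalName":"ben@example.com","appDisplayName":"Microsoft Office","ipAddress":"198.51.100.9","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
]""")

# Hypothetical allow-list: accounts expected to use device code flow (e.g. shared-room devices).
ALLOWED_DEVICE_CODE_USERS = {"room-display@example.com"}


def find_device_code_signins(signins, allowed_users=ALLOWED_DEVICE_CODE_USERS):
    """Return successful device code sign-ins by users outside the allow-list."""
    # Baseline for triage: IPs each user was seen on with any other protocol.
    known_ips = defaultdict(set)
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            known_ips[s["userPrincipalName"].lower()].add(s.get("ipAddress"))

    findings = []
    for s in signins:
        user = s["userPrincipalName"].lower()
        if s.get("authenticationProtocol") != "deviceCode":
            continue
        if s.get("status", {}).get("errorCode") != 0:  # non-zero = failed attempt
            continue
        if user in allowed_users:
            continue
        findings.append({
            "time": s["createdDateTime"],
            "user": user,
            "app": s.get("appDisplayName"),
            "ip": s.get("ipAddress"),
            # True when this IP appears in none of the user's other sign-ins in the export.
            "new_ip": s.get("ipAddress") not in known_ips[user],
        })
    return sorted(findings, key=lambda f: f["time"])


if __name__ == "__main__":
    for finding in find_device_code_signins(SAMPLE_SIGNINS):
        print(finding)
```

Every finding is a prompt to confirm with the user whether they entered a device code; a finding with `new_ip` set is the one to triage first.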
Where to report a cyber attack?
The FBI encourages you to report any cyberattacks or suspicious activity related to Kali365 to the Internet Crime Complaint Center (IC3). It is recommended to include all relevant information in the report.




