The newly identified cybercrime platform, Kali365, is being used by attackers to gain access to Microsoft services such as Outlook, Teams and OneDrive.
What is Kali365?
Kali365 is a subscription-based cybercrime platform that enables attackers to launch automated phishing campaigns targeting cloud services, particularly Microsoft 365 accounts.
In a public advisory, the FBI described Kali365 as an emerging ‘Phishing-as-a-Service’ (PhaaS) platform that enables “cyber threat actors to obtain Microsoft 365 access tokens and bypass multi-factor authentication (MFA) protocols without intercepting the user’s credentials.”
The platform was first detected in April 2026 and is reportedly being distributed through Telegram.
According to the FBI, Kali365 allows cybercriminals to capture OAuth access tokens, enabling them to gain persistent access to Microsoft 365 accounts. The scam typically begins with a phishing email impersonating a document-sharing service.
“Kali365 lowers the barrier of entry, providing less-technical attackers access to AI-generated phishing lures, automated campaign templates, real-time targeted individual/entity tracking dashboards, and OAuth token capture capabilities,” the FBI said in the Public Service Announcement (PSA).
According to a report in The Hill, the platform is available to scammers for a monthly fee of $250. Microsoft has advised users to follow the FBI’s guidance. In a conversation with The Hill, a Microsoft spokesperson said, “More broadly, Microsoft actively works to disrupt cybercriminal ecosystems behind phishing-as-a-service and account takeover activity to protect our customers.”
How the Kali365 scam works
Phishing email: Attackers begin by sending phishing emails that appear to come from trusted cloud productivity or document-sharing services. The emails contain a device authentication code and instructions directing users to a legitimate Microsoft verification page.
Users unknowingly grant access: Victims are asked to enter the provided code on the genuine Microsoft page. By doing so, they unknowingly authorize the attacker’s device to access their Microsoft 365 account.
Access tokens are stolen: Once authorization is granted, attackers capture OAuth access and refresh tokens, allowing them to gain control of the targeted account.
Continued access without passwords: Cybercriminals can access Microsoft services such as Outlook, Teams and OneDrive without needing the user’s password or completing any additional multi-factor authentication (MFA) checks.
How users can protect themselves
The FBI advised users and organizations to limit or block the use of device authentication codes, as this can help reduce the risk of such attacks. It also advised organizations to block device code authentication for most users wherever possible, while allowing exceptions for essential business operations.
The agency also recommended reviewing existing use of device authentication codes, restricting the transfer of authentication between devices, and ensuring emergency access accounts remain exempt from restrictions to prevent lockouts.
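One way to carry out the recommended review of existing device code use before blocking it, as an added example that is not part of the FBI advisory or the original article. The sign-in records are constructed, and the field names (modeled on a Microsoft Entra sign-in log export) and the function name are assumptions to adapt to your own log source.

```python
import json
from datetime import datetime

# Constructed sample sign-in records (not real log data). Field names are
# modeled on a Microsoft Entra sign-in log export and are an assumption.
SAMPLE_SIGNINS = json.loads("""[
  {"createdDateTime": "2026-04-02T08:00:00Z", "userPrincipalName": "room-a@example.com",
   "appDisplayName": "Conference Room Display", "authenticationProtocol": "deviceCode",
   "ipAddress": "198.51.100.10"},
  {"createdDateTime": "2026-04-03T09:15:00Z", "userPrincipalName": "alice@example.com",
   "appDisplayName": "Mail Client", "authenticationProtocol": "none",
   "ipAddress": "198.51.100.20"},
  {"createdDateTime": "2026-05-06T10:00:00Z", "userPrincipalName": "room-a@example.com",
   "appDisplayName": "Conference Room Display", "authenticationProtocol": "deviceCode",
   "ipAddress": "198.51.100.10"},
  {"createdDateTime": "2026-05-07T14:30:00Z", "userPrincipalName": "alice@example.com",
   "appDisplayName": "Generic Office App", "authenticationProtocol": "deviceCode",
   "ipAddress": "203.0.113.77"}
]""")

def _ts(record):
    # Parse the UTC timestamp; "Z" is rewritten for older Python versions.
    return datetime.fromisoformat(record["createdDateTime"].replace("Z", "+00:00"))

def review_device_code_use(signins, baseline_end):
    """Split device code sign-ins into established use and first-time use."""
    cutoff = datetime.fromisoformat(baseline_end.replace("Z", "+00:00"))
    device_code = sorted(
        (r for r in signins if r.get("authenticationProtocol") == "deviceCode"),
        key=_ts)
    established = set()   # (user, app) pairs seen during the baseline window
    first_time = []       # later sign-ins from pairs never seen in the baseline
    for r in device_code:
        pair = (r["userPrincipalName"].lower(), r["appDisplayName"])
        if _ts(r) < cutoff:
            established.add(pair)
        elif pair not in established:
            first_time.append(r)
    return {"exception_candidates": sorted(established), "investigate": first_time}

if __name__ == "__main__":
    report = review_device_code_use(SAMPLE_SIGNINS, "2026-05-01T00:00:00Z")
    print("Exception candidates:", report["exception_candidates"])
    for r in report["investigate"]:
        print("Investigate:", r["createdDateTime"], r["userPrincipalName"], r["ipAddress"])
```

Pairs listed as exception candidates are the accounts to evaluate for an allowed exception when device code authentication is blocked for everyone else; first-time use after the baseline is what to check against recent phishing reports.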
What to do if you are targeted
Anyone affected by the Kali365 phishing kit should file a complaint with the FBI’s Internet Crime Complaint Center (IC3). Users are advised to include relevant details, including phishing emails, suspicious login attempts (time, IP address, location) and any unauthorized devices or active sessions linked to their accounts.



