What is Kali365? FBI warns of Telegram-based phishing toolkit targeting Microsoft 365 users

Jun 17, 2026
Updated Jun 17, 2026 11:24 AM IST
The Federal Bureau of Investigation (FBI) has warned organisations about Kali365, a newly identified cybercrime platform that is being used to break into Microsoft 365 accounts by getting around multi-factor authentication protections.
Unlike older phishing campaigns that mainly try to steal passwords, Kali365 targets the way users authenticate into cloud services. That makes the attack harder to spot and, in some cases, harder to shut down even after a password reset.
Phishing kit sold as a service
Kali365 is a “Phishing-as-a-Service” platform, or PhaaS, which means attackers can subscribe to ready-made phishing tools instead of building them from scratch.
The FBI said the toolkit was first detected in April 2026 and is being distributed through Telegram channels. Its biggest danger is that it lowers the entry barrier for cybercriminals. Even attackers with limited technical skills can use it to launch campaigns against Microsoft 365 users.
The platform reportedly offers AI-generated phishing emails, pre-built templates, automated campaign tools, real-time victim tracking and systems designed to capture OAuth tokens.
How Kali365 attacks Microsoft 365 users
The attack begins with a phishing email that appears to come from a trusted cloud service or document-sharing platform. Instead of sending users to a fake login page, the email gives them a device code and asks them to enter it on a legitimate Microsoft login page.
This is what makes the attack deceptive. Since the user is interacting with a real Microsoft page, the login process may not immediately look suspicious.
Once the victim enters the code and completes authentication, they are effectively authorising the attacker’s device. Kali365 then captures OAuth access and refresh tokens, which can allow the attacker to access the victim’s Microsoft 365 account.
Why MFA may not stop it
Multi-factor authentication is designed to protect accounts even when passwords are compromised. But Kali365 does not rely on stealing the password directly.
Instead, it uses token-based authentication. Once the attacker gets access to valid OAuth tokens, they may be able to enter services such as Outlook, Teams and OneDrive without needing the user’s password again.
This also means that changing the password may not always be enough to remove access. If the stolen tokens remain valid, attackers can continue using the account.
Why this matters for companies
A Microsoft 365 account can give attackers access to emails, files, internal chats and shared documents.
That access can be used for business email compromise, data theft, lateral movement inside the organisation, or further phishing attacks against employees, clients and vendors.
The FBI warned that Kali365 can help attackers maintain long-term access to compromised accounts, making early detection critical.
What the FBI wants organisations to do
The FBI has urged organisations to review how Microsoft 365 authentication is configured, especially around device code flow authentication.
Security teams have been advised to restrict or disable device code flow where it is not needed, enforce stricter conditional access policies, and audit whether device code-based logins are actually required for business use.
The agency has also recommended blocking authentication transfers between devices and monitoring for unusual login activity or unauthorised session creation.
At the same time, organisations have been advised to ensure emergency access accounts are not accidentally locked out while applying these restrictions.
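The audit step recommended above can be run over exported sign-in logs before any block is applied. The following is an added example, not code from the FBI advisory or the original article: it lists which accounts actually complete device code sign-ins, flags those outside an approved list, and keeps emergency access accounts in the exclusion set. The record shape, the field name authenticationProtocol with the value deviceCode, and all account names and addresses are assumptions constructed for illustration.

```python
from collections import Counter

# Constructed sample records shaped like Entra ID sign-in log exports.
# Assumption: the flow appears as authenticationProtocol == "deviceCode"
# and status.errorCode == 0 means the sign-in succeeded.
def rec(user, app, proto, ip, code=0):
    return {"userPrincipalName": user, "appDisplayName": app,
            "authenticationProtocol": proto, "ipAddress": ip,
            "status": {"errorCode": code}}

SAMPLE_SIGNINS = [
    rec("kiosk-lobby@example.com", "Meeting Room Display", "deviceCode", "198.51.100.10"),
    rec("kiosk-lobby@example.com", "Meeting Room Display", "deviceCode", "198.51.100.10"),
    rec("kiosk-lobby@example.com", "Meeting Room Display", "deviceCode", "198.51.100.10", code=1),
    rec("a.rao@example.com", "Microsoft Office", "deviceCode", "203.0.113.77"),
    rec("a.rao@example.com", "Outlook", "none", "192.0.2.5"),
]
APPROVED = {"kiosk-lobby@example.com", "print-room@example.com"}  # hypothetical allow-list
EMERGENCY = {"breakglass@example.com"}  # hypothetical emergency access account

def device_code_signins(records):
    """Return only successful sign-ins that used the device code flow."""
    return [r for r in records
            if (r.get("authenticationProtocol") or "").lower() == "devicecode"
            and r.get("status", {}).get("errorCode") == 0]

def block_plan(records, approved, emergency):
    """Summarise device code usage ahead of a restriction on the flow."""
    usage = Counter()
    investigate = []
    for r in device_code_signins(records):
        user = r["userPrincipalName"].lower()
        usage[(user, r["appDisplayName"])] += 1
        if user not in approved and user not in emergency:
            # Device code sign-in by an account with no business need for it.
            investigate.append((user, r["appDisplayName"], r["ipAddress"]))
    active = {user for user, _ in usage}
    return {
        "usage": dict(usage),
        "investigate": investigate,
        # Approved accounts that never used the flow: exception not needed.
        "unused_approvals": sorted(approved - active),
        # Emergency accounts stay excluded so a block cannot lock them out.
        "exclude_from_block": sorted((approved & active) | emergency),
    }

if __name__ == "__main__":
    for key, value in block_plan(SAMPLE_SIGNINS, APPROVED, EMERGENCY).items():
        print(key, value)
```

Accounts listed under "investigate" are the ones to check for unexpected sessions and token use, since a password reset alone may not end access gained this way.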
