The FBI has released a new Public Service Announcement (PSA) warning businesses and individuals about an emerging cyber threat called “Kali365.” According to the FBI, this new Phishing-as-a-Service (PhaaS) platform is specifically designed to target Microsoft 365 users by hijacking access tokens and bypassing traditional multi-factor authentication (MFA) protections.
You can read the official FBI/IC3 PSA here:
FBI IC3 Kali365 Public Service Announcement
What Makes Kali365 Different?
Traditional phishing attacks typically attempt to steal usernames and passwords. Kali365 takes things a step further by targeting Microsoft 365 OAuth access tokens instead. This allows attackers to gain access to accounts without needing the victim’s actual password or MFA code.
The FBI says Kali365 first appeared in April 2026 and is being distributed primarily through Telegram channels. The platform lowers the barrier for cybercriminals by offering:
- AI-generated phishing emails
- Automated phishing campaign templates
- Real-time dashboards to track victims
- OAuth token capture capabilities
- Easy-to-use tools for less technical attackers
This means even lower-skilled cybercriminals can launch advanced phishing attacks against businesses using Microsoft 365.
How the Attack Works
According to the FBI, the attack abuses Microsoft’s legitimate “device code authentication” workflow. Instead of stealing credentials directly, attackers trick users into unknowingly authorizing access to their account.
The process generally works like this:
- A victim receives a phishing email pretending to be from Microsoft or another trusted service.
- The email contains a device code and instructions to visit a real Microsoft verification page.
- The victim enters the code, believing the request is legitimate.
- The attacker captures OAuth access and refresh tokens tied to the victim’s Microsoft 365 account.
- The attacker can then access Outlook, Teams, OneDrive, and other Microsoft services without triggering another MFA challenge.
Because this attack uses legitimate Microsoft authentication pages, it can be much harder for users to recognize and more difficult for security tools to detect.
Why Businesses Should Be Concerned
Many businesses believe enabling MFA completely protects them from phishing attacks. While MFA is still extremely important, threats like Kali365 show that attackers continue finding new ways around traditional security methods.
Once attackers obtain these tokens, they may be able to:
- Read company emails
- Access sensitive files
- Monitor Teams communications
- Launch additional phishing attacks internally
- Maintain persistent access to accounts
In some cases, attackers may remain inside an environment even after passwords are changed because the stolen tokens may still be valid.
How to Protect Your Organization
The FBI and CISA recommend several steps businesses can take to reduce risk from these attacks.
Restrict Device Code Authentication
Organizations should evaluate whether device code authentication is truly needed. In many environments, it can be restricted or disabled entirely through Conditional Access Policies in Microsoft 365.
Implement Strong Conditional Access Policies
Conditional Access policies can help block suspicious authentication attempts, sign-ins from unknown locations, or unauthorized device authentication flows.
Train Employees to Recognize Suspicious Requests
Security awareness training remains one of the most important defenses. Employees should be cautious of:
- Unexpected Microsoft login requests
- Emails asking them to enter verification codes
- Unusual authentication prompts
- Urgent requests involving account verification
Monitor for Suspicious Login Activity
Businesses should regularly review sign-in logs, token activity, and unusual account behavior within Microsoft 365.
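A sign-in log review for this threat can start by listing every successful device code sign-in from an account that has no documented need for that flow. The following is an added example, not code from the FBI PSA. It assumes sign-in records exported as JSON with Microsoft Entra style field names; the records, the allowlist and the function name are constructed for illustration.

```python
from collections import defaultdict


def _rec(ts, user, app, ip, proto, err):
    """Build one constructed sign-in record (field names are assumptions)."""
    return {"createdDateTime": ts, "userPrincipalName": user, "appDisplayName": app,
            "ipAddress": ip, "authenticationProtocol": proto,
            "status": {"errorCode": err}}


# Constructed sample sign-in records; all values are made up.
SAMPLE_SIGNINS = [
    _rec("2026-05-04T08:55:10Z", "alice@example.com", "Outlook", "198.51.100.7", "none", 0),
    _rec("2026-05-04T09:14:03Z", "Alice@example.com", "Microsoft Office",
         "203.0.113.45", "deviceCode", 0),
    _rec("2026-05-04T09:31:40Z", "alice@example.com", "Microsoft Teams",
         "203.0.113.45", "deviceCode", 0),
    _rec("2026-05-04T10:02:19Z", "bob@example.com", "Microsoft Office",
         "203.0.113.45", "deviceCode", 1),  # constructed non-zero error code
    _rec("2026-05-04T11:20:00Z", "boardroom-display@example.com", "Microsoft Teams",
         "198.51.100.20", "deviceCode", 0),
]

# Hypothetical allowlist (lowercase): accounts with a documented need for the flow.
EXPECTED_DEVICE_CODE_USERS = {"boardroom-display@example.com"}


def unexpected_device_code_signins(records, allowed_users):
    """Summarize successful device code sign-ins by users not on the allowlist."""
    hits = defaultdict(list)
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        if (rec.get("status") or {}).get("errorCode") != 0:
            continue  # non-zero error code: the sign-in did not succeed
        user = (rec.get("userPrincipalName") or "").lower()
        if user not in allowed_users:
            hits[user].append(rec)
    report = []
    for user, recs in sorted(hits.items()):
        times = sorted(r["createdDateTime"] for r in recs)
        report.append({
            "user": user, "count": len(recs),
            "first_seen": times[0], "last_seen": times[-1],
            "apps": sorted({r.get("appDisplayName", "unknown") for r in recs}),
            "ips": sorted({r.get("ipAddress", "unknown") for r in recs}),
        })
    return report
```

Each reported account is a candidate for follow-up, including revoking its active sessions, since the article notes that stolen tokens may remain valid after a password change.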
Use Advanced Email Security
Modern phishing attacks continue evolving rapidly. Advanced email security solutions can help detect malicious links, impersonation attempts, and suspicious login workflows before they reach users.
Maintain Endpoint Protection and Device Management
Strong endpoint protection, automated patching, and device management policies can help reduce exposure if an account becomes compromised.
Final Thoughts
Kali365 is another reminder that phishing attacks are becoming more advanced, automated, and accessible to cybercriminals. Attackers are no longer relying only on stolen passwords—they are increasingly targeting authentication sessions, tokens, and trusted workflows.
Businesses using Microsoft 365 should review their security posture now rather than waiting until after an incident occurs. MFA is still critical, but layered security, user awareness, conditional access policies, and proactive monitoring are becoming more important than ever.
For the latest official guidance from the FBI, visit:
IC3.gov PSA on Kali365
If your business would like assistance reviewing Microsoft 365 security settings, phishing protections, endpoint security, or cybersecurity best practices, Cynxt IT Services can help. Call or text (256) 456-5858, email info@cynxt.net, or visit us at 1128 Bradshaw Drive, Florence, AL.