FBI warns Microsoft 365 users about another Phishing as a Service attack – here's how to avoid it
Kali365 platform is serious enough to garner a warning from the FBI
The FBI has warned about an attack against Microsoft systems using yet another Phishing as a Service platform called Kali365 that can gain access without intercepting user credentials.
The Kali365 platform was first spotted last month, and the US agency said it wanted to alert users to the threat posed by the Phishing as a Service (PhaaS) platform – a technique that's on the rise, with PhaaS kits increasing in sophistication and becoming more popular among rookie hackers.
"Kali365 has primarily been distributed via Telegram, enabling cyber threat actors to obtain Microsoft 365 access tokens and bypass multi-factor authentication (MFA) protocols without intercepting the user's credentials," the US Federal Bureau of Investigation (FBI) said via a public service announcement.
Hackers with a subscription can use Kali365 to snag "OAuth" tokens that allow persistent access to Microsoft 365 environments.
While that's concerning on its own, the FBI noted that the Kali365 platform makes it easier for hackers to successfully target such systems. "Kali365 lowers the barrier of entry, providing less-technical attackers access to AI-generated phishing lures, automated campaign templates, real-time targeted individual/entity tracking dashboards, and OAuth token capture capabilities," the statement said.
Microsoft has yet to respond to ITPro's request for comment on the attacks. This isn't the first time a PhaaS platform has targeted the tech giant. Earlier this year, Microsoft teamed up with security agencies to take down the Tycoon 2FA PhaaS platform that was also targeting Microsoft 365 logins, while Microsoft worked with Cloudflare to take down a similar PhaaS system also targeting Microsoft credentials last year.
How the Kali365 attack works
The attack targets victims with an email that pretends to come from a cloud productivity or document sharing service. "This phishing email contains a device code with instructions to visit a legitimate Microsoft verification page and enter the code," the FBI explained.
Such emails will be specifically targeted to individuals or organisations. If fooled, the user will be directed to a real Microsoft page. When the authentication code is pasted into the page, the victim will be authorizing access, not for their own devices, but for those managed by the attacker.
That's possible because the attacker captures OAuth access and refresh tokens, letting them take over the targeted person's Microsoft 365 account.
"The attacker can now access Microsoft 365 services such as Outlook, Teams, and OneDrive without needing a password or completing any additional MFA challenges," the FBI added.
What to do
As ever, users can avoid becoming a victim by not clicking links in unexpected emails – this may be an advanced Phishing as a Service platform, but the attack vector remains a standard phishing email with a dodgy link.
At a corporate level, to help protect against this style of attack, the FBI advised restricting the number of codes that are used for authentication, for example by creating a conditional access policy that blocks device code flow for everyone and allows only limited exceptions for necessary processes.
That said, the FBI noted it may make sense to audit how such codes are used now to ensure no legitimate use cases are disrupted.
Beyond that, companies can implement policies that block the transfer of authentication from computers to mobile devices, while excluding emergency access accounts from those policies.
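An added example, not taken from the FBI notice or from this article: a small audit over exported sign-in records that shows which users and apps currently succeed with device code flow or authentication transfer, so that exceptions can be settled before a block policy is enforced. The record field names, the sample log and the `approved` exception list are assumptions made for illustration.

```python
import json
from collections import defaultdict

# Constructed sample: JSON-lines sign-in records. Field names are assumed to
# follow the Entra ID sign-in log export; verify them against your own tenant.
SAMPLE_LOG = """\
{"userPrincipalName":"kiosk@example.com","appDisplayName":"Room Display","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
{"userPrincipalName":"Kiosk@Example.com","appDisplayName":"Room Display","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
{"userPrincipalName":"alice@example.com","appDisplayName":"Office 365 Exchange Online","status":{"errorCode":0}}
{"userPrincipalName":"alice@example.com","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
{"userPrincipalName":"bob@example.com","appDisplayName":"Microsoft Azure CLI","authenticationProtocol":"deviceCode","status":{"errorCode":50126}}
{"userPrincipalName":"bob@example.com","appDisplayName":"Outlook Mobile","authenticationProtocol":"authenticationTransfer","status":{"errorCode":0}}
"""

AUDITED_FLOWS = {"deviceCode", "authenticationTransfer"}  # flows the policies would block

def audit_flows(log_text, approved=frozenset()):
    """Summarise successful sign-ins that used an audited flow.

    approved: (user, app) pairs already accepted as exceptions (hypothetical list).
    Returns (usage, unapproved): usage maps (flow, app) -> {user: count};
    unapproved lists (user, app, flow) tuples that a block policy would disrupt.
    """
    usage = defaultdict(lambda: defaultdict(int))
    unapproved = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        flow = rec.get("authenticationProtocol", "none")  # field may be absent
        if flow not in AUDITED_FLOWS:
            continue
        if rec.get("status", {}).get("errorCode") != 0:
            continue  # failed attempts issued no tokens; skip them here
        user, app = rec["userPrincipalName"].lower(), rec["appDisplayName"]
        usage[(flow, app)][user] += 1
        if (user, app) not in approved:
            unapproved.add((user, app, flow))
    return {k: dict(v) for k, v in usage.items()}, sorted(unapproved)

if __name__ == "__main__":
    usage, unapproved = audit_flows(SAMPLE_LOG, approved={("kiosk@example.com", "Room Display")})
    for (flow, app), users in sorted(usage.items()):
        print(f"{flow:24} {app:28} {users}")
    for user, app, flow in unapproved:
        print(f"REVIEW: {user} used {flow} with {app}")
```

Each entry in the review list is either a legitimate use that needs a documented exception or a sign-in the user did not expect, which is the case the FBI asks organisations to report.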
The FBI added that anyone impacted by Kali365 – be it phishing emails, suspicious logins, or spotting unauthorized devices – should file a report with the Internet Crime Complaint Center (IC3).
Freelance journalist Nicole Kobie first started writing for ITPro in 2007, with bylines in New Scientist, Wired, PC Pro and many more.
Nicole is the author of a book about the history of technology, The Long History of the Future.
