
FBI warns of Kali365 phishing-as-a-service targeting Microsoft 365 access tokens

Law enforcement and experts express concern over a phishing service marketed via Telegram that “lowers the barrier to entry and enables rapid affiliate recruitment”.

Wed, 27 May 2026

The United States FBI has released a public service announcement (PSA) warning of a newly emerged phishing-as-a-service (PhaaS) platform: Kali365.

First observed in April 2026, the platform is marketed and distributed via the Telegram messaging service.

“Through the Kali365 platform subscription, cyber threat actors can capture ‘OAuth’ tokens and gain persistent access to targeted individuals/entities’ Microsoft 365 environments,” the FBI said in a 21 May PSA.


“Kali365 lowers the barrier of entry, providing less-technical attackers access to AI-generated phishing lures, automated campaign templates, real-time targeted individual/entity tracking dashboards, and OAuth token capture capabilities.”

The scam works in four steps. The attacker starts a device code sign-in and receives a short code from Microsoft; a phishing email, made to look like it comes from a “trusted cloud productivity and document-sharing service”, delivers that code together with a link to a legitimate Microsoft verification page; the victim follows the link and enters the code; and by signing in there, the victim authorises the attacker’s device.

The attacker can then capture OAuth tokens, which grant access to the victim’s Microsoft 365 services without the attacker needing the password and without having to defeat multifactor authentication: the victim completes any password and MFA prompts on Microsoft’s own page, and the tokens are issued to the attacker’s waiting session.
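The exchange described above, as an added example that is not code from the article, the FBI PSA or the Kali365 platform: a Python simulation of the OAuth 2.0 device authorization grant (RFC 8628) showing why a sign-in completed on a legitimate page hands tokens to whichever client requested the code. The in-memory AuthorizationServer, the client_id value, the user_code format, the scope string and the token strings are all stand-ins chosen for illustration; no request is sent to Microsoft’s real endpoints.

```python
"""Simulation of device code phishing against an RFC 8628-style authorization
server. Constructed example: the server below is an in-memory stand-in and the
identifiers are placeholders, not Microsoft's real endpoints or app IDs."""
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Legitimate verification page a victim would be sent to. Used only as a label
# in the lure text; nothing here makes network requests.
VERIFICATION_URI = "https://microsoft.com/devicelogin"
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"


@dataclass
class DeviceCodeRequest:
    device_code: str              # secret, known only to the client that polls
    user_code: str                # short code the victim is phished into typing
    client_id: str
    scope: str
    expires_at: float
    authorized_by: Optional[str] = None   # set once a user approves the code


class AuthorizationServer:
    """Minimal authorization server implementing the device authorization grant."""

    def __init__(self):
        self._pending = {}        # device_code -> DeviceCodeRequest
        self._by_user_code = {}   # user_code   -> DeviceCodeRequest

    def device_authorization(self, client_id, scope, lifetime=900):
        """POST /devicecode: the attacker's client calls this first."""
        req = DeviceCodeRequest(
            device_code=secrets.token_urlsafe(32),
            user_code="".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8)),
            client_id=client_id, scope=scope, expires_at=time.time() + lifetime)
        self._pending[req.device_code] = req
        self._by_user_code[req.user_code] = req
        return {"device_code": req.device_code, "user_code": req.user_code,
                "verification_uri": VERIFICATION_URI,
                "expires_in": lifetime, "interval": 5}

    def user_completes_sign_in(self, user_code, username, mfa_passed):
        """The victim opens the legitimate page, types the code and signs in with
        password and MFA. The attacker's infrastructure is never contacted."""
        req = self._by_user_code.get(user_code)
        if req is None or time.time() > req.expires_at:
            return "invalid_or_expired_code"
        if not mfa_passed:
            return "mfa_required"
        req.authorized_by = username
        return "authorized"

    def token(self, client_id, device_code):
        """POST /token with grant_type=device_code, polled by the requesting client."""
        req = self._pending.get(device_code)
        if req is None or req.client_id != client_id:
            return {"error": "invalid_grant"}
        if time.time() > req.expires_at:
            return {"error": "expired_token"}
        if req.authorized_by is None:
            return {"error": "authorization_pending"}
        del self._pending[device_code]
        del self._by_user_code[req.user_code]
        # The tokens are bound to the victim but delivered to the attacker's client.
        # The refresh token is what gives "persistent access" after the phish.
        return {"token_type": "Bearer", "scope": req.scope,
                "access_token": "at." + secrets.token_urlsafe(16),
                "refresh_token": "rt." + secrets.token_urlsafe(16),
                "subject": req.authorized_by}


def run_device_code_phish(server, attacker_client_id="attacker-app",
                          victim="alice@example.com"):
    """Walk the four steps and return what the attacker ends up holding."""
    # Steps 1 and 2: attacker obtains a code, then emails the user_code plus the
    # genuine verification link in a document-sharing themed lure.
    dc = server.device_authorization(
        attacker_client_id, "Mail.Read Files.ReadWrite offline_access")
    lure = ("Your shared document is ready. Open {} and enter code {} to view it."
            .format(dc["verification_uri"], dc["user_code"]))
    # The attacker polls while waiting; the server reports the code as pending.
    first_poll = server.token(attacker_client_id, dc["device_code"])
    # Steps 3 and 4: the victim follows the lure on the real page and passes MFA.
    outcome = server.user_completes_sign_in(dc["user_code"], victim, mfa_passed=True)
    tokens = server.token(attacker_client_id, dc["device_code"])
    return {"lure": lure, "first_poll": first_poll, "outcome": outcome, "tokens": tokens}
```

Because every page the victim sees is genuine, the control points are tenant-side: whether the tenant allows device code flow at all, and how quickly issued refresh tokens can be revoked once the sign-in is spotted.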

And while it is early days for the phishing platform, its popularity is steadily increasing.

“We’re observing gradual growth in activity alongside a clear expansion of underlying infrastructure. The threat actors are deploying new servers and access panels, which suggests the operation is maturing and scaling,” Steven Campbell, staff threat intelligence researcher at Arctic Wolf, told Cyber Daily.

“What’s particularly notable is the distribution model – Kali365 is being marketed through Telegram channels, which lowers the barrier to entry and enables rapid affiliate recruitment. This isn’t a single sophisticated group; it’s a commoditised capability that’s now accessible to less technical actors.”

Kali365, according to Campbell, is particularly dangerous because it can enable “advanced phishing operations” that lead to attacker-in-the-middle attacks, in which session tokens and credentials alike can be stolen. And because Kali365 uses legitimate Microsoft infrastructure, any activity appears normal to the victim.

“In practical terms, this means an attacker doesn’t need to build sophisticated tooling themselves,” Campbell said.

“They can stand up a campaign quickly and at scale. The platform provides AI-generated lures, automated campaign templates, and real-time dashboards for tracking compromised accounts.”

The FBI suggested several steps to defend against the toolkit:

  • Create a conditional access policy to block device code flow, with limited exceptions for essential processes.
  • Audit existing device code usage to identify legitimate dependencies.
  • Block authentication transfer policies to prevent users from transferring authentication to mobile devices.
  • If device code flow usage cannot be restricted, exclude emergency access accounts to prevent lockouts.
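The audit in the second step above, as an added example that is not from the article or the FBI PSA: Python triage of Entra ID sign-in log records that lists who is actually using device code flow and authentication transfer, so the Conditional Access policy can carry the right exclusions before it is enforced. The six records are constructed; the field names (authenticationProtocol, appDisplayName, userPrincipalName, ipAddress, location.countryOrRegion, status.errorCode) are my reading of the Microsoft Graph signIn resource and should be checked against a real export; known_dependencies and home_countries are inputs the operator supplies.

```python
"""Audit of device code flow and authentication transfer usage from sign-in logs.
Added example with constructed records; field names are assumptions modelled on
the Microsoft Graph signIn resource and must be verified against a live export."""
import json
from collections import defaultdict

# Constructed sign-in records, one JSON object per line (NOT real log data).
SAMPLE_SIGNINS = """\
{"createdDateTime":"2026-05-18T08:02:11Z","userPrincipalName":"build@example.com","appDisplayName":"Azure CLI","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.10","location":{"countryOrRegion":"AU"},"status":{"errorCode":0}}
{"createdDateTime":"2026-05-18T09:14:45Z","userPrincipalName":"alice@example.com","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.77","location":{"countryOrRegion":"NL"},"status":{"errorCode":0}}
{"createdDateTime":"2026-05-18T09:15:02Z","userPrincipalName":"alice@example.com","appDisplayName":"OfficeHome","authenticationProtocol":"none","ipAddress":"203.0.113.22","location":{"countryOrRegion":"AU"},"status":{"errorCode":0}}
{"createdDateTime":"2026-05-19T07:40:00Z","userPrincipalName":"build@example.com","appDisplayName":"Azure CLI","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.10","location":{"countryOrRegion":"AU"},"status":{"errorCode":0}}
{"createdDateTime":"2026-05-19T10:05:31Z","userPrincipalName":"bob@example.com","appDisplayName":"Microsoft Authenticator App","authenticationProtocol":"authenticationTransfer","ipAddress":"198.51.100.90","location":{"countryOrRegion":"NL"},"status":{"errorCode":0}}
{"createdDateTime":"2026-05-19T11:22:09Z","userPrincipalName":"carol@example.com","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.77","location":{"countryOrRegion":"NL"},"status":{"errorCode":50126}}
"""

# The two authentication flows the Conditional Access policy would restrict.
REVIEWED_PROTOCOLS = {"deviceCode", "authenticationTransfer"}


def parse_signins(text):
    """Parse newline-delimited JSON sign-in records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def summarize_flows(records):
    """Group reviewed-flow sign-ins by (protocol, app, user), keeping successes
    and failures apart; failed device code attempts are still worth a look."""
    summary = defaultdict(lambda: {"ok": 0, "failed": 0, "ips": set(),
                                   "countries": set(), "last": None})
    for r in records:
        proto = r.get("authenticationProtocol")
        if proto not in REVIEWED_PROTOCOLS:
            continue   # ordinary browser/app sign-ins are out of scope here
        entry = summary[(proto, r["appDisplayName"], r["userPrincipalName"])]
        entry["ok" if r["status"]["errorCode"] == 0 else "failed"] += 1
        entry["ips"].add(r["ipAddress"])
        entry["countries"].add(r["location"]["countryOrRegion"])
        ts = r["createdDateTime"]   # ISO-8601 UTC, so string order is time order
        entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)
    return dict(summary)


def classify(summary, known_dependencies, home_countries):
    """Label each grouping: 'expected' for a documented (app, user) dependency
    that belongs in the policy exclusion list, 'review-foreign' when any source
    country is outside home_countries, otherwise 'review'."""
    findings = []
    for (proto, app, user), e in sorted(summary.items()):
        if (app, user) in known_dependencies:
            verdict = "expected"
        elif e["countries"] - set(home_countries):
            verdict = "review-foreign"
        else:
            verdict = "review"
        findings.append({"protocol": proto, "app": app, "user": user,
                         "ok": e["ok"], "failed": e["failed"],
                         "countries": sorted(e["countries"]),
                         "last": e["last"], "verdict": verdict})
    return findings


if __name__ == "__main__":
    rows = classify(summarize_flows(parse_signins(SAMPLE_SIGNINS)),
                    known_dependencies={("Azure CLI", "build@example.com")},
                    home_countries={"AU"})
    for row in rows:
        print(row)
```

Run it over a real export (the Graph auditLogs/signIns endpoint or the SigninLogs table in Log Analytics) for at least one full business cycle: the 'expected' pairs become the policy's scoped exclusions, and every 'review-foreign' row is a candidate Kali365-style sign-in to investigate, starting with token revocation for that user.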

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.