FBI Warns About Kali365 Scam That Can Bypass Microsoft 365 Security Without Stealing Passwords
Cybercriminals are increasingly finding ways to bypass traditional security measures, and a new phishing toolkit known as Kali365 is raising concerns among cybersecurity experts and law enforcement agencies.
The Federal Bureau of Investigation (FBI) has issued a warning about the fast-growing scam, which targets Microsoft 365 users by capturing authentication tokens instead of stealing passwords. The technique allows attackers to gain access to services such as Outlook, Teams, and OneDrive while bypassing multifactor authentication (MFA), one of the most widely used security protections today.
Security researchers say the emergence of Kali365 highlights a shift in cybercrime tactics, where attackers focus on exploiting authentication systems rather than simply collecting usernames and passwords.
What Is Kali365?
Kali365 is a subscription-based phishing platform designed to help cybercriminals launch sophisticated attacks against Microsoft 365 users.
First identified in April 2026, the platform has reportedly been promoted through Telegram channels and underground cybercrime communities. According to cybersecurity company Bitdefender, access to the service costs as little as $250 per month or $2,000 annually.
What makes Kali365 particularly concerning is its ability to automate attacks that previously required advanced technical knowledge.
The FBI says the platform provides attackers with:
- AI-generated phishing messages
- Automated phishing campaign templates
- Real-time target tracking tools
- OAuth token capture capabilities
By packaging these tools into a ready-made service, Kali365 significantly lowers the barrier to entry for cybercriminals.
How The Attack Works
Unlike traditional phishing scams that attempt to steal passwords through fake login pages, Kali365 focuses on OAuth device codes.
OAuth is a widely used authorization system that allows applications to access user accounts without repeatedly requiring passwords. Microsoft uses this system across many of its cloud-based services.
The attack typically begins when a victim receives a phishing email that appears to come from a legitimate cloud service or trusted organization.
The email contains a device code and instructs the user to visit an authentic Microsoft verification page.
Because the website itself is legitimate, users often see no obvious signs of fraud.
Once the victim enters the code and approves the sign-in, the OAuth token generated by that legitimate flow is issued to the attacker rather than to a device the victim controls. That token can then be used to access the victim’s Microsoft 365 account without requiring a password or additional authentication.
Why The Scam Is Difficult To Detect
One reason security experts are particularly concerned about Kali365 is that it removes many of the warning signs people have been taught to look for.
Traditional phishing attacks often rely on fake websites, suspicious URLs, or misspelled domain names. In a Kali365 attack, none of those indicators may exist.
Victims are directed to a genuine Microsoft verification page, making the request appear legitimate.
As a result, even security-conscious users may struggle to recognize the attack before it is too late.
Researchers reported hundreds of Kali365-related attacks within weeks of the platform’s emergence, suggesting that adoption among cybercriminals is accelerating rapidly.
Why Multifactor Authentication Alone May Not Be Enough
Multifactor authentication remains one of the most effective security measures available, but Kali365 demonstrates that it is not immune to exploitation.
Instead of defeating MFA directly, attackers trick users into authorizing access themselves through legitimate authentication workflows.
The result is that attackers obtain a valid access token that allows them to operate inside the account as if they were the authorized user.
This technique has become increasingly attractive to cybercriminals because it avoids triggering many traditional security alerts associated with password theft.
How Microsoft 365 Users Can Protect Themselves
The FBI advises users to be extremely cautious when receiving unexpected requests involving device codes or authentication prompts.
Users should:
- Never enter a device code that they did not personally request
- Verify unexpected authentication requests through trusted channels
- Review active sessions and connected applications regularly
- Enable additional account monitoring and security alerts
- Report suspected phishing attempts immediately
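Because the sign-in in a device-code attack happens on a genuine Microsoft page, the defender's signal lives in the tenant's sign-in logs rather than in URLs. The following Python triage, added here as an example and not code from the article, the FBI or Bitdefender, assumes log records shaped like Microsoft Entra sign-in entries (the Graph `authenticationProtocol` field with value `deviceCode`) and a constructed allow-list of users and networks that legitimately use the device-code flow.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample records shaped like Microsoft Entra sign-in log entries.
# Field names follow the Graph signIn resource; all values are made up.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-04-21T09:02:11Z", "userPrincipalName": "a.lee@example.com",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.7",
     "appDisplayName": "Microsoft Teams", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-04-21T09:05:40Z", "userPrincipalName": "a.lee@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.23",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-04-21T10:17:03Z", "userPrincipalName": "it-kiosk@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.40",
     "appDisplayName": "Microsoft Azure CLI", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-04-21T10:20:19Z", "userPrincipalName": "b.khan@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "192.0.2.99",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 50199}},
]

# Networks and users for which device-code sign-ins are expected (constructed).
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
DEVICE_CODE_ALLOWLIST = {"it-kiosk@example.com"}

@dataclass
class Finding:
    when: str; user: str; ip: str; app: str; severity: str; reason: str

def _is_trusted_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)

def triage_device_code_signins(records):
    """One Finding per successful device-code sign-in, ranked by how far it departs
    from expected use. The recorded IP is the client that received the token, which
    in a phishing case is not the person who typed the code."""
    findings = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue  # ordinary interactive or app sign-in
        if r.get("status", {}).get("errorCode", 0) != 0:
            continue  # failed attempt: no token was issued
        user, ip = r["userPrincipalName"], r["ipAddress"]
        if user in DEVICE_CODE_ALLOWLIST and _is_trusted_ip(ip):
            sev, why = "low", "expected device-code user on a trusted network"
        elif _is_trusted_ip(ip):
            sev, why = "medium", "device-code sign-in by a user not expected to use it"
        else:
            sev, why = "high", "device-code token issued to an untrusted network"
        findings.append(Finding(r["createdDateTime"], user, ip, r["appDisplayName"], sev, why))
    return findings

if __name__ == "__main__":
    for f in triage_device_code_signins(SAMPLE_SIGNINS):
        print(f"[{f.severity.upper()}] {f.when} {f.user} via {f.app} from {f.ip}: {f.reason}")
```

High-severity findings are the ones to reconcile with the user and, if unexplained, to follow up by revoking the account's sessions, which matches the article's advice to review active sessions regularly.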
Anyone who believes they may have been targeted by a Kali365 attack can also file a report through the FBI’s Internet Crime Complaint Center.
A New Era Of Phishing Threats
The rise of Kali365 reflects a broader evolution in cybercrime. Attackers are increasingly focusing on authentication tokens, session credentials, and authorization systems rather than traditional passwords.
For organizations and individuals alike, the lesson is becoming clear: cybersecurity is no longer just about protecting passwords. It is about protecting the entire authentication process.
As phishing kits become more automated and AI-driven, experts warn that attacks like Kali365 could become increasingly common, making user awareness and vigilance more important than ever.
Source: INC