
FBI warns about fast-growing phishing kit targeting Microsoft 365 users

The FBI is warning organizations and defenders about Kali365, a growing phishing-as-a-service platform that retrieves Microsoft 365 access tokens, issuing a public service announcement Thursday.

The toolkit bypasses multi-factor authentication and abuses OAuth device code authorizations via phishing lures impersonating common enterprise services. This technique grants cybercriminal-controlled applications access to Microsoft 365 accounts, opening victims up to a host of follow-on malicious activity, including data theft, fraud, extortion and ransomware attacks.

Kali365 is one of many rapidly emerging device-code phishing tools, which are gaining popularity as a more effective means for cybercriminals to circumvent security controls while abusing legitimate Microsoft device authorization pages, according to researchers.

Instead of gaining access to accounts via phishing kits that steal credentials and second-factor authentication codes, device-code phishing platforms connect a malicious app to a legitimate account with a single code. The process requires fewer steps and less interaction with the user, but victims do have to copy-and-paste a code generated by the Kali365 platform to grant access.

“We see quite a bit of this device-code phishing activity, but so much of it looks really similar. They’re all using the same types of lures, the same types of content, the same branding,” Selena Larson, senior threat researcher at Proofpoint, told CyberScoop. “It is very much AI generated, AI driven, and the threat actors, I think, are finding it pretty effective because we’re seeing this shift happen kind of all at once.”

Proofpoint researchers observed seven device-code phishing tools that looked nearly identical during a 10-day period last month.

Device-code phishing isn’t new, but platforms like Kali365 have integrated new techniques that differ from MFA phishing, and might be more effective as a result. “It’s something that people might not be used to. It’s a little bit sleeker,” Larson said.

This also partly explains why these cybercriminal tools are growing so quickly. Larson said Proofpoint observed an explosion in device-code phishing activity starting in February.

By April, Kali365 was up and running and primarily distributed on Telegram, according to the FBI. “Kali365 lowers the barrier of entry, providing less-technical attackers access to AI-generated phishing lures, automated campaign templates, real-time targeted individual/entity tracking dashboards, and OAuth token capture capabilities,” the agency said in the public warning.

Researchers at Arctic Wolf Labs, which has also been tracking large-scale campaigns linked to Kali365, said the platform charges affiliates $250 for 30 days of service or $2,000 for a full year.

Kali365 stores the OAuth access and refresh tokens it captures, and makes those available to affiliates on its platform. Those tokens can also be shared and reused by other cybercriminals who didn’t participate in the initial phishing lure, Arctic Wolf researchers added.

The FBI also noted that these Microsoft 365 tokens provide persistent access, allowing attackers to wade through multiple Microsoft services without a password or additional MFA requests.

“Identity can be very, very powerful once you’re in an organization,” Larson said, adding that attackers can abuse that access to impersonate people, access and steal data for extortion, commit fraud and deploy malware.

The post FBI warns about fast-growing phishing kit targeting Microsoft 365 users appeared first on CyberScoop.

Outlook rules move online

ISSUE 23.19 • 2026-05-11 MICROSOFT 365 By Peter Deegan Outlook email rules are undergoing a major — and mostly unheralded — change. They’re going online. If the mailbox is stored online in a Microsoft-hosted service such as Outlook.com or Microsoft 365, then Outlook rules will run only in the cloud, not locally on your PC. […]

The state of play: Microsoft 365 and Copilot

MICROSOFT 365 By Peter Deegan Copilot for Microsoft 365 is changing plans, prices, and features so often that it’s hard for anyone to keep up. Microsoft has just changed Copilot arrangements for business and enterprise users. It’s not easy to keep track of what’s available when there are around 80 different products with the Copilot […]

Microsoft Experimentation and Configuration Service (ECS)

I received a call from a friend yesterday morning asking me to remove something from Outlook. It just showed up. “It” was a Copilot icon on the left edge of the message block when writing an email. A grayed-out instruction suggesting using Copilot has been in the message block for some time, but it vanishes […]

Microsoft 365 — and the Mac Neo

MICROSOFT 365 By Peter Deegan Windows users often ask me about switching to a Mac and, most recently, the new and economical Mac Neo. For most everyday users, it’s a good alternative. Mac Neo is Apple’s most affordable laptop. It’s not a powerhouse, but it handles Microsoft Office well, plays very well with iPhones, and […]

Publisher features we’ll lose — and Word alternatives

MICROSOFT 365 By Peter Deegan With the end of Microsoft Publisher getting ever closer, let’s look at which features will disappear. Some have rough equivalents in Word, but others will go MIA. Publisher and Word might seem similar because they can both make paper documents, but their underlying bases are quite different. It’s about content […]

Augmenting Security Testing and Analysis Activities with Microsoft 365 Products

Use of Microsoft 365 products in security testing is not a new concept. For a long time, I’ve incorporated various activities using Office products into my testing regimen. In the […]

The post Augmenting Security Testing and Analysis Activities with Microsoft 365 Products appeared first on Black Hills Information Security, Inc.

Wrangling the M365 UAL with SOF-ELK and CSV Data (Part 3 of 3)

Patterson Cake // PART 1 PART 2 In part one of “Wrangling the M365 UAL,” we talked about acquiring, parsing, and querying UAL data using PowerShell and SOF-ELK. In part […]

The post Wrangling the M365 UAL with SOF-ELK and CSV Data (Part 3 of 3) appeared first on Black Hills Information Security, Inc.

Wrangling the M365 UAL with SOF-ELK on EC2 (Part 2 of 3)

Patterson Cake // In PART 1 of “Wrangling the M365 UAL,” we talked about the value of the Unified Audit Log (UAL), some of the challenges associated with acquisition, parsing, […]

The post Wrangling the M365 UAL with SOF-ELK on EC2 (Part 2 of 3) appeared first on Black Hills Information Security, Inc.

Wrangling the M365 UAL with PowerShell and SOF-ELK (Part 1 of 3)

Patterson Cake // When it comes to M365 audit and investigation, the “Unified Audit Log” (UAL) is your friend. It can be surly, obstinate, and wholly inadequate, but your friend […]

The post Wrangling the M365 UAL with PowerShell and SOF-ELK (Part 1 of 3) appeared first on Black Hills Information Security, Inc.

Spoofing Microsoft 365 Like It’s 1995

Steve Borosh // Why Phishing? Those of us on the offensive side of security often find ourselves in the position to test our clients’ resilience to phishing attacks. According to […]

The post Spoofing Microsoft 365 Like It’s 1995 appeared first on Black Hills Information Security, Inc.
