The FBI is warning about a phishing-as-a-service platform, called Kali365, that allows hackers to access Microsoft 365 tokens and bypass multifactor authentication without a user’s credentials.
The Kali365 platform subscription lets hackers access OAuth tokens and gain persistent access to the M365 environments of targeted organizations or individuals, according to an FBI advisory released Thursday.
The platform subscription serves as an entry point for less sophisticated attackers. The platform offers access to AI-generated phishing lures, dashboards to track targeted victims, automated templates and other benefits.
The attacks use phishing emails that impersonate trusted cloud productivity and document sharing services, the FBI said. Each email carries a device code and instructs the recipient to visit a legitimate Microsoft verification page and paste the code in.
Once the victim completes that step, the attacker obtains OAuth access and refresh tokens for the account. Those tokens grant access to the Microsoft 365 account and its services, including Teams, Outlook and OneDrive.
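Because the flow described above ends with a genuine sign-in on Microsoft's own infrastructure, the most reliable place to spot it is the tenant's sign-in log rather than the mail gateway. The following is an added example, not code from the FBI advisory, Arctic Wolf or Microsoft: it scans a constructed sign-in export for completions of the OAuth device authorization grant and groups them by source IP, since the campaign Arctic Wolf describes originated mainly from a single address. The record layout (`authenticationProtocol`, `ipAddress`, `userPrincipalName`, `createdDateTime`) follows the Microsoft Graph `signIn` resource as I recall it; treat those field names as assumptions and check them against your own export.

```python
"""Flag device code sign-ins in an Entra ID sign-in export.

Added example, not code from the FBI advisory or from Arctic Wolf. Field
names assume the Microsoft Graph `signIn` resource shape; verify against
your tenant's actual export before relying on them.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not real log data). Two users complete a device
# code flow from the same IP a few minutes apart; a third is an ordinary
# interactive OAuth sign-in from elsewhere and must not be flagged.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2025-04-02T09:14:03Z", "userPrincipalName": "alice@example.test",
     "ipAddress": "203.0.113.10", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office"},
    {"createdDateTime": "2025-04-02T09:21:47Z", "userPrincipalName": "bob@example.test",
     "ipAddress": "203.0.113.10", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office"},
    {"createdDateTime": "2025-04-02T09:30:00Z", "userPrincipalName": "carol@example.test",
     "ipAddress": "198.51.100.7", "authenticationProtocol": "oAuth2",
     "appDisplayName": "OfficeHome"},
]


def device_code_signins(records):
    """Return only sign-ins completed via the OAuth device authorization grant."""
    return [r for r in records if r.get("authenticationProtocol") == "deviceCode"]


def ips_with_multiple_users(records, min_users=2):
    """Map each source IP to the sorted list of users who completed a device
    code flow from it, keeping only IPs that account for at least `min_users`
    distinct identities. One IP finishing the flow for many accounts is the
    shape of the campaign described in the article."""
    by_ip = defaultdict(set)
    for r in device_code_signins(records):
        by_ip[r["ipAddress"]].add(r["userPrincipalName"])
    return {ip: sorted(users) for ip, users in by_ip.items() if len(users) >= min_users}


def _parse_ts(value):
    # Graph timestamps end in 'Z'; fromisoformat wants an explicit offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def findings(records, min_users=2):
    """Produce one alert line per suspicious IP for a SOC queue, with the
    time span over which that IP completed device code sign-ins."""
    out = []
    for ip, users in ips_with_multiple_users(records, min_users).items():
        times = [_parse_ts(r["createdDateTime"])
                 for r in device_code_signins(records) if r["ipAddress"] == ip]
        first, last = min(times), max(times)
        out.append(f"{ip}: device code sign-ins for {len(users)} users "
                   f"({', '.join(users)}) between {first.isoformat()} and {last.isoformat()}")
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_SIGNINS):
        print(line)
```

In practice the input would be the JSON returned by the Graph sign-in endpoint or a SIEM export of the same data, and the `min_users` threshold would be tuned to the tenant; a single device code sign-in from a user who never uses CLI tooling is worth a look on its own. The preventive counterpart is to restrict or block the device code flow for users who have no business need for it, which Microsoft exposes as a Conditional Access authentication-flows condition.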
Arctic Wolf researchers said the Kali365 infrastructure lowers the barrier to entry for potential attackers.
“Because it leverages legitimate Microsoft infrastructure, the activity can appear normal to the victim, which makes it harder to detect,” said Steven Campbell, staff threat intelligence researcher at cybersecurity firm Arctic Wolf. “In practical terms, this means an attacker doesn’t need to build sophisticated tooling themselves. They can stand up a campaign quickly and at scale.”
The FBI warning comes about a month after a report by Arctic Wolf on an operation that used the Kali365 platform. Researchers said they have been tracking a widespread device code phishing campaign since early April.
The campaign originated mainly from a single IP address and operated across North America, Europe, the Middle East and Africa. Its targets included organizations in manufacturing, education, insurance, finance, healthcare and government.
The campaign uncovered by Arctic Wolf is similar to a separate device code phishing operation tracked by Huntress. Starting in February, the campaign targeted Microsoft 365 identities across more than 340 organizations in the U.S., Canada, Australia, New Zealand and Germany.
Attackers in that campaign weaponized Railway.com, a platform-as-a-service that was built for vibe coding. Railway was abused to develop on-demand credential harvesting infrastructure, according to Huntress.
Huntress and Flare.io in March attributed the Railway attacks to the Evil Tokens phishing-as-a-service platform.
Researchers at Proofpoint reported in December how state-linked and criminal actors were using device-code phishing to gain access to Microsoft 365 accounts.
A Microsoft spokesperson said security teams should follow the guidance provided by the FBI. Microsoft also pointed to its own best-practice advice on protecting against scams.
The FBI declined to provide any additional comment beyond the alert.