




















A new phishing-as-a-service (PhaaS) platform called Kali365 is being distributed in the wild, primarily via Telegram, the FBI has warned.
First detected in April 2026, Kali365 provides cyber threat actors with access to AI-generated phishing lures, automated campaign templates and real-time targeted individual and entity tracking dashboards.
It also enables individuals with little technical skill to capture OAuth tokens – Microsoft 365 access tokens – and bypass multifactor authentication (MFA) protocols without intercepting the user's credentials.
Through the Kali365 platform subscription, cyber threat actors can gain persistent access to targeted individuals/entities' Microsoft 365 environments.
In a typical attack chain, detailed by the FBI in an advisory published on May 21, an attacker initiates the scam by sending a phishing email that impersonates trusted cloud productivity and document-sharing services.
This email contains a device code along with instructions to visit a legitimate Microsoft verification page and enter the code.
Victims navigate to the real Microsoft page and paste in the device code, thereby unknowingly authorizing the attacker's device to access their account.
The attacker then captures OAuth access and refresh tokens, which grant them access to the targeted individuals' or entities' Microsoft 365 account.
With these tokens in hand, the attacker can now access Microsoft 365 services such as Outlook, Teams and OneDrive without needing a password or completing any additional MFA challenges, thus establishing persistence in the compromised account.
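For defenders, the sign-in at the end of this chain can be hunted for in sign-in logs. The following is an added example, not taken from the FBI advisory or the original article: it flags successful device code sign-ins in constructed log records. The field names assume the Microsoft Graph signIn export shape, and the "IP not seen before for this user" severity rule is an illustrative heuristic.

```python
import json
from collections import defaultdict

# Constructed sign-in records (JSON lines). Field names are assumed to follow
# the Microsoft Graph signIn resource; every value here is invented.
SAMPLE_LOG = """
{"createdDateTime": "2026-05-20T08:01:00Z", "userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.10", "authenticationProtocol": "none", "status": {"errorCode": 0}}
{"createdDateTime": "2026-05-20T09:15:00Z", "userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.77", "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}}
{"createdDateTime": "2026-05-20T09:20:00Z", "userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.20", "authenticationProtocol": "none", "status": {"errorCode": 0}}
{"createdDateTime": "2026-05-20T10:02:00Z", "userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.20", "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}}
{"createdDateTime": "2026-05-20T10:30:00Z", "userPrincipalName": "carol@example.com", "ipAddress": "203.0.113.77", "authenticationProtocol": "deviceCode", "status": {"errorCode": 99999}}
"""


def find_device_code_signins(log_text):
    """Return alerts for successful device code sign-ins, oldest first."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    # ISO 8601 UTC timestamps in one format sort correctly as strings.
    events.sort(key=lambda e: e["createdDateTime"])
    seen_ips = defaultdict(set)  # user -> IPs of earlier successful sign-ins
    alerts = []
    for e in events:
        user, ip = e["userPrincipalName"], e["ipAddress"]
        succeeded = e.get("status", {}).get("errorCode") == 0  # nonzero = failed
        if succeeded and e.get("authenticationProtocol") == "deviceCode":
            # Heuristic (assumption of this example): a device code sign-in
            # from an IP with no history for the user is reviewed first.
            severity = "medium" if ip in seen_ips[user] else "high"
            alerts.append({"time": e["createdDateTime"], "user": user,
                           "ip": ip, "severity": severity})
        if succeeded:
            seen_ips[user].add(ip)
    return alerts


if __name__ == "__main__":
    for alert in find_device_code_signins(SAMPLE_LOG):
        print(alert)
```

Because the captured refresh token outlives the initial sign-in, an alert is a prompt to review and revoke the user's sessions, not only to reset the password.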
To mitigate the threat of being targeted by Kali365-enabled cybercriminals, the FBI recommended the following measures: