

















Law enforcement and experts express concern over a phishing service marketed via Telegram that “lowers the barrier to entry and enables rapid affiliate recruitment”.
The United States FBI has released a public service announcement (PSA) warning of a newly emerged phishing-as-a-service (PhaaS) platform: Kali365.
First observed in April 2026, the platform is marketed and distributed via the Telegram messaging service.
“Through the Kali365 platform subscription, cyber threat actors can capture ‘OAuth’ tokens and gain persistent access to targeted individuals/entities’ Microsoft 365 environments,” the FBI said in a 21 May PSA.
“Kali365 lowers the barrier of entry, providing less-technical attackers access to AI-generated phishing lures, automated campaign templates, real-time targeted individual/entity tracking dashboards, and OAuth token capture capabilities.”
The scam works in four steps. It begins with a phishing email that appears to be from a “trusted cloud productivity and document-sharing service” and contains a device code and a link to a legitimate Microsoft verification page, which in turn leads to the victim authorising the attacker’s device.
The attacker can then capture OAuth tokens, which grant them access to the victim’s Microsoft 365 services without needing a password or bypassing multifactor authentication challenges.
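For defenders, the device code step described above leaves a trace in sign-in logs. The following is an added example, not taken from the FBI PSA or from Arctic Wolf: a baseline check that flags successful device code sign-ins that are new for a user or arrive from an IP address that user has not signed in from before. The record layout is an assumption (field names modelled on Entra ID sign-in log exports, flattened), and the sample records are constructed.

```python
import json
from collections import defaultdict

# Constructed sample records (one JSON object per line); the layout is an assumption.
SAMPLE_LOG = """\
{"createdDateTime":"2026-05-18T08:02:11Z","userPrincipalName":"ana@example.com","ipAddress":"198.51.100.10","authenticationProtocol":"none","errorCode":0}
{"createdDateTime":"2026-05-18T09:15:00Z","userPrincipalName":"ben@example.com","ipAddress":"192.0.2.5","authenticationProtocol":"none","errorCode":0}
{"createdDateTime":"2026-05-19T09:20:00Z","userPrincipalName":"ben@example.com","ipAddress":"192.0.2.5","authenticationProtocol":"deviceCode","errorCode":0}
{"createdDateTime":"2026-05-20T09:21:00Z","userPrincipalName":"ben@example.com","ipAddress":"192.0.2.5","authenticationProtocol":"deviceCode","errorCode":0}
{"createdDateTime":"2026-05-21T13:40:52Z","userPrincipalName":"ana@example.com","ipAddress":"203.0.113.77","authenticationProtocol":"deviceCode","errorCode":0}
"""

def find_suspicious_device_code_signins(log_text):
    """Return successful device code sign-ins that break the user's own baseline."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    # Same-format ISO 8601 UTC timestamps sort correctly as strings.
    events.sort(key=lambda e: e["createdDateTime"])

    seen_ips = defaultdict(set)   # user -> IPs of earlier successful sign-ins
    device_code_users = set()     # users who have already used the device code flow
    findings = []

    for e in events:
        if e.get("errorCode") != 0:
            continue  # only completed authorisations yield tokens
        user = e["userPrincipalName"].lower()
        ip = e["ipAddress"]
        if e.get("authenticationProtocol") == "deviceCode":
            reasons = []
            if user not in device_code_users:
                reasons.append("first device code sign-in for user")
            if ip not in seen_ips[user]:
                reasons.append("IP not previously seen for user")
            if reasons:
                findings.append({"time": e["createdDateTime"], "user": user,
                                 "ip": ip, "reasons": reasons})
            device_code_users.add(user)
        seen_ips[user].add(ip)
    return findings

if __name__ == "__main__":
    for f in find_suspicious_device_code_signins(SAMPLE_LOG):
        print(f["time"], f["user"], f["ip"], "; ".join(f["reasons"]))
```

A finding with both reasons, like the constructed one for ana@example.com, deserves the first look; a single "first device code sign-in" from a known IP is more often a legitimate CLI or shared-device login.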
And while it is early days for the phishing platform, its popularity is steadily increasing.
“We’re observing gradual growth in activity alongside a clear expansion of underlying infrastructure. The threat actors are deploying new servers and access panels, which suggests the operation is maturing and scaling,” Steven Campbell, staff threat intelligence researcher at Arctic Wolf, told Cyber Daily.
“What’s particularly notable is the distribution model – Kali365 is being marketed through Telegram channels, which lowers the barrier to entry and enables rapid affiliate recruitment. This isn’t a single sophisticated group; it’s a commoditised capability that’s now accessible to less technical actors.”
Kali365, according to Campbell, is particularly dangerous because it can enable “advanced phishing operations” that lead to attacker-in-the-middle attacks, in which session tokens and credentials alike can be stolen. And because Kali365 uses legitimate Microsoft infrastructure, any activity appears normal to the victim.
“In practical terms, this means an attacker doesn’t need to build sophisticated tooling themselves,” Campbell said.
“They can stand up a campaign quickly and at scale. The platform provides AI-generated lures, automated campaign templates, and real-time dashboards for tracking compromised accounts.”
The FBI suggested several steps to defend against the toolkit:
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.