FBI: Kali365 PhaaS Steals Microsoft 365 OAuth Tokens
FBI warns Microsoft 365 users of Kali365, a phishing-as-a-service that captures OAuth access and refresh tokens via device-code phishing to bypass MFA and maintain access to Outlook, Teams and OneDrive.
The FBI issued an advisory about Kali365, a phishing-as-a-service platform that captures OAuth access and refresh tokens for Microsoft 365 accounts. The agency warned the tool can bypass multi-factor authentication and give attackers persistent access to services such as Outlook, Teams and OneDrive.
Kali365 was first observed last month and is distributed mainly through Telegram. The platform operates on a subscription model, enabling subscribers to run campaigns without writing code or building phishing pages from scratch.
The attack uses targeted phishing emails that include a device code and instructions to enter it on a legitimate Microsoft verification page. When a user pastes the code, the verification process can grant access to an attacker-controlled application instead of the user’s device. The technique captures OAuth access and refresh tokens without intercepting the user’s password.
The FBI noted the platform provides features that reduce the technical skill needed to run campaigns. Kali365 offers AI-generated phishing lures, automated campaign templates and real-time tracking dashboards to monitor targeted individuals or organizations. Captured access tokens let attackers access M365 services without further MFA prompts, and refresh tokens can allow long-term access.
To reduce exposure, the advisory recommends that organizations limit or block device code authentication flows through Conditional Access policies, and that they audit existing legitimate uses of the flow before making changes. The agency also recommends restricting how many device codes a user can generate, blocking the transfer of authentication from computers to mobile devices, and excluding emergency access accounts from device-code flows. The FBI asked victims of phishing emails, suspicious logins or unauthorized device connections to report incidents to the Internet Crime Complaint Center (IC3).
The advisory notes Kali365 is part of a broader trend in commercialized phishing toolkits that have become more accessible. Earlier this year, law enforcement and Microsoft disrupted a PhaaS called Tycoon that targeted Microsoft 365 logins, and Microsoft previously worked with partners to take down another PhaaS aimed at stealing Microsoft credentials. Microsoft did not immediately comment on the FBI notice.
The bureau emphasized the initial attack vector remains a standard phishing email. Users are urged not to follow unexpected links or enter device codes received by email without verifying the request, and administrators should review authentication policies and monitor for unusual token activity.
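The audit step the advisory recommends before restricting device code flows, and the monitoring for unusual token activity it urges on administrators, can both be done over Entra ID sign-in logs. The following is an added example, not code from the FBI advisory or from Microsoft; the records are constructed and shaped after the Microsoft Graph signIn resource (where `authenticationProtocol` is `deviceCode` for this flow), and the approved-app allow-list is a hypothetical placeholder an organization would fill from its own audit.

```python
from collections import defaultdict

# Constructed sample records shaped after the Microsoft Graph signIn resource
# (authenticationProtocol == "deviceCode" marks the device code flow). Not real data.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Azure CLI",
     "authenticationProtocol": "deviceCode", "location": {"countryOrRegion": "US"}},
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "oAuth2", "location": {"countryOrRegion": "US"}},
    {"userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "oAuth2", "location": {"countryOrRegion": "US"}},
    {"userPrincipalName": "bob@example.com", "appDisplayName": "Mail Sync Tool (constructed)",
     "authenticationProtocol": "deviceCode", "location": {"countryOrRegion": "NL"}},
]

# Hypothetical allow-list: apps this organization has confirmed legitimately need device code.
APPROVED_DEVICE_CODE_APPS = {"Microsoft Azure CLI"}

def device_code_signins(records):
    """Keep only sign-ins completed through the device code flow."""
    return [r for r in records if r.get("authenticationProtocol") == "deviceCode"]

def audit_device_code_usage(records):
    """Per-app count and users of device code sign-ins: the audit to run before blocking the flow."""
    summary = defaultdict(lambda: {"count": 0, "users": set()})
    for r in device_code_signins(records):
        summary[r["appDisplayName"]]["count"] += 1
        summary[r["appDisplayName"]]["users"].add(r["userPrincipalName"])
    return {app: {"count": v["count"], "users": sorted(v["users"])}
            for app, v in summary.items()}

def flag_suspicious(records, approved=APPROVED_DEVICE_CODE_APPS):
    """Flag device code sign-ins to unapproved apps or from a country the user never used otherwise."""
    usual = defaultdict(set)  # baseline countries per user, from non-device-code sign-ins
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            usual[r["userPrincipalName"]].add(r["location"]["countryOrRegion"])
    flagged = []
    for r in device_code_signins(records):
        reasons = []
        if r["appDisplayName"] not in approved:
            reasons.append("app not approved for device code")
        baseline = usual.get(r["userPrincipalName"])
        if baseline and r["location"]["countryOrRegion"] not in baseline:
            reasons.append("country differs from user's other sign-ins")
        if reasons:
            flagged.append((r["userPrincipalName"], r["appDisplayName"], reasons))
    return flagged
```

On the sample data the audit shows one legitimate CLI user to exclude from a block, while bob's device-code sign-in is flagged on both counts; a real deployment would feed exported sign-in log JSON into the same functions.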