FBI: Kali365 phishing kit steals Microsoft 365 tokens
The FBI warns Kali365, a phishing‑as‑a‑service, harvests Microsoft 365 OAuth access and refresh tokens via device‑code sign‑in scams, bypassing multi‑factor authentication and enabling persistent access.
The FBI issued an advisory about Kali365, a phishing‑as‑a‑service platform that harvests Microsoft 365 OAuth access and refresh tokens. The advisory says attackers use a device‑code sign‑in scam to bypass multi‑factor authentication and gain ongoing access to Outlook, OneDrive, Teams and other Microsoft services.
The campaign begins with a message that appears to be a document share or Teams invitation and includes a short device code plus instructions to enter it at Microsoft’s device sign‑in page. Victims are sent to a real Microsoft URL used for device authentication, complete the familiar sign‑in and consent screens, and may see their organization’s branding. Because the pages are genuine and no password is entered into a suspicious form, users may not recognize the activity as malicious.
When a user submits the device code and approves the request, the attacker’s endpoint receives OAuth access and refresh tokens tied to the victim’s account. Access tokens allow immediate interaction with services. Refresh tokens can be exchanged for new access tokens over time, permitting continued access until the tokens are revoked or expire.
Compromised accounts can be used to read incoming messages, including password reset emails; access files stored in OneDrive or SharePoint; and send phishing messages from the victim’s address to coworkers, customers or personal contacts. Because activity originates from a trusted account, follow‑on attacks and lateral compromise may be easier to carry out.
The bureau advised users not to enter a code at a Microsoft sign‑in page unless they initiated the sign‑in on their own device. Users should read consent prompts carefully and treat unexpected document shares, file access requests or Teams invitations with suspicion, even when the sign‑in page appears legitimate.
Account owners can review active sessions and devices at https://account.microsoft.com/devices/. The advisory recommends removing unfamiliar devices, changing account passwords, reviewing security settings and revoking sessions or tokens when unauthorized activity is suspected, because refresh tokens remain valid until revoked or expired.
The advisory notes Kali365 is sold as a subscription service that lowers the technical barrier for attackers. Initial reports have focused on organizations, but the same technique can target consumer Microsoft 365, Outlook and OneDrive accounts.
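The device-code sign-ins described above leave a distinct trace in Microsoft Entra sign-in logs. The following is an added detection example, not code from the FBI advisory or from Microsoft: it runs over constructed sample records shaped like Microsoft Graph signIn items (field names such as `authenticationProtocol` and its `deviceCode` value are assumed to match that resource) and surfaces device-code sign-ins, prioritizing those from an IP the user has never used in a normal sign-in, so an analyst can review them and revoke sessions where the activity is unauthorized.

```python
# Added example: flag device-code sign-ins in Entra ID sign-in records.
# SAMPLE_SIGNINS are constructed records in the shape of Microsoft Graph
# /auditLogs/signIns items; the field names are an assumption, not a quote.
from collections import defaultdict
from typing import Dict, List, Set

SAMPLE_SIGNINS = [  # constructed sample data, not real log lines
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10",
     "authenticationProtocol": "oAuth2", "createdDateTime": "2024-05-01T08:00:00Z"},
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10",
     "authenticationProtocol": "oAuth2", "createdDateTime": "2024-05-02T08:05:00Z"},
    {"userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.77",
     "authenticationProtocol": "deviceCode", "createdDateTime": "2024-05-03T14:21:00Z"},
    {"userPrincipalName": "bob@example.com", "ipAddress": "203.0.113.22",
     "authenticationProtocol": "deviceCode", "createdDateTime": "2024-05-03T09:00:00Z"},
    {"userPrincipalName": "bob@example.com", "ipAddress": "203.0.113.22",
     "authenticationProtocol": "oAuth2", "createdDateTime": "2024-05-01T09:00:00Z"},
]


def baseline_ips(records: List[dict]) -> Dict[str, Set[str]]:
    """IP addresses each user has signed in from with a non-device-code flow."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for r in records:
        if r["authenticationProtocol"] != "deviceCode":
            seen[r["userPrincipalName"]].add(r["ipAddress"])
    return seen


def flag_device_code_signins(records: List[dict]) -> List[dict]:
    """Return every device-code sign-in, marking those from an IP the user has
    never used normally. Those are reviewed first; if unauthorized, the
    session must be revoked, since refresh tokens stay valid until revoked."""
    known = baseline_ips(records)
    flagged = []
    for r in records:
        if r["authenticationProtocol"] != "deviceCode":
            continue
        flagged.append({
            "user": r["userPrincipalName"],
            "ip": r["ipAddress"],
            "time": r["createdDateTime"],
            "new_ip": r["ipAddress"] not in known[r["userPrincipalName"]],
        })
    # Unfamiliar-IP sign-ins sort first, then by time.
    return sorted(flagged, key=lambda f: (not f["new_ip"], f["time"]))


if __name__ == "__main__":
    for f in flag_device_code_signins(SAMPLE_SIGNINS):
        tag = "REVIEW" if f["new_ip"] else "known "
        print(f"{tag} {f['user']} {f['ip']} {f['time']}")
```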