The Federal Bureau of Investigation warned Monday that a phishing platform known as Kali365 is being used to compromise Microsoft 365 accounts by subverting multi-factor authentication — a security mechanism widely relied upon to protect user accounts.
In a public service announcement posted June 15, the FBI described Kali365 as a Phishing-as-a-Service (PhaaS) platform distributed mainly on the Telegram messaging service. The platform equips attackers with tools to bypass the additional layer of security that multi-factor authentication provides, without needing the user’s actual log-in credentials.
The scam unfolds through a device-code phishing technique. Attackers send emails that appear to come from a reputable cloud or document-sharing service. The emails contain a code and instructions to visit a real Microsoft verification page, where the victim is asked to enter the code. When the victim does so, they authorize the attacker’s device to access their account — without recognizing the request is malicious.
Once authenticated, the attacker gains access to the victim’s Microsoft 365 services, including Outlook email, Microsoft Teams, and OneDrive cloud storage. The FBI noted that the breach does not require the victim to reveal their password, making it harder for the target to detect the intrusion.
“Kali365 lowers the barrier of entry, providing less-technical attackers access to AI-generated phishing lure, automated campaign templates, real-time targeted individual/entity tracking dashboards, and OAuth token capture capabilities,” the FBI said in the announcement.
The bureau said it first detected the Kali365 phishing campaign in April. Since then, the platform has continued to be advertised and distributed on Telegram.
The FBI offered a set of protective measures, urging users who receive suspicious emails or notice unauthorized logins from unknown devices to report the activity to the Internet Crime Complaint Center. The agency also advised against opening click links that contain access codes the user did not request.
The warning adds to an ongoing series of cybersecurity alerts as Phishing-as-a-Service platforms grow more sophisticated. The same week, cybersecurity researchers reported that millions of home devices were being secretly used to power cyberattacks. The new campaign underscores the evolution of phishing from isolated schemes to commercialized attack infrastructure available to anyone with an internet connection and a Telegram account.