Kali365 Phishing-as-a-Service Targets Microsoft 365

May 23, 2026 00:00 · 12 min read
Kali365 Phishing-as-a-Service: A New Threat to Microsoft 365 Users

The FBI has published an advisory on Kali365, a Telegram-based service that allows cybercriminals to capture legitimate OAuth tokens, enabling widespread access to Microsoft 365 environments. This phishing-as-a-service platform lowers the barrier to entry for less-technical attackers, providing them with AI-generated phishing lures, automated campaign templates, and dashboards that track targeted individuals and entities in real time.

First seen in April 2026, Kali365 has primarily been distributed via Telegram, enabling cyber threat actors to obtain Microsoft 365 access tokens and bypass multi-factor authentication (MFA) protocols without intercepting the user's credentials. Hackers send victims a phishing email that impersonates trusted cloud productivity and document-sharing services and contains codes and instructions to visit legitimate Microsoft verification pages.

How Kali365 Works

When the victim visits the page and enters the code, they unknowingly authorize the attacker's device to access their account. With the OAuth access and refresh tokens, the hackers can access Microsoft 365 services like Outlook, Teams, and OneDrive without needing a password or additional verification.

Cybersecurity firms, including Proofpoint, IBM, and Huntress, have released warnings about hundreds of attacks involving hackers using Kali365 and other phishing-as-a-service platforms that enabled the same type of campaigns. Incident responders at Arctic Wolf dealt with a large campaign of attacks enabled by Kali365 in April, where cybercriminals initiated device login requests and tricked victims into completing the authorization on their behalf.
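
One way a defender might look for the device-code authorization described above in sign-in logs, as an added example that is not from the FBI advisory or the original article. The log lines are constructed, the flat field names are assumed to follow Entra ID sign-in log properties, and `expected_users` is a hypothetical allowlist of accounts that legitimately use this flow.

```python
import json

# Constructed sample sign-in records (not real telemetry). Flat field names are
# an assumption modeled on Entra ID sign-in log properties.
SAMPLE_LOG = """
{"createdDateTime":"2026-04-14T08:00:00Z","userPrincipalName":"alice@example.com","authenticationProtocol":"oAuth2","errorCode":0,"ipAddress":"203.0.113.10","isInteractive":true}
{"createdDateTime":"2026-04-14T09:02:11Z","userPrincipalName":"alice@example.com","authenticationProtocol":"deviceCode","errorCode":0,"ipAddress":"198.51.100.7","isInteractive":true}
{"createdDateTime":"2026-04-14T09:40:03Z","userPrincipalName":"alice@example.com","authenticationProtocol":"oAuth2","errorCode":0,"ipAddress":"198.51.100.7","isInteractive":false}
{"createdDateTime":"2026-04-14T10:00:00Z","userPrincipalName":"alice@example.com","authenticationProtocol":"oAuth2","errorCode":0,"ipAddress":"203.0.113.10","isInteractive":false}
{"createdDateTime":"2026-04-14T10:05:00Z","userPrincipalName":"kiosk@example.com","authenticationProtocol":"deviceCode","errorCode":0,"ipAddress":"203.0.113.20","isInteractive":true}
{"createdDateTime":"2026-04-14T10:06:00Z","userPrincipalName":"bob@example.com","authenticationProtocol":"deviceCode","errorCode":1,"ipAddress":"198.51.100.9","isInteractive":true}
"""

def parse(log_text):
    """Parse JSON-lines records and order them by timestamp."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    # Uniform UTC ISO-8601 strings sort chronologically as plain text.
    return sorted(events, key=lambda e: e["createdDateTime"])

def find_device_code_grants(events, expected_users=frozenset()):
    """One finding per successful device-code sign-in by a user who is not
    expected to use that flow, with any later token use from unfamiliar IPs."""
    findings, latest, seen_ips = [], {}, {}
    for e in events:
        if e["errorCode"] != 0:
            continue  # failed or abandoned attempts granted nothing
        user, ip = e["userPrincipalName"].lower(), e["ipAddress"]
        known = seen_ips.setdefault(user, set())
        if e["authenticationProtocol"] == "deviceCode":
            if user not in expected_users:
                finding = {"user": user, "time": e["createdDateTime"], "ip": ip,
                           "new_ip": ip not in known, "prior_ips": frozenset(known),
                           "followup_token_use": 0}
                findings.append(finding)
                latest[user] = finding
        elif user in latest and not e["isInteractive"]:
            # Non-interactive sign-in after the grant from an IP the user had
            # not used before it: consistent with token use on another device.
            if ip not in latest[user]["prior_ips"]:
                latest[user]["followup_token_use"] += 1
        known.add(ip)
    return findings

if __name__ == "__main__":
    for f in find_device_code_grants(parse(SAMPLE_LOG), {"kiosk@example.com"}):
        print(f["user"], f["time"], f["ip"], f["new_ip"], f["followup_token_use"])
```

A finding with `new_ip` set and a nonzero `followup_token_use` is a candidate for review of that user's sessions, not proof of compromise on its own.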

Features and Pricing of Kali365

Arctic Wolf gained access to the Kali365 system and found that it offers three tiers, ranging in cost from $250 for 30 days to $2,000 for 365 days. The platform allows cybercriminals to generate branded phishing lures using well-known services like Adobe, DocuSign, and SharePoint. It offers lures in dozens of languages, layouts, and design themes, and even provides a downloadable desktop version.

Once victims are tricked, the OAuth access and refresh tokens are captured and stored by the Kali365 platform, where they can be shared with others and reused. These tokens provide immediate and persistent access to Microsoft 365 services, enabling a full post-compromise workflow, including mailbox access, contact harvesting, lateral phishing, keyword monitoring for business email compromise, and administrative actions.

Professionalization of the Cybercriminal Ecosystem

Cybersecurity experts say Kali365 is another example of how the cybercriminal ecosystem is professionalizing and dispersing as less skilled actors get involved. This trend is concerning, as it makes it easier for attackers to launch sophisticated phishing campaigns without requiring extensive technical expertise.

On Tuesday, Microsoft disrupted another as-a-service cybercriminal tool that abused legitimate services to enable the delivery of malware. This move highlights the ongoing cat-and-mouse game between cybersecurity professionals and cybercriminals, where new threats and countermeasures are constantly emerging.

The FBI's advisory on Kali365 serves as a reminder of the importance of being vigilant when receiving emails or messages that ask for sensitive information or authentication. Users should always verify the authenticity of requests and be cautious when clicking on links or entering codes, especially when it comes to sensitive services like Microsoft 365.


Source: The Record
