International Business Times UK
Vinay Patel

Anyone Can Be a Hacker Now: FBI Exposes Microsoft 365 Phishing Toolkit That Gives Amateurs the Keys to Cybercrime

The FBI has issued an urgent global warning over Kali365, a sophisticated 'Phishing-as-a-Service' toolkit flooding Telegram channels (Credit: ChatGPT AI Generated)

The FBI has issued an urgent warning after uncovering a sophisticated cybercrime operation targeting Microsoft 365 users worldwide.

A newly detected toolkit is being distributed across the internet, allowing even low-skilled individuals to deploy highly convincing, automated phishing scams. Security officials are urging organisations to review their defensive measures immediately as the barrier to entry for complex cloud breaches continues to fall.

The FBI has warned about a recently discovered cybercrime platform known as Kali365, a 'Phishing-as-a-Service' (PhaaS) toolkit that targets Microsoft 365 users by overriding multi-factor authentication (MFA) safeguards.

Telegram channels are actively promoting a setup first spotted in April 2026 that essentially hands novice scammers the keys to running highly sophisticated phishing campaigns.

Inside the Kali365 Subscription Platform

This cybercrime subscription service automates scam operations, giving attackers the tools they need to breach cloud accounts, with a particular focus on Microsoft 365 systems.

The FBI revealed that the service equips subscribers with an off-the-shelf toolkit featuring:

* Phishing templates and emails crafted by AI
* Systems that manage scams automatically
* Dashboards for monitoring targets in real time
* Features designed to hijack OAuth tokens

By removing the need for technical expertise, the platform allows cybercriminals to scale up their operations and reach a far wider pool of targets.

How Novice Hackers Launch the Attacks

Federal investigators mapped out the step-by-step process used by criminals operating the Kali365 setup.

The phishing lure

Targets receive emails that mimic legitimate document-sharing platforms or trusted cloud services. Tucked inside the messages are a device code and instructions directing the recipient to an official Microsoft login page.

The authentication trap

By entering the supplied code on the genuine Microsoft page, the user inadvertently grants permission for the hacker's machine to connect.

The token theft

As this happens, the infrastructure intercepts OAuth access and refresh tokens, handing the perpetrators authenticated access to the compromised account.

Maintaining a foothold

With these tokens in hand, intruders can freely navigate systems such as Teams, Outlook and OneDrive, completely bypassing passwords and avoiding any further identity verification checks.

The Bureau cautioned that this method enables intruders to quietly retain access to hijacked accounts for extended periods.

Why Token Hijacking Multiplies the Threat

Rather than targeting traditional credentials, Kali365 focuses on OAuth token-based authentication.

This shift introduces serious complications because:

* User passwords are never actually intercepted
* Standard identity verification checks are completely neutralised
* Intruders can retain access even if credentials are reset

As a result, identifying the breach and reclaiming control becomes a much steeper challenge for both individual users and security departments.

Essential Security Guidance From the Bureau

To counter the threat, federal officials are urging enterprises to tighten defences around their Microsoft 365 login infrastructure.

Recommended measures include:

* Turning off or heavily restricting device code authentication pathways
* Enforcing strict conditional access parameters
* Reviewing device code activity to ensure it aligns with legitimate business operations
* Preventing login authorisations from being passed between different machines
* Keeping break-glass accounts exempt from these rules to avoid total lockouts

Additionally, organisations have been advised to closely monitor sign-in logs and flag any unauthorised sessions as soon as they appear.
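
An added example, not part of the original article or the FBI alert: one way to carry out the device code activity review and sign-in log monitoring recommended above. It assumes sign-in records exported with the Microsoft Entra sign-in log properties `authenticationProtocol` and `originalTransferMethod`; the records, tenant, allowlist and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed allowlist: (user, client app) pairs with a known business need
# for device code sign-in, e.g. a shared meeting-room display.
APPROVED = {("roomdisplay@contoso.example", "Microsoft Teams Rooms")}

def _rec(time, user, app, resource, ip, protocol, transfer):
    return {"createdDateTime": time, "userPrincipalName": user,
            "appDisplayName": app, "resourceDisplayName": resource,
            "ipAddress": ip, "authenticationProtocol": protocol,
            "originalTransferMethod": transfer}

# Constructed sign-in records (documentation IP ranges, fictional tenant).
SAMPLE_SIGNINS = [
    _rec("2026-05-04T08:01:00Z", "roomdisplay@contoso.example", "Microsoft Teams Rooms",
         "Microsoft Teams", "198.51.100.7", "deviceCode", "deviceCodeFlow"),
    _rec("2026-05-04T09:12:00Z", "alice@contoso.example", "Microsoft Office",
         "Microsoft Graph", "203.0.113.50", "deviceCode", "deviceCodeFlow"),
    _rec("2026-05-04T09:15:00Z", "bob@contoso.example", "Microsoft Office",
         "Office 365 Exchange Online", "198.51.100.20", "none", "none"),
    _rec("2026-05-04T11:40:00Z", "alice@contoso.example", "Microsoft Office",
         "Office 365 Exchange Online", "203.0.113.50", "none", "deviceCodeFlow"),
    _rec("2026-05-05T02:03:00Z", "Alice@contoso.example", "Microsoft Office",
         "Office 365 SharePoint Online", "203.0.113.50", "none", "deviceCodeFlow"),
]

def review_device_code_activity(signins, approved=APPROVED):
    """Group unapproved device code activity per user.

    'grants' are sign-ins that used the device code protocol itself;
    'token_use' are later sign-ins in a session that began with one.
    """
    findings = defaultdict(lambda: {"grants": [], "token_use": []})
    for rec in sorted(signins, key=lambda r: r["createdDateTime"]):
        is_grant = rec.get("authenticationProtocol") == "deviceCode"
        from_device_code = rec.get("originalTransferMethod") == "deviceCodeFlow"
        if not (is_grant or from_device_code):
            continue
        user = rec["userPrincipalName"].lower()
        if (user, rec["appDisplayName"]) in approved:
            continue
        bucket = "grants" if is_grant else "token_use"
        findings[user][bucket].append(
            (rec["createdDateTime"], rec["ipAddress"], rec["resourceDisplayName"]))
    return dict(findings)

if __name__ == "__main__":
    for user, hits in review_device_code_activity(SAMPLE_SIGNINS).items():
        print(user, hits)
```

A user with entries under `token_use` still has a live session that began with a device code grant, so resetting the password alone does not end it; the session's refresh tokens need to be revoked as well.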

The Global Rise of Automated Phishing

The emergence of Kali365 highlights a growing shift within the cybercrime underworld: the rapid expansion of Phishing-as-a-Service networks that package sophisticated hacking capabilities into simple subscription products.

Industry specialists note that this commercial model is accelerating the pace of digital attacks worldwide, with a particular focus on modern, cloud-reliant workplaces that depend on platforms such as Microsoft 365.

Ultimately, the FBI's alert underscores the growing importance of robust login defences and constant oversight, especially as cybercriminals move beyond traditional password theft and increasingly exploit weaknesses in identity verification systems.
