TempMail Ninja

Kali365 Phishing: FBI Warns of Microsoft 365 Token Hijacking


On May 21, 2026, the Federal Bureau of Investigation (FBI), via the Internet Crime Complaint Center (IC3), issued a critical Public Service Announcement (Alert Number I-052126-PSA) warning organizations about a dangerous cyber threat. At the center of this warning is Kali365 phishing, a rapidly proliferating Phishing-as-a-Service (PhaaS) platform specifically engineered to hijack Microsoft 365 access and refresh tokens. First observed active in the wild in April 2026, this malicious toolkit has experienced explosive growth, fueled by aggressive marketing across underground Telegram channels. What makes this threat exceptionally hazardous is its tactical departure from traditional credential harvesting. Instead of tricking users into revealing passwords, the Kali365 infrastructure abuses Microsoft’s legitimate OAuth 2.0 device authorization workflows to bypass multi-factor authentication (MFA) entirely. This leaves traditional email gateways and security awareness programs struggling to keep pace.

The Evolution of Phishing-as-a-Service (PhaaS) and Cybercrime

Historically, conducting highly sophisticated cyber campaigns required a substantial level of technical proficiency, including manual infrastructure deployment and complex reverse-proxy configurations. However, the rise of the Phishing-as-a-Service model has democratized the threat landscape. Platform providers now package and lease cutting-edge offensive capabilities on a subscription basis, lowering the entry barrier for low-skilled threat actors. In this shifting landscape, the Kali365 phishing kit has emerged as a major player alongside other dangerous toolkits like EvilTokens, Tycoon2FA, and BlueKit.

According to researchers from Proofpoint, Huntress, and Arctic Wolf, these services operate as fully functioning software businesses. Affiliates are granted access to administrative dashboards, automated campaign templates, and real-time victim tracking interfaces. Some operators even run dedicated customer service pipelines on Telegram, offering onboarding tutorials and tiered pricing. Furthermore, security experts note that the continuous updates of the Kali365 codebase are heavily accelerated by “vibe coding”—the use of generative AI platforms to rapidly prototype, mutate, and optimize malicious frameworks. This allows Kali365 developers to quickly adapt to defensive measures, introducing randomized API endpoints and highly personalized localization tactics that allow non-technical operators to target regional enterprises with flawless language.

Abusing the Legitimate: How OAuth Device Code Flows Are Exploited

To understand why traditional cyber defenses struggle against Kali365 phishing campaigns, security professionals must examine the target mechanism: Microsoft’s OAuth 2.0 Device Authorization Grant (defined in IETF RFC 8628). Originally designed to facilitate authentication on input-constrained devices—such as smart TVs, printers, and command-line interfaces—the device code flow lets a headless device request a device code and a short user code from the identity provider, then display that user code together with a verification URL (such as https://microsoft.com/devicelogin). The user navigates to that URL on a browser-enabled device, signs in, and enters the code, while the initiating device polls the token endpoint in the background. Once the user has approved, the identity provider (Microsoft Entra ID) issues the access and refresh tokens to the device that started the flow, not to the browser the user signed in from.
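Because a successful device-code sign-in appears in the tenant's sign-in records, defenders can audit the flow directly. The script below is an added example, not code from the FBI alert or from this post: it scans constructed sign-in records shaped after the Microsoft Graph signIn fields (`authenticationProtocol`, `userPrincipalName`, `ipAddress`, `location.countryOrRegion`, `appDisplayName`), flags every record that completed a device code flow, and raises the severity when the sign-in country differs from the user's usual country. The sample records and the function names are this example's own.

```python
import json
from collections import Counter, defaultdict

# Constructed sign-in records (not real telemetry), shaped like the fields a
# Microsoft Graph signIn record carries. authenticationProtocol is "deviceCode"
# when the sign-in completed an RFC 8628 device authorization grant.
SAMPLE_SIGNINS = """\
{"userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"}, "appDisplayName": "Microsoft Teams"}
{"userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.11", "location": {"countryOrRegion": "US"}, "appDisplayName": "Outlook"}
{"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "NL"}, "appDisplayName": "Microsoft Office"}
{"userPrincipalName": "bob@example.com", "authenticationProtocol": "oAuth2", "ipAddress": "192.0.2.40", "location": {"countryOrRegion": "US"}, "appDisplayName": "Outlook"}
{"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "192.0.2.44", "location": {"countryOrRegion": "US"}, "appDisplayName": "Azure CLI"}
"""


def parse_signins(text: str) -> list[dict]:
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def usual_countries(records: list[dict]) -> dict[str, str]:
    """Most common sign-in country per user, built from non-device-code sign-ins."""
    seen: dict[str, Counter] = defaultdict(Counter)
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            seen[r["userPrincipalName"]][r["location"]["countryOrRegion"]] += 1
    return {upn: c.most_common(1)[0][0] for upn, c in seen.items()}


def flag_device_code_signins(records: list[dict]) -> list[dict]:
    """Return every device-code sign-in with a review severity.

    Interactive users rarely need this flow, so every hit is worth a look
    ("medium"); it becomes "high" when the sign-in country differs from the
    user's usual country or the user has no baseline at all.
    """
    baseline = usual_countries(records)
    findings = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        upn, country = r["userPrincipalName"], r["location"]["countryOrRegion"]
        usual = baseline.get(upn)
        severity = "high" if usual is None or usual != country else "medium"
        findings.append({"user": upn, "ip": r["ipAddress"], "country": country,
                         "usual_country": usual, "app": r["appDisplayName"],
                         "severity": severity})
    return findings


if __name__ == "__main__":
    for finding in flag_device_code_signins(parse_signins(SAMPLE_SIGNINS)):
        print(finding)
```

In a real tenant the same logic runs over sign-in logs exported from Microsoft Graph or the SigninLogs table, and a Conditional Access policy that blocks the device code flow for users who do not need it removes the attack surface rather than merely detecting its use.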

The core structural vulnerability lies in the inherent trust assumptions of this protocol. When an attacker utilizes a tool like Kali365, they act as the “input-constrained device.” They initiate an authentication request to the Microsoft Entra ID endpoint


Written by

TempMail Ninja

Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.