Executive Summary
In April 2026, the FBI identified 'Kali365,' a Phishing-as-a-Service (PhaaS) platform distributed via Telegram, enabling cybercriminals to hijack Microsoft 365 accounts. By exploiting Microsoft's OAuth 2.0 Device Authorization grant flow, attackers trick users into entering device codes on legitimate Microsoft pages, granting unauthorized access to services like Outlook, Teams, and OneDrive. This method bypasses multi-factor authentication (MFA) and does not require stealing user credentials. (bleepingcomputer.com)
The emergence of Kali365 underscores a significant shift in cyber threats, where sophisticated phishing tools are now accessible to less-skilled attackers. This trend highlights the urgent need for organizations to reassess and strengthen their authentication protocols and user education to mitigate evolving phishing tactics. (ic3.gov)
Why This Matters Now
The proliferation of PhaaS platforms like Kali365 lowers the barrier for cybercriminals, making advanced phishing attacks more prevalent. Organizations must urgently enhance their security measures to protect against these increasingly accessible and effective threats.
Attack Path Analysis
Attackers utilized the Kali365 phishing-as-a-service platform to send AI-generated phishing emails, tricking users into entering device codes on legitimate Microsoft login pages, thereby granting unauthorized access to Microsoft 365 accounts. With access tokens obtained, attackers bypassed multi-factor authentication and gained persistent access to victims' accounts. They then escalated privileges by creating malicious inbox rules and registering new devices to maintain control. Subsequently, attackers moved laterally within the network, accessing additional resources and sensitive data. Command and control were established through the compromised accounts, allowing continuous monitoring and data exfiltration. Finally, attackers exfiltrated sensitive information from the compromised accounts, leading to potential data breaches and organizational impact.
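As an added detection example (not from the advisory or any vendor product), the script below triages constructed Entra ID sign-in records and flags every device-code-flow sign-in, rating as high those where the token was redeemed from a country outside the user's normal baseline. It assumes the Microsoft Graph signIn field `authenticationProtocol`, which reports `deviceCode` for the OAuth 2.0 Device Authorization grant; the sample records are constructed.

```python
import json
from collections import defaultdict

# Constructed sample Entra sign-in records (abbreviated Graph signIn objects), one per line.
SAMPLE_LOG = """
{"userPrincipalName":"alice@example.com","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.10","location":{"countryOrRegion":"US"}}
{"userPrincipalName":"alice@example.com","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.7","location":{"countryOrRegion":"NL"}}
{"userPrincipalName":"bob@example.com","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.22","location":{"countryOrRegion":"US"}}
{"userPrincipalName":"carol@example.com","authenticationProtocol":"ropc","ipAddress":"203.0.113.30","location":{"countryOrRegion":"US"}}
"""

def parse_events(text):
    """Parse newline-delimited JSON sign-in records into dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def baseline_countries(events):
    """Countries each user has signed in from via flows other than device code."""
    known = defaultdict(set)
    for ev in events:
        if ev.get("authenticationProtocol") != "deviceCode":
            known[ev["userPrincipalName"]].add(ev.get("location", {}).get("countryOrRegion"))
    return known

def device_code_alerts(events, known):
    """Return (upn, ip, severity) for every device-code-flow sign-in.

    In a Kali365-style attack the victim types the code on Microsoft's page,
    but the token is redeemed from the attacker's infrastructure, so the
    sign-in location often differs from the user's baseline: flag that "high".
    Device-code sign-ins with no baseline or a matching country are "review".
    """
    alerts = []
    for ev in events:
        if ev.get("authenticationProtocol") != "deviceCode":
            continue
        upn = ev["userPrincipalName"]
        country = ev.get("location", {}).get("countryOrRegion")
        seen = known.get(upn)
        severity = "high" if seen and country not in seen else "review"
        alerts.append((upn, ev["ipAddress"], severity))
    return alerts

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for alert in device_code_alerts(evs, baseline_countries(evs)):
        print(alert)
```

In production, feed it the sign-in export from Microsoft Graph or your SIEM rather than the inline sample, and treat any "high" alert as a candidate for token revocation and inbox-rule review.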
Kill Chain Progression
Initial Compromise
Description
Attackers sent AI-generated phishing emails containing device codes, tricking users into entering them on legitimate Microsoft login pages, thereby granting unauthorized access to Microsoft 365 accounts.
MITRE ATT&CK® Techniques
- Spearphishing Link
- Valid Accounts
- Application Layer Protocol: Web Protocols
- Email Collection: Mail Application
- Account Manipulation
- Valid Accounts: Cloud Accounts
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure that security policies and operational procedures for managing system and network security are documented, in use, and known to all affected parties.
Control ID: 6.4.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Implement strong authentication mechanisms
Control ID: Identity and Access Management
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
Kali365 phishing-as-a-service targeting Microsoft 365 bypasses MFA through OAuth device code abuse, compromising banking authentication and regulatory compliance frameworks.
Health Care / Life Sciences
Device code phishing attacks against Microsoft 365 environments threaten HIPAA compliance and patient data security through session token theft and MFA bypass.
Information Technology/IT
IT service providers face amplified risk from Kali365 PhaaS enabling low-skilled attackers to compromise Microsoft 365 client environments and cloud SaaS platforms.
Government Administration
FBI-warned Kali365 platform poses critical threat to government Microsoft Entra accounts through automated phishing campaigns and adversary-in-the-middle cookie capture techniques.
Sources
- FBI warns of Kali365 phishing service targeting Microsoft 365 accounts: https://www.bleepingcomputer.com/news/security/fbi-warns-of-kali365-phishing-service-targeting-microsoft-365-accounts/ (Verified)
- Kali365 Phishing-as-a-Service Kit Hijacks Microsoft 365 Access Tokens: https://www.ic3.gov/PSA/2026/PSA260521 (Verified)
- Inside an AI-enabled device code phishing campaign: https://www.microsoft.com/en-us/security/blog/2026/04/06/ai-enabled-device-code-phishing-campaign-april-2026/ (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and identity-based access controls.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: While Aviatrix Zero Trust CNSF may not prevent initial credential compromise, it could limit the attacker's ability to exploit these credentials to access sensitive resources.
Control: Zero Trust Segmentation
Mitigation: Aviatrix Zero Trust Segmentation could limit the attacker's ability to escalate privileges by enforcing strict access controls and preventing unauthorized device registrations.
Control: East-West Traffic Security
Mitigation: Aviatrix East-West Traffic Security could limit the attacker's ability to move laterally by enforcing strict segmentation and monitoring internal traffic.
Control: Multicloud Visibility & Control
Mitigation: Aviatrix Multicloud Visibility & Control could limit the attacker's ability to establish command and control channels by monitoring and controlling outbound communications.
Control: Egress Security & Policy Enforcement
Mitigation: Aviatrix Egress Security & Policy Enforcement could limit the attacker's ability to exfiltrate data by controlling and monitoring outbound data transfers.
While Aviatrix Zero Trust CNSF may not eliminate all impacts, it could significantly reduce the scope of data exfiltration and limit the overall organizational damage.
Impact at a Glance
Affected Business Functions
- Email Communication
- Document Management
- Collaboration Platforms
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of sensitive corporate communications, internal documents, and collaboration data.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to enforce least privilege access and limit lateral movement within the network.
- Utilize Egress Security & Policy Enforcement to monitor and control outbound traffic, preventing unauthorized data exfiltration.
- Deploy Threat Detection & Anomaly Response systems to identify and respond to unusual activities indicative of compromise.
- Enforce Multi-Factor Authentication (MFA) and regularly audit authentication methods to ensure their effectiveness.
- Educate users on recognizing phishing attempts and the importance of verifying authentication requests, especially those involving device codes.