The FBI has issued an urgent security warning regarding Kali365, a new “Phishing-as-a-Service” platform that allows attackers to bypass Microsoft 365 multi-factor authentication (MFA). By targeting OAuth device codes, scammers can gain unauthorized access to Outlook, Teams, and OneDrive accounts without ever needing a user’s password.
How does the Kali365 scam bypass multi-factor authentication?
Scammers use Kali365 to send phishing emails that impersonate trusted document-sharing services. According to the FBI, these emails contain a device code and specific instructions for the recipient to “verify” the document. When a user follows these instructions, they inadvertently provide the attacker with an OAuth token.
This method is particularly effective because it targets the authentication process itself rather than the password. Once the attacker holds the OAuth token obtained through the device code, they can slip past the security layers that normally depend on MFA codes and establish a session within the victim’s Microsoft environment.
Why is Phishing-as-a-Service (PhaaS) a growing threat?
Kali365 represents a shift in how cybercrime is organized. The platform is sold to attackers via a subscription model costing $250 per month. This pricing structure lowers the barrier to entry, allowing individuals with limited technical skills to launch sophisticated, automated attacks.

The FBI, which first detected Kali365 in April, describes the platform as an “emerging Phishing-as-a-Service platform.” The agency stated that Kali365 provides users with several advanced tools, including:
- AI-generated phishing lures to make emails look more convincing.
- Automated campaign templates for mass distribution.
- Real-time dashboards for tracking targeted individuals or entities.
- Capabilities to capture OAuth tokens directly.
NordPass reports that this “as-a-service” model allows even low-skill hackers to access tools that were previously reserved for highly technical criminal groups. This democratization of cybercrime means the volume of phishing attempts is likely to increase.
What are the future trends in identity-based cyberattacks?
The emergence of Kali365 highlights a broader trend in the cybersecurity industry: the move from password theft to session and token theft. As organizations implement stronger MFA, attackers are pivoting to exploit the “trust” established after a user has already authenticated.
The rise of AI-driven social engineering
The use of AI-generated lures mentioned by the FBI suggests that future phishing attacks will be harder to detect visually. As large language models become more accessible, scammers can create well-written, context-aware emails that lack the spelling and grammar errors users typically rely on to spot fraud.

The exploitation of OAuth and device codes
As more services move toward “passwordless” authentication and OAuth-based permissions, the “identity” of a user becomes the primary target. Attackers are increasingly looking for ways to hijack the digital tokens that keep users logged in, rather than trying to crack the original credentials.
How to protect your Microsoft 365 account
The FBI advises users to remain vigilant regarding any unexpected communications. If you receive a link or an access code that you did not specifically request, do not interact with it. Users should also monitor their accounts for any unauthorized devices or active sessions that they do not recognize.
If you suspect your account has been compromised, the FBI recommends reporting the incident to the Internet Crime Complaint Center (IC3). Promptly auditing your “active sessions” in Microsoft account settings can help identify and terminate unauthorized access.
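The session-auditing advice above can also be applied in bulk to exported sign-in logs. The following script is an added example written for this article, not code from the FBI advisory or from any product: it reads newline-delimited JSON sign-in records, builds a per-user baseline of IPs and countries seen on ordinary (non-device-code) sign-ins, and flags every successful device-code sign-in, rating it higher when it comes from an IP or country the user has never signed in from. The field names (authenticationProtocol, ipAddress, location.countryOrRegion, status.errorCode) follow the Microsoft Graph sign-in log schema as I understand it and should be treated as an assumption to check against your own export; the sample records are constructed.

```python
import json
from collections import defaultdict

# Constructed sample sign-in records (not real logs). Field names are assumed
# to match the Microsoft Graph `signIn` resource; verify against your tenant.
SAMPLE_SIGNIN_LOG = """\
{"id": "e1", "userPrincipalName": "alice@example.com", "createdDateTime": "2025-05-01T08:00:00Z", "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"}, "appDisplayName": "Microsoft Teams", "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}}
{"id": "e2", "userPrincipalName": "alice@example.com", "createdDateTime": "2025-05-01T09:15:00Z", "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"}, "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}}
{"id": "e3", "userPrincipalName": "alice@example.com", "createdDateTime": "2025-05-01T09:20:00Z", "ipAddress": "198.51.100.77", "location": {"countryOrRegion": "NL"}, "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}}
{"id": "e4", "userPrincipalName": "bob@example.com", "createdDateTime": "2025-05-01T10:00:00Z", "ipAddress": "203.0.113.22", "location": {"countryOrRegion": "US"}, "appDisplayName": "Outlook", "authenticationProtocol": "deviceCode", "status": {"errorCode": 50126}}
"""


def parse_signin_log(text):
    """Parse newline-delimited JSON sign-in records into a list of dicts."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            records.append(json.loads(line))
    return records


def _succeeded(rec):
    """A sign-in succeeded when its status carries errorCode 0."""
    return rec.get("status", {}).get("errorCode", 0) == 0


def flag_device_code_signins(records):
    """Return one finding per successful device-code sign-in.

    Baseline: for each user, the IPs and countries seen on successful sign-ins
    that did NOT use the device-code protocol. A device-code sign-in from
    outside that baseline is rated 'high' (the code was most likely redeemed on
    a machine the user never touched); one from inside it is rated 'medium'
    (still unusual for an ordinary user, so worth a look).
    """
    baseline_ips = defaultdict(set)
    baseline_countries = defaultdict(set)
    for rec in records:
        if _succeeded(rec) and rec.get("authenticationProtocol") != "deviceCode":
            user = rec["userPrincipalName"]
            baseline_ips[user].add(rec.get("ipAddress"))
            baseline_countries[user].add(rec.get("location", {}).get("countryOrRegion"))

    findings = []
    for rec in sorted(records, key=lambda r: r["createdDateTime"]):
        if rec.get("authenticationProtocol") != "deviceCode" or not _succeeded(rec):
            continue  # failed attempts and ordinary logins are not findings here
        user = rec["userPrincipalName"]
        ip = rec.get("ipAddress")
        country = rec.get("location", {}).get("countryOrRegion")
        if ip in baseline_ips[user]:
            severity, reason = "medium", "device-code sign-in from a previously seen IP"
        elif country in baseline_countries[user]:
            severity, reason = "high", f"device-code sign-in from new IP {ip} (known country {country})"
        else:
            severity, reason = "high", f"device-code sign-in from new IP {ip} in new country {country}"
        findings.append({
            "id": rec["id"],
            "user": user,
            "app": rec.get("appDisplayName"),
            "time": rec["createdDateTime"],
            "severity": severity,
            "reason": reason,
        })
    return findings


def main():
    for f in flag_device_code_signins(parse_signin_log(SAMPLE_SIGNIN_LOG)):
        print(f"[{f['severity']:<6}] {f['time']} {f['user']} {f['app']}: {f['reason']}")


if __name__ == "__main__":
    main()
```

On the sample data this reports alice's two device-code sign-ins (the second, from an unfamiliar IP in a new country, as high) and ignores bob's failed attempt. Findings rated high are the ones to revoke sessions for first; alongside review, tenants that never legitimately use the device-code flow can block it outright with the authentication-flows condition in Microsoft Entra Conditional Access, which removes the path Kali365 relies on.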
Frequently Asked Questions
What is Kali365?
Kali365 is a Phishing-as-a-Service platform that scammers pay a $250 monthly subscription to use. It provides tools to launch automated phishing campaigns against Microsoft 365 users.

How does an OAuth scam work?
Scammers send a phishing email containing a device code. If a user enters this code into a fraudulent site, the attacker captures an OAuth token, which allows them to bypass MFA and access the user’s account.
Can I still be hacked if I use Multi-Factor Authentication (MFA)?
Yes. While MFA is a critical security layer, platforms like Kali365 are specifically designed to bypass it by stealing the session tokens or device codes created during the authentication process.
