Kali365 Phishing-As-A-Service Bypasses MFA To Hijack Microsoft 365 Accounts

FBI warns of Kali365, a phishing platform that bypasses MFA to hijack Microsoft 365 accounts through stealth token theft.


Key Takeaways:

  • Kali365 bypasses MFA and hijacks Microsoft 365 accounts using legitimate login workflows.
  • The AI-generated phishing kits are enabling even low-skill attackers to launch advanced campaigns.
  • The FBI warns organizations to tighten authentication controls before attackers abuse device code authentication at scale.

The US Federal Bureau of Investigation has issued a warning about a new Phishing-as-a-Service platform called Kali365, which is designed to compromise Microsoft 365 accounts. This cybercrime tool enables attackers to bypass traditional security protections and gain persistent access to accounts without raising suspicion.

Phishing-as-a-Service (PhaaS) is an emerging cybercrime model in which ready-made phishing tools and services are sold or shared. These platforms provide prebuilt templates, automation features, and user-friendly dashboards, and because the kits are becoming both more advanced and more widely available, even inexperienced attackers can run highly convincing, large-scale phishing campaigns with minimal effort.

How does Kali365 bypass MFA and hijack user sessions?

According to a new report from the FBI, this Phishing-as-a-Service (PhaaS) tool, called Kali365, was first observed in April 2026. It is distributed through Telegram and is designed to help cybercriminals target Microsoft 365 customers. It is particularly dangerous because it bypasses common security protections, MFA included.

The attack works through several carefully designed steps, beginning with a phishing email that impersonates a trusted service, such as a Microsoft tool, and tricks the victim into following its instructions. The message directs the user to enter a device code on a legitimate Microsoft login page. Because the page is genuine, nothing looks wrong, but by completing the prompt the victim unknowingly authorizes the attacker's access. The attacker captures the resulting authentication tokens and keeps long-term access to services such as Outlook, Microsoft Teams, and OneDrive without having to re-authenticate.

“Kali365 has primarily been distributed via Telegram, enabling cyber threat actors to obtain Microsoft 365 access tokens and bypass multi-factor authentication (MFA) protocols without intercepting the user’s credentials,” the FBI explained.

Microsoft 365 users face growing phishing-as-a-service threats

Kali365 provides tools, templates, dashboards, and AI‑generated phishing messages, which makes it easier for even low‑skill attackers to launch campaigns. The federal agency encourages victims to report incidents to the IC3 and provide details like phishing emails, login activity, and suspicious devices.

This is not the first instance of a PhaaS operation focusing on Microsoft customers. Previously, Microsoft collaborated with cybersecurity authorities to disrupt major phishing services such as Tycoon 2FA, which had been targeting Microsoft 365 accounts. Last year, Microsoft worked alongside Cloudflare to disrupt another organized phishing platform aimed at stealing Microsoft credentials.

How can organizations defend against token theft attacks?

The FBI recommends strengthening security by reducing the ways attackers can exploit login processes. An important step is to limit or completely disable device code authentication wherever it is not necessary, because this feature can be abused in phishing attacks. Organizations should also apply conditional access controls to block or restrict risky sign-in methods, which ensures that only verified and secure login attempts are allowed. Before enforcing restrictions, it is advisable to review how these authentication methods are currently used so that any legitimate business needs are identified first.

Administrators should also stop authentication from being transferred between devices (authentication transfer), which attackers can misuse to gain unauthorized access. In addition, they should maintain a small number of well-protected emergency access accounts so that tightening these controls cannot lock them out of critical systems. Together, these steps reduce the attack surface, strengthen account protection, and make it much harder for attackers to exploit authentication flows.
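The usage review recommended above (find out who legitimately relies on device code flow or authentication transfer before blocking them) can be scripted against exported sign-in logs. The following is an added example, not code from the FBI advisory or from Microsoft; the records are constructed, with field names following the Microsoft Graph `signIn` resource (`authenticationProtocol`, `originalTransferMethod`), and the app and user names are assumptions.

```python
"""Inventory device-code and authentication-transfer sign-ins from exported
Microsoft Entra sign-in log records, so legitimate uses are known before
the flows are restricted. Added example; not from the advisory."""
from collections import Counter, defaultdict

# Constructed sample records shaped like Microsoft Graph `signIn` objects;
# only the fields the inventory needs are present.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.test", "appDisplayName": "Azure CLI",
     "authenticationProtocol": "deviceCode", "originalTransferMethod": "deviceCodeFlow",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.test", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "originalTransferMethod": "deviceCodeFlow",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@example.test", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "none", "originalTransferMethod": "none",
     "status": {"errorCode": 0}},  # ordinary browser sign-in, not of interest
    {"userPrincipalName": "dave@example.test", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "none", "originalTransferMethod": "authenticationTransfer",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "eve@example.test", "appDisplayName": "Azure CLI",
     "authenticationProtocol": "deviceCode", "originalTransferMethod": "deviceCodeFlow",
     "status": {"errorCode": 50126}},  # failed attempt: excluded from usage review
]

RISKY_FLOWS = {"deviceCodeFlow", "authenticationTransfer"}


def is_risky_flow(rec):
    """True when the sign-in used device code flow or authentication transfer,
    the two flows the advisory recommends restricting."""
    return (rec.get("authenticationProtocol") == "deviceCode"
            or rec.get("originalTransferMethod") in RISKY_FLOWS)


def inventory(records):
    """Count successful risky-flow sign-ins per flow and list, per application,
    the users behind them, so each use can be confirmed as a business need."""
    per_flow = Counter()
    per_app = defaultdict(set)
    for rec in records:
        if not is_risky_flow(rec):
            continue
        if rec.get("status", {}).get("errorCode", 0) != 0:
            continue  # failures are noise when measuring legitimate usage
        method = rec.get("originalTransferMethod")
        flow = method if method in RISKY_FLOWS else "deviceCodeFlow"
        per_flow[flow] += 1
        per_app[rec["appDisplayName"]].add(rec["userPrincipalName"])
    return dict(per_flow), {app: sorted(users) for app, users in per_app.items()}
```

Apps that appear in the output are candidates for an exclusion in the conditional access policy; anything not listed can be blocked without disrupting users.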