The FBI has issued a critical advisory warning organizations about a fast-growing phishing campaign targeting enterprise cloud environments. The Kali365 MFA bypass attack is leveraging a sophisticated phishing-as-a-service (PhaaS) platform designed to compromise Microsoft 365 accounts by stealing OAuth tokens, effectively bypassing multi-factor authentication (MFA).
Unlike traditional phishing campaigns that focus on credentials, Kali365 represents a shift toward token-based attacks, allowing threat actors to gain persistent access without ever needing passwords or MFA codes.
Key Details
Tracked under FBI Alert I-052126-PSA and first observed in April 2026, Kali365 has quickly gained traction in cybercriminal communities.
The platform is distributed primarily via Telegram channels, where attackers can subscribe and launch campaigns with minimal expertise.
Kali365 includes a range of built-in capabilities:
- AI-generated phishing email templates impersonating Microsoft and trusted services
- Automated phishing campaign deployment tools
- Real-time victim tracking dashboards
- OAuth token capture mechanisms
This combination lowers the barrier to entry, enabling even low-skilled actors to carry out advanced Microsoft 365 account takeover attacks at scale.
Technical Analysis
Exploiting Device Code Authentication
Kali365’s most dangerous feature is its abuse of Microsoft’s device code authentication flow, a legitimate login method designed for devices with limited input capabilities.
The attack follows a structured social engineering chain:
1. Phishing Lure
Victims receive emails mimicking legitimate services such as Microsoft or document-sharing platforms.
- Messages include a device authentication code
- Instructions appear legitimate and urgent
2. User Authorization
The victim is directed to a genuine Microsoft login page and asked to enter the provided code.
Because the domain is legitimate, this step builds trust and bypasses suspicion.
3. Token Theft
Once the code is entered, the victim unknowingly authorizes the attacker’s session.
- Attackers capture OAuth access and refresh tokens
- No password or MFA interaction is required
4. Persistent Access
Using the stolen tokens, attackers can:
- Access Outlook emails
- Read and exfiltrate OneDrive files
- Monitor Teams communications
- Maintain long-term access via refresh tokens
This technique is particularly dangerous because it leverages legitimate authentication workflows, making detection extremely difficult.
Impact and Risks
Why This Attack Is Different
Traditional phishing alerts often rely on:
- Suspicious login attempts
- Password resets
- MFA anomalies
However, Kali365 bypasses these signals entirely by capturing session tokens instead of credentials.
Key Risks
- Account takeover without credential theft
- Extended attacker dwell time due to lack of alerts
- Silent access to sensitive corporate communications
- Data exfiltration across cloud services
- Increased risk of lateral movement within organizations
Who Is Targeted
- Enterprises relying heavily on Microsoft 365
- Remote and hybrid workers
- Organizations without strict identity access controls
Expert Recommendations
Immediate Mitigation Steps
- Restrict or disable device code authentication flows where possible
- Implement conditional access policies to block unauthorized device logins
- Audit existing dependencies on the device code flow before making changes
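The first two steps above can be checked against tenant configuration. The following is an added example, not code from the advisory or the article: it models Conditional Access policies on the Microsoft Graph conditionalAccessPolicy schema (the authenticationFlows.transferMethods condition and grantControls.builtInControls) and reports whether any enforced policy actually blocks the device code flow. Both policy objects are constructed, and the emergency-access account id is a placeholder.

```python
"""Audit Conditional Access policies for an enforced block of the device code flow."""

# Constructed policies modeled on the Microsoft Graph conditionalAccessPolicy schema.
# The first one is a common weak state: it targets the device code flow but runs in
# report-only mode, so it never blocks anything.
WEAK_POLICY = {
    "displayName": "Device code flow - report only",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": []},
        "applications": {"includeApplications": ["All"]},
        "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

# Corrected form: enforced, all users and apps, block control, with only the
# emergency-access account excluded (placeholder id, see L65-style break-glass accounts).
HARDENED_POLICY = {
    "displayName": "Block device code flow",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"],
                  "excludeUsers": ["<EMERGENCY-ACCESS-ACCOUNT-OBJECT-ID>"]},
        "applications": {"includeApplications": ["All"]},
        "authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}


def _transfer_methods(policy):
    """transferMethods is a comma-separated flag string; return it as a set."""
    raw = policy.get("conditions", {}).get("authenticationFlows", {}).get("transferMethods", "")
    return {m.strip() for m in raw.split(",") if m.strip()}


def blocks_device_code(policy):
    """True only if the policy is enforced, scoped to all users and apps, and blocks deviceCodeFlow."""
    cond = policy.get("conditions", {})
    grant = policy.get("grantControls") or {}
    return (policy.get("state") == "enabled"
            and "deviceCodeFlow" in _transfer_methods(policy)
            and "All" in cond.get("users", {}).get("includeUsers", [])
            and "All" in cond.get("applications", {}).get("includeApplications", [])
            and "block" in grant.get("builtInControls", []))


def audit(policies):
    """Return (covering, gaps): policies that enforce the block, and ones that mention the flow but don't."""
    covering = [p["displayName"] for p in policies if blocks_device_code(p)]
    gaps = [p["displayName"] for p in policies
            if "deviceCodeFlow" in _transfer_methods(p) and not blocks_device_code(p)]
    return covering, gaps
```

Run `audit()` over the policy list pulled from Graph; an empty `covering` list means the device code flow is still open tenant-wide regardless of how many report-only policies exist.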
Strengthen Identity Security
- Monitor for unusual token usage patterns
- Enforce least privilege access policies
- Implement continuous session validation
Detection and Monitoring
- Track abnormal sign-ins and token reuse
- Identify new or unknown device sessions
- Monitor OAuth application permissions
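The three detection items above, and the token-theft chain described under Technical Analysis, can be expressed as a simple rule over sign-in records. This is an added example, not code from the advisory or the article: the record fields follow the Microsoft Entra sign-in log schema (authenticationProtocol is "deviceCode" for device code flow sign-ins), the sample records are constructed, and the rule assumes that an IP address first seen completing a device code flow, then reused for other sign-ins by the same user, is worth a ticket.

```python
"""Flag device code sign-ins and follow-on token use from the same unknown IP."""
from collections import defaultdict

# Constructed sample records in the Entra sign-in log field naming; all values are made up.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-05-20T09:02:11Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.10", "authenticationProtocol": "none", "appDisplayName": "Outlook"},
    {"createdDateTime": "2026-05-20T09:15:40Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "198.51.100.77", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office"},
    {"createdDateTime": "2026-05-20T09:16:05Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "198.51.100.77", "authenticationProtocol": "none", "appDisplayName": "Microsoft Graph"},
    {"createdDateTime": "2026-05-20T10:00:00Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "203.0.113.22", "authenticationProtocol": "none", "appDisplayName": "Teams"},
]


def find_device_code_abuse(signins, known_ips=None):
    """Return findings: every device code sign-in, plus later sign-ins by the same user
    from an IP that first appeared in a device code flow and is not in the user's baseline.
    known_ips maps UPN -> iterable of trusted IPs (e.g. office egress); ordinary sign-ins
    seen before any device code flow also seed the baseline."""
    known_ips = known_ips or {}
    by_user = defaultdict(list)
    for rec in sorted(signins, key=lambda r: r["createdDateTime"]):
        by_user[rec["userPrincipalName"]].append(rec)

    findings = []
    for upn, recs in by_user.items():
        baseline = set(known_ips.get(upn, ()))
        suspect_ips = set()
        for rec in recs:
            ip = rec["ipAddress"]
            if rec["authenticationProtocol"] == "deviceCode":
                findings.append({"upn": upn, "type": "device_code_signin",
                                 "ip": ip, "time": rec["createdDateTime"]})
                if ip not in baseline:
                    suspect_ips.add(ip)
            elif ip in suspect_ips:
                # Token minted by the device code flow is now being used for other apps.
                findings.append({"upn": upn, "type": "token_use_from_device_code_ip",
                                 "ip": ip, "app": rec["appDisplayName"],
                                 "time": rec["createdDateTime"]})
            else:
                baseline.add(ip)
    return findings
```

In a tenant that has blocked the flow, any `device_code_signin` finding at all is the alert; where the flow is still needed for specific devices, seed `known_ips` with their egress addresses so only unexpected completions are raised.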
Incident Response Preparedness
- Maintain emergency access accounts
- Regularly review active sessions and revoke suspicious tokens
- Report incidents to FBI IC3 (ic3.gov)
Industry Context
The rise of Kali365 highlights a broader shift in cyberattacks toward identity-based threats and token abuse.
Modern attackers are moving beyond traditional phishing to exploit:
- OAuth and session-based authentication systems
- Trusted cloud workflows
- Weak conditional access configurations
This trend aligns with the growth of phishing-as-a-service platforms, where attackers can deploy highly sophisticated campaigns without advanced technical skills.
As organizations adopt cloud-first strategies, identity systems like Microsoft 365 have become prime targets, making identity security the new frontline in cybersecurity.
Conclusion
The Kali365 MFA bypass attack represents a significant evolution in phishing tactics, demonstrating how attackers can exploit legitimate authentication flows to gain persistent access.
Organizations must rethink traditional defenses and focus on identity security, token monitoring, and conditional access controls to protect against these advanced attacks.
In today’s threat landscape, compromising identity is more powerful than exploiting vulnerabilities—and Kali365 proves just how effective that strategy can be.
FAQ
1) What is Kali365?
Kali365 is a phishing-as-a-service platform used to target Microsoft 365 users by stealing OAuth tokens and bypassing MFA.
2) How does Kali365 bypass MFA?
It tricks users into authorizing a device code login, allowing attackers to capture authentication tokens without needing passwords or MFA codes.
3) What data can attackers access?
Attackers can read emails, access files in OneDrive, monitor Teams communication, and maintain long-term access.
4) Why is this attack hard to detect?
Because it uses legitimate Microsoft authentication flows, it doesn’t trigger typical security alerts like failed logins or MFA challenges.
5) How can organizations protect against Kali365?
They should restrict device code authentication, implement conditional access policies, monitor token usage, and audit active sessions.