New FBI Alert: Kali365 Phishing Kit Bypasses Microsoft 365 MFA

The FBI’s Internet Crime Complaint Center (IC3) recently issued a Public Service Announcement (May 21, 2026) warning organizations about a rapidly emerging threat targeting Microsoft 365 environments: Kali365, a Phishing-as-a-Service (PhaaS) platform designed to bypass traditional security controls—including multi-factor authentication (MFA). [ic3.gov]
This is not a typical phishing campaign. Kali365 represents a shift in how attackers gain access—leveraging OAuth token abuse instead of credential theft—making it significantly harder to detect and defend against.
What Is Kali365?
Kali365 is a subscription-based phishing toolkit distributed via Telegram that enables threat actors—regardless of technical skill—to launch sophisticated attacks against Microsoft 365 users. [ic3.gov]
Key capabilities include:
- AI-generated phishing emails
- Automated campaign deployment
- Real-time victim tracking dashboards
- OAuth token capture functionality
The result: low barrier to entry, high impact attacks that scale quickly across organizations.
How the Attack Works (And Why MFA Fails)
Unlike traditional phishing, Kali365 does not rely on stealing usernames and passwords. Instead, it exploits Microsoft’s legitimate authentication mechanisms.
Step-by-Step Attack Flow:
1. Phishing Lure: The attacker sends an email impersonating Microsoft or a trusted cloud service. The email includes a device authentication code and instructions.
2. User Interaction: The victim is directed to a legitimate Microsoft login page and asked to enter the code.
3. Authorization Abuse: By entering the code, the user unknowingly authorizes the attacker’s device.
4. Token Capture: The attacker captures OAuth access and refresh tokens, granting account access.
5. Persistent Access: With tokens, attackers gain persistent access to:
- Outlook
- Teams
- OneDrive
…without needing credentials or triggering MFA again. [ic3.gov]
Why This Is a Big Deal
This attack method is particularly dangerous because:
- Bypasses MFA entirely
- Uses legitimate Microsoft authentication flows
- Leaves minimal traditional indicators of compromise
- Provides persistent access without passwords
In short, this is a session hijacking attack, not a login attack. The full PSA is available at: https://www.ic3.gov/PSA/2026/PSA260521
Recommended Security Controls (Critical for M365 Tenants)
To mitigate Kali365-style attacks, organizations need to move beyond basic MFA and implement conditional access and identity hardening strategies.
1. Restrict Device Code Flow
Device code authentication is central to this attack.
- Create Conditional Access policies to block device code flow globally
- Allow exceptions only where business-critical
2. Audit Existing Usage
Before enforcement:
- Identify applications or workflows using device code authentication
- Validate if they are still required
3. Block Authentication Transfer
Prevent users from transferring sessions between devices:
- Disable authentication transfer policies
- Reduce cross-device token abuse risk
4. Protect Break-Glass Accounts
Ensure emergency access remains available:
- Exclude trusted admin accounts from restrictive policies
- Monitor them closely
These controls are directly aligned with the FBI/CISA defensive recommendations. [ic3.gov]
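The four controls above come together in one Conditional Access policy: target all users and all apps, block the `deviceCodeFlow` and `authenticationTransfer` transfer methods, and exclude the break-glass accounts (plus any app the audit in step 2 found still needs device code). The following is an added example, not code from the IC3 PSA or from BVA: it builds the request body in the shape Microsoft Graph accepts for `POST /identity/conditionalAccess/policies` (the `conditions.authenticationFlows.transferMethods` property and `state` values are real Graph attributes), then runs a local simulation of that policy so the exclusions can be checked before the state is flipped from report-only to enforced. The simulation is this example's own logic, not Microsoft's evaluation engine, and the user and app IDs are constructed placeholders.

```python
import json

# Placeholder object IDs (constructed for this example, not real tenant values):
# two emergency-access accounts and one app a prior audit found still needs device code.
BREAK_GLASS_USER_IDS = ["BREAK-GLASS-1-OBJECT-ID", "BREAK-GLASS-2-OBJECT-ID"]
EXEMPT_APP_IDS = ["AUDITED-BUILD-AGENT-APP-ID"]

# Transfer methods the policy should block (Graph conditionalAccessTransferMethods values).
BLOCKED_TRANSFER_METHODS = ("deviceCodeFlow", "authenticationTransfer")


def build_block_policy(break_glass_ids, exempt_app_ids=(), state="enabledForReportingButNotEnforced"):
    """Return a conditionalAccessPolicy body for POST /identity/conditionalAccess/policies.
    Defaults to report-only so sign-in logs can be reviewed before enforcement."""
    return {
        "displayName": "Block device code flow and authentication transfer",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass_ids)},
            "applications": {"includeApplications": ["All"],
                             "excludeApplications": list(exempt_app_ids)},
            "clientAppTypes": ["all"],
            # transferMethods is a comma-separated flag string in Graph.
            "authenticationFlows": {"transferMethods": ",".join(BLOCKED_TRANSFER_METHODS)},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def validate_policy(policy):
    """Return findings a reviewer should resolve before setting state to 'enabled'."""
    findings = []
    cond = policy["conditions"]
    if not cond["users"].get("excludeUsers"):
        findings.append("no break-glass accounts excluded; a misconfiguration could lock admins out")
    if "All" not in cond["users"].get("includeUsers", []):
        findings.append("policy does not target all users; device code flow stays open for the rest")
    methods = set(cond.get("authenticationFlows", {}).get("transferMethods", "").split(","))
    for m in BLOCKED_TRANSFER_METHODS:
        if m not in methods:
            findings.append(f"transfer method {m} is not covered")
    if policy["grantControls"].get("builtInControls") != ["block"]:
        findings.append("grant control is not 'block'")
    return findings


def evaluate(policy, user_id, app_id, transfer_method):
    """Local simulation of one sign-in against the policy document.
    Returns 'block', 'report-only' (would block once enforced) or 'allow'."""
    cond = policy["conditions"]
    users, apps = cond["users"], cond["applications"]
    in_scope_user = ("All" in users["includeUsers"] or user_id in users["includeUsers"]) \
        and user_id not in users.get("excludeUsers", [])
    in_scope_app = ("All" in apps["includeApplications"] or app_id in apps["includeApplications"]) \
        and app_id not in apps.get("excludeApplications", [])
    methods = cond.get("authenticationFlows", {}).get("transferMethods", "").split(",")
    if not (in_scope_user and in_scope_app and transfer_method in methods):
        return "allow"
    if policy["state"] == "enabled":
        return "block"
    if policy["state"] == "enabledForReportingButNotEnforced":
        return "report-only"
    return "allow"  # disabled policy never blocks


if __name__ == "__main__":
    policy = build_block_policy(BREAK_GLASS_USER_IDS, EXEMPT_APP_IDS)
    print(json.dumps(policy, indent=2))
    print("findings:", validate_policy(policy))
    cases = [("user-1", "app-x", "deviceCodeFlow"),               # ordinary user, would be blocked
             (BREAK_GLASS_USER_IDS[0], "app-x", "deviceCodeFlow"),  # break-glass exclusion
             ("user-1", EXEMPT_APP_IDS[0], "deviceCodeFlow"),       # audited exception
             ("user-1", "app-x", "none")]                          # normal interactive sign-in
    for uid, app, method in cases:
        print(f"{uid:26} {app:28} {method:22} -> {evaluate(policy, uid, app, method)}")
```

Run it with the policy in report-only first, review the sign-ins that show up as "report-only" against the inventory from the audit step, then recreate the body with `state="enabled"` once every remaining hit is either an attacker or an app you have deliberately excluded.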
Detection Considerations for IT Teams
Traditional security tools may not flag this activity. Focus on:
- Unusual OAuth token issuance events
- Suspicious “compliant” device sign-ins
- Unexpected active sessions or registered devices
- Impossible travel or anomalous access patterns
Logging and monitoring via:
- Microsoft Entra ID (Azure AD) sign-in logs
- Defender for Cloud Apps
- Conditional Access insights
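Entra ID sign-in logs record the protocol each sign-in used, so both the audit in step 2 (which apps and users still rely on device code) and the detection items above can be driven from the same data. The following is an added example, not code from the IC3 PSA or from BVA: it runs over a handful of constructed records shaped like Microsoft Graph `signIn` objects (the property names `authenticationProtocol`, `appDisplayName`, `userPrincipalName`, `location.countryOrRegion` and `createdDateTime` are real Graph fields; every value, user and app ID is invented), builds an inventory of device-code and authentication-transfer sign-ins per app, and flags impossible travel as a simple "two countries within one hour" check. The one-hour window and the alert format are this example's own choices.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-ins (Graph signIn field names; all values invented).
SAMPLE_SIGNINS = [
    {"id": "s1", "createdDateTime": "2026-05-21T08:00:00Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Build Pipeline CLI", "appId": "APP-BUILD-CLI", "ipAddress": "203.0.113.10",
     "authenticationProtocol": "deviceCode", "location": {"countryOrRegion": "US"}},
    {"id": "s2", "createdDateTime": "2026-05-21T09:05:00Z", "userPrincipalName": "bob@example.com",
     "appDisplayName": "Microsoft Office", "appId": "APP-OFFICE", "ipAddress": "198.51.100.7",
     "authenticationProtocol": "deviceCode", "location": {"countryOrRegion": "NL"}},
    {"id": "s3", "createdDateTime": "2026-05-21T09:25:00Z", "userPrincipalName": "bob@example.com",
     "appDisplayName": "Outlook", "appId": "APP-OUTLOOK", "ipAddress": "192.0.2.44",
     "authenticationProtocol": "oAuth2", "location": {"countryOrRegion": "US"}},
    {"id": "s4", "createdDateTime": "2026-05-21T10:00:00Z", "userPrincipalName": "carol@example.com",
     "appDisplayName": "Outlook", "appId": "APP-OUTLOOK", "ipAddress": "192.0.2.45",
     "authenticationProtocol": "oAuth2", "location": {"countryOrRegion": "US"}},
    {"id": "s5", "createdDateTime": "2026-05-21T11:30:00Z", "userPrincipalName": "dave@example.com",
     "appDisplayName": "Microsoft Teams", "appId": "APP-TEAMS", "ipAddress": "198.51.100.9",
     "authenticationProtocol": "authenticationTransfer", "location": {"countryOrRegion": "DE"}},
]

# Protocol values that indicate a device-code or cross-device (transfer) sign-in.
FLAGGED_PROTOCOLS = {"deviceCode", "authenticationTransfer"}


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def flagged_signins(records):
    """Sign-ins that used device code flow or authentication transfer."""
    return [r for r in records if r.get("authenticationProtocol") in FLAGGED_PROTOCOLS]


def app_inventory(records):
    """Audit view: (app name, app id) -> sorted users still using a flagged flow.
    Anything here must be either exempted deliberately or blocked."""
    inv = defaultdict(set)
    for r in flagged_signins(records):
        inv[(r["appDisplayName"], r["appId"])].add(r["userPrincipalName"])
    return {app: sorted(users) for app, users in inv.items()}


def impossible_travel(records, window=timedelta(minutes=60)):
    """Consecutive sign-ins by the same user from different countries within `window`."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["userPrincipalName"]].append(r)
    alerts = []
    for upn, rs in by_user.items():
        rs.sort(key=lambda r: parse_time(r["createdDateTime"]))
        for a, b in zip(rs, rs[1:]):
            ca, cb = a["location"]["countryOrRegion"], b["location"]["countryOrRegion"]
            if ca != cb and parse_time(b["createdDateTime"]) - parse_time(a["createdDateTime"]) <= window:
                alerts.append({"user": upn, "from": ca, "to": cb, "ids": (a["id"], b["id"])})
    return alerts


def triage(records):
    """Combine both checks into one alert list for the SOC queue."""
    alerts = [{"type": "transfer-flow-signin", "id": r["id"], "user": r["userPrincipalName"],
               "app": r["appDisplayName"], "protocol": r["authenticationProtocol"]}
              for r in flagged_signins(records)]
    alerts += [{"type": "impossible-travel", **t} for t in impossible_travel(records)]
    return alerts


if __name__ == "__main__":
    print("Apps still using device code / authentication transfer:")
    for (name, app_id), users in app_inventory(SAMPLE_SIGNINS).items():
        print(f"  {name} ({app_id}): {', '.join(users)}")
    print("Alerts:")
    for alert in triage(SAMPLE_SIGNINS):
        print(" ", alert)
```

In the sample, alice's build-agent sign-in is the kind of legitimate usage the audit is meant to surface before enforcement, while bob's device-code sign-in from one country followed twenty minutes later by an Outlook session from another is what an investigator should pull the refresh-token history for. In a Log Analytics workspace the same first filter is `SigninLogs | where AuthenticationProtocol in ("deviceCode", "authenticationTransfer")`.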
Strategic Takeaway for Businesses
Kali365 highlights a critical evolution in cyber threats:
Attackers are moving away from credentials—and targeting identity trust mechanisms directly.
For organizations, this reinforces the need to:
- Adopt Zero Trust identity principles
- Implement advanced Conditional Access policies
- Treat OAuth tokens as high-value assets
- Continuously audit authentication flows
Final Thoughts
Phishing is no longer just about tricking users into giving up passwords; it’s about tricking systems into granting access.
Kali365 proves that even well-secured environments with MFA enabled can be compromised if identity controls are not properly configured.
How BVA Can Help
At BVA Technology Services, we help organizations move beyond basic security into true identity protection and Zero Trust architecture, including:
- Microsoft 365 Conditional Access design & enforcement
- OAuth and token security audits
- Phishing-resistant authentication strategies
- Security posture assessments aligned with NIST & CIS