The US Federal Bureau of Investigation (FBI) has issued a public service announcement warning organizations and individuals about Kali365, a Phishing-as-a-Service (PhaaS) platform first observed in April 2026. The service is distributed primarily through Telegram and enables even less-technical attackers to hijack Microsoft 365 accounts by stealing OAuth access and refresh tokens, bypassing the need for passwords or multi-factor authentication (MFA). This gives almost anyone the means to carry out stealthy, persistent attacks against Microsoft 365 environments, including Outlook, Teams, and OneDrive.[1]
See: https://redskyalliance.org/xindustry/phishing-saas
The attack begins with a phishing email impersonating trusted cloud productivity or document-sharing services. The message contains a device code and instructions directing the recipient to a legitimate Microsoft verification page. When the user enters the code, they unknowingly authorize the attacker’s device to access their account.
The Kali365 platform then captures the OAuth tokens. These tokens grant the attacker persistent access to the victim’s Microsoft 365 services without requiring any further credentials or MFA prompts. Subscription to the service also provides users with AI-generated phishing lures, automated campaign templates, real-time tracking dashboards, and token capture capabilities, significantly lowering the technical barrier for cybercriminals.
Jake Moore, the Global Cybersecurity Advisor at ESET, commented on the implications of such PhaaS operations. “Phishing as a service operations make a simple threat vector even easier to use and lower the bar for virtually anyone to take advantage of,” he said. “When software can be used to remove any form of evidence trail of who may be behind these services, it makes these operations risk-free and relatively inviting to criminals.”
Moore added that attackers can layer multiple platforms together, making it harder for chief information security officers and security teams to defend against them. “The speed of these modern scam adaptations can also leave detection systems wondering what has happened,” he noted. “Employee awareness is more vital than ever, but it’s complicated when the scams are continually adapting to bypass traditional security and are designed to look more legitimate.”
He warned that many organizations have historically viewed OAuth and persistent cloud sessions as relatively simple trust mechanisms. “One time authentication has often been seen as a staple ‘strong enough’ but when service attacks improve, defenders need to adapt and move to keep up.”
The FBI recommends restricting device code flow authentication to limit this style of attack. Organizations should first audit existing device code flow usage, then create conditional access policies that block the flow for all users, with limited exceptions for essential business processes. A further step is to block authentication transfer, the flow that lets a user move an authentication from one device to another.
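An added example of the "audit existing usage first" step, written for this post and not taken from the FBI PSA or the article: a Python audit over constructed sign-in records shaped like Entra ID sign-in log rows. The field names (authenticationProtocol, with the values deviceCode and authenticationTransfer) and the allow list of apps are assumptions.

```python
import json
from collections import defaultdict

# Constructed sample sign-in records (not real log data), shaped like Entra ID
# sign-in log rows; the field names and values used here are an assumption.
SAMPLE_SIGNINS = """\
{"userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.10"}
{"userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Office", "authenticationProtocol": "none", "ipAddress": "198.51.100.7"}
{"userPrincipalName": "svc-kiosk@example.com", "appDisplayName": "Azure CLI", "authenticationProtocol": "deviceCode", "ipAddress": "192.0.2.44"}
{"userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.99"}
{"userPrincipalName": "carol@example.com", "appDisplayName": "Microsoft Teams", "authenticationProtocol": "authenticationTransfer", "ipAddress": "198.51.100.9"}
"""
# The two flows the FBI guidance says to restrict.
RESTRICTED_FLOWS = {"deviceCode", "authenticationTransfer"}

def parse_signins(text):
    """Parse newline-delimited JSON sign-in records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def audit_restricted_flows(records):
    """Group restricted-flow sign-ins by (user, app, flow), keeping the count and
    the source IPs so a reviewer can tell routine use from a suspicious pattern."""
    summary = defaultdict(lambda: {"count": 0, "ips": set()})
    for rec in records:
        flow = rec.get("authenticationProtocol", "none")
        if flow not in RESTRICTED_FLOWS:
            continue  # ordinary interactive sign-in, out of scope for this audit
        key = (rec["userPrincipalName"], rec["appDisplayName"], flow)
        summary[key]["count"] += 1
        summary[key]["ips"].add(rec["ipAddress"])
    return dict(summary)

def exception_candidates(summary, allowed_apps):
    """Users whose restricted-flow sign-ins all went through an app on the
    (hypothetical) allow list are exception candidates; the rest get blocked."""
    apps_by_user = defaultdict(set)
    for user, app, _flow in summary:
        apps_by_user[user].add(app)
    exceptions = {u for u, apps in apps_by_user.items() if apps <= allowed_apps}
    return exceptions, set(apps_by_user) - exceptions

if __name__ == "__main__":
    summary = audit_restricted_flows(parse_signins(SAMPLE_SIGNINS))
    for (user, app, flow), info in sorted(summary.items()):
        print(f"{flow:<22} {user:<22} {app:<17} n={info['count']} ips={sorted(info['ips'])}")
    exceptions, block = exception_candidates(summary, allowed_apps={"Azure CLI"})
    print("exception candidates:", sorted(exceptions))
    print("users to cover with the block policy:", sorted(block))
```

With the sample data, only the service account using Azure CLI qualifies as an exception candidate; the user whose device code sign-ins arrive from two unrelated addresses is the kind of pattern the review should investigate rather than exempt.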
If an account is compromised, the FBI urges immediate reporting to the Internet Crime Complaint Center at www.ic3.gov, including any phishing emails and details of unauthorized sessions. The PSA highlights how PhaaS kits such as Kali365 continue to evolve, making sophisticated cloud account compromises accessible to a wider range of threat actors.
This article is shared at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information (CTI) via a notification/Tier I analysis service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please contact the office directly at 1-844-492-7225 or feedback@redskyalliance.com
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
[1] https://www.cybersecurityintelligence.com/blog/fbi-issues-a-warning-about-a-powerful-new-phaas-platform--9418.html