The US Federal Bureau of Investigation (FBI) has issued a public service announcement warning organizations and individuals about Kali365, a Phishing-as-a-Service (PhaaS) platform first observed in April 2026. The service is distributed primarily through Telegram and enables even less-technical attackers to hijack Microsoft 365 accounts by stealing OAuth access and refresh tokens, bypassing the need for passwords or multi-factor authentication (MFA). This gives almost anyone the means to carry
