The US Federal Bureau of Investigation (FBI) has issued a public service announcement warning organizations and individuals about Kali365, a Phishing-as-a-Service (PhaaS) platform first observed in April 2026. The service is distributed primarily through Telegram and enables even less-technical attackers to hijack Microsoft 365 accounts by stealing OAuth access and refresh tokens, bypassing the need for passwords or multi-factor authentication (MFA). This gives almost anyone the means to carry
Microsoft representatives have warned that adversaries use OAuth applications as an automation tool to deploy virtual machines (VMs) for cryptocurrency mining and launch phishing attacks. "Threat actors compromise user accounts to create, modify, and grant high privileges to OAuth applications that they can misuse to hide malicious activity," the Microsoft Threat Intelligence team said in an analysis. The misuse of OAuth also enables threat actors to maintain access to applications even if the
The Microsoft Security Intelligence team is warning that Office 365 customers are receiving phishing emails that aim to trick them into giving OAuth permissions to a bogus app that then lets attackers read and write emails. The team reported that attackers are sending the OAuth phishing emails to "hundreds" of Office 365 customers.
OAuth is an open standard for access delegation, commonly used as a way for Internet users to grant websites or applications access to their information on other we