FBI warns of Kali phishing scam hitting Microsoft OAuth tokens — warns 'Kali365 lowers the barrier of entry, providing less-technical attackers access to AI-generated phishing lures'
A new phishing kit is being offered on Telegram
- FBI flags Kali365, a phishing kit sold on Telegram which steals Microsoft 365 OAuth tokens and bypasses MFA
- Victims are tricked into entering device codes on legitimate Microsoft pages, unknowingly authorizing attacker access to Outlook, Teams, and OneDrive
- Mitigation steps include restricting device code flow, enforcing conditional access policies, auditing usage, and blocking authentication transfer policies
The FBI has warned of a new phishing kit which “lowers the barrier of entry” and gives even low-skilled malicious actors an easy way to compromise people’s Microsoft 365 accounts.
In a Public Service Announcement (PSA), Microsoft said that a new phishing kit, called Kali365, started making the rounds on Telegram in April 2026. It is advertised as a simple way to obtain Microsoft 365 access tokens and bypass multi-factor authentication (MFA) without intercepting the user’s credentials.
“Through the Kali365 platform subscription, cyber threat actors can capture "OAuth" tokens and gain persistent access to targeted individuals/entities' Microsoft 365 environments,” the FBI warned.
Capturing tokens
The kit allows threat actors to send phishing emails that spoof trusted cloud productivity and document-sharing services. These emails contain a device code along with instructions to visit a legitimate Microsoft verification page and enter it. Victims who do as they’re told and paste in the device code are actually authorizing the attacker’s device to access their account, the FBI explained.
The attackers can then capture OAuth access and refresh tokens, gaining unrestricted access to Microsoft 365 accounts and all the services found inside, such as Outlook, Teams, and OneDrive.
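Because the victim signs in on a genuine Microsoft page, the only trace of this technique on the defender's side is a device code sign-in completed from a machine the user does not normally use. The script below is an added example (not from the FBI advisory or the article) that runs that check over a handful of constructed sign-in records shaped like Microsoft Graph `signIn` objects; the field names (`authenticationProtocol`, `userPrincipalName`, `ipAddress`, `status.errorCode`) are assumed from that resource and the records themselves are made up.

```python
"""Flag device-code sign-ins in Entra ID sign-in logs (constructed sample data)."""
from collections import defaultdict

# Constructed sample records, shaped like Microsoft Graph `signIn` objects.
# Field names are an assumption based on that resource; values are invented.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-04-02T08:01:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.10", "authenticationProtocol": "oAuth2",
     "appDisplayName": "Microsoft Teams", "status": {"errorCode": 0}},
    # Alice completes a device code login from her usual IP (e.g. a CLI tool).
    {"createdDateTime": "2026-04-02T09:15:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.10", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Azure CLI", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-04-03T11:42:00Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "198.51.100.7", "authenticationProtocol": "oAuth2",
     "appDisplayName": "Outlook", "status": {"errorCode": 0}},
    # Bob's device code login is completed from an IP never seen for Bob:
    # the pattern of a victim authorizing someone else's device.
    {"createdDateTime": "2026-04-03T11:50:00Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "192.0.2.200", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
    # A failed device code attempt (non-zero errorCode) is not an authorization.
    {"createdDateTime": "2026-04-03T11:51:00Z", "userPrincipalName": "carol@example.com",
     "ipAddress": "192.0.2.201", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 50126}},
]


def device_code_alerts(signins):
    """Return one alert per successful device-code sign-in, oldest first.

    Severity is 'high' when the source IP never appears in that user's other
    successful (non-device-code) sign-ins, i.e. the flow was completed on a
    machine the user does not normally use; 'medium' when the IP is known.
    """
    known_ips = defaultdict(set)
    for s in signins:
        if s["status"]["errorCode"] == 0 and s["authenticationProtocol"] != "deviceCode":
            known_ips[s["userPrincipalName"]].add(s["ipAddress"])

    alerts = []
    for s in sorted(signins, key=lambda r: r["createdDateTime"]):
        if s["authenticationProtocol"] != "deviceCode" or s["status"]["errorCode"] != 0:
            continue
        user = s["userPrincipalName"]
        new_ip = s["ipAddress"] not in known_ips[user]
        alerts.append({
            "time": s["createdDateTime"],
            "user": user,
            "ip": s["ipAddress"],
            "app": s["appDisplayName"],
            "severity": "high" if new_ip else "medium",
            "reason": ("device code flow completed from an IP unseen in the user's other sign-ins"
                       if new_ip else "device code flow completed from a known IP"),
        })
    return alerts


if __name__ == "__main__":
    for a in device_code_alerts(SAMPLE_SIGNINS):
        print(f"[{a['severity']}] {a['time']} {a['user']} {a['ip']} {a['app']}: {a['reason']}")
```

On the sample data this yields a medium alert for Alice (known IP) and a high alert for Bob (new IP); Carol's failed attempt is ignored. In practice the same logic runs over records pulled from the sign-in log export, and the "known IP" baseline should be built from a longer history than the few lines embedded here.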
To mitigate the risk, users are advised to restrict device code flow, create a conditional access policy, audit existing device code flow usage, and block authentication transfer policies. Organizations that cannot completely restrict device code flow are advised to exclude emergency access accounts from the policy to prevent lockouts.
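The four mitigation steps above map onto a single Conditional Access policy plus an audit query. The following is an added example, not code from the FBI or Microsoft: it builds the policy body for the Microsoft Graph `conditionalAccessPolicy` resource blocking both device code flow and authentication transfer, starts it in report-only mode, refuses to enforce it unless an emergency access account is excluded, and includes a checker that flags a weaker policy. The `authenticationFlows.transferMethods` condition, the `enabledForReportingButNotEnforced` state and the `authenticationProtocol eq 'deviceCode'` sign-in filter are assumed from the Graph schema; the account ID is a placeholder.

```python
"""Build and review a Conditional Access policy that blocks device code flow
and authentication transfer, keeping emergency access accounts excluded."""
import json

# Values assumed from the Microsoft Graph conditionalAccessPolicy schema:
# `transferMethods` is a comma-separated list of flows to match.
BLOCKED_FLOWS = ("deviceCodeFlow", "authenticationTransfer")


def build_block_auth_flows_policy(emergency_account_ids, enforce=False):
    """Return the JSON body for POST /identity/conditionalAccess/policies.

    Starts in report-only mode unless enforce=True (so auditing comes first),
    and refuses to produce an enforced policy with no excluded emergency
    access account, which is the lockout the guidance warns about.
    """
    if enforce and not emergency_account_ids:
        raise ValueError("refusing to enforce without an excluded emergency access account")
    return {
        "displayName": "Block device code flow and authentication transfer",
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(emergency_account_ids)},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": ",".join(BLOCKED_FLOWS)},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def audit_query_url(since_iso):
    """Graph URL listing device-code sign-ins since a timestamp (assumed filter fields)."""
    return ("https://graph.microsoft.com/v1.0/auditLogs/signIns"
            f"?$filter=authenticationProtocol eq 'deviceCode' and createdDateTime ge {since_iso}")


def policy_gaps(policy):
    """Review checks a defender would run before enabling a policy; returns the problems found."""
    gaps = []
    flows = set(policy["conditions"].get("authenticationFlows", {})
                .get("transferMethods", "").split(","))
    for flow in BLOCKED_FLOWS:
        if flow not in flows:
            gaps.append(f"{flow} not blocked")
    if not policy["conditions"]["users"].get("excludeUsers"):
        gaps.append("no emergency access account excluded")
    if policy.get("grantControls", {}).get("builtInControls") != ["block"]:
        gaps.append("grant control is not 'block'")
    return gaps


if __name__ == "__main__":
    # Placeholder object ID for a break-glass account; substitute your own.
    EMERGENCY_ACCOUNT = "00000000-0000-0000-0000-000000000000"
    policy = build_block_auth_flows_policy([EMERGENCY_ACCOUNT])
    print(json.dumps(policy, indent=2))
    print("gaps:", policy_gaps(policy) or "none")
    print("audit:", audit_query_url("2026-04-01T00:00:00Z"))
```

The intended order is: run the audit query to learn which users and apps legitimately rely on device code flow, deploy the policy in report-only mode and watch the sign-in log for what it would have blocked, then switch to `enforce=True` once the exclusions are right.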
Phishing kits are platforms offered for a fee on the dark web, through which malicious actors can build entire phishing workflows. They include everything from templated email messages that spoof major brands to fully functional landing pages for capturing login credentials and MFA codes. Depending on the features used, they can cost as little as $10 a month, going up to $1,000 and more.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.