Kali365 Scam: FBI Warns of New Microsoft 365 Fraud
The phishing-as-a-service platform bypasses multi-factor authentication using OAuth codes and offers AI tools to cybercriminals for $250 a month.
June 16, 2026 · 4 min read
TL;DR: The FBI warns about Kali365, a phishing-as-a-service platform targeting Microsoft 365. It uses OAuth codes to bypass MFA and offers AI tools for $250/month.
What Happened?
The FBI has issued an urgent security alert about Kali365, a phishing-as-a-service (PhaaS) platform specifically targeting Microsoft 365 users. According to the agency, Kali365 allows cybercriminals to intercept OAuth device authorization codes, enabling them to access Teams, Outlook, and OneDrive accounts without a password and bypassing multi-factor authentication (MFA). The alert, published on June 15, 2025, was initially reported by Slashdot and picked up by The Hill. The FBI first detected Kali365 in April 2025, and has since observed an increase in attacks targeting organizations using Microsoft 365.
How Does the Attack Work?
The attack begins with a phishing email impersonating a legitimate document-sharing service, such as DocuSign or SharePoint. The message includes a device code and instructions for the victim to enter it on a fake login page. By doing so, the attacker obtains an OAuth token that allows persistent access to the victim's account, even if the victim later changes their password. This method exploits the OAuth 2.0 device authorization grant flow, which is designed for devices without a full browser but can be abused if an attacker convinces the victim to enter the code on a malicious site. Once the token is obtained, the attacker can access emails, files on OneDrive, calendars, and contacts, and potentially spread to other services linked to the Microsoft account.
Why Is This Important?
Kali365 represents a significant evolution in the threat landscape because it lowers the barrier to entry for non-technical cybercriminals. The platform is offered via a monthly subscription of $250, and includes AI-generated phishing templates, real-time victim tracking dashboards, and OAuth token capture capabilities. According to the FBI alert, this allows attackers with limited skills to carry out sophisticated campaigns that previously required advanced knowledge. Moreover, the fact that it bypasses MFA underscores a critical vulnerability in Microsoft 365 security. While MFA remains an effective defense against many attacks, Kali365 demonstrates it is not infallible when combined with social engineering and OAuth protocol abuse. NordPass noted that Kali365 is a clear example of how AI is being used to boost cybercrime, making it easier to create increasingly convincing phishing lures.
Consequences for Businesses and Users
The consequences of a successful attack can be severe: theft of sensitive data, access to emails and cloud files, and potential spread to other services linked to the Microsoft account. For businesses, this can lead to data breaches, financial losses, and reputational damage. The FBI warns that attacks specifically target organizations using Microsoft 365, including companies, government agencies, and educational institutions. Since OAuth tokens can be valid for hours or days, the attacker has a wide window to extract data. Additionally, because no password is required, traditional detection methods based on stolen credentials may not alert security systems. Users and IT administrators are advised to be vigilant about suspicious emails requesting device code entry, and to implement additional measures such as conditional access policies that restrict the use of device codes.
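As an added illustration of the detection gap described above (this is example code, not from the article or the FBI alert), the following Python snippet triages constructed sign-in records shaped after Microsoft Entra sign-in logs, flagging successful device-code sign-ins from client apps outside an allowlist or from a second country within a short window. The app allowlist, field names and all record values are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed sample records (values invented for this example), shaped after the
# fields of Microsoft Entra sign-in logs: the protocol "deviceCode" marks the
# OAuth 2.0 device authorization grant that the phishing lures abuse. The location
# recorded for such a sign-in is that of the client that redeems the code, which
# is why an unexpected country is a useful signal even though no password failed.
SAMPLE_SIGNINS = [
    {"user": "alice@example.test", "appId": "app-approved-0001", "protocol": "deviceCode",
     "country": "US", "time": "2025-06-15T09:02:00", "status": 0},
    {"user": "bob@example.test", "appId": "app-approved-0001", "protocol": "deviceCode",
     "country": "NL", "time": "2025-06-15T09:10:00", "status": 0},
    {"user": "bob@example.test", "appId": "app-unknown-9999", "protocol": "deviceCode",
     "country": "RO", "time": "2025-06-15T09:14:00", "status": 0},
    {"user": "carol@example.test", "appId": "app-approved-0001", "protocol": "oAuth2",
     "country": "US", "time": "2025-06-15T09:20:00", "status": 0},
]

# Hypothetical allowlist of client app IDs permitted to use the device code flow.
APPROVED_DEVICE_CODE_APPS = {"app-approved-0001"}


def device_code_alerts(records, approved_apps=APPROVED_DEVICE_CODE_APPS,
                       window=timedelta(minutes=30)):
    """Return (reason, record) pairs for device-code sign-ins worth a closer look:
    - any successful device-code sign-in by an app outside the allowlist, and
    - a user completing device-code sign-ins from two countries within `window`.
    Status 0 stands in for a successful sign-in in these constructed records.
    """
    alerts = []
    last_by_user = {}  # most recent successful device-code sign-in per user
    for rec in sorted(records, key=lambda r: r["time"]):
        if rec["protocol"] != "deviceCode" or rec["status"] != 0:
            continue  # only successful device authorization grants matter here
        if rec["appId"] not in approved_apps:
            alerts.append(("unapproved_app", rec))
        t = datetime.fromisoformat(rec["time"])
        prev = last_by_user.get(rec["user"])
        if prev and prev["country"] != rec["country"] \
                and t - datetime.fromisoformat(prev["time"]) <= window:
            alerts.append(("country_change", rec))
        last_by_user[rec["user"]] = rec
    return alerts


if __name__ == "__main__":
    for reason, rec in device_code_alerts(SAMPLE_SIGNINS):
        print(f"{reason}: {rec['user']} via {rec['appId']} from {rec['country']} at {rec['time']}")
```

In a real deployment the records would come from the sign-in log export or Graph API rather than an inline list, and the alerts would feed a ticket or a token-revocation workflow.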
What Should Readers Know?
- Do not enter device codes received via email unless explicitly requested and the source is verified. Legitimate device codes are only generated when the user initiates the process on an official site.
- Review and revoke OAuth tokens in Microsoft 365 security settings periodically. Administrators can use tools like Azure AD to audit and revoke suspicious tokens.
- Train employees to identify phishing attempts and report them. Regular phishing simulations can help reinforce awareness.
- Implement conditional access policies that restrict the use of device codes, for example, blocking this flow for unapproved apps or requiring specific geographic locations.
- Enable phishing-resistant multi-factor authentication, such as Windows Hello for Business or FIDO2, which do not rely on device codes.
Historical Context and Comparison
Kali365 is not the first PhaaS service, but it stands out for its focus on OAuth and low cost. Similar services like EvilGinx or Modlishka also attack MFA via reverse proxies that capture session tokens, but Kali365 integrates AI to automate content generation and victim tracking, making it more accessible and dangerous. Moreover, unlike attacks requiring their own infrastructure, Kali365 offers a turnkey platform. Compared to the 2022 session token attack against Okta, where a compromised support provider was used, Kali365 democratizes access to advanced techniques. Microsoft has been notified and is working on mitigations, such as detecting anomalous device code flows, but in the meantime, users must exercise extreme caution. The FBI also recommends reporting any suspicious activity to the Internet Crime Complaint Center (IC3).