FBI Warns of Kali Phishing Scam Hitting Microsoft OAuth Tokens – Warns “Kali365 Lowers Barrier of Entry, Giving Less Tech Attackers Access to AI-Generated Phishing Lures”

FBI flags Kali365, a phishing kit sold on Telegram that steals Microsoft 365 OAuth tokens and bypasses MFA
Victims are tricked into entering device codes on legitimate Microsoft sites, unknowingly authorizing the hacker’s access to Outlook, Teams and OneDrive
Remediation steps include restricting device code flow, enforcing conditional access policies, auditing usage, and blocking authentication transfer policies

The FBI has warned of a new phishing kit that “lowers the barrier to entry” and gives even low-skilled malicious actors an easy way to compromise people’s Microsoft 365 accounts.

In a Public Service Announcement (PSA), Microsoft said that a new phishing kit, called Kali365, began making the rounds on Telegram in April 2026. It is advertised as a simple way to obtain Microsoft 365 access tokens and bypass multi-factor authentication (MFA) without intercepting user credentials.

“Through the Kali365 platform subscription, cyber threat actors can capture “OAuth” tokens and gain persistent access to targeted individuals/devices’ Microsoft 365 environments,” the FBI warned.

Capture of tokens

The kit allows threat actors to send phishing emails that spoof trusted cloud productivity and document sharing services. These emails also contain a device code with instructions to visit a legitimate Microsoft verification page and enter it. Victims who do as prompted and enter the device code effectively authorize the attacker’s device to access their account, the FBI explained.

They can then capture OAuth access and refresh tokens and gain full access to Microsoft 365 accounts and all the services that reside within, such as Outlook, Teams, and OneDrive.

To mitigate the risk, users are advised to limit device code flow, create a Conditional Access policy, audit existing code flow usage, and block authentication transfer policies. Users who cannot fully limit the use of device code flow are advised to exclude emergency access accounts to prevent lockouts.

Phishing kits are paid platforms on the dark web through which malicious actors can create entire phishing workflows. They include everything from templated emails that spoof major brands to fully functional landing pages for collecting login credentials and MFA codes. Depending on the features used, they can be used for as little as $10 per month, up to $1,000 and more.