Jun 17, 2026
FBI Warns of Kali 365 Phishing-as-a-Service Platform Targeting Microsoft 365 Users
The FBI has warned about Kali 365, a Phishing-as-a-Service platform sold over Telegram that lets attackers take over Microsoft 365 accounts by abusing the OAuth 2.0 device code flow. Phishing emails impersonating Microsoft services carry a device sign-in code and point the victim at a genuine Microsoft verification page; the victim signs in there, MFA included, and the attacker's device receives the resulting OAuth access and refresh tokens without ever handling a password.
Quick Facts
Who: FBI
What: Issued public service announcement about phishing scam
When: 2026-06-17
Where: Microsoft 365 services
- Issued public service announcement about phishing scam
- Phishing-as-a-Service platform captures OAuth access and refresh tokens
- MFA is not defeated but sidestepped: the victim completes it on the real Microsoft page, the attacker receives the tokens
- Phishing emails impersonate Microsoft services
- Lures carry a device authentication code and direct the victim to Microsoft's genuine device-login page
The FBI has issued a public service announcement warning about a sophisticated phishing campaign targeting Microsoft 365 services, including Outlook, Teams, and OneDrive. The attack leverages a Phishing-as-a-Service (PHaaS) platform called Kali 365, which enables cyber threat actors to bypass multi-factor authentication and gain persistent access to victim accounts without obtaining user passwords.
The attack mechanism is the OAuth 2.0 device code flow. The attacker starts the flow for a public client application and receives a code pair from Microsoft: a device code that stays with the attacker, and a short user code. The phishing email, impersonating a trusted Microsoft service, carries that user code and instructions to enter it at a legitimate Microsoft verification page. When the targeted user pastes the code into the authentic page and signs in normally, password and MFA included, Microsoft binds that session to the attacker's pending device code. The attacker, polling the token endpoint, then receives OAuth access and refresh tokens for the victim's account; the refresh token keeps that access alive without triggering a new MFA challenge. Because the code is short-lived, the lure has to be acted on quickly, and because every page the victim sees is Microsoft's own, there is no fake login form to spot.
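The exchange above, played end to end as an added example (this is not the FBI's or Microsoft's code): a toy authorization server with the device-code and token endpoints of RFC 8628, an attacker client, and a victim who enters the code on the "genuine" page. The client ID, scopes, user-code format and 15-minute code lifetime are assumptions; the tokens are random strings. The point it makes is that the victim never gives the attacker anything directly, and that the refresh token afterwards needs neither a password nor MFA.

```python
"""Toy model of the OAuth 2.0 device authorization grant (RFC 8628) behind the
Kali 365 lure. Added example, not FBI or Microsoft code: the authorization
server, the attacker's client and the victim are all simulated in-process, the
tokens are random strings, and the user-code format is an assumption."""
import secrets

VERIFICATION_URI = "https://microsoft.com/devicelogin"   # the genuine page the lure points to


class AuthorizationServer:
    """Stand-in for the identity provider's /devicecode and /token endpoints."""

    def __init__(self, code_ttl=900):           # assumption: codes live 15 minutes
        self.code_ttl = code_ttl
        self.pending = {}          # device_code   -> pending authorization
        self.by_user_code = {}     # user_code     -> device_code
        self.refresh_tokens = {}   # refresh_token -> (subject, client_id, scope)

    def device_authorization(self, client_id, scope, now):
        """Step 1 (attacker): request a code pair on behalf of a public client."""
        device_code = secrets.token_urlsafe(32)                       # stays with the attacker
        user_code = "".join(secrets.choice("BCDFGHJKLMNPQRSTVWXZ") for _ in range(9))
        self.pending[device_code] = {"client_id": client_id, "scope": scope,
                                     "expires": now + self.code_ttl, "subject": None}
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,   # user_code goes into the lure
                "verification_uri": VERIFICATION_URI,
                "expires_in": self.code_ttl, "interval": 5}

    def user_enters_code(self, user_code, subject, password_ok, mfa_ok, now):
        """Step 2 (victim): paste the code on the real page and sign in normally."""
        rec = self.pending.get(self.by_user_code.get(user_code))
        if rec is None or now > rec["expires"]:
            return "invalid_or_expired_code"
        if not (password_ok and mfa_ok):     # password and MFA are checked here, by the
            return "sign_in_failed"          # genuine IdP; the attacker never sees them
        rec["subject"] = subject             # victim's session bound to attacker's device_code
        return "device_authorized"

    def token(self, client_id, device_code, now):
        """Step 3 (attacker): poll /token until the victim has finished."""
        rec = self.pending.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if now > rec["expires"]:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if rec["subject"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]
        refresh_token = secrets.token_urlsafe(32)
        self.refresh_tokens[refresh_token] = (rec["subject"], client_id, rec["scope"])
        return {"access_token": secrets.token_urlsafe(32), "refresh_token": refresh_token,
                "token_type": "Bearer", "expires_in": 3600, "scope": rec["scope"],
                "subject": rec["subject"]}

    def refresh(self, client_id, refresh_token):
        """Step 4 (attacker, later): new access tokens with no password and no MFA prompt."""
        entry = self.refresh_tokens.get(refresh_token)
        if entry is None or entry[1] != client_id:
            return {"error": "invalid_grant"}
        subject, _, scope = entry
        return {"access_token": secrets.token_urlsafe(32), "expires_in": 3600,
                "scope": scope, "subject": subject}


def run_lure(victim_delay_seconds, victim_completes_mfa=True):
    """Play the whole exchange once and return what each side ended up with.

    victim_delay_seconds: how long after the attacker starts the flow the victim
    pastes the code; past code_ttl the lure has gone stale and the attacker gets nothing.
    """
    idp = AuthorizationServer()
    attacker_client = "attacker-public-client"     # assumption: some public client ID
    scope = "Mail.ReadWrite Files.ReadWrite.All offline_access"   # assumed scopes
    t0 = 1_000_000
    # Attacker starts the flow; only user_code and verification_uri reach the victim.
    start = idp.device_authorization(attacker_client, scope, t0)
    first_poll = idp.token(attacker_client, start["device_code"], t0 + 5)   # still pending
    # Victim follows the emailed instructions on the genuine page.
    t_victim = t0 + victim_delay_seconds
    victim_result = idp.user_enters_code(start["user_code"], "victim@example.com",
                                         password_ok=True, mfa_ok=victim_completes_mfa,
                                         now=t_victim)
    tokens = idp.token(attacker_client, start["device_code"], t_victim + 5)
    renewed = (idp.refresh(attacker_client, tokens["refresh_token"])
               if "refresh_token" in tokens else None)
    return {"user_code_in_lure": start["user_code"], "first_poll": first_poll,
            "victim_saw": victim_result, "attacker_tokens": tokens,
            "attacker_refresh": renewed}
```

`run_lure(60)` is the successful case; `run_lure(2000)` shows the code expiring before the victim acts, and `run_lure(60, victim_completes_mfa=False)` shows that the attacker's poll stays pending if the victim's sign-in does not complete: MFA is still enforced, it is just enforced on the wrong party's behalf.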
Kali 365 is primarily distributed via Telegram and significantly lowers the barrier to entry for attackers. The platform provides less-technical actors with AI-generated phishing lure templates, automated campaign tools, real-time tracking dashboards for targeted individuals and entities, and OAuth token capture capabilities. This democratization of sophisticated phishing attacks poses a widespread threat to organizations and individuals relying on Microsoft 365 services.
The FBI recommends several protective measures. Organizations should create a Conditional Access policy that blocks the device code flow for all users, carving out only the accounts and applications that need it for a legitimate business process, and should first audit existing device code sign-ins so those dependencies are known before the block is enforced. The same Conditional Access condition can also block authentication transfer, the flow that moves a signed-in session from a computer to a mobile device, closing a related path. Emergency access (break-glass) accounts must be excluded from the policy so that a misconfiguration cannot lock administrators out.
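The audit-then-block sequence above, as an added example that is not the FBI's or Microsoft's code. The sign-in records are constructed to mirror the fields of the Entra ID sign-in log (userPrincipalName, appDisplayName, authenticationProtocol, ipAddress, createdDateTime); the policy body follows the Microsoft Graph conditionalAccessPolicy schema with its authenticationFlows condition; the break-glass object ID, the internal IP prefix and the sample app names are placeholders. The same audit doubles as a hunt for the attack itself: a device-code sign-in from an unfamiliar address is exactly what a redeemed Kali 365 lure looks like in the logs.

```python
"""Audit device-code and authentication-transfer sign-ins, then build and sanity
check the Conditional Access policy that blocks those flows. Added example, not
FBI or Microsoft code: the sign-in records are constructed, the policy body
follows the Graph conditionalAccessPolicy schema, and the IDs are placeholders."""
import json
import urllib.request
from collections import Counter

RISKY_FLOWS = {"deviceCode", "authenticationTransfer"}   # authenticationProtocol values

# Constructed sample of sign-in log records (not real tenant data).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "kiosk-svc@example.com", "appDisplayName": "Azure CLI",
     "authenticationProtocol": "deviceCode", "ipAddress": "10.20.0.7",
     "createdDateTime": "2026-06-16T08:02:11Z"},
    {"userPrincipalName": "kiosk-svc@example.com", "appDisplayName": "Azure CLI",
     "authenticationProtocol": "deviceCode", "ipAddress": "10.20.0.7",
     "createdDateTime": "2026-06-17T08:01:54Z"},
    {"userPrincipalName": "cfo@example.com", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.45",
     "createdDateTime": "2026-06-17T13:40:02Z"},
    {"userPrincipalName": "cfo@example.com", "appDisplayName": "Outlook",
     "authenticationProtocol": "none", "ipAddress": "10.20.1.15",
     "createdDateTime": "2026-06-17T09:10:31Z"},
    {"userPrincipalName": "pm@example.com", "appDisplayName": "Microsoft Authenticator",
     "authenticationProtocol": "authenticationTransfer", "ipAddress": "10.20.1.30",
     "createdDateTime": "2026-06-17T10:22:47Z"},
]


def audit_flow_usage(records):
    """Return {(user, app, protocol): count} for every risky-flow sign-in.
    Run over a month of sign-ins before enabling the block: each row is either a
    legitimate dependency to exclude or a lead to investigate."""
    counts = Counter()
    for r in records:
        proto = r.get("authenticationProtocol")
        if proto in RISKY_FLOWS:
            counts[(r["userPrincipalName"], r["appDisplayName"], proto)] += 1
    return dict(counts)


def flag_for_investigation(records, internal_prefixes=("10.",)):
    """Risky-flow sign-ins from outside the internal ranges (placeholder prefix):
    the shape of a redeemed lure, since the token is fetched from the attacker's host."""
    return [r for r in records
            if r.get("authenticationProtocol") in RISKY_FLOWS
            and not r["ipAddress"].startswith(internal_prefixes)]


def build_block_policy(break_glass_ids, state="enabledForReportingButNotEnforced"):
    """Graph conditionalAccessPolicy body: block device code flow and authentication
    transfer for everyone except the break-glass accounts. Starts in report-only
    state; switch to "enabled" once the audit is clean."""
    return {
        "displayName": "Block device code flow and authentication transfer",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass_ids)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            "authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def check_policy(policy):
    """Lockout and coverage checks to run before the policy goes live."""
    problems = []
    cond = policy["conditions"]
    if not cond["users"].get("excludeUsers"):
        problems.append("no emergency access account excluded: a bad policy locks out every admin")
    methods = set(cond.get("authenticationFlows", {}).get("transferMethods", "").split(","))
    if "deviceCodeFlow" not in methods:
        problems.append("deviceCodeFlow is not in transferMethods")
    if "authenticationTransfer" not in methods:
        problems.append("authenticationTransfer is not in transferMethods")
    if policy["grantControls"].get("builtInControls") != ["block"]:
        problems.append("grant control is not 'block'")
    return problems


def submit_policy(policy, access_token):
    """POST the policy to Graph (token needs Policy.ReadWrite.ConditionalAccess).
    Network call: run it yourself once check_policy() returns []."""
    req = urllib.request.Request(
        "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies",
        data=json.dumps(policy).encode(), method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

On the constructed sample, `audit_flow_usage` surfaces the kiosk service account's daily Azure CLI device-code logins (a dependency to exclude, or to move to a different flow) and the PM's authentication transfer, while `flag_for_investigation` isolates the CFO's device-code sign-in from an external address, which is the one to pull session details for and, if confirmed, to report to IC3 with the email headers.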
Anyone affected by Kali 365 phishing attacks should file a complaint with the Internet Crime Complaint Center (IC3) at www.ic3.gov, providing available evidence such as phishing email headers and body content, suspicious login details including time and IP address, and information about any unauthorized devices or active sessions added to their accounts.
Why This Matters
This threat directly impacts any organization using Microsoft 365: the attacker never handles a password and never faces an MFA prompt, because the victim satisfies both on a genuine Microsoft page, and the captured refresh token keeps the access alive afterwards. Understanding the device code flow and implementing the recommended countermeasures, above all blocking the flow through Conditional Access, is critical to preventing account compromise and data breaches.
Timeline & Sources
Jun 17, 2026
FBI issues public service announcement warning about Kali 365 phishing-as-a-service platform