FBI Alert: Kali365 PhaaS Campaign Targets Microsoft 365 MFA

The Federal Bureau of Investigation (FBI) has officially released Public Service Announcement Alert I-052126-PSA, sounding the alarm on a sophisticated new Phishing-as-a-Service (PhaaS) ecosystem known as Kali365. Since its initial emergence in April 2026, this platform has specifically targeted Microsoft 365 environments by moving beyond simple credential harvesting and focusing on the more insidious exploitation of OAuth-based authentication flows.

The Kali365 Ecosystem: Democratizing Advanced Phishing

Kali365 operates on a subscription-based model, primarily distributed through encrypted Telegram channels. By lowering the technical barrier to entry, it allows relatively unsophisticated threat actors to execute high-level, scalable attacks that were previously the domain of advanced persistent threat (APT) groups. The platform provides a comprehensive “attack toolkit,” including:

  • AI-Driven Social Engineering: Generative AI templates that produce highly convincing, context-aware phishing lures.
  • Automated Orchestration: End-to-end deployment tools for large-scale campaign management.
  • Real-Time Telemetry: Live dashboards that allow attackers to track victim engagement and success rates instantly.
  • OAuth Token Extraction: Specialized modules designed to intercept and weaponize authentication tokens.

This modular approach enables attackers to maintain a high level of operational tempo while minimizing the “noise” that typically triggers traditional security alerts.

Technical Breakdown: Exploiting the Device Code Flow

What distinguishes Kali365 from legacy phishing is its pivot from stealing passwords to hijacking active sessions. The platform exploits the legitimate Microsoft Device Code Authentication flow—a mechanism intended for devices with limited input capabilities (like smart TVs or IoT hardware)—to bypass Multi-Factor Authentication (MFA).

The attack lifecycle typically follows this sequence:

  1. The Lure: An attacker sends a highly tailored email impersonating a trusted entity (e.g., Microsoft Support or a corporate document sharing service). The email instructs the user to “verify their device” or “complete a login” by visiting a specific URL and entering a provided code.
  2. The Authentication Trigger: The victim, believing they are performing a routine security task, navigates to a legitimate Microsoft login page and enters the attacker’s provided device code.
  3. Token Exfiltration: Because the user has successfully authenticated via MFA on their own device, the Microsoft identity provider issues an OAuth access and refresh token. The Kali365 platform intercepts these tokens during the handshake.
  4. Persistent Session Hijacking: Armed with these tokens, the attacker bypasses the need for a password or MFA entirely. They can now access Outlook, Teams, and OneDrive with the same privileges as the victim, often maintaining access even if the user resets their password.

This technique is particularly devastating because it effectively renders traditional MFA a moot point, as the attacker isn’t “breaking in”—they are being “let in” through a legitimate, albeit abused, protocol.

Defensive Strategies and Mitigation Framework

To defend against Kali365 and similar session-hijacking threats, security administrators must move toward a Zero Trust architecture and tighten the configuration of identity providers. The FBI and CISA recommend the following technical controls:

  • Disable Device Code Flows: Where business requirements allow, strictly disable the device code authentication flow via Entra ID (formerly Azure AD) settings.
  • Enforce Conditional Access: Implement granular Conditional Access policies that restrict authentication based on device compliance, geographic location, and known-risk IP ranges.
  • Monitor Token Lifetimes: Review and shorten the lifespan of refresh tokens to limit the window of opportunity for hijacked sessions.
  • Audit Authentication Patterns: Actively monitor for “impossible travel” alerts or unexpected device registrations within your tenant.
  • Implement Session Revocation: Ensure your Incident Response (IR) playbook includes the ability to instantly revoke all active refresh tokens for a compromised user.

If your organization suspects a compromise, please report the incident to the Internet Crime Complaint Center (IC3). When reporting, ensure you provide forensic artifacts such as email headers, suspicious IP addresses, and details of any unauthorized devices added to your environment.

The emergence of Kali365 serves as a critical reminder that as identity becomes the new security perimeter, attackers will increasingly target the protocols that manage that identity.

Related Articles

Back to top button