- FBI flags Kali365, a phishing kit sold on Telegram that steals Microsoft 365 OAuth tokens and bypasses MFA.
- Victims are tricked into entering device codes on legitimate Microsoft pages, unknowingly granting the attacker access to Outlook, Teams, and OneDrive.
- Mitigation steps include restricting device code flow, enforcing conditional access policies, auditing usage, and blocking authentication pass-through policies.
The FBI has warned of a new phishing kit that “lowers the barrier to entry” and allows even low-skilled malicious actors an easy way to compromise people’s Microsoft 365 accounts.
In a public service announcement (PSA), Microsoft said that a new phishing kit, called Kali365, began circulating on Telegram in April 2026. It is advertised as an easy way to obtain Microsoft 365 access tokens and bypass multi-factor authentication (MFA) without intercepting user credentials.
“Through subscription to the Kali365 platform, cyber threat actors can capture ‘OAuth’ tokens and gain persistent access to the Microsoft 365 environments of specific individuals/entities,” the FBI warned.
Capturing tokens
The kit allows threat actors to send phishing emails that spoof trusted cloud productivity and document sharing services. These emails also contain a device code with instructions to visit a legitimate Microsoft verification page and enter it. Victims who do as they are told and paste the device code are actually authorizing the attacker’s device to access their account, the FBI explained.
They can then capture OAuth access and refresh tokens, gaining continued access to Microsoft 365 accounts and all the services within, such as Outlook, Teams, and OneDrive.
To mitigate risk, users are advised to restrict device code flow, create a conditional access policy, audit existing device code flow usage, and block authentication pass-through policies. Those who cannot fully restrict device code flow are recommended to exclude emergency access accounts from the restriction to avoid lockouts.
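The two defensive steps above, auditing existing device code flow usage and then restricting it while excluding emergency access accounts, can be rehearsed offline. The following is an added example and not code from the article or the FBI PSA: it assumes sign-in records in the shape of the Microsoft Graph `signIn` resource (the `authenticationProtocol` field takes the value `deviceCode` for this flow) and drafts a policy body in the shape of the Graph `conditionalAccessPolicy` resource using the `authenticationFlows.transferMethods` condition; the sample records, account names and the IP-based triage heuristic are constructed for illustration.

```python
"""Audit device code flow sign-ins and draft a Conditional Access policy to block it.

Added example (not from the article or the FBI PSA). Assumes sign-in records in the
shape of the Microsoft Graph `signIn` resource and a policy body in the shape of the
Graph `conditionalAccessPolicy` resource; the sample records below are constructed.
"""
import json
from collections import defaultdict

# Constructed sample export: a mix of interactive (oAuth2) and device code sign-ins.
SAMPLE_SIGNINS_JSON = json.dumps([
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.10", "resourceDisplayName": "Microsoft Teams",
     "createdDateTime": "2026-04-01T08:00:00Z"},
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.77", "resourceDisplayName": "Office 365 Exchange Online",
     "createdDateTime": "2026-04-01T09:12:00Z"},
    {"userPrincipalName": "buildagent@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.20", "resourceDisplayName": "Azure DevOps",
     "createdDateTime": "2026-04-01T09:30:00Z"},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.11", "resourceDisplayName": "Microsoft Graph",
     "createdDateTime": "2026-04-01T10:00:00Z"},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.11", "resourceDisplayName": "Microsoft Graph",
     "createdDateTime": "2026-04-01T10:05:00Z"},
])

# Accounts that legitimately use device code flow (headless build agents, kiosk CLIs).
APPROVED_DEVICE_CODE_ACCOUNTS = frozenset({"buildagent@example.com"})


def load_signins(raw_json):
    """Parse a JSON array of sign-in records."""
    return json.loads(raw_json)


def audit_device_code_flow(records, approved=APPROVED_DEVICE_CODE_ACCOUNTS):
    """Return one finding per device code sign-in, ordered for triage.

    Severity: "info" for approved accounts; "high" when an unapproved account used
    device code flow from an IP it never used interactively in this export; "medium"
    otherwise. The IP comparison is a triage heuristic, not proof of compromise.
    """
    interactive_ips = defaultdict(set)
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            interactive_ips[rec["userPrincipalName"]].add(rec.get("ipAddress"))

    findings = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        user = rec["userPrincipalName"]
        known_ip = rec.get("ipAddress") in interactive_ips[user]
        if user in approved:
            severity = "info"
        elif not known_ip:
            severity = "high"
        else:
            severity = "medium"
        findings.append({
            "user": user, "ip": rec.get("ipAddress"),
            "resource": rec.get("resourceDisplayName"),
            "time": rec.get("createdDateTime"),
            "known_ip": known_ip, "severity": severity,
        })
    findings.sort(key=lambda f: {"high": 0, "medium": 1, "info": 2}[f["severity"]])
    return findings


def build_block_device_code_policy(emergency_accounts, approved_accounts=(), report_only=True):
    """Draft a Conditional Access policy body that blocks device code flow tenant-wide,
    excluding emergency access accounts and any approved headless accounts.

    Assumption: field names follow the Graph conditionalAccessPolicy resource. Graph
    expects user object IDs in excludeUsers; UPNs are used here only for readability.
    Starting in report-only state lets you compare the audit findings with what the
    policy would block before enforcing it.
    """
    return {
        "displayName": "Block device code flow",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"],
                      "excludeUsers": sorted(set(emergency_accounts) | set(approved_accounts))},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    for f in audit_device_code_flow(load_signins(SAMPLE_SIGNINS_JSON)):
        print(f"[{f['severity']:6}] {f['user']:24} {f['ip']:15} {f['resource']}")
    print(json.dumps(build_block_device_code_policy(["breakglass@example.com"],
                                                    APPROVED_DEVICE_CODE_ACCOUNTS), indent=2))
```

Run the audit first against a real export and settle the approved-account list from the "info" and "medium" findings; only then move the drafted policy from report-only to enabled, keeping the emergency access accounts in the exclusion list so an over-broad block cannot lock administrators out.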
Phishing kits are platforms offered for a fee on the dark web, through which malicious actors can create entire phishing workflows. They include everything from templated emails that spoof major brands to fully functional landing pages for capturing login credentials and MFA codes. Depending on the features used, they can be rented for as little as $10 a month, up to $1,000 and more.