FBI warns Kali365 phishing kit is stealing Microsoft OAuth tokens at scale

https://www.theregister.com/headlines.atom
Summary

MFA? No problem, says crimeware that tricks users into handing attackers the keys to M365

The FBI has issued a public service announcement warning about a new phishing kit that's stealing Microsoft OAuth tokens at an alarming rate.

OAuth token theft is a serious headache for organizations because stolen tokens can bypass multi-factor authentication (MFA) and grant access to privileged accounts within an organization without needing to know their credentials. Think corporate espionage, data theft, maybe even ransomware.

The main culprit is Kali365, described as a phishing-as-a-service platform that's being peddled on Telegram, first spotted by crimefighters in April 2026.

"Kali365 lowers the barrier of entry, providing less-technical attackers access to AI-generated phishing lures, automated campaign templates, real-time targeted individual/entity tracking dashboards, and OAuth token capture capabilities," the FBI said in its announcement.

Phishing kits aren't new. Different flavors are always in development, but the good ones can be especially problematic for organizations.

Kali365 lets attackers send convincing phishing emails that impersonate "trusted cloud productivity and document-sharing services," - Adobe Acrobat Sign, DocuSign, and SharePoint - according to security shop Arctic Wolf.

That email contains a device code and instructions for the target to enter the code into a legitimate Microsoft page, a hyperlink for which is included in the email.

Entering that code registers the attacker's device to the unwitting target's M365 account, effectively surrendering access to emails, Teams, and all the rest of it. No MFA required.

Arctic Wolf published a deep dive on Kali365 back in April, noting that it also offers adversary-in-the-middle (AitM) capabilities that are distinct from the device code phishing described by the FBI.

The second attack Kali365 enables leads to the same outcom...
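A sign-in completed through the device code flow described above is labelled as such in Microsoft Entra sign-in logs, which gives defenders something to hunt on. The following is an added example, not code from the FBI, Arctic Wolf or the original article: it scans exported sign-in records for successful device-code sign-ins by accounts that are not expected to use that flow. The field names are assumed to match a Microsoft Graph sign-in log export, and the records and allow-list are constructed.

```python
import json

# Constructed sample sign-in records (JSON Lines), not real telemetry.
# Field names are assumed to match a Microsoft Graph sign-in log export;
# errorCode 1 below is a constructed non-zero (failed) value.
SAMPLE_LOG = """\
{"createdDateTime":"2026-05-20T09:01:11Z","userPrincipalName":"alice@example.com","ipAddress":"198.51.100.4","authenticationProtocol":"oAuth2","status":{"errorCode":0}}
{"createdDateTime":"2026-05-20T09:14:02Z","userPrincipalName":"Bob@example.com","ipAddress":"203.0.113.7","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
{"createdDateTime":"2026-05-20T09:20:45Z","userPrincipalName":"carol@example.com","ipAddress":"203.0.113.7","authenticationProtocol":"deviceCode","status":{"errorCode":1}}
{"createdDateTime":"2026-05-20T10:02:30Z","userPrincipalName":"room-display@example.com","ipAddress":"198.51.100.9","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
not-json-line
"""

# Hypothetical allow-list: accounts that legitimately use the device code flow
# (for example, sign-in on input-constrained devices).
EXPECTED_DEVICE_CODE_USERS = frozenset({"room-display@example.com"})


def flag_device_code_signins(log_text, expected_users=EXPECTED_DEVICE_CODE_USERS):
    """Return (user, time, ip) for successful device-code sign-ins by
    accounts that are not expected to use that flow."""
    findings = []
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or malformed lines
        if not isinstance(rec, dict):
            continue
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        # errorCode 0 means the sign-in succeeded, so tokens were issued.
        if (rec.get("status") or {}).get("errorCode") != 0:
            continue
        user = str(rec.get("userPrincipalName", "")).lower()
        if user in expected_users:
            continue
        findings.append((user, rec.get("createdDateTime"), rec.get("ipAddress")))
    return findings


if __name__ == "__main__":
    for user, when, ip in flag_device_code_signins(SAMPLE_LOG):
        print(f"REVIEW device-code sign-in: {user} at {when} from {ip}")
```

Where no account needs the flow, a Conditional Access policy that blocks device code flow removes the exposure instead of only detecting it.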

First seen: 2026-05-22 13:20

Last seen: 2026-05-27 07:45