Microsoft 365 phishing attacks bypass MFA with new Kali365 platform

By Kavitha Nair
Tech writer at All Things Geek. Covers the business and industry of technology.

Microsoft 365 phishing attacks have entered a dangerous new phase. The FBI recently warned that a subscription-based phishing-as-a-service platform called Kali365 is systematically targeting Microsoft 365 users by stealing OAuth tokens and bypassing multifactor authentication entirely—without needing to steal passwords.

Key Takeaways

  • Kali365 is a phishing-as-a-service platform that targets Microsoft 365 accounts and bypasses MFA using legitimate Microsoft login flows.
  • Attackers obtain OAuth access and refresh tokens, then access Teams, Outlook, and OneDrive without requiring the victim’s password.
  • The platform offers AI-generated phishing lures, victim tracking dashboards, and automated templates to lower the barrier for attackers.
  • The attack mechanism uses a device code that directs users to a real Microsoft verification page, making it harder to detect as fraudulent.
  • Microsoft 365 phishing attacks are now more accessible to less sophisticated threat actors due to the subscription model and legitimate infrastructure abuse.

How Kali365 bypasses Microsoft 365 security

The attack method is deceptively simple yet effective. Kali365 generates phishing emails impersonating trusted cloud productivity and document-sharing services, then directs victims to enter a device code on what appears to be a legitimate Microsoft verification page. The user sees a real Microsoft interface—because it is one. Once the victim enters the code, Kali365 captures the OAuth access and refresh tokens, giving attackers full access to Microsoft 365 services including Teams, Outlook, and OneDrive.

What makes this approach so dangerous is that it bypasses multifactor authentication entirely. Traditional phishing campaigns require stealing passwords, which MFA can prevent. Kali365 sidesteps that problem by exploiting the legitimate OAuth token flow. Steven Campbell of Arctic Wolf explained the threat: “Because it leverages legitimate Microsoft infrastructure, the activity can appear normal to the victim, which makes it harder to detect.” The attacker never needs the victim’s actual password—the tokens are enough.

The platform also dramatically lowers the technical bar for attackers. Rather than building custom phishing infrastructure, threat actors can subscribe to Kali365 and immediately deploy campaigns at scale. The service provides AI-generated phishing lures, dashboards to track victims, and automated templates. Campbell added, “In practical terms, this means an attacker doesn’t need to build sophisticated tooling themselves. They can stand up a campaign quickly and at scale.”

Why Microsoft 365 phishing attacks are accelerating

Kali365 represents a shift in how phishing-as-a-service platforms operate. By using legitimate Microsoft infrastructure rather than spoofed login pages, the attack becomes nearly invisible to both users and security tools. A user receiving an email about verifying their account and being directed to a real Microsoft login page has no obvious reason to be suspicious. The infrastructure itself is trustworthy—the attack lies in how it is weaponized.

This is fundamentally different from older phishing campaigns that relied on fake login pages or credential harvesting. Those attacks often contained visual red flags: slightly wrong URLs, poor formatting, or domain mismatches. Kali365 eliminates those tells by routing users through legitimate Microsoft verification flows. The attacker is not impersonating Microsoft; the attacker is hijacking the normal authentication process.

What you can do to protect Microsoft 365 accounts

The FBI warning emphasizes that security teams should implement protective measures immediately. Although the research brief does not spell out the three specific steps referenced in the original article, the core defenses align with standard OAuth and email security practices.

First, be extremely cautious with unexpected device code verification requests. If you receive an email asking you to verify your account or device, verify the sender independently before entering any code. Do not click links in the email—instead, go directly to Microsoft.com and log in to check for any pending verification requests. Legitimate Microsoft requests should never arrive as unsolicited emails directing you to enter a code.

Second, enable and monitor conditional access policies in Microsoft 365. These policies can flag suspicious login attempts based on location, device, or network characteristics. If an attacker obtains your tokens but tries to access your account from an unusual location or device, conditional access can block the request even if the token is valid.

Third, review your OAuth application permissions and connected apps regularly. Attackers who obtain tokens can access any service your account has authorized. Go to your Microsoft account security settings and audit connected applications. Remove any apps or integrations you do not recognize or no longer use. This limits the damage if tokens are compromised.
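The second step above (conditional access and sign-in monitoring) and the "OAuth monitoring" the article recommends both depend on recognizing device code authentication in sign-in logs. The script below is an added example, not code from the article, the FBI, or Microsoft. It works over a handful of constructed records shaped like Microsoft Graph `signIn` objects (the field names `authenticationProtocol`, `ipAddress`, `location.countryOrRegion` and `status.errorCode` are real Entra ID sign-in log fields; the users, IPs and timestamps are made up). It builds a per-user baseline of countries seen in ordinary successful sign-ins, then flags every successful `deviceCode` sign-in: high severity when the country is outside the user's baseline (the token for a device code flow is issued to the client that requested the code, so a phished token shows up in the log from wherever that client runs), medium otherwise, since legitimate CLI tools also use the flow.

```python
"""Flag successful device-code sign-ins in Entra ID sign-in records.

Added example. Sample data below is constructed; only the Graph signIn
field names are real.
"""
from __future__ import annotations

import json
from collections import defaultdict

# Constructed sample export: what a Graph /auditLogs/signIns page might contain.
SAMPLE_SIGNINS = """
[
 {"createdDateTime": "2025-03-03T08:01:12Z", "userPrincipalName": "alice@example.com",
  "appDisplayName": "Microsoft Office", "authenticationProtocol": "oAuth2",
  "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"},
  "status": {"errorCode": 0}},
 {"createdDateTime": "2025-03-03T09:15:40Z", "userPrincipalName": "alice@example.com",
  "appDisplayName": "Microsoft Teams", "authenticationProtocol": "oAuth2",
  "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"},
  "status": {"errorCode": 0}},
 {"createdDateTime": "2025-03-03T11:42:05Z", "userPrincipalName": "alice@example.com",
  "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
  "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "NL"},
  "status": {"errorCode": 0}},
 {"createdDateTime": "2025-03-03T07:30:00Z", "userPrincipalName": "bob@example.com",
  "appDisplayName": "Microsoft Office", "authenticationProtocol": "oAuth2",
  "ipAddress": "203.0.113.22", "location": {"countryOrRegion": "US"},
  "status": {"errorCode": 0}},
 {"createdDateTime": "2025-03-03T07:35:10Z", "userPrincipalName": "bob@example.com",
  "appDisplayName": "Microsoft Azure CLI", "authenticationProtocol": "deviceCode",
  "ipAddress": "203.0.113.22", "location": {"countryOrRegion": "US"},
  "status": {"errorCode": 0}},
 {"createdDateTime": "2025-03-03T12:00:00Z", "userPrincipalName": "carol@example.com",
  "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
  "ipAddress": "198.51.100.9", "location": {"countryOrRegion": "BR"},
  "status": {"errorCode": 50126}}
]
"""


def load_signins(raw: str) -> list[dict]:
    """Parse a JSON array of signIn records."""
    return json.loads(raw)


def is_success(rec: dict) -> bool:
    """errorCode 0 means a token was actually issued; 50126 etc. are failures."""
    return (rec.get("status") or {}).get("errorCode", 0) == 0


def country_of(rec: dict) -> str:
    return (rec.get("location") or {}).get("countryOrRegion", "unknown")


def build_country_baseline(records: list[dict]) -> dict[str, set[str]]:
    """Countries each user has signed in from via ordinary (non-device-code) flows."""
    baseline: dict[str, set[str]] = defaultdict(set)
    for rec in records:
        if is_success(rec) and rec.get("authenticationProtocol") != "deviceCode":
            baseline[rec["userPrincipalName"]].add(country_of(rec))
    return baseline


def detect_device_code_risk(records: list[dict],
                            baseline: dict[str, set[str]]) -> list[dict]:
    """Return one finding per successful deviceCode sign-in, ranked by location."""
    findings = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode" or not is_success(rec):
            continue  # only issued tokens matter; failed attempts are noise here
        user = rec["userPrincipalName"]
        country = country_of(rec)
        # Token was issued to the client that started the flow; an unfamiliar
        # country for that client is the strongest single signal of phishing.
        severity = "high" if country not in baseline.get(user, set()) else "medium"
        findings.append({
            "user": user,
            "time": rec["createdDateTime"],
            "app": rec.get("appDisplayName", ""),
            "ip": rec.get("ipAddress", ""),
            "country": country,
            "severity": severity,
            "action": ("revoke sessions and refresh tokens, then review consents"
                       if severity == "high" else "confirm the user ran a CLI tool"),
        })
    return findings


if __name__ == "__main__":
    recs = load_signins(SAMPLE_SIGNINS)
    for f in detect_device_code_risk(recs, build_country_baseline(recs)):
        print(json.dumps(f))
```

On real data, pull sign-ins with the Graph sign-in log endpoint or a SIEM export, widen the baseline window to several weeks, and treat a high finding as grounds to revoke the user's refresh tokens, since rotating the password alone does not invalidate tokens already issued.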

The broader threat landscape

Microsoft 365 phishing attacks via Kali365 reflect a troubling trend: cybercrime is becoming more accessible and automated. Phishing-as-a-service platforms lower the barrier to entry for attackers who lack advanced technical skills. Instead of writing custom code or building infrastructure, attackers simply subscribe and deploy campaigns. This democratization of attacks means more threat actors can operate at scale, increasing the total volume of phishing emails targeting organizations.

Microsoft has acknowledged the threat and recommended that security teams follow FBI guidance. A Microsoft spokesperson stated that security teams should implement the protective measures provided by the FBI and follow best-practice advice for defense against phishing scams. However, the responsibility ultimately falls on users and organizations to recognize suspicious requests and implement strong security controls.

Can multifactor authentication protect me from Kali365?

Standard MFA does not protect against Kali365 because the attack does not target your password. Instead, it targets the OAuth token exchange, which happens after authentication. Once a user enters their credentials and passes MFA, they are directed to the device code verification page—a legitimate Microsoft step. By that point, MFA has already been satisfied. Conditional access policies and behavioral monitoring are more effective defenses than MFA alone.

What should I do if I think I have been targeted by a Kali365 phishing email?

If you receive a suspicious email requesting device code verification, do not enter any code. Report the email to your organization’s security team immediately. If you have already entered a code, change your Microsoft 365 password, review your connected apps and OAuth permissions, and alert your IT department so they can monitor your account for unauthorized access.

How does Kali365 compare to traditional phishing attacks?

Traditional phishing campaigns rely on fake login pages or credential harvesting to steal passwords. Kali365 is fundamentally different—it uses legitimate Microsoft infrastructure and targets the OAuth token flow instead of passwords. This makes Kali365 attacks much harder to detect because there is no fake domain, no credential harvesting page, and no obvious technical red flags. The attacker is not impersonating Microsoft; the attacker is manipulating a real Microsoft authentication process. This architectural difference is why Kali365 represents a significant escalation in phishing sophistication.

The threat of Microsoft 365 phishing attacks via Kali365 is real and immediate. Organizations cannot rely on traditional phishing awareness training or MFA alone to stop this attack. Instead, implement OAuth monitoring, conditional access policies, and regular audits of connected applications. The goal is not to prevent all phishing emails—that is impossible—but to ensure that even if a user falls for the attack, the damage is contained. Stay vigilant, verify requests independently, and keep your security posture updated as threats evolve.

Edited by the All Things Geek team.

Source: TechRadar
