FBI Warns of Kali365 Phishing Campaign Targeting Microsoft 365 Users
The U.S. Federal Bureau of Investigation (FBI) has issued a warning about a new wave of cyberattacks targeting Microsoft 365 users through a phishing-as-a-service platform known as Kali365, which enables attackers to gain access to user accounts without stealing passwords.
According to the FBI, Kali365 provides cybercriminals with a complete toolkit for launching phishing campaigns, including AI-generated phishing emails, ready-made templates, campaign management dashboards, and tools designed to steal OAuth authentication tokens that grant access to user accounts.
The platform first emerged in April 2026 and rapidly gained traction through Telegram, where it has been adopted by attackers targeting users of Outlook, Teams, OneDrive, and other Microsoft 365 services.
The attack typically begins with a phishing message that appears to come from a trusted source and prompts the victim to enter a verification code on what looks like an official Microsoft sign-in page. This is the pattern of OAuth device code phishing: the attacker initiates a device authorization flow and the code the victim types approves that attacker-initiated sign-in. Once the code is submitted, the attacker's client receives OAuth tokens for the victim's account, so the attacker never needs the password and the victim effectively completes multi-factor authentication (MFA) on the attacker's behalf.
The resulting tokens give attackers access to emails, files, conversations, and other data stored within Microsoft 365 accounts. The intrusion is also harder to detect than a credential theft: no password is stolen, the sign-in satisfies MFA, and subsequent access uses valid tokens rather than a login that trips password-based alerts.
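To make the mechanism concrete, the following is an added example, not code from the FBI advisory, from Microsoft, or from the Kali365 platform. It is a toy, in-memory model of the OAuth 2.0 device authorization grant (RFC 8628), which is assumed here to be the flow behind the "verification code" the victim is asked to enter. The server, client names, scopes, codes and user database are all constructed for illustration.

```python
# Added example (not from the FBI advisory or the Kali365 platform): a toy,
# in-memory model of the OAuth 2.0 device authorization grant (RFC 8628),
# assumed here to be the flow behind "enter this verification code". All
# client names, scopes and the user database are constructed for illustration.
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class DeviceRequest:
    device_code: str                    # secret held by the client that asked for the code
    user_code: str                      # short code shown to (or phished to) a human
    client_id: str
    scope: str
    expires_at: float
    approved_by: Optional[str] = None   # set when a signed-in user enters user_code


class ToyAuthorizationServer:
    """Stand-in for an identity provider's device-code and token endpoints."""

    def __init__(self, users: Dict[str, str]):
        self.users = users                               # username -> password
        self.by_device_code: Dict[str, DeviceRequest] = {}
        self.by_user_code: Dict[str, DeviceRequest] = {}

    def device_authorization(self, client_id: str, scope: str, lifetime_s: int = 900) -> dict:
        """Step 1: any client, including an attacker's, can ask for a code pair."""
        req = DeviceRequest(
            device_code=secrets.token_urlsafe(32),
            user_code=f"{secrets.randbelow(10**9):09d}",
            client_id=client_id, scope=scope,
            expires_at=time.time() + lifetime_s)
        self.by_device_code[req.device_code] = req
        self.by_user_code[req.user_code] = req
        return {"device_code": req.device_code, "user_code": req.user_code,
                "verification_uri": "https://login.example/devicelogin",
                "interval": 5, "expires_in": lifetime_s}

    def verify(self, user_code: str, username: str, password: str, mfa_passed: bool) -> str:
        """Step 2 (browser side): a human enters the code, signs in and completes
        MFA. The server cannot tell whether this human is the same party that
        requested the code in step 1."""
        req = self.by_user_code.get(user_code)
        if req is None or time.time() > req.expires_at:
            return "invalid_or_expired_code"
        if self.users.get(username) != password or not mfa_passed:
            return "authentication_failed"
        req.approved_by = username
        return "approved"

    def token(self, client_id: str, device_code: str) -> dict:
        """Step 3: the requesting client polls until the code has been approved."""
        req = self.by_device_code.get(device_code)
        if req is None or req.client_id != client_id:
            return {"error": "invalid_grant"}
        if time.time() > req.expires_at:
            return {"error": "expired_token"}
        if req.approved_by is None:
            return {"error": "authorization_pending"}
        # One-shot issuance: tokens go to whoever holds device_code, not to the
        # person who typed user_code.
        del self.by_device_code[device_code]
        del self.by_user_code[req.user_code]
        return {"token_type": "Bearer", "scope": req.scope,
                "access_token": f"at.{req.approved_by}.{secrets.token_hex(8)}",
                "refresh_token": f"rt.{req.approved_by}.{secrets.token_hex(8)}",
                "sub": req.approved_by}


def run_phishing_scenario(server: ToyAuthorizationServer, victim: str, victim_password: str,
                          mfa_passed: bool = True, victim_enters_code: bool = True) -> dict:
    """Attacker initiates the flow; the victim is lured into completing it.
    Returns what the attacker's client ends up holding."""
    attacker_client = "attacker-mail-client"            # constructed client id
    codes = server.device_authorization(attacker_client, "Mail.Read Files.Read offline_access")
    first_poll = server.token(attacker_client, codes["device_code"])
    # The lure carries codes["user_code"] plus the genuine verification URI; the
    # attacker never needs, and never sees, the victim's password.
    if victim_enters_code:
        outcome = server.verify(codes["user_code"], victim, victim_password, mfa_passed)
    else:
        outcome = "ignored"
    final = server.token(attacker_client, codes["device_code"])
    return {"first_poll": first_poll.get("error"), "verify_outcome": outcome,
            "attacker_token_response": final}


if __name__ == "__main__":
    srv = ToyAuthorizationServer({"victim@contoso.example": "hunter2"})
    print(run_phishing_scenario(srv, "victim@contoso.example", "hunter2"))
```

The detail to notice is in `token()`: tokens are issued to whoever holds `device_code`, while `verify()` only checks that some authenticated, MFA-passing user typed the matching `user_code`. Nothing binds the two parties together, which is why a victim who types a code they did not request hands their session to the requester, and why the advice below to never enter unsolicited verification codes is the right control. The `victim_enters_code=False` and `mfa_passed=False` paths show the attacker stuck at `authorization_pending` until the code expires.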
The FBI urged users never to enter verification codes received through unsolicited messages and to be wary of emails that pressure them into taking immediate action, such as opening documents, listening to voicemail messages, or reviewing invoices. The agency emphasized that verifying the legitimacy of unexpected communications through a separate, trusted channel before responding remains one of the most effective defenses against phishing.