Liputan6.com, Jakarta - The Federal Bureau of Investigation or FBI has issued an urgent warning on May 21, 2026, regarding a new phishing scheme.
This alert focuses on a Phishing-as-a-Service (PhaaS) platform called Kali365, which specifically targets Microsoft 365 users.
Advertisement
This threat allows cybercriminals to obtain access tokens and bypass multi-factor authentication (MFA) protocols without needing to directly steal user credentials.
Kali365, which was first detected in April 2026, is widely distributed via Telegram.
The platform is designed to make it easier for attackers who lack technical expertise to launch complex phishing attacks.
With the ability to generate AI-based phishing lures, automated campaign templates, real-time tracking dashboards, as well as OAuth token capture features, Kali365 is a dangerous tool.
The FBI released a #PSA warning the public about Kali365—an emerging Phishing-as-a-Service (PhaaS) platform. Kali365, first seen in April 2026, enables cyber threat actors to obtain Microsoft 365 access tokens and bypass multi-factor authentication (MFA) protocols without… pic.twitter.com/n2iQazJKYH
— FBI Los Angeles (@FBILosAngeles) May 26, 2026
Kali365 Attack Modus Operandi: Smartly Bypass MFA
The Kali365 attack leverages a method known as device code phishing, a technique that abuses Microsoft's legitimate OAuth 2.0 device authorization flow.
This process begins with the sending of phishing emails designed to impersonate a trusted cloud productivity or document sharing service.
The email contains the device code and instructions for visiting the original Microsoft verification page and entering the code.
The targeted individual or entity will then go to a legitimate Microsoft page and paste the device code.
Without realizing it, this action indirectly authorizes the attacker's device to access their account.
Once authorization occurs, the attacker successfully steals the access token and refreshes OAuth.
This token gives them full access to the victim's Microsoft 365 account.
Successful token theft allows attackers to access Microsoft 365 services such as Outlook, Teams, and OneDrive without requiring passwords or completing additional MFA challenges.
Impact and Fatal Risk Due to Kali365 Phishing Attacks
Once attackers gain access, they can take control of various Microsoft 365 services, including Outlook, Teams, and OneDrive.
This access is not limited to Microsoft services alone, but can also extend to other SaaS cloud services connected to the victim's Microsoft 365 account.
This broad access can lead to a variety of malicious activities, such as theft of sensitive data, financial fraud, extortion, and even crippling ransomware attacks.
Kali365 itself is offered as a subscription service, costing around $250 per month or $2,000 per year.
Payments are made in non-KYC cryptocurrencies, which makes it even more difficult to track cybercriminals.
FBI Recommendations for Personal Protection
To protect against Kali365 phishing attacks, the FBI and Microsoft recommend several important mitigation steps.
Organizations are advised to implement Conditional Access Policies to limit or block device code authentication.
This policy can prevent attackers from obtaining the tokens needed to bypass passwords and MFA.
Users should also always verify the sender of the email and ensure there are no typos in the email address.
Avoid clicking on unknown links or attachments in suspicious emails; it is better to directly visit the official website.
Report spam and scam emails to the Federal Trade Commission (FTC) or forward them to phishing-report@us-cert.gov.
Many email providers also provide a "report phishing" button that can be used.
Be alert for red flags in emails, such as unexpected invoices, urgent messages, or claims of "You won a prize!".Also limit who can use your account and where they log in from.
If you are a victim, report the incident to the Internet Crime Complaint Center (IC3) at www.ic3.gov.