The Federal Bureau of Investigation (FBI) has released a critical warning concerning a new phishing-as-a-service platform named Kali365. This emerging threat targets Microsoft 365 users by harvesting OAuth access and refresh tokens rather than passwords, which lets it sidestep multi-factor authentication (MFA) without ever breaking it.
Kali365’s Distribution and Capabilities
Primarily disseminated via Telegram channels, Kali365 allows cybercriminals to subscribe and launch phishing attacks with little technical expertise required. Unlike traditional credential-stealing kits, Kali365 is designed to capture OAuth tokens, which grant attackers ongoing access to a Microsoft 365 account without the attacker ever handling the username, password or MFA code: the victim supplies those to Microsoft's own sign-in page, and the attacker collects the tokens that result.
The platform is equipped with several user-friendly features, such as AI-generated phishing email templates that mimic trusted services, tools for automated campaign deployment, real-time dashboards for tracking victims, and the token-capture backend that polls Microsoft for the tokens once a victim has signed in. These features enable even inexperienced attackers to conduct large-scale, sophisticated phishing operations.
How Kali365 Exploits Microsoft 365
Kali365 abuses Microsoft's device code authentication flow, Microsoft's implementation of the OAuth 2.0 device authorization grant (RFC 8628). The flow exists so that input-constrained devices such as CLIs, smart TVs and conference-room hardware can sign in by showing the user a short code to type into a browser on another device. Victims are lured by phishing emails that seem to originate from Microsoft or a document-sharing platform. These emails carry a code, which the attacker's tooling obtained from Microsoft moments earlier, together with instructions to enter it on Microsoft's verification page. Device codes are short-lived (Microsoft's expire after 15 minutes), so the lure has to get the victim to act promptly.
When the user enters the code on the genuine Microsoft verification page and completes sign-in, including MFA, they are approving a pending authorization that belongs to the attacker's client. Microsoft's token endpoint then issues the OAuth access and refresh tokens to whoever requested the code, which is the attacker's poller, not the victim's browser. MFA is therefore not bypassed so much as satisfied by the victim on the attacker's behalf. With a refresh token the attacker can keep minting access tokens for Outlook, Teams and OneDrive for as long as it remains valid, and because the only URL the victim visited belongs to Microsoft, URL filtering and advice to "check the address bar" offer little protection.
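To make the token-routing point concrete, the following is an added example, written for this page rather than taken from Kali365 or from Microsoft's code. It is an in-memory toy model of the RFC 8628 device authorization grant with no network access: the endpoint names and the 15-minute/5-second values are Microsoft's documented ones used as labels, the client name `public-client-app` and the address `victim@example.com` are assumptions, and the token strings are placeholders. The walk-through replays the phishing sequence and shows why the tokens land with the party that requested the code, and what happens when the victim acts after the code has expired.

```python
"""Toy RFC 8628 (device code flow) model; in-memory, no network, no real IdP."""
import secrets
import string
import time
from dataclasses import dataclass
from typing import Callable, Optional

USER_CODE_TTL_SECONDS = 900     # Microsoft returns expires_in=900 for device codes
POLL_INTERVAL_SECONDS = 5       # and asks the client to poll every 5 seconds
VERIFICATION_URI = "https://microsoft.com/devicelogin"  # label only, never fetched


@dataclass
class PendingAuthorization:
    device_code: str            # secret held only by the client that asked for the code
    user_code: str              # short code the human types; this is what the phish carries
    client_id: str
    scope: str
    issued_at: float
    approved_by: Optional[str] = None   # UPN of whoever completed sign-in and MFA


class AuthorizationServer:
    """Stand-in for the /devicecode and /token endpoints (clock is injectable for tests)."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._by_device_code: dict[str, PendingAuthorization] = {}
        self._by_user_code: dict[str, str] = {}

    def _expired(self, rec: PendingAuthorization) -> bool:
        return self._clock() - rec.issued_at > USER_CODE_TTL_SECONDS

    def device_authorization(self, client_id: str, scope: str) -> dict:
        """POST /devicecode, called by the client (here: the attacker's tooling)."""
        device_code = secrets.token_urlsafe(32)
        alphabet = string.ascii_uppercase + string.digits
        user_code = "".join(secrets.choice(alphabet) for _ in range(9))
        rec = PendingAuthorization(device_code, user_code, client_id, scope, self._clock())
        self._by_device_code[device_code] = rec
        self._by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": VERIFICATION_URI,
                "expires_in": USER_CODE_TTL_SECONDS, "interval": POLL_INTERVAL_SECONDS}

    def user_enters_code(self, user_code: str, upn: str, mfa_passed: bool) -> str:
        """What the genuine verification page does after the human signs in."""
        device_code = self._by_user_code.get(user_code)
        rec = self._by_device_code.get(device_code) if device_code else None
        if rec is None or self._expired(rec):
            return "expired_or_unknown_code"
        if not mfa_passed:
            return "mfa_required"
        # The binding: the human's identity is attached to a device_code they
        # have never seen and that belongs to another party.
        rec.approved_by = upn
        return "approved"

    def token(self, client_id: str, device_code: str) -> dict:
        """POST /token with grant_type=urn:ietf:params:oauth:grant-type:device_code."""
        rec = self._by_device_code.get(device_code)
        if rec is None or rec.client_id != client_id:
            return {"error": "invalid_grant"}
        if self._expired(rec):
            return {"error": "expired_token"}
        if rec.approved_by is None:
            return {"error": "authorization_pending"}
        # Tokens go to the holder of device_code, i.e. the requesting client.
        return {"token_type": "Bearer", "scope": rec.scope,
                "access_token": "placeholder.access." + secrets.token_urlsafe(8),
                "refresh_token": "placeholder.refresh." + secrets.token_urlsafe(8),
                "subject": rec.approved_by}


def walk_through(now: float = 1_700_000_000.0) -> dict:
    """Replay the phishing sequence plus an expired-code variant; return what was observed."""
    clock = [now]
    srv = AuthorizationServer(clock=lambda: clock[0])
    # 1. Attacker tooling requests a code; the user_code is what the email carries.
    grant = srv.device_authorization("public-client-app", "openid offline_access Mail.Read")
    # 2. Polling before the victim acts just returns authorization_pending.
    pending = srv.token("public-client-app", grant["device_code"])["error"]
    # 3. Victim types the code on the genuine page and completes MFA.
    outcome = srv.user_enters_code(grant["user_code"], "victim@example.com", mfa_passed=True)
    # 4. The next poll hands the attacker tokens bound to the victim's identity.
    tokens = srv.token("public-client-app", grant["device_code"])
    # Variant: the victim opens the email 20 minutes later; the code is dead.
    stale = srv.device_authorization("public-client-app", "openid offline_access")
    clock[0] = now + 20 * 60
    late = srv.user_enters_code(stale["user_code"], "victim@example.com", mfa_passed=True)
    return {"before_victim_acts": pending, "victim_outcome": outcome,
            "token_subject": tokens.get("subject"),
            "got_refresh_token": "refresh_token" in tokens, "late_entry": late}


if __name__ == "__main__":
    for key, value in walk_through().items():
        print(f"{key}: {value}")
```

The `offline_access` scope in the request is what makes a refresh token come back; without it the attacker would hold only a short-lived access token. The `client_id` check in `token()` is also worth noting: the user code is useless to anyone who does not hold the matching device code, which is why the phish carries the user code and the attacker keeps the device code.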
FBI and CISA’s Mitigation Strategies
The FBI, in collaboration with the Cybersecurity and Infrastructure Security Agency (CISA), advises several preventive measures to minimize exposure to Kali365. These include disabling device code flow authentication where the organization does not need it, using Conditional Access to block it (Microsoft Entra's Conditional Access "Authentication flows" condition can target the device code flow specifically, and a report-only policy first shows what would be blocked), and auditing existing dependencies on the flow before restricting it, since CLI tools, IoT devices and meeting-room hardware may rely on it legitimately.
Organizations are also advised to monitor for atypical sign-ins and token usage patterns. Entra sign-in logs record which authentication protocol a sign-in used, so device code sign-ins from unfamiliar IP addresses or countries, or by applications that never use the flow in your tenant, are the signal to look for. If an account is suspected compromised, revoke its sessions so that the attacker's refresh token stops working; access tokens already issued stay valid until they expire, typically within about an hour, so expect a short tail of activity. Victims should report Kali365-related incidents to the FBI's Internet Crime Complaint Center (IC3) with detailed information such as phishing email samples, suspicious login details, and unauthorized device activity.
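The audit and the monitoring steps above can be run over exported sign-in logs with one small script. The following is an added example, not code from the FBI, CISA or Microsoft. The six log records are constructed for the example and use the field names of the Microsoft Graph `signIn` resource (`authenticationProtocol`, `appDisplayName`, `ipAddress`, `location.countryOrRegion`, `status.errorCode`); the user names, IP addresses, and the assumption that only "Azure CLI" is expected to use device code flow in the tenant are hypothetical. The audit pass lists who depends on the flow today, which is what to check before blocking it; the detection pass flags successful device code sign-ins by unexpected applications or from countries the user has not signed in from otherwise.

```python
"""Audit and detect device code flow usage in Entra sign-in log records (constructed sample)."""
import json
from collections import defaultdict

# Assumption for this hypothetical tenant: only the CLI legitimately uses device code flow.
EXPECTED_DEVICE_CODE_APPS = {"Azure CLI"}

# Constructed records, one JSON object per line, in the shape of the Graph signIn resource.
SAMPLE_LOG = """
{"createdDateTime":"2025-03-04T09:12:01Z","userPrincipalName":"alice@example.com","appDisplayName":"Microsoft Office","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.10","location":{"countryOrRegion":"US"},"status":{"errorCode":0}}
{"createdDateTime":"2025-03-04T09:40:17Z","userPrincipalName":"alice@example.com","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.77","location":{"countryOrRegion":"NL"},"status":{"errorCode":0}}
{"createdDateTime":"2025-03-04T10:02:44Z","userPrincipalName":"bob@example.com","appDisplayName":"Azure CLI","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.22","location":{"countryOrRegion":"US"},"status":{"errorCode":0}}
{"createdDateTime":"2025-03-04T10:05:09Z","userPrincipalName":"bob@example.com","appDisplayName":"Azure CLI","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.22","location":{"countryOrRegion":"US"},"status":{"errorCode":50126}}
{"createdDateTime":"2025-03-04T11:30:00Z","userPrincipalName":"carol@example.com","appDisplayName":"Microsoft Teams","authenticationProtocol":"deviceCode","ipAddress":"192.0.2.5","location":{"countryOrRegion":"RU"},"status":{"errorCode":0}}
{"createdDateTime":"2025-03-04T11:31:00Z","userPrincipalName":"carol@example.com","appDisplayName":"Microsoft Teams","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.40","location":{"countryOrRegion":"US"},"status":{"errorCode":0}}
"""


def parse(log_text: str) -> list[dict]:
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def is_device_code(rec: dict) -> bool:
    return rec.get("authenticationProtocol") == "deviceCode"


def succeeded(rec: dict) -> bool:
    # errorCode 0 is success; anything else (e.g. 50126 bad credentials) is a failure.
    return rec.get("status", {}).get("errorCode", 0) == 0


def audit_device_code_dependencies(records: list[dict]) -> dict[str, list[str]]:
    """Map each app that completed a device code sign-in to the users who used it.
    Run this before blocking the flow so legitimate dependencies are known."""
    per_app: dict[str, set] = defaultdict(set)
    for rec in records:
        if is_device_code(rec) and succeeded(rec):
            per_app[rec["appDisplayName"]].add(rec["userPrincipalName"])
    return {app: sorted(users) for app, users in per_app.items()}


def flag_suspicious_device_code_signins(records: list[dict],
                                        expected_apps: set = EXPECTED_DEVICE_CODE_APPS) -> list[dict]:
    """Successful device code sign-ins that look like a phished code rather than a CLI login."""
    # Baseline: countries seen on each user's ordinary (non-device-code) successful sign-ins.
    baseline: dict[str, set] = defaultdict(set)
    for rec in records:
        if succeeded(rec) and not is_device_code(rec):
            baseline[rec["userPrincipalName"]].add(rec["location"]["countryOrRegion"])

    findings = []
    for rec in records:
        if not (is_device_code(rec) and succeeded(rec)):
            continue
        user = rec["userPrincipalName"]
        country = rec["location"]["countryOrRegion"]
        reasons = []
        if rec["appDisplayName"] not in expected_apps:
            reasons.append("app not expected to use device code flow")
        if baseline[user] and country not in baseline[user]:
            reasons.append(f"country {country} not seen on user's other sign-ins")
        if reasons:
            findings.append({"time": rec["createdDateTime"], "user": user,
                             "app": rec["appDisplayName"], "ip": rec["ipAddress"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print("Device code dependencies:", audit_device_code_dependencies(recs))
    for f in flag_suspicious_device_code_signins(recs):
        print("SUSPICIOUS", f["time"], f["user"], f["app"], f["ip"], "; ".join(f["reasons"]))
```

Bob's failed attempt is excluded from both passes because a failed sign-in issued no token; his successful CLI login is listed as a dependency but not flagged, since the app is expected and he has no conflicting baseline. The same two functions work unchanged on real exports of the Graph `auditLogs/signIns` collection saved as newline-delimited JSON.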
As phishing tactics evolve, the rise of platforms like Kali365 underscores the shift towards token-based attacks that sidestep password and MFA defenses, and the corresponding need for controls at the identity layer: restricting which authentication flows and client applications can obtain tokens, and watching how tokens are used after they are issued.
