TechRadar
Sead Fadilpašić

FBI warns of Kali phishing scam hitting Microsoft OAuth tokens — warns 'Kali365 lowers the barrier of entry, providing less-technical attackers access to AI-generated phishing lures'

  • FBI flags Kali365, a phishing kit sold on Telegram which steals Microsoft 365 OAuth tokens and bypasses MFA
  • Victims are tricked into entering device codes on legitimate Microsoft pages, unknowingly authorizing attacker access to Outlook, Teams, and OneDrive
  • Mitigation steps include restricting device code flow, enforcing conditional access policies, auditing usage, and blocking authentication transfer policies

The FBI has warned of a new phishing kit that “lowers the barrier of entry” and gives even low-skilled attackers an easy way to compromise people’s Microsoft 365 accounts.

In a Public Service Announcement (PSA), Microsoft said that a new phishing kit, called Kali365, began circulating on Telegram in April 2026. It is advertised as a simple way to obtain Microsoft 365 access tokens and bypass multi-factor authentication (MFA) without intercepting the user’s credentials.

“Through the Kali365 platform subscription, cyber threat actors can capture ‘OAuth’ tokens and gain persistent access to targeted individuals/entities' Microsoft 365 environments,” the FBI warned.

Capturing tokens

The kit lets threat actors send phishing emails that spoof trusted cloud productivity and document-sharing services. The emails contain a device code and instructions to visit a legitimate Microsoft verification page and enter it. Victims who follow the instructions and paste in the device code are in fact authorizing the attacker’s device to access their account, the FBI explained.

The attackers can then capture the OAuth access and refresh tokens, gaining persistent access to the Microsoft 365 account and every service inside it, such as Outlook, Teams, and OneDrive.

To mitigate the risk, organizations are advised to restrict the device code flow, create a conditional access policy, audit existing device code flow usage, and block authentication transfer policies. Those that cannot fully restrict device code flow usage are advised to exclude emergency access accounts from the policy to prevent lockouts.
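The two defensive steps above (auditing device code sign-ins and blocking the flow while sparing break-glass accounts) as an added example, not code from the article or the FBI: it scans constructed sign-in records shaped like the Microsoft Graph signIn resource for the `deviceCode` authentication protocol, and builds a Conditional Access policy object in the Graph `conditionalAccessPolicy` shape (field names assumed from that API; the emergency account ID is a placeholder).

```python
import json

# Constructed sample sign-in records (shape modelled on the Graph signIn resource).
# These are made-up entries for illustration, not real log data.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2",
     "appDisplayName": "Microsoft Teams", "ipAddress": "203.0.113.10"},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "ipAddress": "198.51.100.7"},
    {"userPrincipalName": "carol@example.com", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Azure CLI", "ipAddress": "203.0.113.44"},
]


def device_code_signins(records, allowed_apps=frozenset()):
    """Return sign-ins that used the device code flow, minus apps the org
    knowingly uses it with (e.g. CLI tools on headless hosts). Everything
    left over is a candidate for review before the flow is blocked outright."""
    return [r for r in records
            if r.get("authenticationProtocol") == "deviceCode"
            and r.get("appDisplayName") not in allowed_apps]


def block_device_code_policy(emergency_account_ids):
    """Build a Conditional Access policy (assumed Graph conditionalAccessPolicy
    shape) that blocks device code flow and authentication transfer for all
    users and apps, excluding the break-glass accounts so the policy itself
    cannot lock administrators out."""
    return {
        "displayName": "Block device code flow and authentication transfer",
        # Start in report-only mode to audit impact, then switch to "enabled".
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"],
                      "excludeUsers": list(emergency_account_ids)},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {
                "transferMethods": "deviceCodeFlow,authenticationTransfer"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    for hit in device_code_signins(SAMPLE_SIGNINS, {"Microsoft Azure CLI"}):
        print("device code sign-in to review:", hit["userPrincipalName"],
              hit["appDisplayName"], hit["ipAddress"])
    # Placeholder object ID; substitute the tenant's real emergency access account.
    print(json.dumps(block_device_code_policy(["<EMERGENCY-ACCOUNT-OBJECT-ID>"]), indent=2))
```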

Phishing kits are platforms sold for a fee on the dark web, through which malicious actors can build entire phishing workflows. They include everything from templated email messages that spoof major brands to fully functional landing pages for capturing login credentials and MFA codes. Depending on the features used, they can cost as little as $10 a month, going up to $1,000 and more.
