FBI warns about PhaaS platform used to access Microsoft 365 environments


https://www.cybersecuritydive.com/news/fbi-warns-phishing-platform-microsoft-365/821105/

Publish Date: 2026-05-26 11:37:00

Source Domain: www.cybersecuritydive.com

The FBI is warning about a phishing-as-a-service platform, called Kali365, that allows hackers to access Microsoft 365 tokens and bypass multifactor authentication without a user’s credentials. 

The Kali365 platform subscription lets hackers access OAuth tokens and gain persistent access to the M365 environments of targeted organizations or individuals, according to an FBI advisory released Thursday.

The platform subscription serves as an entry point for less sophisticated attackers. The platform offers access to AI-generated phishing lures, dashboards to track targeted victims, automated templates and other benefits. 

The attacks use phishing emails that impersonate trusted cloud productivity and document sharing services, the FBI said. The emails include a device code and tell the user to visit a legitimate Microsoft verification page, on which the user pastes in the code.

The hacker then can gain OAuth access and refresh tokens. This provides access to the Microsoft 365 account and various services, including Teams, Outlook and OneDrive. 
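For defenders, the flow described above leaves a trace in sign-in logs: a successful device-code sign-in completed from an address the user has never signed in from. The following is an added example, not code from the FBI advisory or the article; the records are constructed, and the field names (`authenticationProtocol`, `ipAddress`, `userPrincipalName`, `createdDateTime`, `errorCode`) are assumed to match an Entra ID sign-in log export.

```python
import json
from collections import defaultdict

# Constructed sample records, not real telemetry. Field names are assumed to
# follow an Entra ID sign-in log export; errorCode 0 means success, 1 is a
# made-up failure value.
SAMPLE_LOG = """\
{"createdDateTime":"2026-05-20T08:01:00Z","userPrincipalName":"alice@example.com","ipAddress":"198.51.100.10","authenticationProtocol":"oAuth2","errorCode":0}
{"createdDateTime":"2026-05-20T08:05:00Z","userPrincipalName":"bob@example.com","ipAddress":"198.51.100.20","authenticationProtocol":"oAuth2","errorCode":0}
{"createdDateTime":"2026-05-20T08:07:00Z","userPrincipalName":"carol@example.com","ipAddress":"198.51.100.30","authenticationProtocol":"oAuth2","errorCode":0}
{"createdDateTime":"2026-05-20T09:10:00Z","userPrincipalName":"alice@example.com","ipAddress":"203.0.113.77","authenticationProtocol":"deviceCode","errorCode":0}
{"createdDateTime":"2026-05-20T09:12:00Z","userPrincipalName":"bob@example.com","ipAddress":"203.0.113.77","authenticationProtocol":"deviceCode","errorCode":0}
{"createdDateTime":"2026-05-20T09:15:00Z","userPrincipalName":"carol@example.com","ipAddress":"198.51.100.30","authenticationProtocol":"deviceCode","errorCode":0}
{"createdDateTime":"2026-05-20T09:20:00Z","userPrincipalName":"dave@example.com","ipAddress":"203.0.113.77","authenticationProtocol":"deviceCode","errorCode":1}
"""

def parse_log(text):
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def flag_device_code_signins(records):
    """Successful device-code sign-ins from an IP the same user has not
    previously used for a successful non-device-code sign-in."""
    known_ips = defaultdict(set)
    alerts = []
    for rec in sorted(records, key=lambda r: r["createdDateTime"]):
        if rec.get("errorCode", 0) != 0:
            continue  # failed attempts issue no tokens
        user, ip = rec["userPrincipalName"].lower(), rec["ipAddress"]
        if rec.get("authenticationProtocol") == "deviceCode":
            if ip not in known_ips[user]:
                alerts.append({"user": user, "ip": ip, "time": rec["createdDateTime"]})
        else:
            known_ips[user].add(ip)
    return alerts

def shared_source_ips(alerts, min_users=2):
    """Group alerts by IP; one address completing the flow for several
    users is a campaign-level signal."""
    by_ip = defaultdict(set)
    for a in alerts:
        by_ip[a["ip"]].add(a["user"])
    return {ip: sorted(u) for ip, u in by_ip.items() if len(u) >= min_users}

if __name__ == "__main__":
    alerts = flag_device_code_signins(parse_log(SAMPLE_LOG))
    for a in alerts:
        print(a)
    print(shared_source_ips(alerts))
```

Because access and refresh tokens outlive the sign-in event, a hit from this check calls for revoking the user's sessions as well as resetting credentials.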

Arctic Wolf researchers said the Kali365 infrastructure lowers the barrier to entry for potential attackers. 

“Because it leverages legitimate Microsoft infrastructure, the activity can appear normal to the victim, which makes it harder to detect,” said Steven Campbell, staff threat intelligence researcher at cybersecurity firm Arctic Wolf. “In practical terms, this means an attacker doesn’t need to build sophisticated tooling themselves. They can stand up a campaign quickly and at scale.”

The FBI warning comes about a month after a report by Arctic Wolf on an operation that used the Kali365 platform. Researchers said they have been tracking a widespread device code phishing campaign since early April. 

The campaign originated mainly from a single IP address, operated in North America and Europe, the Middle East and Africa. The campaign’s…
