HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

FBI Alerts: Kali365 Phishing Service Hijacks Microsoft 365 Accounts via OAuth Token Theft

The FBI warned that the Kali365 service is selling automated phishing kits that abuse Microsoft 365’s device‑code authentication to steal OAuth tokens and fully compromise user accounts, posing a significant third‑party risk for SaaS customers.

LiveThreat™ Intelligence · 📅 May 27, 2026· 📰 techrepublic.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
4 recommended
📰
Source
techrepublic.com

FBI Alerts: Kali365 Phishing Service Hijacks Microsoft 365 Accounts via OAuth Token Theft

What Happened – The FBI disclosed a new phishing‑as‑a‑service operation named Kali365 that abuses Microsoft 365’s device‑code flow to capture OAuth access tokens and fully hijack user accounts. The service is sold on underground forums, allowing attackers to automate credential theft at scale.

Why It Matters for TPRM

  • Compromise of Microsoft 365 accounts can expose corporate email, files, and collaboration tools, creating downstream supply‑chain risk.
  • Credential‑theft services lower the barrier for threat actors to launch Business Email Compromise (BEC) and data exfiltration campaigns against third‑party vendors.
  • The attack bypasses traditional password‑based defenses, highlighting gaps in token‑lifecycle management and MFA enforcement.

Who Is Affected – Enterprises across all sectors that rely on Microsoft 365 for email, SharePoint, Teams, and other SaaS workloads; especially those with limited token‑revocation policies.

Recommended Actions

  • Enforce Conditional Access policies that block device‑code flow for high‑risk users.
  • Deploy Azure AD Identity Protection and monitor for anomalous token issuance.
  • Require MFA for all privileged accounts and regularly review token lifetimes.
  • Conduct a vendor risk review of any third‑party services that integrate with Microsoft 365 APIs.

Technical Notes – Kali365 leverages the OAuth 2.0 device‑code grant to obtain valid access tokens without user interaction. Attackers then use the tokens to access Exchange Online, OneDrive, Teams, and other services. No specific CVE is cited; the vulnerability lies in the misuse of a legitimate authentication flow. Source: TechRepublic Security

📰 Original Source
https://www.techrepublic.com/article/fbi-warns-kali365-phishing-service-targets-microsoft-365-accounts/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Could you prove your access controls held up here?

Credential and access failures map directly to SOC 2 access-control criteria. The Verisq AI Trust Operations platform shows where your evidence is thin before an auditor — or an attacker — finds out.

Explore the Verisq AI Trust Operations platform →