HomeIntelligenceBrief
BREACH BRIEF🟠 High Advisory

Kali365 Phishing‑as‑a‑Service Enables Mass Microsoft 365 OAuth Token Theft

The FBI warns that Kali365, a Telegram‑based Phishing‑as‑a‑Service, is allowing attackers to capture OAuth tokens and bypass MFA for Microsoft 365 accounts. The service’s low barrier to entry expands the threat landscape for any organization relying on Microsoft’s cloud productivity suite.

LiveThreat™ Intelligence · 📅 May 23, 2026· 📰 therecord.media
🟠
Severity
High
AD
Type
Advisory
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
3 recommended
📰
Source
therecord.media

Phishing‑as‑a‑Service Kali365 Enables Mass Microsoft 365 Account Compromise

What Happened – The FBI issued an advisory warning that a new Telegram‑based Phishing‑as‑a‑Service (PhaaS) platform, Kali365, is being used to harvest OAuth access and refresh tokens for Microsoft 365 accounts. The service supplies AI‑generated lures, campaign templates and real‑time dashboards, allowing low‑skill actors to bypass MFA and gain persistent mailbox access.

Why It Matters for TPRM

  • Token‑based compromise sidesteps traditional password‑based controls, rendering MFA ineffective.
  • Attackers can silently monitor, exfiltrate, and manipulate communications across Outlook, Teams and OneDrive, increasing data‑loss risk for any third‑party that relies on Microsoft 365.
  • The service’s low cost and turnkey nature expand the pool of potential threat actors, raising the baseline threat level for all cloud‑service vendors.

Who Is Affected – Enterprises across all sectors that use Microsoft 365 (cloud productivity SaaS), including finance, healthcare, retail, and government agencies.

Recommended Actions

  • Verify that all Microsoft 365 tenants enforce Conditional Access policies that block token‑grant flows from untrusted devices.
  • Deploy token‑monitoring solutions (e.g., Azure AD sign‑in risk, mailbox audit logs) to detect anomalous OAuth grants.
  • Conduct a vendor risk review of any third‑party integrations that request OAuth permissions and enforce least‑privilege scopes.

Technical Notes – Kali365 distributes phishing campaigns via Telegram, tricks users into authorizing a malicious device on Microsoft’s legitimate login page, and captures OAuth access + refresh tokens. No CVE is involved; the attack vector is phishing with token hijacking. Source: The Record

📰 Original Source
https://therecord.media/fbi-warns-of-kali365-phishing-attacks

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Security Awareness

Phishing and social engineering are a people-and-policy problem.

The Verisq AI Trust Operations platform pairs Security Awareness Training with policy adoption tracking, so human-risk controls are documented and audit-ready.

Explore the Verisq AI Trust Operations platform →