Phishing‑as‑a‑Service Kali365 Enables Mass Microsoft 365 Account Compromise
What Happened – The FBI issued an advisory warning that a new Telegram‑based Phishing‑as‑a‑Service (PhaaS) platform, Kali365, is being used to harvest OAuth access and refresh tokens for Microsoft 365 accounts. The service supplies AI‑generated lures, campaign templates and real‑time dashboards, allowing low‑skill actors to bypass MFA and gain persistent mailbox access.
Why It Matters for TPRM –
- Token‑based compromise sidesteps traditional password‑based controls, rendering MFA ineffective.
- Attackers can silently monitor, exfiltrate, and manipulate communications across Outlook, Teams and OneDrive, increasing data‑loss risk for any third‑party that relies on Microsoft 365.
- The service’s low cost and turnkey nature expand the pool of potential threat actors, raising the baseline threat level for all cloud‑service vendors.
Who Is Affected – Enterprises across all sectors that use Microsoft 365 (cloud productivity SaaS), including finance, healthcare, retail, and government agencies.
Recommended Actions –
- Verify that all Microsoft 365 tenants enforce Conditional Access policies that block token‑grant flows from untrusted devices.
- Deploy token‑monitoring solutions (e.g., Azure AD sign‑in risk, mailbox audit logs) to detect anomalous OAuth grants.
- Conduct a vendor risk review of any third‑party integrations that request OAuth permissions and enforce least‑privilege scopes.
Technical Notes – Kali365 distributes phishing campaigns via Telegram, tricks users into authorizing a malicious device on Microsoft’s legitimate login page, and captures OAuth access + refresh tokens. No CVE is involved; the attack vector is phishing with token hijacking. Source: The Record