HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Kali365 Phishing‑as‑a‑Service Kit Bypasses MFA, Hijacks Microsoft 365 Accounts Without Passwords

The FBI has warned that the Kali365 phishing‑as‑a‑service platform can steal OAuth tokens through Microsoft’s device‑code flow, granting attackers full access to Outlook, Teams and OneDrive without a password or MFA prompt. The service is sold on a subscription basis, enabling low‑skill actors to launch widespread attacks against Microsoft 365 users across North America and Europe.

LiveThreat™ Intelligence · 📅 May 27, 2026· 📰 bitdefender.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
3 recommended
📰
Source
bitdefender.com

Phishing‑as‑a‑Service Kit Kali365 Hijacks Microsoft 365 Accounts, Bypassing MFA Without Passwords

What Happened – The FBI issued an advisory on a new phishing‑as‑a‑service platform, Kali365, that steals OAuth tokens via Microsoft’s “device code flow.” By tricking users into authorising a malicious device, attackers obtain full access to Outlook, Teams, OneDrive and other 365 services without ever needing a password or MFA prompt.

Why It Matters for TPRM

  • MFA alone no longer guarantees protection against credential‑theft attacks.
  • The service is sold as a subscription, meaning any low‑skill third‑party could launch large‑scale campaigns.
  • Compromise of a single Microsoft 365 account can cascade to other SaaS applications via token reuse.

Who Is Affected – Enterprises that rely on Microsoft 365 (email, collaboration, file storage) across all sectors, especially those with remote workforces and third‑party integrations.

Recommended Actions

  • Review and tighten OAuth token issuance policies (e.g., enforce conditional access, limit token lifetimes).
  • Deploy user‑education campaigns that highlight the “device code flow” abuse scenario.
  • Implement real‑time token monitoring and anomaly detection for privileged accounts.

Technical Notes – Attack vector: phishing email → legitimate Microsoft verification page → user‑entered device code → attacker receives OAuth access token. No password or MFA challenge is required. The kit includes AI‑generated lures, campaign dashboards, and token‑capture modules. Source: Bitdefender Blog – FBI warns of Kali365 phishing kit

📰 Original Source
https://www.bitdefender.com/en-us/blog/hotforsecurity/fbi-kali365-phishing-kit-breaks-microsoft-365-accounts-no-password-required

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Could you prove your access controls held up here?

Credential and access failures map directly to SOC 2 access-control criteria. The Verisq AI Trust Operations platform shows where your evidence is thin before an auditor — or an attacker — finds out.

Explore the Verisq AI Trust Operations platform →