FBI Warns of Kali365 Phishing Service Bypassing MFA on Microsoft 365 Accounts
What Happened — The FBI has issued an advisory on a new phishing‑as‑a‑service kit called Kali365 that enables threat actors to sidestep multi‑factor authentication (MFA) and hijack Microsoft 365 accounts without needing the user’s password. The service is marketed as a turnkey solution for credential‑stealing campaigns targeting enterprise SaaS environments.
Why It Matters for TPRM —
- MFA‑bypass tools dramatically increase the likelihood of credential compromise across third‑party cloud services.
- Organizations that rely on Microsoft 365 for email, collaboration, and identity management may face data exfiltration or business‑email‑compromise (BEC) attacks.
- The service is sold publicly, meaning any adversary with modest resources can launch attacks against your vendors or partners.
Who Is Affected — Cloud‑based SaaS providers (especially Microsoft 365), their enterprise customers, and any downstream vendors that depend on Microsoft 365 for authentication or data sharing.
Recommended Actions —
- Review all third‑party contracts that involve Microsoft 365 or other Office 365 services.
- Enforce conditional access policies that require hardware‑based MFA and block legacy authentication.
- Conduct phishing‑simulation training and implement real‑time MFA‑challenge monitoring.
Technical Notes — Kali365 leverages sophisticated social‑engineering templates combined with credential‑harvesting pages that mimic Microsoft login portals. It exploits MFA fatigue and token‑relay techniques to obtain valid session tokens, allowing attackers to access accounts without the password. No specific CVE is cited; the threat is operational rather than a software vulnerability. Source: HackRead