Kali365 phishing kit bypasses MFA and steals Microsoft logins
Strategic summary
Kali365 bypasses MFA by stealing access and refresh tokens instead of passwords, and it enables persistent access to Outlook, Teams and OneDrive without repeated sign-ins.
Relevance for you
Full text
When the Federal Bureau of Investigation (FBI) publishes a dedicated public service announcement about a new phishing kit, it’s worth paying attention to.
The agency is now warning about “Kali365,” a phishing‑as‑a‑service (PhaaS) platform that helps even low‑skilled attackers hijack Microsoft 365 accounts by stealing access tokens instead of passwords.
Although early reporting focuses on attacks against organizations, the underlying technique works just as easily against individual Microsoft 365 users who are tricked into entering a short code on a real Microsoft website. In other words, this is not just a business or IT department problem. It could affect anyone with an Outlook, OneDrive, or Microsoft 365 subscription.
For cybercriminals using the kit, it offers three clear advantages:
- It bypasses multi‑factor authentication (MFA) by stealing access tokens, so extra codes or apps no longer help once the token is compromised.
- Kali365 provides ongoing access. The attackers can keep using Outlook, Teams, and OneDrive without repeatedly logging in, as long as the stolen refresh token remains valid.
- Little technical skill needed. Cybercriminals can subscribe to Kali365 and immediately run token‑stealing campaigns at scale.
What does the attack look like?
Victims receive a phishing message that looks like it comes from a cloud service or collaboration tool, such as a document‑sharing notification or Teams invite. The message includes a short “device code” and instructions like: “Go to Microsoft’s verification page and enter this code to view the document.”
Unlike many phishing emails, this one sends you to a real Microsoft URL used for device sign‑in flows. To the user, the page looks familiar and completely legitimate, which lowers suspicion.
Victims then see the standard Microsoft sign‑in and consent screens and may think they are simply completing a normal security check. They never see a fake page, never type their password into a suspicious form, and may even see their organization’s branding.
But what they don’t realize is that they have handed access to the attacker.
Once the victim approves the request, the attacker’s device receives OAuth access and refresh tokens tied to the victim’s Microsoft 365 account. These tokens are what Microsoft uses to “remember” that you have already logged in, and they can be reused to access Outlook, OneDrive, Teams, and other Microsoft services without entering a password again.
With valid refresh tokens, attackers can maintain long‑term access until the tokens are revoked or expire, often blending in with normal account activity.
That access can allow cybercriminals to:
- Read Outlook emails, including password reset messages
- Access files stored in OneDrive or SharePoint
- Send phishing emails to coworkers, customers, friends, or family from the victim’s account
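The defender's counterpart to the flow described above is to look for it in sign-in telemetry. This added example (not from the article or Malwarebytes) walks constructed sign-in records, loosely modelled on Microsoft Entra sign-in log fields, and flags successful device-code sign-ins whose IP never appeared in the user's earlier sign-ins; the field names `protocol`, `ip`, `app` and `success` and the assumption that the log records the IP of the device that received the token are assumptions of this example.

```python
"""Flag successful device-code sign-ins that do not match a user's IP baseline."""
from datetime import datetime

# Constructed sample events, loosely modelled on Microsoft Entra sign-in logs.
# The field names are an assumption for this example, not from the article.
SAMPLE_SIGNINS = [
    {"time": "2024-05-01T08:02:11Z", "user": "alice@example.com", "ip": "203.0.113.10",
     "protocol": "oAuth2", "app": "Outlook", "success": True},
    {"time": "2024-05-01T09:15:40Z", "user": "alice@example.com", "ip": "203.0.113.10",
     "protocol": "oAuth2", "app": "Teams", "success": True},
    {"time": "2024-05-02T10:00:00Z", "user": "bob@example.com", "ip": "203.0.113.22",
     "protocol": "oAuth2", "app": "Outlook", "success": True},
    {"time": "2024-05-02T10:05:00Z", "user": "bob@example.com", "ip": "203.0.113.22",
     "protocol": "deviceCode", "app": "Azure CLI", "success": True},
    {"time": "2024-05-02T13:40:02Z", "user": "alice@example.com", "ip": "198.51.100.77",
     "protocol": "deviceCode", "app": "Microsoft Office", "success": True},
    {"time": "2024-05-02T13:41:30Z", "user": "alice@example.com", "ip": "198.51.100.77",
     "protocol": "deviceCode", "app": "Microsoft Office", "success": False},
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_device_code_signins(events):
    """Return one finding per successful device-code sign-in.

    Severity is "high" when the IP that received the token never appeared in
    the user's earlier successful sign-ins (the phishing case: the victim
    approves a code, but the tokens land on the attacker's device) and "low"
    when the IP is already part of the user's baseline.
    """
    baseline = {}  # user -> set of IPs seen in earlier successful sign-ins
    findings = []
    for ev in sorted(events, key=lambda e: _parse(e["time"])):
        seen = baseline.setdefault(ev["user"], set())
        if ev["protocol"] == "deviceCode" and ev["success"]:
            severity = "low" if ev["ip"] in seen else "high"
            findings.append({"user": ev["user"], "time": ev["time"], "ip": ev["ip"],
                             "app": ev["app"], "severity": severity})
        if ev["success"]:
            seen.add(ev["ip"])  # failed attempts do not extend the baseline
    return findings


if __name__ == "__main__":
    for f in find_suspicious_device_code_signins(SAMPLE_SIGNINS):
        print(f"{f['severity'].upper():4} {f['time']} {f['user']} from {f['ip']} via {f['app']}")
```

A "high" finding is the cue to revoke the user's refresh tokens and review the devices and sessions on the account, since the stolen refresh token keeps working until it is revoked or expires.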
How to protect yourself
Once in Outlook, attackers can not only read your messages but also send convincing new ones from your address, using your identity to compromise additional accounts and contacts.
Some tips to steer clear of this one:
- Never enter a code at a Microsoft login page just because an email or message tells you to. You should only do this when you initiated the sign‑in yourself on your own device.
- Slow down and read the prompts. Rushing through login approvals without reading them carefully can be costly.
- Be suspicious of unexpected document shares, Teams invites, or login requests, even if they use legitimate Microsoft pages.
- Review which devices are logged in under your account at https://account.microsoft.com/devices/. If you see unfamiliar devices or sign‑ins, remove them, change your Microsoft account password, and review your security settings.
Malware Intelligence Researcher
Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.
Risk Score
- cvss base: 45.00
- kev bonus: 0.00
- epss bonus: 0.00
- poc bonus: 0.00
- raw before weight: 45.00
- industry weight: 1.21
- freshness factor: 1.00
- days old: 0.00
- vendor mismatch penalty: 0.00
- consensus penalty: -3.00
Path: operational