
FBI warns of Kali365 phishing-as-a-service after April Microsoft 365 attacks

ID: 08fe1f8d-5214-5aae-9d9f-aa8fa5c18996

STIX ID: report--08fe1f8d-5214-5aae-9d9f-aa8fa5c18996

Feed Name: The Record from Recorded Future News

Threat Score: 75/100

Date Published: 2026-05-22

Date Updated: 2026-05-22


Cybercriminals are using Kali365, a Phishing-as-a-Service offering distributed over Telegram, to capture OAuth access and refresh tokens and gain persistent access to Microsoft 365 accounts—bypassing MFA and enabling mailbox takeover, lateral phishing, and administrative actions. The FBI and multiple security firms reported hundreds of attacks since April 2026. Kali365 provides turnkey phishing lures, templates, tracking dashboards, and token storage and resale, illustrating the professionalization and commoditization of these attacks.
