Microsoft 365 users targeted by new phishing threat that bypasses MFA

The FBI warns of Kali365, a Telegram-distributed Phishing-as-a-Service first observed in April 2026 that enables attackers to perform device code phishing against Microsoft 365, capturing OAuth access and refresh tokens to bypass MFA and maintain access to Outlook, Teams, OneDrive and other services; the report also notes a related service, EvilTokens, and provides defensive guidance.