FBI Warns 'Kali365' Phishing Kit Hijacks Microsoft 365 OAuth Tokens
ID: 37ee9e55-3ef3-527a-b40a-52bbcac0c5df
STIX ID: report--37ee9e55-3ef3-527a-b40a-52bbcac0c5df
Feed Name: Infosecurity Magazine (News)
Kali365 is a newly observed phishing-as-a-service (PhaaS) platform, first detected in April 2026 and distributed primarily via Telegram, that supplies AI-generated phishing lures, automated campaign templates, and dashboards for targeted tracking. Attackers use device-code phishing to capture Microsoft 365 OAuth access and refresh tokens, which bypasses MFA and gives them persistent access to services such as Outlook, Teams, and OneDrive. The FBI advisory describes the attack chain and recommends restricting device code flow and implementing conditional access policies as mitigations.
