Kali365 phishing kit bypasses MFA and steals Microsoft logins

Malwarebytes summarizes an FBI public advisory about "Kali365," a phishing-as-a-service that tricks victims into entering device codes on real Microsoft sign-in pages to grant OAuth access and refresh tokens to attackers; this bypasses MFA and enables persistent access to Outlook, OneDrive, Teams, and other Microsoft 365 services. The report describes the scam flow, potential impacts (reading emails, accessing files, sending phishing from compromised accounts), and user protections such as never entering unsolicited codes, reviewing signed-in devices, and revoking unfamiliar sessions.