FBI Warns of Kali365 Phishing-as-a-Service Platform After April Microsoft 365 Attacks
ID: f79c8fb5-4698-57d9-a446-d423be0f951f
STIX ID: report--f79c8fb5-4698-57d9-a446-d423be0f951f
Feed Name: Security Boulevard
The FBI and multiple security firms warned of Kali365, a Telegram-distributed phishing-as-a-service platform first seen in April. It exploits Microsoft’s OAuth device code flow to capture access and refresh tokens, giving persistent access to Microsoft 365 accounts. The platform offers branded, multi-language phishing lures, tiered pricing, and a desktop client, and has been linked to hundreds of attacks enabling mailbox takeover, lateral phishing, and business email compromise. Defenders are advised to apply conditional access for managed devices, monitor device authorization events and inbox rules, and train staff on device-code phishing.
