
The FBI has issued a warning about a phishing-as-a-service (PhaaS) platform known as “Kali365” that is being used to compromise Microsoft 365 accounts through sophisticated phishing and adversary-in-the-middle (AiTM) attacks.
According to a public advisory published by the FBI’s Internet Crime Complaint Center (IC3), the service enables cybercriminals to bypass multi-factor authentication (MFA) protections and steal login credentials, session cookies, and authentication tokens from victims.
Kali365 is marketed on underground cybercrime forums and Telegram channels as a subscription-based phishing toolkit designed specifically to target Microsoft 365 users. The platform reportedly provides attackers with ready-made phishing pages, infrastructure hosting, credential collection panels, and automated account compromise capabilities.
The FBI said the phishing campaigns commonly impersonate Microsoft login portals and use fake emails related to voicemail notifications, document sharing requests, or account security alerts to lure victims into entering their credentials.
Once a victim logs in through the phishing page, the toolkit captures authentication tokens in real time, allowing attackers to hijack active Microsoft 365 sessions even when MFA is enabled.
According to the advisory, compromised accounts are often used for business email compromise (BEC) schemes, financial fraud, lateral movement within organizations, and additional phishing attacks against other users.
Microsoft 365 accounts remain a frequent target for cybercriminals because they often provide access to corporate email, cloud storage, internal communications, and connected enterprise services. Security researchers have increasingly warned that AiTM phishing frameworks like Kali365 are lowering the technical barrier for attackers seeking to bypass MFA protections.
The FBI warned that attackers using Kali365 frequently target organizations in the United States across multiple sectors, including education, healthcare, finance, and government.
The agency urged organizations to adopt phishing-resistant MFA methods such as FIDO security keys, monitor for suspicious login activity, restrict legacy authentication protocols, and educate employees about phishing threats. It also recommended reviewing conditional access policies, enabling advanced email filtering protections, and revoking active sessions if account compromise is suspected.
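The two mechanics the advisory describes, a captured session token being replayed from the attacker's infrastructure after the victim completed MFA, and legacy protocols that never carry an MFA challenge, both leave a trace in sign-in logs. The following Python is an added example, not code from the FBI advisory or from any vendor: it runs a simple replay heuristic over constructed sign-in records and lists the sessions a responder would revoke. The record schema (`SignIn` fields), the legacy-protocol set, and the 24-hour window are assumptions for the example and would need mapping onto a real tenant's log format.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# All records below are constructed sample data, not real tenant logs. The field
# names are an assumed, simplified sign-in schema; map them to your own log source.
@dataclass(frozen=True)
class SignIn:
    user: str
    session_id: str      # identifier tying sign-ins to one browser session/cookie
    ip: str
    country: str
    timestamp: datetime
    mfa_via_token: bool  # MFA requirement satisfied by an existing token, not a fresh prompt
    protocol: str        # "modern" or a legacy client protocol name

# Legacy protocols that cannot carry an MFA challenge (assumed list for the example).
LEGACY_PROTOCOLS = {"IMAP", "POP3", "SMTP AUTH", "Exchange ActiveSync"}

SAMPLE_EVENTS = [
    # Victim completes MFA; in an AiTM attack the identity provider sees this from the proxy.
    SignIn("alice", "sess-1", "198.51.100.10", "US", datetime(2024, 1, 8, 9, 0), False, "modern"),
    # Same session cookie presented 40 minutes later from different infrastructure,
    # with MFA "satisfied" only by the replayed token: the hijack pattern.
    SignIn("alice", "sess-1", "203.0.113.7", "NL", datetime(2024, 1, 8, 9, 40), True, "modern"),
    # Benign: same user, same session, same network; token reuse is normal here.
    SignIn("bob", "sess-2", "198.51.100.20", "US", datetime(2024, 1, 8, 10, 0), False, "modern"),
    SignIn("bob", "sess-2", "198.51.100.20", "US", datetime(2024, 1, 8, 11, 0), True, "modern"),
    # Legacy client sign-in that bypasses MFA entirely.
    SignIn("carol", "sess-3", "198.51.100.30", "US", datetime(2024, 1, 8, 12, 0), False, "IMAP"),
]

def detect_session_replay(events, window=timedelta(hours=24)):
    """Return alerts for sessions whose token is presented from a different IP or
    country than the sign-in that first established the session, within `window`,
    without a fresh MFA prompt. That is what cookie replay after AiTM looks like."""
    origin = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e.timestamp):
        key = (ev.user, ev.session_id)
        first = origin.setdefault(key, ev)
        if first is ev:
            continue  # first sight of this session; nothing to compare against yet
        moved = ev.ip != first.ip or ev.country != first.country
        if moved and ev.mfa_via_token and ev.timestamp - first.timestamp <= window:
            alerts.append({
                "user": ev.user,
                "session_id": ev.session_id,
                "origin": (first.ip, first.country),
                "replayed_from": (ev.ip, ev.country),
                "minutes_after_origin": int((ev.timestamp - first.timestamp).total_seconds() // 60),
            })
    return alerts

def detect_legacy_auth(events):
    """Return (user, protocol) pairs for sign-ins over protocols that cannot enforce MFA."""
    return [(ev.user, ev.protocol) for ev in events if ev.protocol in LEGACY_PROTOCOLS]

def sessions_to_revoke(events):
    """Sessions implicated in a replay alert. Revoking them is what makes the stolen
    cookie or token stop working; the user then signs in again with a fresh MFA prompt."""
    return {(a["user"], a["session_id"]) for a in detect_session_replay(events)}

if __name__ == "__main__":
    for alert in detect_session_replay(SAMPLE_EVENTS):
        print("possible session replay:", alert)
    for user, proto in detect_legacy_auth(SAMPLE_EVENTS):
        print(f"legacy auth for {user} over {proto}: block or require modern auth")
    print("revoke sessions:", sessions_to_revoke(SAMPLE_EVENTS))
```

The heuristic deliberately keys on the session identifier rather than on the user alone, so ordinary travel with a fresh MFA prompt does not fire; only a token that "moves" networks without a new challenge does. On the sample data it flags alice's session and carol's IMAP sign-in and leaves bob alone.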