The FBI has issued a public warning about “Kali365,” a sophisticated new phishing-as-a-service platform that enables cybercriminals to bypass multifactor authentication and maintain long-term access to Microsoft 365 accounts.
According to the bureau’s announcement on Wednesday, the service first emerged in April and is primarily distributed through Telegram channels. Unlike traditional phishing attacks that steal passwords, Kali365 exploits Microsoft’s device code authentication process to capture OAuth access tokens. This allows attackers to access Outlook, Teams, OneDrive, and other connected services without triggering additional MFA prompts.
The operation works by sending victims seemingly legitimate emails from cloud or document-sharing platforms. Recipients are directed to a genuine Microsoft verification page where they enter a device code provided by the attacker, unknowingly granting the criminal persistent access to their account.
The FBI noted that Kali365 lowers the technical barrier for less-experienced cybercriminals by offering AI-generated phishing emails, automated campaign templates, and real-time victim tracking dashboards. Cybersecurity experts have grown increasingly concerned about these “adversary-in-the-middle” and token-theft attacks, which can remain effective even after victims reset their passwords.
The bureau urged organizations to restrict or disable device code authentication where possible, regularly audit device logins, and block authentication transfers between devices. It also recommended maintaining emergency access accounts to prevent lockouts when security controls are tightened.
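One way to carry out the device login audit the bureau recommends, as an added example that is not from the FBI advisory or this article: the Python below scans sign-in records for device code authentications by accounts outside an approved list. The sample records, the allow list and the field names (modeled on an Entra ID sign-in log export) are assumptions.

```python
import json

# Constructed sample: JSON Lines shaped like an Entra ID sign-in log export.
# Field names are assumptions; confirm them against your own export.
SAMPLE_LOG = """\
{"createdDateTime": "2025-01-10T09:02:11Z", "userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.45", "status": {"errorCode": 0}}
{"createdDateTime": "2025-01-10T09:05:40Z", "userPrincipalName": "bob@example.com", "appDisplayName": "Office 365 Exchange Online", "authenticationProtocol": "none", "ipAddress": "198.51.100.7", "status": {"errorCode": 0}}
{"createdDateTime": "2025-01-10T10:15:02Z", "userPrincipalName": "RoomDisplay@example.com", "appDisplayName": "Microsoft Teams", "authenticationProtocol": "deviceCode", "ipAddress": "192.0.2.10", "status": {"errorCode": 0}}
{"createdDateTime": "2025-01-10T11:30:19Z", "userPrincipalName": "carol@example.com", "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.45", "status": {"errorCode": 1}}
not-json debris line
"""

# Hypothetical allow list: accounts with a documented need for device code flow.
APPROVED = {"roomdisplay@example.com"}

def load_records(text):
    """Parse JSON Lines, skipping blank or malformed lines instead of aborting."""
    records = []
    for line in text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict):
            records.append(rec)
    return records

def audit_device_code(records, approved=APPROVED):
    """Return device code sign-ins by accounts that are not on the allow list."""
    findings = []
    for rec in records:
        if str(rec.get("authenticationProtocol", "")).lower() != "devicecode":
            continue
        user = str(rec.get("userPrincipalName", "")).lower()
        if user in approved:
            continue
        error = (rec.get("status") or {}).get("errorCode")
        findings.append({
            "time": rec.get("createdDateTime"),
            "user": user,
            "app": rec.get("appDisplayName"),
            "ip": rec.get("ipAddress"),
            "token_issued": error == 0,  # errorCode 0: the sign-in succeeded
        })
    # Successful sign-ins first: those accounts need token revocation and review.
    return sorted(findings, key=lambda f: (not f["token_issued"], f["time"] or ""))

if __name__ == "__main__":
    for finding in audit_device_code(load_records(SAMPLE_LOG)):
        print(finding)
```

A finding with `token_issued` set means a password reset alone is not enough for that account; its active sessions and refresh tokens need to be revoked as well.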
Victims are encouraged to report incidents to the FBI’s Internet Crime Complaint Center at IC3.gov and preserve evidence, including phishing emails and suspicious login activity. The warning highlights the growing threat of advanced phishing tools targeting widely used business platforms.