FBI Alert: Outlook & OneDrive Hit by Kali365 Token-Stealing Phishing

Microsoft 365 Phishing Is No Longer Just a Password Problem. It’s a Cloud Workflow Security Problem

TLDR: The FBI just warned about a phishing-as-a-service platform called Kali365 that steals Microsoft 365 access tokens instead of passwords. That means it can bypass multi-factor authentication without ever touching your login. The scary part is what happens next. Once an attacker holds a valid token, the damage spreads through Outlook, Teams, OneDrive, and every file workflow connected to that account. This article breaks down how the attack works, why it sidesteps the defenses most people trust, and where you can actually harden things once identity is no longer enough.

If you run security for a business that lives inside Microsoft 365, this one matters. The old advice was “use a strong password and turn on MFA.” That advice is still good. It is also no longer enough. Read on and you will see why the conversation has shifted from the login screen to the file layer underneath it.

What Is Kali365, and Why Did the FBI Warn About It?

Kali365 is a new phishing tool sold as a subscription service to criminals. The FBI issued a warning about it through its Internet Crime Complaint Center, flagging it as a phishing-as-a-service platform built to hijack Microsoft 365 accounts at scale. The agency does not put out a dedicated advisory for every scam, so the fact that it did here tells you something.

Here is the short version of why it is dangerous. Kali365 lets a low-skilled attacker run a token-stealing campaign without building any tooling. The subscription comes with dashboards to track victims, automated campaign templates, and access to AI-generated phishing lures. Researchers first saw the activity in April, and the targets have spanned manufacturing, education, healthcare, finance, and government.

The cyber underground has been moving toward this rented-crime model for years. Kits like this are often sold and coordinated through Telegram channels, which is part of why they spread so fast. You do not need to be a hacker anymore. You need a credit card and a subscription.

How Does the Kali365 Attack Actually Work?

The attack uses something called the device code flow. It is a legitimate Microsoft feature meant for signing in on devices that do not have a keyboard, like a smart TV or a conference room display. Kali365 abuses it.

The attacker sends a phishing email that impersonates a trusted cloud productivity or document-sharing service. Think of a fake “you have a shared file” notice or a Teams invite. The email contains a device code with instructions: go to a Microsoft verification page and enter this code to view the document. The page you land on is a real Microsoft page. That is the trick. There is no fake login form to spot, no misspelled URL, no off-brand styling.

When you enter that device code on the legitimate Microsoft verification page, you are not logging yourself in. You are authorizing the attacker’s device. Microsoft then hands the attacker OAuth access and refresh tokens tied to your Microsoft 365 account. Those tokens are how Microsoft remembers you are signed in, and now the attacker holds a copy.

Why Doesn’t Multi-Factor Authentication Stop This?

Multi-factor authentication does not stop it because no password is being stolen. MFA protects the moment you log in. This attack skips that moment entirely.

You completed the sign-in yourself. You passed your own MFA check. The attacker simply rode along on the device authentication you approved. With a valid refresh token in hand, they can access Microsoft 365 services without entering a password again and without triggering another MFA prompt. They can bypass multi-factor authentication without ever cracking it.

This is the uncomfortable shift. For a long time, we treated MFA as the finish line. Token theft moves the finish line past it. The attacker can hold that access for as long as the token stays valid, often blending right in with normal account activity.

What Happens After an Attacker Gets In?

This is the part that gets underreported, and it is the whole reason this is a cloud workflow problem. The compromise starts at identity. The actual business damage spreads everywhere else.

Once an attacker can access Microsoft 365, they can read your Outlook mail, including password reset messages for other accounts. They can open files in OneDrive without needing a password again. They can sit inside Teams conversations. They can reach into SharePoint, grab shared links, and quietly forward sensitive documents. The login was just the front door. The files, the chats, and the shared workflows are the rooms with everything valuable in them.

Then it gets worse, because they can send. A phishing email from your real address, to your real coworkers and customers, lands with full trust. That is how one compromised account turns into ten. The attack does not stay contained to the person who clicked.

Why Is This a Cloud Workflow Problem and Not Just a Login Problem?

Because identity is only the entry point, and the data is the prize. When you map out where a single stolen token can travel, the answer is “the entire cloud workspace.” Email, file storage, collaboration, document sharing, and any automated process that account touches.

Most security budgets still pour heavily into the login layer. Strong passwords, MFA, single sign-on. All good. But if an attacker can gain access without breaking any of that, then the question becomes simpler and harder at the same time. What can they actually reach, and what protects your data once they are inside the workflow?

That reframing is the point of this whole piece. Login security and data security are two different jobs. You need both, and the second one is the part most organizations have under-built.

How Does Phishing-as-a-Service Make This Worse?

Phishing-as-a-service turns a skilled, slow attack into a cheap, fast, repeatable one. That is the real story behind the cybercriminal ecosystems that run phishing-as-a-service and account takeover operations.

With Kali365, the heavy lifting is done for the buyer. The automated campaign templates mean a new operation can launch in minutes. The AI-generated phishing lures mean the bait reads cleanly, with fewer of the typos that used to give scams away. The victim-tracking dashboards mean attackers can run thousands of attempts and just watch for the ones that land. Volume goes up. Skill requirements go down.

Security vendors have been sounding the alarm on this trend for a while. Firms like Trend Micro have documented the rise of OAuth token theft and device code phishing, and the broader industry, including content and platform security companies like Irdeto, has been pushing the same message for years: protect the data and the session, not just the front door. Kali365 is what that warning looks like in practice.

What Are CISA and Microsoft Recommending?

CISA and Microsoft both point toward identity hardening that goes beyond a basic MFA toggle. The headline recommendation is to use conditional access policies.

Conditional access lets you set rules about who can sign in, from where, and on what kind of device. You can block sign-ins from unmanaged devices, flag logins from unexpected countries, and shorten how long a token stays valid before it has to be re-verified. These conditional access policies will not make device code phishing impossible, but they limit this style of attack by shrinking the window an attacker can operate in. CISA has long pushed phishing-resistant MFA and tighter session controls for exactly this reason.

A few other practical moves help. Restrict or disable the device code flow if your organization does not use it. Set up emergency access accounts so you are never locked out while responding to an incident. And teach people one rule that defeats this entire attack: never enter a code on a Microsoft verification page unless you started that sign-in yourself, on your own device.
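The device code flow described above leaves a trace: in Microsoft Entra sign-in logs a sign-in completed through it is recorded with authenticationProtocol set to "deviceCode", which is what the conditional access and "unexpected country" advice in this section keys on. The script below is an added example, not code from the FBI, Microsoft or PacGenesis; it assumes the Microsoft Graph signIn record shape and runs over a constructed sample export, flagging every device code sign-in and ranking higher those from a country the user has never signed in from interactively.

```python
# Added example for this article (not FBI, Microsoft or PacGenesis code). Assumes
# the Microsoft Graph `signIn` record shape, where a device code sign-in carries
# authenticationProtocol == "deviceCode"; the records below are constructed.
import json
from collections import defaultdict

# Constructed sign-in export: bob completes a device code sign-in from a country
# he never signs in from interactively; carol's comes from a meeting-room device.
SAMPLE_SIGNINS = json.dumps([
    {"id": "s1", "userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"}, "appDisplayName": "Microsoft Office"},
    {"id": "s2", "userPrincipalName": "bob@example.com", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.11", "location": {"countryOrRegion": "US"}, "appDisplayName": "Microsoft Office"},
    {"id": "s3", "userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "NL"}, "appDisplayName": "Microsoft Office"},
    {"id": "s4", "userPrincipalName": "carol@example.com", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.12", "location": {"countryOrRegion": "US"}, "appDisplayName": "Microsoft Teams"},
    {"id": "s5", "userPrincipalName": "carol@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.13", "location": {"countryOrRegion": "US"}, "appDisplayName": "Microsoft Teams Rooms"},
])

def flag_device_code_signins(signins_json: str) -> list:
    """Return one alert per device code sign-in, highest severity first.

    high:   completed from a country the user has no interactive sign-in from
            in this export (or no interactive sign-in at all)
    medium: completed from a familiar country; still review it unless the
            tenant really uses the flow for kiosks or meeting-room devices
    """
    records = json.loads(signins_json)
    baseline = defaultdict(set)  # user -> countries seen on non device code sign-ins
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            baseline[r["userPrincipalName"]].add(r.get("location", {}).get("countryOrRegion"))
    alerts = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        user, country = r["userPrincipalName"], r.get("location", {}).get("countryOrRegion")
        alerts.append({"id": r["id"], "user": user, "country": country, "ip": r.get("ipAddress"),
                       "app": r.get("appDisplayName"),
                       "severity": "medium" if country in baseline[user] else "high"})
    return sorted(alerts, key=lambda a: a["severity"] != "high")  # False < True: high first

if __name__ == "__main__":
    for a in flag_device_code_signins(SAMPLE_SIGNINS):
        print(f'{a["severity"].upper():6} {a["user"]} {a["country"]} {a["ip"]} {a["app"]}')
```

A tenant that has blocked the flow with conditional access should see no "deviceCode" records at all, so any hit is worth a look; a tenant that keeps it for meeting-room devices can narrow the medium alerts by allow-listing the apps those devices sign in with.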

How Can You Harden the File and Workflow Layer?

Here is the honest framing. No vendor, and no product, prevents every Microsoft login attack. Identity compromise will happen. The smarter goal is to make sure a stolen token does not equal an open vault. That means hardening the layer where your data actually lives and moves.

This is the space we work in at PacGenesis. We help organizations secure the file and workflow layer around Microsoft 365, not replace it. On the storage side, we partner with Trend Micro to scan and protect cloud file storage, so malicious or exfiltrated content gets caught at the data layer rather than slipping through a trusted session. On the movement side, we work with IBM Aspera for secure enterprise file transfer, which keeps large and sensitive files moving with encryption and control built in, while preserving the throughput that makes Aspera the standard for big data sets that would crawl over ordinary transfer methods.

The thinking is simple. Identity is your perimeter. File security is your last line. When an attacker gets a token, your defense should not collapse to “well, they are inside now.” A hardened data and transfer layer means sensitive files are governed, monitored, and protected even when the login has already been compromised. That is the cybersecurity posture this new wave of phishing demands.

Where This Leaves You

The Kali365 warning is not really about one phishing kit. It is a signal that the attack surface has moved. We spent a decade locking the front door, and attackers responded by stealing the keys to every room behind it. Tokens are those keys. Treat them that way.

Tighten identity with conditional access, kill the device code flow if you do not need it, and train your people on the one habit that stops this cold. Then build the layer most organizations skip: real protection for the files, storage, and transfers that a compromised Microsoft 365 account can reach.

Key Things to Remember

  • Kali365 steals tokens, not passwords. The FBI warned that this phishing-as-a-service platform captures Microsoft 365 OAuth tokens and can bypass multi-factor authentication without your credentials.
  • The phishing page is real. Victims enter a device code on a legitimate Microsoft verification page, which authorizes the attacker’s device instead of logging the victim in.
  • The damage spreads through your workflow. Once inside, an attacker can reach Outlook, Teams, OneDrive, and SharePoint, read sensitive mail, and send convincing phishing from your real address.
  • MFA alone is not enough anymore. Because no password is stolen, your MFA check still passes. The token does the rest.
  • Use conditional access policies. CISA and Microsoft recommend conditional access, shorter token lifetimes, disabling unused device authentication flows, and emergency access accounts to limit this style of attack.
  • Harden the data layer. Identity compromise is inevitable, so protect the file and workflow layer too. PacGenesis helps with cloud file storage security through Trend Micro and secure, high-throughput enterprise file movement through IBM Aspera.
  • Train the one rule. Never enter a code on a Microsoft verification page unless you personally started that sign-in on your own device.