
What Is Kali365 & How Is It Targeting Microsoft 365 Users With Automated Phishing Attacks — Explained

The FBI warns Kali365 is being used through Telegram to run phishing attacks targeting Microsoft 365 users globally

Summary
  • Cybercrime is shifting to subscription tools; the FBI warns that Kali365 targets Microsoft 365 users by bypassing MFA

  • The FBI says the platform is a Phishing-as-a-Service offering shared on Telegram, enabling automated phishing on cloud accounts

  • Officials say the system has been active since April 2026 and is distributed via Telegram, enabling large-scale automated attacks


Cybercriminal activity is shifting towards subscription-based tools that simplify hacking, and a new Federal Bureau of Investigation (FBI) warning has highlighted a platform called Kali365 that is being used to target Microsoft 365 users by bypassing multi-factor authentication (MFA) systems.

According to the FBI, the platform functions as a “Phishing-as-a-Service” (PhaaS) model and is being shared through Telegram channels. It allows individuals with limited technical knowledge to run automated phishing operations on cloud-based accounts.

Officials said the system has been active since April 2026 and is being actively distributed through Telegram channels. It is built to support large-scale attacks using automated tools, ready-made templates and live monitoring features, as reported by Mint.

What Is Kali365?

Kali365 is a subscription-based cybercrime platform that bundles a number of phishing tools together into one ready-to-use system. It is designed to lower the technical barrier for attackers to target Microsoft 365 accounts without requiring advanced hacking skills.


The platform provides ready-made phishing tools that can be quickly deployed to launch large-scale attacks against cloud-based users. These tools are designed to simplify the process so that even non-technical users can carry out coordinated phishing attempts.

It also includes automated systems that allow attackers to manage multiple ongoing campaigns at the same time without needing manual control. This helps in running continuous attacks across different targets in an organised way.

In addition, the platform offers tracking panels that allow attackers to monitor targeted users and view activity in real time during an ongoing attack. This helps them adjust and manage their operations while the attack is active.

How Does Kali365 Operate?

Reports suggest the attack begins with e-mails that appear to come from trusted cloud or file-sharing services. The messages often urge users to complete a quick verification process.


Users are then taken to a page that looks like a genuine Microsoft sign-in screen and asked to enter a verification code. Once the code is entered, attackers can gain access to the user’s account activity without the person’s knowledge.

With that access, they may be able to use services such as Outlook, Teams and OneDrive. Because they are using an already approved login session, they can remain in the account for longer without triggering common security warnings.

This makes the intrusion harder to detect and allows continuous access until the session is manually revoked or expires.

Why Is Kali365 A Concern?

Security officials said the main risk comes from the way Kali365 avoids password theft and instead relies on stolen authentication tokens.

Since these tokens can continue working even after password changes, attackers may keep access active without immediate detection.
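For security teams, the two traits described above (an already approved session being reused, and a token that still works after a password change) can be turned into a simple log check. The sketch below is an added example, not code from the FBI advisory or from Microsoft; the event records are constructed and the field names are hypothetical, not a real log schema.

```python
from datetime import datetime

# Constructed sample records; field names are hypothetical, not a Microsoft log schema.
EVENTS = [
    {"user": "alice", "type": "signin", "session": "s1", "ip": "198.51.100.10", "time": "2026-05-01T09:00:00"},
    {"user": "alice", "type": "activity", "session": "s1", "ip": "203.0.113.77", "time": "2026-05-01T09:05:00"},
    {"user": "alice", "type": "password_change", "session": None, "ip": "198.51.100.10", "time": "2026-05-02T08:00:00"},
    {"user": "alice", "type": "activity", "session": "s1", "ip": "203.0.113.77", "time": "2026-05-02T10:00:00"},
    {"user": "bob", "type": "signin", "session": "s2", "ip": "192.0.2.5", "time": "2026-05-01T09:00:00"},
    {"user": "bob", "type": "activity", "session": "s2", "ip": "192.0.2.5", "time": "2026-05-01T11:00:00"},
]

def find_suspect_sessions(events):
    """Return {session_id: set(reasons)} for sessions that look reused by someone else."""
    events = sorted(events, key=lambda e: datetime.fromisoformat(e["time"]))
    issued = {}          # session id -> (sign-in time, sign-in IP)
    last_pw_change = {}  # user -> time of the most recent password change seen so far
    findings = {}
    for e in events:
        t = datetime.fromisoformat(e["time"])
        if e["type"] == "signin":
            issued[e["session"]] = (t, e["ip"])
        elif e["type"] == "password_change":
            last_pw_change[e["user"]] = t
        elif e["type"] == "activity":
            if e["session"] not in issued:
                # Session in use with no sign-in on record for it.
                findings.setdefault(e["session"], set()).add("no_signin_seen")
                continue
            start, signin_ip = issued[e["session"]]
            if e["ip"] != signin_ip:
                # Approved session is being used from a different address.
                findings.setdefault(e["session"], set()).add("ip_differs_from_signin")
            changed = last_pw_change.get(e["user"])
            if changed and start < changed:
                # Session predates the password change but is still in use after it.
                findings.setdefault(e["session"], set()).add("used_after_password_change")
    return findings

if __name__ == "__main__":
    for session, reasons in find_suspect_sessions(EVENTS).items():
        print(session, sorted(reasons))
```

A change of IP address alone can be legitimate, for example a user moving between networks, so flagged sessions are leads for review; a confirmed case calls for revoking the session, since a password change by itself may not end it.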


The FBI said this creates serious challenges for both users and cybersecurity teams, especially in identifying ongoing breaches.

The agency has also asked victims to report incidents through the Internet Crime Complaint Centre (IC3) at www.ic3.gov along with related phishing and login details.