Domain Search Form
£14.99
£33.98
£23.24
£41.99

FBI Warns Microsoft 365 Users About New Kali365 Phishing Attacks

Written by Giraffe Hosting Limited
Published 23 June 2026
FBI Warns Microsoft 365 Users About New Kali365 Phishing Attacks
Published: 23 June 2026
Category: 
Written by: Giraffe Hosting Limited
Businesses using Microsoft 365 services such as Outlook, Teams, and OneDrive are being urged to remain vigilant following an FBI warning about a growing phishing toolkit known as Kali365. Unlike traditional phishing campaigns, Kali365 is designed to bypass some of the protections that many organisations rely on, including multi-factor authentication (MFA). What Is Kali365? Kali365 […]

Table of Contents

Businesses using Microsoft 365 services such as Outlook, Teams, and OneDrive are being urged to remain vigilant following an FBI warning about a growing phishing toolkit known as Kali365.

Unlike traditional phishing campaigns, Kali365 is designed to bypass some of the protections that many organisations rely on, including multi-factor authentication (MFA).

What Is Kali365?

Kali365 is a phishing-as-a-service (PhaaS) platform reportedly being distributed through encrypted messaging channels. It provides attackers with ready-made tools that require little technical knowledge to operate.

Features reportedly include:

• AI-generated phishing emails

• Pre-built attack templates

• Real-time dashboards showing campaign activity

• Tools for capturing Microsoft authentication tokens

This lowers the barrier to entry for cybercriminals and allows less experienced attackers to launch convincing campaigns against businesses and individuals.

How The Attack Works

Many people believe that enabling MFA completely protects their accounts. While MFA remains one of the most effective security measures available, Kali365 attacks focus on stealing authentication tokens instead of passwords.

A typical attack follows these steps:

  1. The victim receives an email appearing to come from Microsoft or another trusted organisation.
  2. The email contains a link that directs the victim to what appears to be a genuine Microsoft sign-in page.
  3. The user signs in and completes the MFA challenge.
  4. The attacker intercepts OAuth access and refresh tokens generated during the process.
  5. Those tokens can then be used to access the victim's Microsoft 365 account without needing the password again or triggering another MFA request.

This could potentially give attackers access to:

• Outlook email accounts

• OneDrive files

• Microsoft Teams conversations

• SharePoint data

• Other connected Microsoft 365 services

Why Businesses Should Be Concerned

Many organisations rely heavily on Microsoft 365 for day-to-day operations.

An attacker who gains access to a mailbox can monitor conversations, intercept invoices, request fraudulent payments, and impersonate employees or directors.

Access to OneDrive or SharePoint may expose confidential documents, customer information and internal records.

Because these attacks use genuine Microsoft authentication pages, even security-conscious users may struggle to recognise them.

How To Protect Your Organisation

The FBI has issued several recommendations to reduce the risk posed by Kali365.

Restrict Device Code Authentication

Where possible, organisations should turn off device code flow authentication.

Businesses using Microsoft Entra ID can create Conditional Access policies to block device code flow for most users while allowing exceptions for essential business processes.

Review Authentication Transfer Policies

Authentication transfer settings should be reviewed and restricted where they are not required.

Protect Emergency Accounts

If device code authentication cannot be completely disabled, emergency access accounts should be excluded and monitored separately.

Train Staff To Recognise Phishing Attempts

Employees should be reminded to:

• Avoid clicking links within unexpected emails

• Visit Microsoft services directly through bookmarks or manually typed addresses

• Verify unusual requests through another communication channel

• Report suspicious emails immediately

Monitor Sign-in Activity

Administrators should regularly review Microsoft 365 sign-in logs for:

• Unusual locations

• Unknown devices

• Repeated authentication attempts

• Unexpected OAuth application permissions

MFA Is Still Essential

Despite this latest threat, multi-factor authentication remains one of the most effective ways to protect online accounts.

What Kali365 demonstrates is that cybercriminals are adapting their methods and looking for ways around existing protections.

Good security practices now require more than simply enabling MFA. Businesses should combine strong authentication methods with user awareness training, access controls and regular account monitoring.

Cyber threats continue to evolve, and staying informed remains one of the best defences available to organisations of all sizes.

Choose Giraffe Hosting Limited for your Domain Registration, Cloud Hosting, WordPress Hosting, and Virtual Private Server Hosting; Powered by renewable energy, contributed to sustainable growth.
Copyright © Giraffe Hosting Limited. 2007 – 2026 All rights reserved.
Explore
Services
Support