
Businesses using Microsoft 365 services such as Outlook, Teams, and OneDrive are being urged to remain vigilant following an FBI warning about a growing phishing toolkit known as Kali365.
Unlike traditional phishing campaigns, Kali365 is designed to bypass some of the protections that many organisations rely on, including multi-factor authentication (MFA).
Kali365 is a phishing-as-a-service (PhaaS) platform reportedly being distributed through encrypted messaging channels. It provides attackers with ready-made tools that require little technical knowledge to operate.
Features reportedly include:
• AI-generated phishing emails
• Pre-built attack templates
• Real-time dashboards showing campaign activity
• Tools for capturing Microsoft authentication tokens
This lowers the barrier to entry for cybercriminals and allows less experienced attackers to launch convincing campaigns against businesses and individuals.
Many people believe that enabling MFA completely protects their accounts. While MFA remains one of the most effective security measures available, Kali365 attacks focus on stealing authentication tokens instead of passwords.
A typical attack follows these steps:
This could potentially give attackers access to:
• Outlook email accounts
• OneDrive files
• Microsoft Teams conversations
• SharePoint data
• Other connected Microsoft 365 services
Many organisations rely heavily on Microsoft 365 for day-to-day operations.
An attacker who gains access to a mailbox can monitor conversations, intercept invoices, request fraudulent payments, and impersonate employees or directors.
Access to OneDrive or SharePoint may expose confidential documents, customer information and internal records.
Because these attacks use genuine Microsoft authentication pages, even security-conscious users may struggle to recognise them.
The FBI has issued several recommendations to reduce the risk posed by Kali365.
Where possible, organisations should turn off device code flow authentication.
Businesses using Microsoft Entra ID can create Conditional Access policies to block device code flow for most users while allowing exceptions for essential business processes.
Authentication transfer settings should be reviewed and restricted where they are not required.
If device code authentication cannot be completely disabled, emergency access accounts should be excluded and monitored separately.
Employees should be reminded to:
• Avoid clicking links within unexpected emails
• Visit Microsoft services directly through bookmarks or manually typed addresses
• Verify unusual requests through another communication channel
• Report suspicious emails immediately
Administrators should regularly review Microsoft 365 sign-in logs for:
• Unusual locations
• Unknown devices
• Repeated authentication attempts
• Unexpected OAuth application permissions
Despite this latest threat, multi-factor authentication remains one of the most effective ways to protect online accounts.
What Kali365 demonstrates is that cybercriminals are adapting their methods and looking for ways around existing protections.
Good security practices now require more than simply enabling MFA. Businesses should combine strong authentication methods with user awareness training, access controls and regular account monitoring.
Cyber threats continue to evolve, and staying informed remains one of the best defences available to organisations of all sizes.