New Kali365 hacking platform bypasses multi-factor authentication, FBI warns Microsoft 365 users
Key Points
- FBI issued a PSA on May 21, 2026, warning about the Kali365 phishing-as-a-service platform.
- Kali365 steals OAuth tokens, bypassing MFA without ever capturing a Microsoft 365 password.
- The subscription kit costs as little as $250 monthly, lowering the barrier for attackers.
- FBI recommends blocking device code authentication flow and adopting phishing-resistant MFA protections now.
The FBI is sounding the alarm on Kali365. The FBI’s Internet Crime Complaint Center issued a public service announcement on May 21, 2026, warning about Kali365, a Phishing-as-a-Service platform first identified in April 2026. Kali365 spreads mainly through Telegram and lets attackers obtain Microsoft 365 access tokens, bypassing multi-factor authentication without ever stealing a password.
Researchers documented hundreds of Kali365-linked attacks in April alone, spanning organizations across North America and Europe. For businesses running on Microsoft 365 (NASDAQ: MSFT), this advisory reframes what “secure login” actually means.
Why Kali365 Beats Multi-Factor Authentication
Kali365 enables threat actors to capture OAuth tokens and gain persistent access to Microsoft 365 accounts without intercepting any credentials. The distinction matters for every IT security team.
- Security researchers classify this as session hijacking, not a login attack, making standard password-based defenses ineffective.
- A stolen OAuth token grants direct access to Outlook, Teams, and OneDrive with zero password and zero MFA prompt.
- Conventional security tools often fail to flag this activity, since the access appears legitimate to Microsoft’s systems.
- A single stolen token can extend into other connected cloud apps, widening the blast radius of one compromised account.
How Affordable Cybercrime Has Become
A Subscription Model for Attackers
Kali365 operates as a subscription service, reportedly priced as low as $250 per month or $2,000 annually. That pricing puts a sophisticated attack toolkit within reach of low-skill operators.
The platform gives subscribers AI-generated phishing lures, automated campaign templates, and real-time dashboards for tracking targeted individuals. A separate operation tracked by Huntress targeted Microsoft 365 identities across more than 340 organizations in the US, Canada, Australia, New Zealand, and Germany, beginning in February 2026. The scale shows this is not an isolated incident.
Who’s Being Targeted Right Now
A separate campaign tracked by Arctic Wolf since early April found targets spanning manufacturing, education, insurance, financial services, healthcare, and government sectors. That campaign originated mainly from a single IP address, with activity spread across North America, Europe, the Middle East, and Africa.
- Researchers also identified a similar platform called EvilTokens, also sold through Telegram, using fake login pages and Microsoft API automation.
- EvilTokens uses templates built around common business notifications, including SharePoint access requests and password expiration messages.
- Kali365 has already been used against hundreds of organizations since first appearing in April 2026.
What the FBI Recommends Organizations Do
The FBI’s advisory focuses on closing the specific authentication flow these kits exploit. Recommended defenses include moving beyond basic MFA toward Conditional Access policies and stronger identity hardening strategies. A key recommendation is creating Conditional Access policies that block device code authentication flow globally across the organization.
Security experts also recommend adopting phishing-resistant MFA methods and ensuring stolen sessions can be revoked within minutes. These three changes directly target the mechanism Kali365 abuses, rather than relying on password strength alone.
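One way to verify the device code recommendation above in a tenant, as an added example that is not from the FBI advisory or this article: a Python audit of Conditional Access policies exported from Microsoft Graph, checking that a device code block is enforced rather than report-only and is scoped to all users and applications. Field names follow the Graph conditionalAccessPolicy schema; the sample policies, their names and the GUIDs are constructed.

```python
def audit_policy(policy):
    """None if the policy does not target device code flow, else its gaps and exclusions."""
    cond = policy.get("conditions") or {}
    # transferMethods is a comma-separated string, e.g. "deviceCodeFlow,authenticationTransfer"
    flows = (cond.get("authenticationFlows") or {}).get("transferMethods") or ""
    if "deviceCodeFlow" not in [m.strip() for m in flows.split(",")]:
        return None
    users, apps = cond.get("users") or {}, cond.get("applications") or {}
    gaps = []
    if "block" not in ((policy.get("grantControls") or {}).get("builtInControls") or []):
        gaps.append("grant control is not 'block'")
    if policy.get("state") != "enabled":
        gaps.append(f"state is {policy.get('state')!r} (report-only or disabled)")
    if "All" not in (users.get("includeUsers") or []):
        gaps.append("not scoped to all users")
    if "All" not in (apps.get("includeApplications") or []):
        gaps.append("not scoped to all applications")
    # Exclusions (e.g. break-glass accounts) do not fail the audit but need review.
    exclusions = [x for k in ("excludeUsers", "excludeGroups", "excludeRoles")
                  for x in (users.get(k) or [])]
    return {"name": policy.get("displayName"), "gaps": gaps, "exclusions": exclusions}

def tenant_blocks_device_code(policies):
    """(covered, results): covered is True if some policy blocks the flow with no gaps."""
    results = [r for r in map(audit_policy, policies) if r]
    return any(not r["gaps"] for r in results), results

def sample_policy(name, state, include_users, exclude_users=()):
    """Build a constructed sample policy that blocks device code flow."""
    return {"displayName": name, "state": state,
            "conditions": {"users": {"includeUsers": list(include_users),
                                     "excludeUsers": list(exclude_users)},
                           "applications": {"includeApplications": ["All"]},
                           "authenticationFlows": {"transferMethods": "deviceCodeFlow"}},
            "grantControls": {"operator": "OR", "builtInControls": ["block"]}}

# Constructed export: report-only pilot, single-user scope, unrelated MFA policy.
WEAK = [sample_policy("Pilot", "enabledForReportingButNotEnforced", ["All"]),
        sample_policy("One user only", "enabled", ["00000000-0000-0000-0000-000000000001"]),
        {"displayName": "Require MFA", "state": "enabled",
         "conditions": {"users": {"includeUsers": ["All"]}},
         "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}}]
# Corrected export: adds an enforced, all-user block with one excluded break-glass account.
FIXED = WEAK + [sample_policy("Block device code flow", "enabled", ["All"],
                              exclude_users=["00000000-0000-0000-0000-0000000000ff"])]

if __name__ == "__main__":
    for label, export in (("weak", WEAK), ("fixed", FIXED)):
        print(label, tenant_blocks_device_code(export))
```

A report-only or partially scoped policy shows up in the Conditional Access list as if the control exists, which is why the audit treats both as gaps rather than as coverage.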
Final Thoughts
Kali365 demonstrates that even well-secured environments with MFA enabled can still be compromised if identity controls aren’t properly configured. The shift from credential theft to token theft means businesses need to upgrade their defenses, not abandon MFA altogether. Organizations relying on Microsoft 365 should treat this FBI advisory as an immediate prompt to review Conditional Access settings. Acting before an incident occurs remains far less costly than responding after one.
Disclaimer
The content shared by Meyka AI PTY LTD is solely for research and informational purposes. Meyka is not a financial advisory service, and the information provided should not be considered investment or trading advice.